Title: Some absolute domain name not work in urllib
Type: Stage: resolved
Components: Library (Lib) Versions: Python 3.8
Status: closed Resolution: third party
Dependencies: Superseder:
Assigned To: Nosy List: axot, christian.heimes
Priority: normal Keywords:

Created on 2020-10-19 02:18 by axot, last changed 2020-10-19 11:49 by christian.heimes. This issue is now closed.

Messages (2)
msg378919 - (view) Author: Zheng SHAO (axot) Date: 2020-10-19 02:18
import ssl
import urllib.request

url_string = "https://kubernetes.default.svc.cluster.local./api/"

ctx = ssl._create_unverified_context()

with urllib.request.urlopen(url_string, context=ctx) as f:

In running this sample code will got a following handshake error,

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.8/urllib/", line 222, in urlopen
    return, data, timeout)
  File "/usr/lib/python3.8/urllib/", line 525, in open
    response = self._open(req, data)
  File "/usr/lib/python3.8/urllib/", line 542, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/lib/python3.8/urllib/", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/", line 1393, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/usr/lib/python3.8/urllib/", line 1353, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_UNEXPECTED_MESSAGE] sslv3 alert unexpected message (_ssl.c:1123)>

Instead using absolute domain name, using `https://kubernetes.default.svc.cluster.local/api/` then the issue solved. I also tried other domains like ``, but in this case the handshake process had no errors.
msg378943 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-10-19 11:49
SSLV3_ALERT_UNEXPECTED_MESSAGE means that the server is responding with incorrect TLS data. That's usually the case when the port on the server is HTTP instead of HTTPS. It's also possible that the server does not like the SNI header (Server Name Indication) and closes the connection incorrectly.

By the way unverified context is insecure and should not be used in production. I assume that you are using an unverified context because hostnames with a trailing dot are not supported by OpenSSL, see #31997 and #40306.
Date User Action Args
2020-10-19 11:49:19christian.heimessetstatus: open -> closed

nosy: + christian.heimes
messages: + msg378943

resolution: third party
stage: resolved
2020-10-19 02:20:07axotsettitle: Some Absolute domain name not work in urllib -> Some absolute domain name not work in urllib
2020-10-19 02:18:56axotcreate