This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: All SSL requests fail with WRONG_VERSION_NUMBER when a packet sniffer is open
Type: behavior Stage: resolved
Components: SSL Versions: Python 3.9
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, darrenrs
Priority: normal Keywords:

Created on 2021-01-22 04:46 by darrenrs, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (3)
msg385476 - (view) Author: Darren Skidmore (darrenrs) Date: 2021-01-22 04:46
As of Python 3.9.1, when attempting to perform any SSL requests when a packet sniffer tool (e.g. Telerik Fiddler) is intercepting SSL traffic, the program will hang for about a minute and then crash with a WRONG_VERSION_NUMBER error. This has been tested to occur with urllib2 and requests modules. Alternatives such as verify=False and adding the Fiddler Root Certificate to Python's cacert.pem file do not rectify this error.

This traceback was generated when attempting to access while Fiddler 5.0.20204.45441 was open:

Traceback (most recent call last):
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\", line 696, in urlopen
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\", line 964, in _prepare_proxy
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\", line 359, in connect
    conn = self._connect_tls_proxy(hostname, conn)
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\", line 496, in _connect_tls_proxy
    return ssl_wrap_socket(
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\util\", line 432, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\util\", line 474, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\", line 1040, in _create
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\", line 1309, in do_handshake
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1123)

This exact question has recently been asked on StackOverflow:
msg385483 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-22 08:05
I'm not familiar with Telerik Fiddler and don't have access to the tool. From the description on its Wikipedia page, it sounds like the tool is an active interceptor that uses a man-in-the-middle attack approach.

Python's ssl module wraps OpenSSL. All steps of the TLS handshake are performed by OpenSSL code. Your connection issue is most likely an incompatibility between recent OpenSSL 1.1.1 and your tool. I recommend that you contact the vendor of your tool.

The ssl module supports passive introspection of TLS connections with SSLKEYLOGFILE. The format is supported by Wireshark and other tools.
msg391296 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 18:15
The op hasn't replied in three months. I'm closing the issue. Please feel free to reopen the issue with more information.
Date User Action Args
2022-04-11 14:59:40adminsetgithub: 87166
2021-04-17 18:15:48christian.heimessetstatus: open -> closed
type: crash -> behavior
messages: + msg391296

resolution: out of date
stage: resolved
2021-01-22 08:05:16christian.heimessetmessages: + msg385483
2021-01-22 04:46:13darrenrscreate