classification
Title: All SSL requests fail with WRONG_VERSION_NUMBER when a packet sniffer is open
Type: crash
Stage:
Components: SSL
Versions: Python 3.9

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: christian.heimes, darrenrs
Priority: normal
Keywords:

Created on 2021-01-22 04:46 by darrenrs, last changed 2021-01-22 08:05 by christian.heimes.

Messages (2)
msg385476 - Author: Darren Skidmore (darrenrs) Date: 2021-01-22 04:46
As of Python 3.9.1, when attempting to perform any SSL requests when a packet sniffer tool (e.g. Telerik Fiddler) is intercepting SSL traffic, the program will hang for about a minute and then crash with a WRONG_VERSION_NUMBER error. This has been tested to occur with urllib2 and requests modules. Alternatives such as verify=False and adding the Fiddler Root Certificate to Python's cacert.pem file do not rectify this error.

This traceback was generated when attempting to access https://example.com:443 while Fiddler 5.0.20204.45441 was open:

Traceback (most recent call last):
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\connectionpool.py", line 696, in urlopen
    self._prepare_proxy(conn)
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\connectionpool.py", line 964, in _prepare_proxy
    conn.connect()
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\connection.py", line 359, in connect
    conn = self._connect_tls_proxy(hostname, conn)
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\connection.py", line 496, in _connect_tls_proxy
    return ssl_wrap_socket(
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\util\ssl_.py", line 432, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\site-packages\urllib3\util\ssl_.py", line 474, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\ssl.py", line 1040, in _create
    self.do_handshake()
  File "C:\Users\Darren\AppData\Local\Programs\Python\Python39\lib\ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1123)

This exact question has recently been asked on StackOverflow: https://stackoverflow.com/questions/65516325/ssl-wrong-version-number-on-python-request

msg385483 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-22 08:05
I'm not familiar with Telerik Fiddler and don't have access to the tool. From the description on its Wikipedia page, it sounds like the tool is an active interceptor that uses a man-in-the-middle attack approach.

Python's ssl module wraps OpenSSL. All steps of the TLS handshake are performed by OpenSSL code. Your connection issue is most likely an incompatibility between recent OpenSSL 1.1.1 and your tool. I recommend that you contact the vendor of your tool.

The ssl module supports passive introspection of TLS connections with SSLKEYLOGFILE. The format is supported by Wireshark and other tools.
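
Added example (not part of the original messages and not CPython's own code): enabling the key logging mentioned above through `ssl.SSLContext.keylog_filename` with certificate verification left on, and parsing the NSS key log format that Wireshark reads. The helper names and the sample log values are constructed for illustration.

```python
import os
import ssl

# Labels OpenSSL 1.1.1 writes in the NSS key log format.
KEYLOG_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET",
}

# Constructed sample log (fake values): one TLS 1.2 session, one TLS 1.3 session.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real secrets",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
])


def keylog_context(path):
    """Client context that logs session secrets to `path`; verification is unchanged."""
    # The log decrypts captured traffic, so create it readable by the owner only.
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600))
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checks stay on
    ctx.keylog_filename = path          # Python 3.8+ built against OpenSSL 1.1.1+
    return ctx


def parse_keylog(text):
    """Group entries by client random: {client_random_hex: {label: secret_bytes}}."""
    sessions = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                    # blank lines and comments carry no secrets
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            raise ValueError(f"line {lineno}: not a key log entry")
        label, client_random, secret = parts
        crandom = bytes.fromhex(client_random)  # ValueError on non-hex input
        if len(crandom) != 32:
            raise ValueError(f"line {lineno}: client random must be 32 bytes")
        sessions.setdefault(crandom.hex(), {})[label] = bytes.fromhex(secret)
    return sessions


def tls_version_hint(labels):
    """TLS 1.2 and earlier log CLIENT_RANDOM; TLS 1.3 logs per-stage traffic secrets."""
    return "TLS 1.2 or earlier" if "CLIENT_RANDOM" in labels else "TLS 1.3"
```

Pass the returned context to `urllib.request.urlopen(url, context=ctx)` or `http.client.HTTPSConnection(host, context=ctx)`, then point Wireshark's TLS "(Pre)-Master-Secret log filename" preference at the same file.
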
History
Date                 User              Action  Args
2021-01-22 08:05:16  christian.heimes  set     messages: + msg385483
2021-01-22 04:46:13  darrenrs          create