
Python SSL connections.



fb1h2s
05-10-2013, 11:36 AM
Last day we were stuck with an error in a Python program of ours. The code was working fine on our dev environment, but when it was moved to production we were getting the following error [even when we had the same Python virtual environment as that of production] (http://www.garage4hackers.com/f55/how-copy-python-virtual-environment-duplicate-virtualenv-3714.html) for a particular domain/server.

Error:

<class 'socket.error'>: [Errno 104] Connection reset by peer)

Sample code to make a Python HTTPS request [something we used]:


import httplib

def https_post(host, port, uri, body, content_type):
    # Python 2 httplib; the TLS handshake happens inside HTTPSConnection.connect()
    h = httplib.HTTPSConnection(host, port)
    headers = {
        'User-Agent': 'trap',
        'Content-Type': content_type
    }
    h.request('POST', uri, body, headers)
    res = h.getresponse()
    return res.status, res.reason, res.read()


Python handles HTTPS communication by using the OpenSSL lib [Python OpenSSL lib]. Actually, many apps out there use the OpenSSL libs for their HTTPS communication.

Even Wget was failing.

So for debugging an HTTPS/SSL issue you can use the OpenSSL client to connect directly to our target the following way:

openssl s_client -connect www.google.com:443 -verify -debug -ssl3

And this should give back the server cert, tokens and the necessary info for the communication.

But when we tried to connect to our faulting server we were getting:

openssl s_client -connect target-server.com:443 -verify -debug -ssl3
verify depth is 0
CONNECTED(00000003)
52709:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 40
52709:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:539:

Based on the OpenSSL documentation, the faulting function is used to initiate the SSL connection (SSL handshake: http://en.wikipedia.org/wiki/Transport_Layer_Security, http://www.openssl.org/docs/ssl/SSL_do_handshake.html).

So from this it is clear that the SSL handshake failed, and that's the reason why the server closed the connection. So I tried changing from ssl3 to tls1:

openssl s_client -connect www.google.com:443 -verify -debug -tls1

and the connection was successful. So the solution was to force tls1 when making the request. Later I found that the issue was a bug in OpenSSL: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371. The reason it was working on the dev server was that it was running an updated version of OpenSSL, while production had an outdated OpenSSL.

The fix is to upgrade OpenSSL [fekd up thing to do] or force tls1 in your programs when dealing with such servers.

You can also patch httplib in Python (http://askubuntu.com/questions/116020/python-https-requests-urllib2-to-some-sites-fail-on-ubuntu-12-04-without-proxy/116059).


Forcing TLSv1 on python:

import socket
import ssl
import httplib

def connect(self):
    # Replacement for httplib.HTTPSConnection.connect that forces TLSv1
    sock = socket.create_connection((self.host, self.port),
                                    self.timeout, self.source_address)
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
                                ssl_version=ssl.PROTOCOL_TLSv1)

httplib.HTTPSConnection.connect = connect



Forcing TLS in Perl:

my $thing = whatever->new(
ssl_opts => { SSL_version => 'TLSv1' },
);

Forcing TLS in Wget and Curl

wget --secure-protocol=TLSv1 ...

curl --tlsv1


Ref: Python HTTPS requests (urllib2) to some sites fail on Ubuntu 12.04 without proxy - Ask Ubuntu (http://askubuntu.com/questions/116020/python-https-requests-urllib2-to-some-sites-fail-on-ubuntu-12-04-without-proxy/116059#116059)
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371
ssl - Is there a difference between SSLv3 and TLS1.0? - Stack Overflow (http://stackoverflow.com/questions/385634/is-there-a-difference-between-sslv3-and-tls1-0)
pyOpenSSL - Python interface to the OpenSSL library (http://pyopenssl.sourceforge.net/)
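The two things the post above does by hand, reading the s_client error lines to see that the peer sent a handshake alert, and forcing a protocol version in the Python client, can be done in code. The following is an added example written for this thread, not code from the original post: `triage()` parses OpenSSL error lines of the shape quoted above (the sample text is constructed from those lines) and distinguishes a TLS alert 40 (handshake_failure) from the bare `Errno 104` that Python's socket layer surfaced, and `make_context()` / `https_post()` are the Python 3 equivalent of the httplib snippet, with the protocol range set on an `ssl.SSLContext` that keeps certificate verification on instead of `ssl.wrap_socket`. The function names, the `ssl.TLSVersion.TLSv1_2` floor and the hostname in the docstring are my choices and assumptions; `http.client` and the `ssl` APIs used are the standard library's own.

```python
"""Triage an OpenSSL handshake failure and pin a TLS version range on a
verifying client context (added example; not from the original thread)."""
import re
import ssl
import http.client

# Constructed sample: the shape of what `openssl s_client -ssl3` printed in
# the thread (pid, error codes and source paths copied from those lines).
SAMPLE_SCLIENT_OUTPUT = """\
verify depth is 0
CONNECTED(00000003)
52709:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 40
52709:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:539:
"""

# Constructed sample: what the Python program reported (no OpenSSL detail at all).
SAMPLE_PYTHON_ERROR = "<class 'socket.error'>: [Errno 104] Connection reset by peer"

# OpenSSL error line layout: pid:error:code:library:function:reason:file:line:extra
_OPENSSL_ERR = re.compile(r"^\d+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):")
_ALERT = re.compile(r"SSL alert number (\d+)")
TLS_ALERT_HANDSHAKE_FAILURE = 40  # RFC 5246 AlertDescription handshake_failure


def triage(text):
    """Classify a failure from s_client stderr or a Python exception string.

    Returns {"kind": ..., "alert": int|None, "reasons": [OpenSSL reason strings]}.
    kind is "handshake_failure" when the peer rejected our protocol/cipher offer,
    "connection_reset" when only the socket-level reset is visible, else "unknown".
    """
    result = {"kind": "unknown", "alert": None, "reasons": []}
    for line in text.splitlines():
        m = _OPENSSL_ERR.match(line)
        if not m:
            continue
        result["reasons"].append(m.group(4))
        a = _ALERT.search(line)
        if a:
            result["alert"] = int(a.group(1))
    if result["alert"] == TLS_ALERT_HANDSHAKE_FAILURE or any(
        "handshake failure" in r for r in result["reasons"]
    ):
        result["kind"] = "handshake_failure"
    elif "Errno 104" in text or "Connection reset by peer" in text:
        result["kind"] = "connection_reset"
    return result


def make_context(minimum=ssl.TLSVersion.TLSv1_2, maximum=None):
    """Verifying client context pinned to a protocol range.

    This replaces ssl.wrap_socket(..., ssl_version=PROTOCOL_TLSv1) from the
    thread: the version floor/ceiling live on the context, and
    create_default_context() keeps CERT_REQUIRED, check_hostname and the
    system CA store, so forcing a version does not silently drop verification.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    if maximum is not None:
        ctx.maximum_version = maximum
    return ctx


def https_post(host, uri, body, content_type, port=443, context=None, timeout=10):
    """Same POST as the thread's httplib snippet, on http.client with an
    explicit SSLContext (e.g. host="example.invalid", a placeholder)."""
    conn = http.client.HTTPSConnection(
        host, port, timeout=timeout, context=context or make_context()
    )
    headers = {"User-Agent": "trap", "Content-Type": content_type}
    try:
        conn.request("POST", uri, body, headers)
        res = conn.getresponse()
        return res.status, res.reason, res.read()
    finally:
        conn.close()


if __name__ == "__main__":
    print(triage(SAMPLE_SCLIENT_OUTPUT))
    print(triage(SAMPLE_PYTHON_ERROR))
```

Run the module to see the two classifications; `https_post()` needs a reachable server, so it is not exercised offline. Setting `maximum_version` is what you would use to reproduce the thread's "force one version" experiment against a misbehaving server, and `minimum_version` is what you keep in production; `ssl.wrap_socket` itself was removed in Python 3.12, so the context-based form is the only one that still works there.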

b0nd
05-11-2013, 11:36 AM
Thanks for the time and efforts you invested on the issue. Best thing is - you found the solution :) Good job buddy!

Cheers!

steeve154
02-03-2014, 09:58 PM
nice all post...........................