Thread: Python SSL connections.

  1. #1
    Security Researcher fb1h2s
    Join Date: Jul 2010

    Python SSL connections.

    Last day we were stuck with an error in a Python program of ours. The code was working fine on our dev environment, but when it was moved to production, we were getting the following error [even when we had the same Python virtual environment as that of production] for a particular domain/server.


    <class 'socket.error'>: [Errno 104] Connection reset by peer)

    Sample code to make a Python HTTPS request [something we used]:

    import httplib

    # Wrapper name is illustrative; the post showed only the function body.
    def https_post(host, port, uri, body, content_type):
        # Open an HTTPS connection and send a single POST request.
        h = httplib.HTTPSConnection(host, port)
        headers = {
            'User-Agent': 'trap',
            'Content-Type': content_type,
        }
        h.request('POST', uri, body, headers)
        res = h.getresponse()
        return res.status, res.reason

    Python handles HTTPS communication by using the OpenSSL lib [Python openssl lib]. Actually many apps out there use OpenSSL libs for their HTTPS communication.

    Even Wget was failing

    So for debugging an HTTPS/SSL issue you can use the openssl client to directly connect to our target the following way.

    openssl s_client -connect Google -verify -debug -ssl3

    And this should give back the server cert, tokens and necessary info for the communication.

    But when we tried to connect to our faulting server we were getting:

    openssl s_client -connect -verify -debug -ssl3
    verify depth is 0
    52709:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 40
    52709:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:539:

    Based on the OpenSSL documentation, the faulting function is used to initiate the SSL connection / SSL handshake.

    So from this it is clear that the SSL handshake failed and that's the reason why the server closed the connection. So I tried changing from ssl3 to tls1:

    openssl s_client -connect Google -verify -debug -tls1

    and the connection was successful. So the solution was to force tls1 when making the request. And later I found that the current issue was a bug in OpenSSL. And the reason it was working on the dev server was that it was running an updated version of OpenSSL, and production had an outdated OpenSSL.

    The fix is that you can upgrade OpenSSL [fekd up thing to do] or force tls1 in your programs when dealing with such servers.

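    You can also patch httplib in Python.

    Forcing TLSv1 on Python:

    import httplib, socket, ssl

    def connect(self):
        # Replacement for httplib.HTTPSConnection.connect that pins ssl_version to TLSv1.
        sock = socket.create_connection((self.host, self.port),
                                        self.timeout, self.source_address)
        self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
                                    ssl_version=ssl.PROTOCOL_TLSv1)

    httplib.HTTPSConnection.connect = connect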

    Forcing TLS in Perl:

    my $thing = whatever->new(
        ssl_opts => { SSL_version => 'TLSv1' },
    );

    Forcing TLS in Wget and Curl

    wget --secure-protocol=TLSv1 ...

    curl --tlsv1

    Ref:
    Python HTTPS requests (urllib2) to some sites fail on Ubuntu 12.04 without proxy - Ask Ubuntu
    ssl - Is there a difference between SSLv3 and TLS1.0? - Stack Overflow
    pyOpenSSL - Python interface to the OpenSSL library
    Hacking Is a Matter of Time Knowledge and Patience
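
Added example, not part of fb1h2s's post: a Python 3 parser for the two OpenSSL error-queue lines quoted in post #1. It shows that reason 1040 in the first line is TLS alert 40 (handshake_failure) received from the server, while the second line is the client's own local error. It assumes the pre-3.0 OpenSSL error-code packing, which matches the 0.9.8 build in that output; the function and table names are chosen for this example.

```python
import re

# Assumption: OpenSSL < 3.0 packs an error as lib(8 bits) | func(12 bits) | reason(12 bits).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 are alerts received from the peer

# TLS alert descriptions (subset), per RFC 5246 section 7.2
ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}

LINE_RE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

def decode_error_line(text):
    """Parse one OpenSSL error-queue line and unpack its numeric error code."""
    m = LINE_RE.match(text.strip())
    if m is None:
        raise ValueError("not an OpenSSL error-queue line: %r" % text)
    code = int(m.group("code"), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "pid": int(m.group("pid")), "lib": lib, "func": func, "reason": reason,
        "function_name": m.group("func"), "reason_text": m.group("reason"),
        "source": "%s:%s" % (m.group("file"), m.group("line")),
        "peer_alert": alert,
        "peer_alert_name": ALERTS.get(alert, "unknown") if alert is not None else None,
    }

# The two error lines from the s_client output quoted in post #1.
SAMPLE = [
    "52709:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:"
    "/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 40",
    "52709:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:"
    "/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:539:",
]

if __name__ == "__main__":
    for entry in map(decode_error_line, SAMPLE):
        origin = "alert from peer" if entry["peer_alert"] is not None else "local error"
        print(entry["function_name"], entry["reason"], origin, entry["peer_alert_name"])
```

A line whose source path contains a colon (for example a Windows drive letter) will not match this pattern and raises ValueError.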

  2. #2
    ... I am no Expert b0nd
    Join Date: Jul 2010
    Location: #g4h
    Thanks for the time and effort you invested in the issue. Best thing is - you found the solution. Good job buddy!

    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  3. #3
    nice all post...........................
