2016-10-26 4 views
1

Python SSLError, sslv3 alert handshake failure, for wallhaven.cc

Python version: 3.5.2

OS: OS X 10.12

OpenSSL version: OpenSSL 1.1.0b 26 Sep 2016

I'm trying to request "https://alpha.wallhaven.cc":

import urllib.request
init_page=urllib.request.urlopen("https://alpha.wallhaven.cc")

Then I get:

ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:645)

During handling of the above exception, another exception occurred:
...
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:645)>

The following solutions don't work:

import requests.packages.urllib3.util.ssl_
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS='ALL'

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

import requests
print(requests.get("https://alpha.wallhaven.cc",verify=False))

or changing /APNSWrapper/connection.py line 131

ssl_version = self.ssl_module.PROTOCOL_TLSv1,

to

ssl_version = self.ssl_module.PROTOCOL_SSLv3,

So what's the problem? How do I solve it? Thanks.

Answers

0

The following solutions don't work ...
print(requests.get("https://alpha.wallhaven.cc",verify=False))

You should probably avoid verify=False.

Here's how it works from OpenSSL's point of view. Make sure you are doing three things in your Python code:

  • Use TLS 1.0 or above (-tls1 below)
  • Use Server Name Indication (-servername below)
  • Use "AddTrust External CA Root" (-CAfile below)

You can find "AddTrust External CA Root" at Comodo's [Root] AddTrust External CA Root. It is already in PEM format.

Below is OpenSSL's s_client. It completes as expected: Verify return code: 0 (ok).

$ openssl s_client -connect alpha.wallhaven.cc:443 -servername alpha.wallhaven.cc -tls1 -CAfile addtrustexternalcaroot.crt 
CONNECTED(00000005) 
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root 
verify return:1 
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority 
verify return:1 
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2 
verify return:1 
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = sni142395.cloudflaressl.com 
verify return:1 
Server did acknowledge servername extension. 
--- 
Certificate chain 
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni142395.cloudflaressl.com 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2 
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority 
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority 
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 
--- 
Server certificate 
subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni142395.cloudflaressl.com 
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2 
--- 
No client certificate CA names sent 
Server Temp Key: ECDH, P-256, 256 bits 
--- 
SSL handshake has read 4263 bytes and written 263 bytes 
Verification: OK 
--- 
New, SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA 
Server public key is 256 bit 
Secure Renegotiation IS supported 
No ALPN negotiated 
SSL-Session: 
    Protocol : TLSv1 
    Cipher : ECDHE-ECDSA-AES128-SHA 
    Session-ID: B3D3918537F17225CC5CEFAC956D1CA633EBD1AC0F5FF431B27BADCEA8D768BB 
    Session-ID-ctx: 
    Master-Key: 3484745B4C605ED65273BC86C58514EF8DD32B7847D7FA188093BBE9192451218E5FA4F3DF11D6CEEA648AFA6FE65CE6 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
    TLS session ticket lifetime hint: 64800 (seconds) 
    TLS session ticket: 

    Start Time: 1477471636 
    Timeout : 7200 (sec) 
    Verify return code: 0 (ok) 
    Extended master secret: no 

$ openssl version 
OpenSSL 1.1.0b 26 Sep 2016 
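
A Python counterpart to the s_client command above, added here as an example and not part of the original answer. The function names `make_context` and `probe` are hypothetical; the CA file name is the one passed to -CAfile above.

```python
import socket
import ssl


def make_context(cafile=None):
    """Client context with verification left on (the opposite of verify=False)."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True and
    # disables SSLv2/SSLv3, so only TLS 1.0 or above can be negotiated.
    # cafile plays the role of -CAfile; None falls back to the system trust store.
    return ssl.create_default_context(cafile=cafile)


def probe(host, port=443, cafile=None, timeout=10):
    """Handshake with SNI and report what was negotiated."""
    ctx = make_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname sends the SNI extension (-servername) and is also
        # the name the certificate is checked against.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


if __name__ == "__main__":
    # Needs network access and the PEM root saved next to the script.
    print(probe("alpha.wallhaven.cc", cafile="addtrustexternalcaroot.crt"))
```

The returned protocol and cipher can be compared with the Protocol and Cipher lines in the s_client output.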
1

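OpenSSL version: OpenSSL 1.1.0b 26 Sep 2016 ... sslv3 alert handshake failure (_ssl.c:645)>

I doubt that. While you may have OpenSSL 1.1.0b installed on your system, I doubt that this version is actually used by Python. Usually MacOS ships with the old version 0.9.8 of OpenSSL, and this is the version Python uses even if another OpenSSL version is installed somewhere on the system, unless one compiles python to use another openssl. To check which version of OpenSSL is used by Python:

import ssl
print(ssl.OPENSSL_VERSION)

If this shows OpenSSL 1.1.0b... I'm wrong in my assumption. But if it shows 0.9.8, I'm right, with the following argumentation:

  • handshake failure indicates a problem not related to certificate validation.
  • Looking at the SSLLabs report, one can see that the server supports only ECDHE ciphers.
  • ECDHE ciphers are not supported by OpenSSL in version 0.9.8.
  • Therefore there are no shared ciphers between client and server, and the handshake fails.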
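
The argument above as a runnable check, added here as an example and not part of the original answer. The cipher lists are constructed samples following the answer's claims, and the function names are hypothetical.

```python
import ssl

# Constructed sample: suites of the kind a client without ECDHE offers.
LEGACY_CLIENT = ["DHE-RSA-AES256-SHA", "AES256-SHA", "AES128-SHA",
                 "DES-CBC3-SHA", "RC4-SHA"]
# The suite s_client negotiated on this page plus one constructed ECDHE suite.
ECDHE_ONLY_SERVER = ["ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256"]


def linked_openssl():
    """OpenSSL build that this Python interpreter actually uses."""
    return ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO[:3]


def local_ecdhe_ciphers():
    """ECDHE suites the local default client context would offer."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if c["name"].startswith("ECDHE-")]


def shared_ciphers(client, server):
    """Intersection in server order; an empty result means the handshake fails."""
    offered = set(client)
    return [name for name in server if name in offered]


def classify(exc):
    """Separate certificate validation errors from negotiation failures."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate validation"
    text = "{} {}".format(getattr(exc, "reason", "") or "", exc)
    if "HANDSHAKE_FAILURE" in text:
        return "parameter negotiation"
    return "other"


if __name__ == "__main__":
    print(linked_openssl())
    print(len(local_ecdhe_ciphers()), "ECDHE suites available locally")
    print(shared_ciphers(LEGACY_CLIENT, ECDHE_ONLY_SERVER))
```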