-
-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fails on older TLS stacks with OpenSSL 1.1.1pre9 #4775
Comments
For the adobe problem I've opened: openssl/openssl#7126 |
The caniuse problem is: Fyrd/caniuse#4198 It's caused by Debian setting a minimum TLS version of 1.2. They really should add at least TLS 1.2 support. |
For the SNI problem, see: https://wiki.openssl.org/index.php/TLS1.3#Server_Name_Indication You will get that problem for anything hosted by Google. |
So some of those issues are caused by Debian increasing the security level of openssl by default. The proper fix is to get the websites fixed. But it's possible to lower those security settings as a work around. Please don't override the defaults by default. The SNI problem is something you really should fix. I don't know which part doesn't set it. |
Hi, could you provide the workarounds? I have tried to lower the security connection to avoid |
See /usr/share/doc/libssl1.1/NEWS.Debian.gz
|
I've seen that, but I don't want to lower the security for the whole system, just for specific script. I've also tried https://stackoverflow.com/q/38015537/2440346, but change of |
If you want to lower the security setting in an other file than
/etc/ssl/openssl.cfg you need to use DEFAULT@SECLEVEL=1
|
I've tried number of approaches, but none work, see import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context
# Attempt 1:
# requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = '@SECLEVEL=1'
# Attempt 2:
# requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'DEFAULT@SECLEVEL=1'
# Attempt 3:
# requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'ALL'
requests.get('https://www.ceskatelevize.cz/')
# Attempt 4:
# CIPHERS = '@SECLEVEL=1'
# Attempt 5:
# CIPHERS = 'DEFAULT@SECLEVEL=1'
# Attempt 6:
CIPHERS = 'ALL'
class CustomAdapter(HTTPAdapter):
"""
A TransportAdapter that re-enables 3DES support in Requests.
"""
def init_poolmanager(self, *args, **kwargs):
context = create_urllib3_context(ciphers=CIPHERS)
kwargs['ssl_context'] = context
return super(CustomAdapter, self).init_poolmanager(*args, **kwargs)
def proxy_manager_for(self, *args, **kwargs):
context = create_urllib3_context(ciphers=CIPHERS)
kwargs['ssl_context'] = context
return super(CustomAdapter, self).proxy_manager_for(*args, **kwargs)
session = requests.Session()
session.mount('https://www.ceskatelevize.cz', CustomAdapter())
session.get('https://www.ceskatelevize.cz/') |
The following works for me:
|
Thanks! |
@codefather-labs thanks I had the same issue, very odd |
This very much seems like a server-side/OpenSSL config problem instead of anything Requests can "work-around". How OpenSSL is configured on a platform can't be controlled by Requests maintainers. Going to close this as not a defect in Requests. |
The upcoming adoption of OpenSSL 1.1 (or more specifically, 1.1.1) by Linux distributions might cause problems for requests when checking old websites.
This was first reported in the Debian bugtracker as bug #907807, originally against the linkchecker program (and forwarded upstream as linkchecker/linkchecker#188), but it was found that the requests library directly suffers from this problem as well.
This issue will probably block requests from being released with buster, the current "testing" release and upcoming (mid 2019?) stable release unless it is somewhat fixed.That assertion was incorrect: the bug is currently marked with a "normal" severity which is not blocking release.The tested sites were:
All sites load correctly in Firefox 60.1.0 and although I haven't tested that with OpenSSL 1.1.1, I doubt it would be affected as Firefox (and Chromium) have their own TLS library (NSS). Also note that
urllib3
seems to have no problem loading those sites itself:Expected Result
All sites should load correctly, and do load correctly in Debian buster (which still has OpenSSL 1.1.0):
Actual Result
Reproduction Steps
Run a Debian unstable machine to get the latest 1.1.1~~pre9 package. This can be done with Docker with:
If you do not have access to such an environment, the latest OpenSSL code can be found in their project page.
System Information
I am aware that we are one minor version behind upstream in Debian, and this is being worked on. But I have reviewed the requests changelog and there didn't seem to be any change relevant to this. I am therefore going under the assertion that current versions also suffer from the same problem.
Also note that this might be a regression in OpenSSL itself. I am filing this here to see what your opinion is regarding this issue and whether it is something that belongs in requests or the upstream cryptographic library(ies).
The text was updated successfully, but these errors were encountered: