【Question title】: Python SSLError, sslv3 alert handshake failure, for wallhaven.cc
【Posted】: 2016-10-26 08:43:11
【Question description】:

Python version: 3.5.2

Operating system: OS X 10.12

OpenSSL version: OpenSSL 1.1.0b 26 Sep 2016

I am trying to request "https://alpha.wallhaven.cc".

import urllib.request
init_page=urllib.request.urlopen("https://alpha.wallhaven.cc")

Then I get

ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:645)

During handling of the above exception, another exception occurred:
...
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:645)>

The following solutions do not work:

import requests.packages.urllib3.util.ssl_
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS='ALL'

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

import requests
print(requests.get("https://alpha.wallhaven.cc",verify=False))

or changing line 131 of /APNSWrapper/connection.py:

ssl_version = self.ssl_module.PROTOCOL_SSLv3,

to

ssl_version = self.ssl_module.PROTOCOL_TLSv1,

So where is the problem, and how can I solve it? Thanks a lot!

【Question comments】:

    Tags: python ssl pyopenssl


    【Solution 1】:

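    OpenSSL version: OpenSSL 1.1.0b 26 Sep 2016 ... sslv3 alert handshake failure (_ssl.c:645)>

    I don't doubt that you have OpenSSL 1.1.0b installed on your system, but I doubt that this version is actually used by your Python. Usually MacOS has the old version 0.9.8 of OpenSSL installed, and unless one compiles python to use another openssl this version is used, even if other OpenSSL versions are installed somewhere on the system. Check the OpenSSL version used by your Python: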

      import ssl
      print(ssl.OPENSSL_VERSION)
    

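    If this shows OpenSSL 1.1.0b... my assumption is wrong, but if it shows 0.9.8 I'm right with the following argument:

    • handshake failure indicates a problem unrelated to certificate validation.
    • Looking at the SSLLabs report I can see that the server supports only ECDHE ciphers.
    • OpenSSL version 0.9.8 does not support ECDHE ciphers.
    • Therefore there is no shared cipher between client and server, and the handshake fails.

    【Comments】: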

      【Solution 2】:

      The following solutions do not work...
      print(requests.get("https://alpha.wallhaven.cc",verify=False))

      You should avoid the verify=False stuff.

      It works OK from an OpenSSL standpoint. Make sure you do three things in your Python code:

      • Use Server Name Indication (-servername below)
      • Use TLS 1.0 or above (-tls1 below)
      • Use "AddTrust External CA Root" (-CAfile below)

      You can find "AddTrust External CA Root" at Comodo's [Root] AddTrust External CA Root. It is already in PEM format.

      The following is from OpenSSL's s_client. It finishes as expected: Verify return code: 0 (ok)

      $ openssl s_client -connect alpha.wallhaven.cc:443 -servername alpha.wallhaven.cc -tls1 -CAfile addtrustexternalcaroot.crt 
      CONNECTED(00000005)
      depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
      verify return:1
      depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
      verify return:1
      depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
      verify return:1
      depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = sni142395.cloudflaressl.com
      verify return:1
      Server did acknowledge servername extension.
      ---
      Certificate chain
       0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni142395.cloudflaressl.com
         i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
       1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
         i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
       2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
         i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      ---
      Server certificate
      subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni142395.cloudflaressl.com
      issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
      ---
      No client certificate CA names sent
      Server Temp Key: ECDH, P-256, 256 bits
      ---
      SSL handshake has read 4263 bytes and written 263 bytes
      Verification: OK
      ---
      New, SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA
      Server public key is 256 bit
      Secure Renegotiation IS supported
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1
          Cipher    : ECDHE-ECDSA-AES128-SHA
          Session-ID: B3D3918537F17225CC5CEFAC956D1CA633EBD1AC0F5FF431B27BADCEA8D768BB
          Session-ID-ctx: 
          Master-Key: 3484745B4C605ED65273BC86C58514EF8DD32B7847D7FA188093BBE9192451218E5FA4F3DF11D6CEEA648AFA6FE65CE6
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          TLS session ticket lifetime hint: 64800 (seconds)
      
          Start Time: 1477471636
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
          Extended master secret: no
      

      $ openssl version
      OpenSSL 1.1.0b  26 Sep 2016
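
The checks from both answers combined into one script, as an added example that is not code from either answer: it reports which OpenSSL the interpreter is linked against and whether that build offers any ECDHE suites, then connects with SNI while certificate and hostname verification stay on. The function names are illustrative, and `cafile=None` (the system trust store) is an assumed default; pass the path of a PEM root to use a specific CA file instead.

```python
import socket
import ssl

HOST = "alpha.wallhaven.cc"  # host from the question


def local_tls_report():
    """Facts about the OpenSSL build this interpreter is linked against."""
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return {
        "openssl": ssl.OPENSSL_VERSION,  # can differ from `openssl version`
        "has_sni": ssl.HAS_SNI,
        "ecdhe": [n for n in names if n.startswith("ECDHE-")],
    }


def build_context(cafile=None):
    """Verified client context; cafile=None means the system trust store."""
    # create_default_context() already turns on certificate and hostname
    # verification and excludes SSLv2/SSLv3, so nothing is weakened here.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def classify(exc):
    """Map a connection error to the layer that most likely caused it."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate: chain or hostname did not verify"
    if isinstance(exc, ssl.SSLError) and "HANDSHAKE_FAILURE" in str(exc):
        return "negotiation: no shared protocol version or cipher suite"
    if isinstance(exc, ssl.SSLError):
        return "tls: other protocol error"
    return "network: TCP or DNS failure"


def handshake(host, port=443, cafile=None, timeout=10):
    """Connect with SNI and return (protocol, cipher suite) on success."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with build_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    report = local_tls_report()
    print(report["openssl"], "| ECDHE suites offered:", len(report["ecdhe"]))
    try:
        print(handshake(HOST))
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        print(classify(exc))
```

An empty `ecdhe` list in the report is the condition the first answer describes: the client has nothing to offer a server that accepts only ECDHE suites, and no certificate setting changes that.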
      

      【Comments】:
