30

I'm making the following call to branch.io:

import requests
req = requests.get('https://bnc.lt/m/H3XKyKB3Tq', verify=False)

It works fine on my local machine but fails on the server.

SSLError: [Errno 1] _ssl.c:504: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Openssl versions:

local: OpenSSL 0.9.8zg 14 July 2015

server: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Python:

local: 2.7.10 server: 2.7.6

Branch io server connection:

Chrome verified that DigiCert SHA2 Secure Server CA issued this website's certificate. The server did not supply any Certificate Transparency information.

I tried urllib2, but the result was the same. Any help?

Kumar Nitin
  • You need OpenSSL 0.9.8o at least to handle sha256 certificates so your server version is too old. – Barry Pollard Feb 15 '16 at 21:16
  • I tried on OpenSSL 1.0.1e-fips 11 Feb 2013. It's giving me the same error. – Kumar Nitin Feb 16 '16 at 03:00
  • And is your PHP using that version of OpenSSL? See here for details on how to check: http://stackoverflow.com/questions/18752409/updating-openssl-in-python-2-7 – Barry Pollard Feb 16 '16 at 08:06
  • It's using OpenSSL 1.0.0-fips 29 Mar 2010 – Kumar Nitin Feb 17 '16 at 11:54
  • This also can be an SNI issue, as `openssl s_client -connect bnc.lt:443` doesn't work while `openssl s_client -connect bnc.lt:443 -servername bnc.lt` works well. I'd say that both SHA2 signed cert and SNI can cause the issue, but the resolution is the same: update OpenSSL – Jyo de Lys Feb 17 '16 at 15:59
  • You are using 6 year old software to provide your users with a 'secure' connection? Maybe you should not offer ssl at all rather, to not provide a false sense of security. Check http://openssl.org/news/vulnerabilities.html So this is not even a question, just update your software, and the only version to consider is the most recent supported version. – Nappy Feb 22 '16 at 20:38
  • @Nappy I had this issue with OpenSSL 1.0.0-fips 29 Mar 2010 as well. We are already working on updating the certificate across the servers. – Kumar Nitin Feb 23 '16 at 02:47

1 Answer

39

Jyo de Lys has identified the problem. The problem is described here and the solution is here. I did the following to get this working:

  1. easy_install pyOpenSSL
  2. easy_install ndg-httpsclient
  3. easy_install pyasn1

If you're getting this error while using urllib2, you'll need to upgrade to Python 2.7.9 or later too.

Community
Rahul
  • I needed: pip install pyasn1 as well, to remove some "subjectAltName check for SSL peer verification will be disabled" warnings, but otherwise bang on and saved me much headscratching. – Moby Duck Jul 12 '16 at 15:09
  • Thanks, I was missing ndg-httpsclient ! – David Underhill Nov 20 '16 at 03:47
  • In case this doesn't solve the problem, fixing pyOpenSSL to 0.13 does. – Félix Aug 03 '17 at 09:53
  • I had the same problem/error using the request package and Python 2.7.6 (Linux Mint 17.3), I followed this answer and the error vanished. Thank you – Fabiano Tarlao Apr 19 '18 at 19:59
  • @Félix: Can you describe what you mean by "fixing pyOpenSSL to 0.13", including how to do that? Do you mean not allowing 0.13.1? – LarsH Jun 03 '19 at 19:46