Skip to content
Advertisement

How to solve the handshake failure using ssl in python?

I try connect to specific https server:

socketHandler = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socketWraped = ssl.wrap_socket(socketHandler)
socketWraped.connect(('certificatedetails.com', 443))

But the python says:

File "/usr/lib/python3.6/ssl.py", line 1109, in connect
self._real_connect(addr, False)
File "/usr/lib/python3.6/ssl.py", line 1100, in _real_connect
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:852)

I try using TLS1:

socketWraped = ssl.wrap_socket(
    socketHandler,
    ssl_version=ssl.PROTOCOL_TLSv1,
    ciphers='ADH-AES256-SHA'
)

But says:

ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:852)

Have a upgraded ssl in python and operative system:

$ hostnamectl
   Static hostname: machine
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: ...
           Boot ID: ...
  Operating System: Ubuntu 18.04.2 LTS
            Kernel: Linux 4.15.0-51-generic
      Architecture: x86-64
$ openssl version
OpenSSL 1.1.1c  28 May 2019
$ python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.1.1c  28 May 2019

From netcat can connect without problems:

$ ncat --ssl -v certificatedetails.com 443
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: SSL connection to 104.28.6.163:443.
Ncat: SHA-1 fingerprint: 75B3 C6AD 7A72 62B5 7104 0632 0585 A82A F542 641B

What is the problem and how to solve this?

Advertisement

Answer

From the documentation:

Since Python 3.2 and 2.7.9, it is recommended to use the SSLContext.wrap_socket() of an SSLContext instance to wrap sockets as SSLSocket objects. The helper functions create_default_context() returns a new context with secure default settings. The old wrap_socket() function is deprecated since it is both inefficient and has no support for server name indication (SNI) and hostname matching.

When I use SSLContext.wrap_socket() instead of the deprecated wrap_socket(), it works:

socketHandler = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socketWraped = ssl.create_default_context().wrap_socket(socketHandler, server_hostname='certificatedetails.com')
socketWraped.connect(('certificatedetails.com', 443))
Advertisement