I'm writing an application in Google App Engine, and I'm trying to send HTTPS requests (GET / POST) from GAE to a private server.
Is there any method to achieve a request with:
- sending request with client certificate/key;
- verify server certificate;
AND using SNI support?
I'v tried to use:
urllib2 -> but it can't verifies server CA;
urlfetch -> it only verifies server CA;
urllib3 -> i'm getting
"_ssl.c:529: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed", caused by missing SNI support;
lib requests -> same of urllib3.
I'v also tried for SNI to put libraries on Google App Engine as indicated in using requests with TLS doesn't give SNI support
pyOpenSSL
ndg-httpsclient
pyasn1
But pyOpenSSL has C dependencies, so there is no way to use it, and it's not supported as third party library.
TL;DR: sending request from GAE to private server in SSL with client cert, verify server CA and SNI support seems to be impossible.
I think the matter is:
python version in GAE, that is 2.7.5 and not 2.7.9 (with backported SNI compatibilty).
maybe also SSL version included in GAE is not supporting SNI ( ssl has not HAS_SNI attr)
How can I do that?
Related
I'd like to modify the Extensions that I send in the client Hello packet with python.
I've had a read of most of the source code found on GitHub for urllib3 but I still don't know how it determines which TLS extensions to use.
I am aware that it will be quite low level and the creators of urllib3 may just import another package to do this for them. If this is the case, which package do they use?
If not, how is this determined?
Thanks in advance for any assistance.
The HTTPS support in urllib3 uses the ssl package which uses the openssl C-library. ssl does not provide any way to directly fiddle with the TLS extension except for setting the hostname in the TLS handshake (i.e. server_name extension aka SNI).
I am checking the http protcol in use for this site http://www.dlf.in/
Chrome developer tools shows it to be http/1.1 as in the image below.
However the command line tool is-http2 or alpn in python as seems to indicate the http/1.1 is not available. And only http1 is available. What's going on here?
I am doing the ALPN negotiation in python as follows (openssl version : OpenSSL 1.0.2h and python version 3.5.1)
import ssl
import socket
port = 443
domain = 'www.dlf.in'
ctx = ssl.create_default_context()
ctx.set_alpn_protocols(['h2', 'spdy/3.1', 'spdy/3', 'spdy/2', 'http/1.1'])
conn = ctx.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM),
server_hostname=domain)
conn.connect((domain, port))
print(conn.selected_alpn_protocol())
That site doesn't have HTTPS on it. Browsers only support HTTP/2 over HTTPS despite the spec allowing it over HTTP in theory.
Using telnet and HTTPie to send HTTP requests (both 1.0 and 1.1), the web server responds with:
HTTP/1.1 200 OK
I tried it with 2.0 and got:
HTTP/1.1 505 HTTP Version Not Supported
This site doesn't support SSL (I tried using using curl https://www.dlf.in and got the HTTP 504 response)
Curl is a command line browser that also implements HTTP/2 in clear (non SSL) and it has the upgrade mechanism (using the --http2 flag). Using that flag I saw that the website doesn't support clear HTTP/2. (There is an option to connect directly with HTTP/2 in clear, without the upgrade mechanism, using --http2-prior-knowledge, but it doesn't work either).
Using Python 3.4 and requests 2.11.1 package to get 'https://www.nfm.com' website, requests throws an SSLError [SSL: UNKNOWN_PROTOCOL]. I'm able to get a valid response from other https sites such as pythonanywhere.com and amazon.com. The error is only encountered trying to requests.get('https://www.nfm.com') or requests.get('https://www.nfm.com', verify=False).
I checked NFM's certificate in Chrome and it's a valid thawte SHA256 SSL CA. Is this a problem with NFM or is there something I need to configure on my end to get a response object from this website?
According to SSLLabs the server supports only TLS 1.1 and higher. My guess is that you have an older OpenSSL version which is not able to speak this version. Support for TLS 1.1 and TLS 1.2 was added with OpenSSL 1.0.1 years ago but for example Apple ships only the very old version 0.9.8 on Mac OS X which only supports at most TLS 1.0 (which the server does not support).
I'm running an older version of python (2.6) and tornado (2.3). In my program I have an instance of HTTPClient running fetch() requesting an https url on facebook. However, it's trying to make the request over SSLv3. Since Facebook disabled SSLv3 when POODLE happened, the request is throwing a handshake failure.
I can't figure out where to change the protocol, if I even can. Is there any way I can change it to use TLS with these older versions? This is a legacy application that I was just given to fix asap, so I'm not sure of the implication of updating any of the libraries.
Heres the error I'm receiving:
SSL Error on 16: [Errno 1] _ssl.c:492: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Thanks!
In the end, I ended up upgrading tornado to version 3.2 since there was a change made to simple_httpclient that changed it's protocol from sslv3 to tlsv1, as stated here http://tornado.readthedocs.org/en/latest/releases/v3.2.0.html#tornado-simple-httpclient
I'm attempting to use requests to access a remote server over SSL. Unfortunately it's misconfigured such that it responds with the error TLSV1_UNRECOGNIZED_NAME during the SNI handshake, which is ignored by browsers but raises an exception in requests.
This appears to be the same issue as this question, but in Python rather than Java: SSL handshake alert: unrecognized_name error since upgrade to Java 1.7.0`
The connection works perfectly in Python 2, which doesn't support SNI. How can I disable SNI in Python 3 so that the connection works?
I couldn't find a way to disable SNI on the requests level, but I found a hack that will trick it into thinking SNI isn't supported. Add this code before importing requests (not after, or it will be too late):
import ssl
ssl.HAS_SNI = False