SSLV3_ALERT_HANDSHAKE_FAILURE in Python 3.5, works in Python 2.7

[ghtyrant]

I'm running the following code:

import requests
import ssl
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.poolmanager import PoolManager

class SSLAdapter(HTTPAdapter):
    '''An HTTPS Transport Adapter that uses an arbitrary SSL version.'''
    def __init__(self, ssl_version=None, **kwargs):
        self.ssl_version = ssl_version

        super(SSLAdapter, self).__init__(**kwargs)

    def init_poolmanager(self, connections, maxsize, block=False):
        self.poolmanager = PoolManager(num_pools=connections,
                                       maxsize=maxsize,
                                       block=block,
                                       ssl_version=self.ssl_version)

s = requests.Session()
s.mount('https://', SSLAdapter(ssl.PROTOCOL_TLSv1_2))

print(ssl.OPENSSL_VERSION)

r = s.get('https://bibliothek.weltenbau.net/api/profile/265854176393691138')
print(r.status_code)

Using Python 3.5.3, I get the following errors:

OpenSSL 1.1.0f  25 May 2017
Traceback (most recent call last):
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/urllib3/connectionpool.py", line 849, in _validate_conn
    conn.connect()
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/urllib3/connection.py", line 356, in connect
    ssl_context=context)
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/urllib3/util/ssl_.py", line 359, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.5/ssl.py", line 385, in wrap_socket
    _context=self)
  File "/usr/lib/python3.5/ssl.py", line 760, in __init__
    self.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 996, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 641, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/requests/adapters.py", line 445, in send
    timeout=timeout
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='bibliothek.weltenbau.net', port=443): Max retries exceeded with url: /api/profile/265854176393691138 (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "test.py", line 24, in <module>
    r = s.get('https://bibliothek.weltenbau.net/api/profile/265854176393691138')
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/requests/sessions.py", line 525, in get
    return self.request('GET', url, **kwargs)
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/opt/weltenbau-bot/.venv/lib/python3.5/site-packages/requests/adapters.py", line 511, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='bibliothek.weltenbau.net', port=443): Max retries exceeded with url: /api/profile/265854176393691138 (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)'),))

Using Python 2.7.13 everything works as expected:

OpenSSL 1.1.0f  25 May 2017
200

System Information

Python 3.5.3

requests.help

{
  "chardet": {
    "version": "3.0.4"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "2.7"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.5.3"
  },
  "platform": {
    "release": "4.9.0-6-amd64",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.19.1"
  },
  "system_ssl": {
    "version": "1010006f"
  },
  "urllib3": {
    "version": "1.23"
  },
  "using_pyopenssl": false
}

pip freeze

certifi==2018.4.16
chardet==3.0.4
idna==2.7
requests==2.19.1
urllib3==1.23

Python 2.7.13:

requests.help

{
  "chardet": {
    "version": "3.0.4"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "2.7"
  },
  "implementation": {
    "name": "CPython",
    "version": "2.7.13"
  },
  "platform": {
    "release": "4.9.0-6-amd64",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.19.1"
  },
  "system_ssl": {
    "version": "1010006f"
  },
  "urllib3": {
    "version": "1.23"
  },
  "using_pyopenssl": false
}

pip freeze

certifi==2018.4.16
chardet==3.0.4
idna==2.7
requests==2.19.1
urllib3==1.23

Possible solution

Installing pyOpenSSL in the Python3 venv seems to fix this issue.

[nateprewitt]

Hi @ghtyrant,

It looks like there is some variance in your SSL setup between each python install. The 3.5 interpreter is unable to negotiate an acceptable protocol with the server. The fact that installing PyOpenSSL solves this suggests that there is something wrong with your 3.5 SSL setup.

I unfortunately haven't been able to reproduce this locally between installations of 2.7.13 and 3.5.3 either. I believe there were some issues originally with OpenSSL 1.1 and Python not building together nicely due to API/struct changes.

The only advice I can offer at the moment is to look at either reinstalling 3.5.3 against your system OpenSSL, or upgrading to 3.5.6. I'm not sure I see a clear link to a defect in Requests and the behaviour being observed. I'm going to close this for now but If you find further information, please feel free to reopen. Thanks!

[ianare]

Came across this when having the same problem when installing OpenSSL 1.1.1b from packages.sury.org on Debian 9. This was the easiest way to get the latest version of nginx and TLS 1.3.

However apparently it does not play very well with the default Python install (3.5.3) and was causing this error in the Django app. Installing pyOpenSSL fixes the problem.

Guess we'll have to wait for Debian 10 to get TLS 1.3 and Python working together properly ;-)

[medoedoff]

hey did you find a solution?

[Tectract]

This issue from ws4py websocket implementation of TLS SNI might be relevant. Seems you need to have an ssl.py that supports SNI and ALSO ssl.wrap_socket call is deprecated and needs to be updated to ssl.SSLSocket(self.sock, **self.ssl_options), with 'server_hostname' specified (as the full hostname) in the self.ssl_options dictionary, to get a good SNI-enabled handshake.