I want to choose the Transport Layer Security protocol in urllib2

Question

I want to choose the transport layer protocol used for opening https links using urllib2.urlopen() in Python 2.7

Similar to what we can do using openssl utility:

openssl s_client -connect www.google.com:443 -ssl2
openssl s_client -connect www.google.com:443 -ssl3
openssl s_client -connect www.google.com:443 -tls1

The motive is to not use ssl2 protocol that leads to handshake problems in most of the servers. urllib2 seems to use SSLv23 protocol that uses SSLv2 or SSLv3 with some kind of fall of mechanism. There are cases where this leads to handshake issues

In C with OpenSSL, we usually use TLS 1.0 and above (for those who pay attention to these sorts of things). To get the old handshake with the newer protocols, use the `SSLv23_method` and then set the two context options `SSL_OP_NO_SSLv2` and `SSL_OP_NO_SSLv3`. Not sure how to do it in Python, though. Also, there's usually no need for fallback. If you have to fallback, you dealing with an ancient or broken server (both are rare now a days). If that's the case, just fail and move on... — jww, Mar 26 '14 at 10:40

score 10 · Accepted Answer · edited May 23 '17 at 11:51

10

Update: Since Python 2.7.9 you could pass SSLContext that specifies TLS protocol to urlopen() function:

import ssl
import urllib2

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
# other settings (see ssl.create_default_context() implementation)
urllib2.urlopen('https://example.com', context=context).close()

^{old answer:}

httplib.HTTPSConnection and urllib2.HTTPSHandler do not allow to change ssl version but ssl.wrap_socket() does.

You could define your own HTTPSHandler that would allow you to pass arbitrary arguments to ssl.wrap_socket() e.g., urllib2_ssl.py:

>>> import ssl
>>> import urllib2
>>> import urllib2_ssl # https://gist.github.com/zed/1347055
>>> opener = urllib2.build_opener(urllib2_ssl.HTTPSHandler(
...     ssl_version=ssl.PROTOCOL_TLSv1, #XXX you need to modify urllib2_ssl
...     ca_certs='cacert.pem')) # http://curl.haxx.se/ca/cacert.pem.bz2
>>> opener.open('https://example.com/').read()

edited May 23 '17 at 11:51

Community

1
1

answered Mar 28 '14 at 18:21

jfs

399,953
195
994
1,670

Thanks Sebastian. This is very useful. – attaboyabhipro Mar 31 '14 at 03:54
1

This answer was just awesome, including the link to the example script. – Alfabravo Nov 06 '14 at 21:35
1

@Alfabravo: note: it might be better in the new Python 2.7.9 (unreleased yet) due to the backport of the code that is required to implement [PEP 476: Enabling certificate verification by default for stdlib http clients](http://legacy.python.org/dev/peps/pep-0476/), see https://bugs.python.org/issue22417 – jfs Dec 01 '14 at 16:59
I am stuck with 2.7.5, so the old answer is still what I needed. Thanks for this – MiMo Oct 27 '15 at 20:54
This gives me ``. – James Hirschorn Aug 30 '20 at 18:22

I want to choose the Transport Layer Security protocol in urllib2

1 Answers1