I'm trying to connect to a site which uses TLS 1.2 using the requests package in Python 3.5. In Chrome I get the warning that the certificate chain for the website contains at least one certificate that was signed by using SHA-1.

I get the following error:

Traceback (most recent call last):
  File "<ipython-input-51-e43bc1030cea>", line 1, in <module>
    f = s.get(url)
  File "C:\Anaconda3\lib\site-packages\requests\sessions.py", line 480, in get
    return self.request('GET', url, **kwargs)
  File "C:\Anaconda3\lib\site-packages\requests\sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Anaconda3\lib\site-packages\requests\sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "C:\Anaconda3\lib\site-packages\requests\adapters.py", line 433, in send
    raise SSLError(e, request=request)
SSLError: EOF occurred in violation of protocol (_ssl.c:646)

Requests version is 2.8.1 and Python version is Python 3.5.0 :: Anaconda 2.4.0 (64-bit)

Does anyone know how to fix this issue or has come across something similar? I have tried connecting to the site by forcing the TLS version after this blog from one of the contributors to the Requests package, but I still get the same error. Upgrading certs on the site is not an option now.

datarup

1 Answer

This is probably not a problem of the certificate since Python does not enforce SHA-256. The close from the server indicates that the server did not like something the client has sent, which is usually either the TLS protocol version or the set of ciphers offered by the client. A common problem is no cipher overlap because the server only wants to have insecure ciphers like RC4-SHA and the client does not offer these ciphers (RC4-SHA is disabled by default in current versions of requests). Try the tips found in Why does Python requests ignore the verify parameter?.

Steffen Ullrich
  • Thanks for the suggestion. I tried that solution and I still get the same error. Curl is working fine though. And I verified that the site indeed has `SSL connection using TLS_RSA_WITH_RC4_128_SHA` – datarup Nov 12 '15 at 18:35
  • @datarup: debugging SSL problems is hard because one usually does not get much information apart from that the other side closed the connection. But if it works with curl one might try to make a packet capture and compare the SSL handshake from both the successful and the failed connection. Or if the site is public you can post the URL so that one can help you to figure out what's going on. – Steffen Ullrich Nov 12 '15 at 18:59
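
The "no cipher overlap" condition described in the answer can be checked offline before reaching for a packet capture. The following is an added example, not code from the question, the answer or the Requests project: it compares the suite curl reported in the comment with what a Python client context would offer. It assumes Python 3.6+ (for `SSLContext.get_ciphers()`) and inspects the standard library's default context, which may differ from the cipher list a given requests/urllib3 version configures; `openssl_name`, `offered_ciphers` and `diagnose` are hypothetical helper names.

```python
import ssl

# IANA suite name (as printed by curl in the thread) -> OpenSSL cipher-string name.
# Only the suite named on this page is mapped; other names pass through unchanged.
IANA_TO_OPENSSL = {"TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA"}


def openssl_name(name):
    return IANA_TO_OPENSSL.get(name, name)


def offered_ciphers(cipher_string=None):
    """Names of the cipher suites a client context would put in its ClientHello.

    cipher_string=None keeps the defaults of ssl.create_default_context().
    Returns an empty set when the local OpenSSL build has none of the
    requested suites (set_ciphers raises ssl.SSLError in that case).
    """
    ctx = ssl.create_default_context()
    if cipher_string is not None:
        try:
            ctx.set_ciphers(cipher_string)
        except ssl.SSLError:
            return set()
    return {c["name"] for c in ctx.get_ciphers()}  # get_ciphers: Python 3.6+


def diagnose(server_suites, cipher_string=None):
    """Compare the suites a server accepts with the suites this client offers."""
    wanted = {openssl_name(s) for s in server_suites}
    offered = offered_ciphers(cipher_string)
    shared = sorted(wanted & offered)
    return {
        "shared": shared,                      # suites both sides support
        "missing": sorted(wanted - offered),   # server suites the client lacks
        "cipher_overlap": bool(shared),        # necessary, not sufficient
    }


if __name__ == "__main__":
    # Constructed input: the single suite curl negotiated, per the comment above.
    server = ["TLS_RSA_WITH_RC4_128_SHA"]
    print(ssl.OPENSSL_VERSION)
    print("default client:", diagnose(server))
    print("RC4 requested: ", diagnose(server, "RC4-SHA"))
```

If the second call also reports no overlap, the local OpenSSL build has RC4 compiled out, so no client-side cipher setting in Python can reach that server and the fix has to happen on the server.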