35

I'm making the following call to branch.io

```python
import requests
req = requests.get('https://bnc.lt/m/H3XKyKB3Tq', verify=False)
```

It works fine on my local machine but fails on the server.

SSLError: [Errno 1] _ssl.c:504: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

OpenSSL versions:

local: OpenSSL 0.9.8zg 14 July 2015

server: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Python:

local: 2.7.10 server: 2.7.6

Branch io server connection:

Chrome verified that DigiCert SHA2 Secure Server CA issued this website's certificate. The server did not supply any Certificate Transparency information.

I tried urllib2, but the result was the same. Any help?

Kumar Nitin
  • You need OpenSSL 0.9.8o at least to handle sha256 certificates so your server version is too old. – Barry Pollard Feb 15 '16 at 21:16
  • I tried on OpenSSL 1.0.1e-fips 11 Feb 2013. It's giving me the same error. – Kumar Nitin Feb 16 '16 at 03:00
  • And is your PHP using that version of OpenSSL? See here for details on how to check: http://stackoverflow.com/questions/18752409/updating-openssl-in-python-2-7 – Barry Pollard Feb 16 '16 at 08:06
  • It's using OpenSSL 1.0.0-fips 29 Mar 2010 – Kumar Nitin Feb 17 '16 at 11:54
  • This also can be an SNI issue, as `openssl s_client -connect bnc.lt:443` doesn't work while `openssl s_client -connect bnc.lt:443 -servername bnc.lt` works well. I'd say that both SHA2 signed cert and SNI can cause the issue, but the resolution is the same: update OpenSSL – Jyo de Lys Feb 17 '16 at 15:59
  • You are using 6 year old software to provide your users with a 'secure' connection? Maybe you should not offer ssl at all rather, to not provide a false sense of security. Check http://openssl.org/news/vulnerabilities.html So this is not even a question, just update your software, and the only version to consider is the most recent supported version. – Nappy Feb 22 '16 at 20:38
  • @Nappy I had this issue with OpenSSL 1.0.0-fips 29 Mar 2010 as well. We are already working on updating the certificate across the servers. – Kumar Nitin Feb 23 '16 at 02:47

2 Answers

41

Jyo de Lys has identified the problem. The problem is described here and the solution is here. I did the following to get this working:

  1. easy_install pyOpenSSL
  2. easy_install ndg-httpsclient
  3. easy_install pyasn1

If you're getting this error while using urllib2, you'll need to upgrade to Python 2.7.9 or later too.

Community
Rahul
0

For those who are working on Python 3.9 and are facing the issue "[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]" while getting a certificate or fetching the expiry date for a particular URL:

You have to follow these steps in order to get a valid response from the URL:

  1. Install OpenSSL on Windows.
  2. Now copy the folder path where OpenSSL was installed on the C drive.

Use the code below.

`servers` is a list of URLs and `ports` is a list of all ports, in my case.

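```python
from subprocess import Popen, PIPE, DEVNULL, check_output

OPENSSL = "C:\\Program Files\\OpenSSL-Win64\\bin\\openssl.exe"
servers = ["bnc.lt"]  # sample value; replace with your own hosts
ports = [443]         # sample value; one port per host

for s, port in zip(servers, ports):
    try:
        print("querying {}".format(s))
        # -servername sends SNI; stdin=DEVNULL lets s_client exit instead of waiting for input
        with Popen([OPENSSL, "s_client", "-connect", "{}:{}".format(s, port),
                    "-servername", s, "-showcerts"], stdout=PIPE, stdin=DEVNULL, shell=False) as q:
            # x509 reads the first (leaf) certificate and prints notBefore/notAfter
            y = check_output([OPENSSL, "x509", "-noout", "-dates"], stdin=q.stdout)
        print(y.decode("utf-8"))
    except Exception as e:
        print(e)
```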
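
A diagnostic for the two causes raised in the comments (an OpenSSL too old for SHA-256 certificates, and missing SNI), added here as an example and not part of either answer. It inspects the OpenSSL that the Python interpreter is linked against, which can differ from the `openssl` binary on the PATH; the `0.9.8o` minimum is taken from the comment thread, and the function names are this example's own.

```python
import re
import ssl

# Minimum for sha256 certificates as stated in the comment thread (assumption of this example).
MIN_SHA256 = "0.9.8o"

# Version strings quoted in the question and comments above.
PAGE_VERSIONS = [
    "OpenSSL 0.9.8zg 14 July 2015",
    "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.0-fips 29 Mar 2010",
]

def parse_openssl_version(text):
    """Turn 'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' into a sortable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letters = m.groups()
    # Patch letters run a..z, then za, zb, ...; comparing length first keeps 'zg' above 'o'.
    return (int(major), int(minor), int(fix), len(letters), letters)

def meets_minimum(version_text, minimum=MIN_SHA256):
    """True if version_text is at least the given minimum release."""
    return parse_openssl_version(version_text) >= parse_openssl_version(minimum)

def runtime_report():
    """Describe the TLS library this interpreter actually uses."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "sha256_ok": meets_minimum(ssl.OPENSSL_VERSION),
        # HAS_SNI is absent on Python builds older than 2.7.9, where SNI is not sent.
        "sni": getattr(ssl, "HAS_SNI", False),
    }

if __name__ == "__main__":
    for v in PAGE_VERSIONS:
        print("%-42s sha256_ok=%s" % (v, meets_minimum(v)))
    print(runtime_report())
```

A version that passes the minimum can still fail the handshake when `sni` is false, which matches the `-servername` observation in the comments.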