0

I am using python 2.7.6 on ubuntu

I am getting this error when I use urlfetch (1.0.2) to post data to a remote server. It starts 2 days ago after the ssl certificate of the server was updated.

Similar problems have been reported to another python package request. The solution is to update some dependencies by running 

pip install --force-reinstall requests[security]

but I only got this

Requirement already satisfied: requests[security] in /usr/lib/python2.7/dist-packages
  requests 2.2.1 does not provide the extra 'security'

Nothing seems to be downloaded and installed.

Some post suggests it is related to cipher (https://github.com/kennethreitz/requests/issues/3608#issuecomment-250681069)

openssl s_client -connect www.example.com:443 
CONNECTED(00000003)
140353237063328:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Does it look normal ? Is there anything I can do to fix it?

The target server is living on Google App Engine. The new SSL cert does not support vip.

Ubuntu version info:

NAME="Ubuntu"
VERSION="14.04.2 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.2 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
Anthony Kong
  • 37,791
  • 46
  • 172
  • 304

2 Answers2

2

My first choice was to use this answer to resolve the issue by monkey-patching ssl.py.

import ssl
from functools import wraps
def sslwrap(func):
    @wraps(func)
    def bar(*args, **kw):
        kw['ssl_version'] = ssl.PROTOCOL_TLSv1
        return func(*args, **kw)
    return bar

ssl.wrap_socket = sslwrap(ssl.wrap_socket)

However it did not work.

At the end I find that I can resolve it by upgrading python to 2.7.13 from source. Here are the steps:

1) Install python dev dependency

sudo apt-get install -y \
autotools-dev      \
blt-dev            \
bzip2              \
dpkg-dev           \
g++-multilib       \
gcc-multilib       \
libbluetooth-dev   \
libbz2-dev         \
libexpat1-dev      \
libffi-dev         \
libffi6            \
libffi6-dbg        \
libgdbm-dev        \
libgpm2            \
libncursesw5-dev   \
libreadline-dev    \
libsqlite3-dev     \
libssl-dev         \
libtinfo-dev       \
mime-support       \
net-tools          \
netbase            \
python-crypto      \
python-mox3        \
python-pil         \
python-ply         \
quilt              \
tk-dev             \
zlib1g-dev

2) Download source code

wget https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tgz

3) Unpack

tar xfz Python-2.7.13.tgz

4) configure

cd Python-2.7.13/
./configure --prefix /usr/local/lib/python2.7.13 --enable-ipv6

5) build

make

6) deploy

sudo make install

7) Install pip and urlfetch and other dependencies

Community
  • 1
  • 1
Anthony Kong
  • 37,791
  • 46
  • 172
  • 304
2

This error occurs on older versions of Python, which don't support the TLS SNI (Server Name Indication) extension. You need to use SNI to connect to sites hosted on App Engine with HTTPS. It looks like SNI support is present in Python 2.7.9 and later.

If you're making requests from an App Engine app written in Python and need SNI support, you need to reference version 2.7.11 of the ssl library in your app.yaml file or you'll run into this same issue.

Phillip Pearson
  • 138
  • 6