-2

How can I get requests to support the follow ciphers, some or any?

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA

I know this isn't best practices, but the device I am connecting to only supports the above.

Max retries exceeded with url: /jaws/monitor/units (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)')))

baduker
  • 19,152
  • 9
  • 33
  • 56
Craig Smith
  • 17
  • Please read [ask] and provide a [mre]. – baduker Jun 11 '23 at 21:38
  • @baduker If he were to create a minimum reproducible example, he would have to list the specific server he is attempting to connect to (which I can only assume is something OP wouldn't like to share), or find another one that only supports the same ciphers – MartinNajemi Jun 11 '23 at 21:45

2 Answers2

0

You should be able to configure which ciphers requests uses, I haven't tested this as your issue isn't reproducible without more information.

Try checking this answer to a related question: https://stackoverflow.com/a/46186957/13081815

MartinNajemi
  • 514
  • 3
  • 18
0

You will need to create an HTTPAdapter, like what is shown in the related question: https://stackoverflow.com/a/46186957/13081815. You will also need to get the correct ciphers, which can be found at https://www.openssl.org/docs/man1.1.1/man1/ciphers.html.

This is an example using the ciphers you described.

from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context

CIPHERS = 'AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA'


class RsaAesShaAdapter(HTTPAdapter):
    """
    A TransportAdapter that re-enables RSA AES SHA support in Requests.
    """
    def init_poolmanager(self, *args, **kwargs):
        context = create_urllib3_context(ciphers=CIPHERS)
        kwargs['ssl_context'] = context
        return super(RsaAesShaAdapter, self).init_poolmanager(*args, **kwargs)

    def proxy_manager_for(self, *args, **kwargs):
        context = create_urllib3_context(ciphers=CIPHERS)
        kwargs['ssl_context'] = context
        return super(RsaAesShaAdapter, self).proxy_manager_for(*args, **kwargs)

s = requests.Session()
s.mount('https://some-host.com', RsaAesShaAdapter())
r = s.get('https://some-host.com/some-path')

If you happen to be using requests_pkcs12 you will need to subclass the Pkcs12Adapter.

from requests_pkcs12 import Pkcs12Adapter
import requests

CIPHERS = 'AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA'

class Pkcs12RsaAesShaAdapter(Pkcs12Adapter):
    def __init__(self, *args, **kwargs):
        super(Pkcs12RsaAesShaAdapter, self).__init__(*args, **kwargs)
        self.ssl_context.set_ciphers(CIPHERS)

s = requests.Session()
s.mount('https://some-host.com', Pkcs12RsaAesShaAdapter(pkcs12_filename='some_file', pkcs12_password='some password'))
r = s.get('https://some-host.com/some-path')
theisencouple
  • 1
  • 1