Skip to content Skip to sidebar Skip to footer
Home / Python / Ssl

Python Ssl Ssl.sslerror: [ssl: Unsupported_protocol] Unsupported Protocol (_ssl.c:590)

Post a Comment
I get this error when using python 2.7.10 or 2.7.9 but works with python 2.7.6 (haven't tested other versions) OpenSLL version: openssl version -a OpenSSL 1.0.1f 6 Jan 2014 built o

Solution 1:

If you run your requests in debian-based OS or docker image you need to change your SSL config. Debian by default works with SSL v1.2 + at the moment.

You can edit openssl.cnf manually if you want but there's a quicker solution:

sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1.0/' /etc/ssl/openssl.cnf

It helped in my case, requests to URLs with old SSL now return nice 200 response.

Solution 2:

Apparently python 2.7.6 used this cipher suite:

DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2

and now it uses:

# Disable weak or insecure ciphers by default# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')# Enable a better set of ciphers by default# This list has been explicitly chosen to:#   * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)#   * Prefer ECDHE over DHE for better performance#   * Prefer any AES-GCM over any AES-CBC for better performance and security#   * Then Use HIGH cipher suites as a fallback#   * Then Use 3DES as fallback which is secure but slow#   * Disable NULL authentication, NULL encryption, and MD5 MACs for security#     reasons
_DEFAULT_CIPHERS = (
    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:''DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:''!eNULL:!MD5'
)

I had to build the following code that informs me in case an old cipher suite was used. I could do this because I'm interested in retrieving the certificate

from socket import socket
from ssl import SSLContext
from ssl import PROTOCOL_SSLv23
from ssl import DER_cert_to_PEM_cert

WEAK_CTX = SSLContext(PROTOCOL_SSLv23)
WEAK_CTX.set_ciphers('ALL:!aNULL:!eNULL')

NORMAL_CTX = SSLContext(PROTOCOL_SSLv23)
NORMAL_CTX.set_ciphers(
    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:''DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:''!eNULL:!MD5'
)

defgetCertificate(addr):
    sock = socket()
    sock.connect(addr)
    isWeakCipher = Falsetry:
        sslobj = NORMAL_CTX._wrap_socket(sock._sock, server_side=False)
        sslobj.do_handshake()
    except Exception as ex:
        ifhasattr(ex, 'reason') and ex.reason == 'SSLV3_ALERT_HANDSHAKE_FAILURE':
            sock.close()
            sock = socket()
            sock.connect(addr)
            sslobj = WEAK_CTX._wrap_socket(sock._sock, server_side=False)
            sslobj.do_handshake()
            isWeakCipher = Trueelse:
            raise
    cipher = sslobj.cipher()

    cert = sslobj.peer_certificate(True)
    sock.close()
    return isWeakCipher, cipher, cert

Solution 3:

Probably your server is exposing an old, insecure version of the TLS protocol, which modern OpenSSLs are configured not to allow.

https://stackoverflow.com/a/53065682/6214034 might help.

Solution 4:

This is how I solved it using python 3.8 on Ubuntu 20.04.

import ssl
import socket

defget_ssl_data(self, host, port=443):
    context = ssl.create_default_context()
    context.set_ciphers('ALL:@SECLEVEL=1') # this magic line allows us to connect with anything under the sun!!! It took me 3 hours to find it.with socket.socket(socket.AF_INET) as sock:
        with context.wrap_socket( sock, server_hostname=host ) as conn:
            conn.settimeout(3.0)
            conn.connect((host, port))
            ssl_info = conn.getpeercert()
            # print(json.dumps(ssl_info, indent=2, sort_keys=True))return ssl_info

You may like these posts

Post a Comment for "Python Ssl Ssl.sslerror: [ssl: Unsupported_protocol] Unsupported Protocol (_ssl.c:590)"