On Thu, 6 Nov 2014, Rusty wrote:
> On 11/05/14 20:04, Joel Sing wrote:
> > On Thu, 6 Nov 2014, Ted Unangst wrote:
> >> I see errors trying to download some https URLs using python, but the
> >> base ftp client isn't affected. 5.6 release and current. One example is
> >> https://www.duosecurity.com/feed.
> >>
> >> athens:/tmp> python2.7
> >> Python 2.7.8 (default, Oct  6 2014, 13:51:42)
> >> [GCC 4.2.1 20070719 ] on openbsd5
> >> Type "help", "copyright", "credits" or "license" for more information.
> >>
> >>>>> import urllib
> >>>>> urllib.urlopen('https://www.duosecurity.com/feed')
> >>
> >> Traceback (most recent call last):
> >>    File "<stdin>", line 1, in <module>
> >>    File "/usr/local/lib/python2.7/urllib.py", line 87, in urlopen
> >>      return opener.open(url)
> >>    File "/usr/local/lib/python2.7/urllib.py", line 208, in open
> >>      return getattr(self, name)(url)
> >>    File "/usr/local/lib/python2.7/urllib.py", line 437, in open_https
> >>      h.endheaders(data)
> >>    File "/usr/local/lib/python2.7/httplib.py", line 991, in endheaders
> >>      self._send_output(message_body)
> >>    File "/usr/local/lib/python2.7/httplib.py", line 844, in _send_output
> >>      self.send(msg)
> >>    File "/usr/local/lib/python2.7/httplib.py", line 806, in send
> >>      self.connect()
> >>    File "/usr/local/lib/python2.7/httplib.py", line 1198, in connect
> >>      self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
> >>    File "/usr/local/lib/python2.7/ssl.py", line 392, in wrap_socket
> >>      ciphers=ciphers)
> >>    File "/usr/local/lib/python2.7/ssl.py", line 148, in __init__
> >>      self.do_handshake()
> >>    File "/usr/local/lib/python2.7/ssl.py", line 310, in do_handshake
> >>      self._sslobj.do_handshake()
> >> IOError: [Errno socket error] [Errno 1] _ssl.c:510: error:14077410:SSL
> >> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> >
> > The server requires SNI, which libtls/ftp(1) does. If you make s_client
> > do SNI it works:
> >
> > $ openssl s_client -connect www.duosecurity.com:443 \
> >    -servername www.duosecurity.com
> >
> > So you'd need to make Python handle SNI if you want to talk to it... FWIW
> > the site is hosted on Amazon Cloudfront, so you'll probably see the same
> > with any other site that uses it.
> >
> >> athens:/tmp> ftp https://www.duosecurity.com/feed
> >> Trying 54.192.22.134...
> >> Requesting https://www.duosecurity.com/feed
> >> 118278 bytes received in 0.17 seconds (673.14 KB/s)
>
> hmm. not documented at all.
> I am not sure if this actually explains anything but it throws a few
> names and acronyms around that can be used for further information.

Thanks. Unfortunately this diff is against /usr/share/man/man1/openssl.1, 
which is not current, so it failed to apply. I've just committed a version of 
this diff, including part from the current OpenSSL documentation.

You'd be surprised how many options exist in openssl(1) that are not 
documented and not in usage... OpenSSL documented some of these 
semi-recently - it would be a useful exercise for someone to identify these 
and document the ones that are worth documenting.

> --- /usr/share/man/man1/openssl.1       Fri Oct 31 17:43:53 2014
> +++ openssl.1   Wed Nov  5 23:33:46 2014
> @@ -6617,6 +6617,7 @@
>   .Op Fl psk_identity Ar identity
>   .Op Fl quiet
>   .Op Fl reconnect
> +.Op Fl servername Ar host
>   .Op Fl showcerts
>   .Op Fl ssl3
>   .Op Fl starttls Ar protocol
> @@ -6773,6 +6774,8 @@
>   .It Fl reconnect
>   Reconnects to the same server 5 times using the same session ID; this can
>   be used as a test that session caching is working.
> +.It Fl servername Ar host
> +Use specified host name as the Server Name Indicater (SNI)
>   .It Fl showcerts
>   Display the whole server certificate chain: normally only the server
>   certificate itself is displayed.
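Review bot: the new description line in this hunk misspells the acronym's expansion; SNI stands for Server Name Indication, not "Indicater". Suggest ".It Fl servername Ar host" followed by "Use the specified host name for Server Name Indication (SNI)." so the entry also ends with a period like the neighbouring -reconnect and -showcerts descriptions.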

-- 

   "Stop assuming that systems are secure unless demonstrated insecure;
    start assuming that systems are insecure unless designed securely."
          - Bruce Schneier
