I'm trying to set up an HTTPS connection from Python on Windows using Requests to a Cisco ASA firewall which does not have an AES/3DES license installed. The goal is to download a pcap capture file from the URL pattern https://10.0.0.1/capture/TEST_CAPTURE/pcap, but that does not really matter for the rest of the question, and we'll consider the URL to be https://10.0.0.1.

With the default Requests setup, a connection attempt fails for both Python 2 and Python 3:

requests.get('https://10.0.0.1', verify = False, auth = ('username','password'))
...
requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:600)

This could be due to a lack of cipher overlap between the server and the client. CURL with the -v option was used to determine which cipher is used by the server:

CURL -u username -v -l -k https://10.0.0.1
...
SSLv3, TLS handshake, Finished (20):
SSL connection using DES-CBC-SHA
...

The server is using the DES-CBC-SHA cipher and I can't change that. So this cipher was added to the list of default ciphers for urllib3:

requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':DES-CBC-SHA'

After that, the connection succeeded for Python 3 (version 3.4.3), but for Python 2 (version 2.7.12) it still failed. And I do need to use Python 2. I tried to install the security dependencies:

pip install pyopenssl ndg-httpsclient pyasn1

And to add the DES-CBC-SHA cipher to the pyopenssl list of default ciphers:

requests.packages.urllib3.contrib.pyopenssl.DEFAULT_SSL_CIPHER_LIST += ':DES-CBC-SHA'

But the connection from Python 2.7.12 still failed with the same error:

requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')],)",)

It was noticed that Python 3.4.3, for which the connection succeeds, uses an older version of OpenSSL than Python 2.7.12, for which the connection fails:

Python 3.4.3
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.1l 15 Jan 2015'

Python 2.7.12
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2h  3 May 2016'

And after replacing Python 2.7.12 with Python 2.7.9, which has 'OpenSSL 1.0.1j 15 Oct 2014', the connection succeeded.

Is it possible to establish an HTTPS connection using the DES-CBC-SHA cipher with the latest version of Python?

jww
Andrey Grachev
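The OpenSSL version difference reported in the question can be checked directly. Per the OpenSSL changelog, default builds from 1.0.2g (and 1.0.1s) onward omit LOW and EXPORT strength suites, which include single-DES DES-CBC-SHA, unless built with enable-weak-ssl-ciphers. The following is an added example, not part of the original question: the function names are hypothetical, and the version thresholds come from the OpenSSL changelog rather than from the page.

```python
from __future__ import print_function
import re
import ssl

# Assumption (OpenSSL changelog, not the page): first letter release per
# branch whose default build drops LOW/EXPORT suites.
_WEAK_OFF_SINCE = {(1, 0, 1): "s", (1, 0, 2): "g"}


def parse_openssl_version(text):
    """'OpenSSL 1.0.2h  3 May 2016' -> ((1, 0, 2), 'h')."""
    m = re.match(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    return tuple(int(g) for g in m.groups()[:3]), m.group(4)


def weak_ciphers_off_by_default(text):
    """Heuristic: does a default build of this release omit LOW/EXPORT suites?"""
    numbers, letter = parse_openssl_version(text)
    if numbers >= (1, 1, 0):
        return True
    threshold = _WEAK_OFF_SINCE.get(numbers)
    return threshold is not None and letter >= threshold


def cipher_enabled(cipher_string):
    """Authoritative check against the OpenSSL linked into this interpreter:
    set_ciphers() raises SSLError when no suite can be selected."""
    protocol = getattr(ssl, "PROTOCOL_TLS_CLIENT", None) or ssl.PROTOCOL_SSLv23
    ctx = ssl.SSLContext(protocol)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def diagnose(cipher_string="DES-CBC-SHA"):
    """One-line verdict for the running interpreter."""
    if cipher_enabled(cipher_string):
        return "%s is selectable here; check the client cipher list" % cipher_string
    return "%s is not offered by %s; no cipher-list setting can add it" % (
        cipher_string, ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Version strings quoted in the question.
    for v in ("OpenSSL 1.0.1l 15 Jan 2015", "OpenSSL 1.0.1j 15 Oct 2014",
              "OpenSSL 1.0.2h  3 May 2016"):
        print(v, "-> weak ciphers off by default:", weak_ciphers_off_by_default(v))
    print(diagnose())
```

Run it under each interpreter being compared. When `cipher_enabled` returns False, appending the suite to the urllib3 or pyOpenSSL default cipher strings has no effect, because the linked library cannot negotiate it.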