Develop Reference

Nginx: peer closed connection in SSL handshake while SSL handshaking to upstream

I have this new client which only can talk TLSv1.2 which communicate with a old service which can only talk TLSv1. It is about to be upgraded. It is an internal system without access to internet.
To solve the problem I have placed a Nginx proxy in between.
client =TLS1.2=> Nginx =TLSv1=> oldservice
Even with proxy_ssl_verify=off I get this error:
==> /var/log/nginx/ngx-error.log <==
2021/09/15 14:48:26 [error] 13231#0: *3 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 10.140.164.9, server: ngx.example.org, request: "GET /net/EXT/microservice.svc HTTP/1.1", upstream: "https://172.23.149.10:443/EXT/microservice.svc", host: "ngx.example.org"
If I on ngx.example.org run curl -v https://endp.example.org/EXT/microservice.svc I get this message:
* NSS error -8016 (SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)
* The certificate was signed using a signature algorithm that is disabled because it is not secure.
* Closing connection 0
curl: (60) The certificate was signed using a signature algorithm that is disabled because it is not secure.
If I run curl --insecure it is working and this is the behavior I want Nginx to do.
My Nginx configuration:
server {
listen 80;
listen 443 ssl;
server_name ngx.example.org;
access_log /var/log/nginx/ngx-access.log;
error_log /var/log/nginx/ngx-error.log;
root /var/www/nginx/ngx;
ssl_protocols TLSv1.2;
ssl_certificate /etc/pki/nginx/private/ngx.example.org.crt;
ssl_certificate_key /etc/pki/nginx/private/ngx.example.org.key;
ssl_verify_client off;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#proxy_ssl_ciphers PSK-3DES-EDE-CBC-SHA;
location /net/ {
proxy_ssl_name endp.example.org;
proxy_ssl_server_name on;
proxy_ssl_verify off;
proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/wsgw.root.ca.pem;
proxy_set_header Host endp.example.org;
proxy_set_header X_FORWARDED_PROTO https;
proxy_pass https://endp.example.org/;
}
}
Edit:
Here is the output from openssl without -tlsv1:
openssl s_client -connect endp.example.org:443
139801673865104:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1631880896
Timeout : 300 (sec)
Verify return code: 0 (ok)
Here is the output from openssl with -tlsv1:
openssl s_client -connect endp.example.org:443 -tls1
depth=0 CN = endp.example.org
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = endp.example.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=endp.example.org
i:/CN=endp.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICIzCCAYygAwIBAgIQZs9VZsp/iZRC2rL+oYTf0DANBgkqhkiG9w0BAQQFADAc
...lines deleted
OS+ih0tnXEzJKqtSC52Z+zAIFWdEipA=
-----END CERTIFICATE-----
subject=/CN=endp.example.org
issuer=/CN=endp.example.org
---
No client certificate CA names sent
---
SSL handshake has read 694 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: A01E00002B40C49CA7D7CD8EE73A9FB8DF44BF155300CDFCC98712657F697F88
Session-ID-ctx:
Master-Key: A90284275AA0067A47836A269592213E419F5286E0D30EA38F1094B50536F67913FCE7BA5D43025D1AC7FBDCA769FBE4
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1631862396
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Content of certificate:
$ openssl x509 -in endp.example.org.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
66:cf:55:66:ca:7f:89:94:42:da:b2:fe:a1:84:df:d0
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=endp.example.org
Validity
Not Before: Nov 9 11:08:50 2010 GMT
Not After : Dec 30 23:00:00 2030 GMT
Subject: CN=endp.example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:eb:ea:04:f0:53:87:26:b5:19:13:c6:a5:7b:27:
75:7e:f5:9a:84:74:59:d3:ec:0d:40:42:78:a4:c6:
1b:42:b2:50:19:3e:90:7b:20:73:f4:71:b8:3b:c3:
b3:dd:84:94:78:64:64:ac:5c:dc:a3:e4:8c:36:10:
32:ec:12:90:89:6c:e9:44:0e:fb:2e:84:0f:df:16:
c2:ae:b8:2c:d6:d0:73:b3:cf:4b:f8:56:91:e6:30:
c1:15:34:9f:70:6d:e1:e9:33:de:d6:9b:4d:2e:c8:
03:7b:eb:ed:6b:9c:8e:0b:80:a2:ef:29:5f:18:4e:
bf:e3:9a:81:e3:57:ae:c5:3f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
2.5.29.1:
0D....M..w....T..."...0.1.0...U....endp.example.org..f.Uf....B.......
Signature Algorithm: md5WithRSAEncryption
83:a7:c9:cf:a5:d3:91:78:65:d0:43:24:84:c5:77:62:be:ba:
52:db:7f:c6:ca:59:40:50:91:5f:48:fe:77:4a:94:26:36:23:
3a:82:6b:54:46:c1:a4:0d:bd:8f:96:bc:04:c8:54:f7:74:94:
83:3a:9e:71:61:8c:d4:a0:77:be:fc:50:e8:3f:12:a3:00:01:
9d:d6:06:a0:77:c2:84:24:96:03:c1:6a:05:57:bb:5e:d0:47:
e5:ff:a9:6c:a1:e1:cc:a4:d0:4b:b0:9d:1b:0b:d4:39:2f:a2:
87:4b:67:5c:4c:c9:2a:ab:52:0b:9d:99:fb:30:08:15:67:44:
8a:90

Not a solution but a work-around: Use Apache
ServerName ngx.example.org:443
SSLEngine on
SSLProxyEngine on
SSLProxyVerifyDepth 0
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCertificateFile /etc/pki/nginx/private/ngx.example.org.crt
SSLCertificateKeyFile /etc/pki/nginx/private/ngx.example.org.key
DocumentRoot /var/www/httpd/ngx
CustomLog /var/log/httpd/ngx/access.log combined
ErrorLog /var/log/httpd/ngx/error.log
ProxyPass "/net/" "https://endp.example.org/"

How to POST an image to imgbb.com on ESP32 CAM? I get "Empty upload source."

I'm a DIYer and I'm trying to upload a picture from ESP32-CAM to imgbb.com using POST. This project from RandomNerdTutorials gave me a better notion about POST request on C++.
I took their code and modified it to upload to https://api.imgbb.com.
/*
Rui Santos
Complete project details at https://RandomNerdTutorials.com/esp32-cam-shield-pcb-telegram/
Project created using Brian Lough's Universal Telegram Bot Library: https://github.com/witnessmenow/Universal-Arduino-Telegram-Bot
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
*/
// Partial code modified to upload to imgbb.com
String uploadPhoto(char *apikey){
String getAll = "";
String getBody = "";
camera_fb_t * fb = NULL;
fb = esp_camera_fb_get();
if(!fb) {
Serial.println("Camera capture failed");
delay(1000);
ESP.restart();
return "Camera capture failed";
}
Serial.println("Connect to api.imgbb.com");
if (clientTCP.connect("api.imgbb.com", 443)) {
Serial.println("Connection successful");
String head = "--RandomNerdTutorials\r\nContent-Disposition: form-data; name=\"photo.jpg\"; filename=\"photo.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n";
// String head = "--RandomNerdTutorials\r\nContent-Disposition: form-data; name=\"photo.jpg\"; filename=\"photo.jpg\"\r\n\r\n";
String tail = "\r\n--RandomNerdTutorials--\r\n";
uint16_t imageLen = fb->len;
uint16_t extraLen = head.length() + tail.length();
uint16_t totalLen = imageLen + extraLen;
Serial.printf("imageLen:%d - extraLen: %d - totalLen: %d\n", imageLen, extraLen, totalLen);
clientTCP.println("POST /1/upload?expiration=600&key="+String(apikey)+" HTTP/1.1");
clientTCP.println("Host: api.imgbb.com");
clientTCP.println("Content-Length: " + String(totalLen));
clientTCP.println("Content-Type: multipart/form-data; boundary=RandomNerdTutorials");
clientTCP.println();
clientTCP.print(head);
uint8_t *fbBuf = fb->buf;
size_t fbLen = fb->len;
Serial.printf("fbLen: %d\n", fbLen);
int count = 0;
for (size_t n=0;n<fbLen;n=n+1024) {
count++;
Serial.printf("Sending part %d\n", count);
if (n+1024<fbLen) {
clientTCP.write(fbBuf, 1024);
fbBuf += 1024;
}
else if (fbLen%1024>0) {
size_t remainder = fbLen%1024;
clientTCP.write(fbBuf, remainder);
}
}
clientTCP.print(tail);
esp_camera_fb_return(fb);
unsigned long now = millis();
boolean state = false;
while (millis() - now < 10000){ // timeout 10 seconds
Serial.print(".");
delay(100);
while (clientTCP.available()){
char c = clientTCP.read();
if (c == '\n'){
if (getAll.length()==0) state=true;
getAll = "";
}
else if (c != '\r'){
getAll += String(c);
}
if (state==true){
getBody += String(c);
}
}
if (getBody.length()>0) break;
}
clientTCP.stop();
Serial.println(getBody);
}
else {
getBody="Connected to api.imgbb.com failed.";
Serial.println("Connected to api.imgbb.com failed.");
}
return getBody;
}
I get this on Serial Monitor
Connection successful
imageLen:7522 - extraLen: 150 - totalLen: 7672
fbLen: 7522
Sending part 1
Sending part 2
Sending part 3
Sending part 4
Sending part 5
Sending part 6
Sending part 7
Sending part 8
..
7a
{"status_code":400,"error":{"message":"Empty upload source.","code":130,"context":"Exception"},"status_txt":"Bad Request"}
In case you are asking for the cURL example output on their API site, the output using -v option prints:
With command
curl --location --request POST "https://api.imgbb.com/1/upload?expiration=600&key=YOUR_CLIENT_API_KEY" --form image=#"example.jpg" -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 51.81.57.189...
* TCP_NODELAY set
* Connected to api.imgbb.com (51.81.57.189) port 443 (#0)
* schannel: SSL/TLS connection with api.imgbb.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 178 bytes...
* schannel: sent initial handshake data: sent 178 bytes
* schannel: SSL/TLS connection with api.imgbb.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with api.imgbb.com port 443 (step 2/3)
* schannel: encrypted data got 3525
* schannel: encrypted data buffer: offset 3525 length 4096
* schannel: sending next handshake data: sending 93 bytes...
* schannel: SSL/TLS connection with api.imgbb.com port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with api.imgbb.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> POST /1/upload?expiration=600&key=1be33137765dd807cb05b2ff94885779 HTTP/1.1
> Host: api.imgbb.com
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Length: 18608
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=------------------------c67a7796e0413135
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 54
* schannel: encrypted data buffer: offset 54 length 103424
* schannel: decrypted data length: 25
* schannel: decrypted data added: 25
* schannel: decrypted data cached: offset 25 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 25 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 25
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 100 Continue
HTTP/1.1 100 Continue
* schannel: client wants to read 102400 bytes
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 1096
* schannel: encrypted data buffer: offset 1096 length 103424
* schannel: decrypted data length: 1067
* schannel: decrypted data added: 1067
* schannel: decrypted data cached: offset 1067 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 1067 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 1067
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Mon, 10 Aug 2020 20:08:42 GMT
Date: Mon, 10 Aug 2020 20:08:42 GMT
< Content-Type: application/json; charset=UTF-8
Content-Type: application/json; charset=UTF-8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Connection: keep-alive
Connection: keep-alive
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: Cache-Control, X-Requested-With, Content-Type
Access-Control-Allow-Headers: Cache-Control, X-Requested-With, Content-Type
< Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Methods: POST, GET, OPTIONS
< Last-Modified: Mon, 10 Aug 2020 20:08:42GMT
Last-Modified: Mon, 10 Aug 2020 20:08:42GMT
< Cache-Control: no-cache, must-revalidate
Cache-Control: no-cache, must-revalidate
< Pragma: no-cache
Pragma: no-cache
<
{"data":{"id":"P6Ynw91","title":"pull","url_viewer":"https:\/\/ibb.co\/P6Ynw91","url":"https:\/\/i.ibb.co\/d5cqGLk\/pull.jpg","display_url":"https:\/\/i.ibb.co\/d5cqGLk\/pull.jpg","size":18421,"time":"1597090122","expiration":"600","image":{"filename":"pull.jpg","name":"pull","mime":"image\/jpeg","extension":"jpg","url":"https:\/\/i.ibb.co\/d5cqGLk\/pull.jpg"},"thumb":{"filename":"pull.jpg","name":"pull","mime":"image\/jpeg","extension":"jpg","url":"https:\/\/i.ibb.co\/P6Ynw91\/pull.jpg"},"delete_url":"https:\/\/ibb.co\/P6Ynw91\/7912eb21dadf18bcf78119d10ae7b427"},"success":true,"status":200}* Connection #0 to host api.imgbb.com left intact

You only need to modify the parameter name of imageField to "image".
form-data; name=\"image\"; filename=\"photo.jpg\"
https://api.imgbb.com/
Parameters
image (required)
A binary file, base64 data, or a URL for an image. (up to 32 MB)

String head = "--RandomNerdTutorials\r\nContent-Disposition: form-data; name=\"expiration\"; \r\n\r\n600\r\n--RandomNerdTutorials\r\nContent-Disposition: form-data; name=\"key\"; \r\n\r\n" + String(apikey) + "\r\n--RandomNerdTutorials\r\nContent-Disposition: form-data; name=\"image\"; filename=\"photo.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n";
clientTCP.println("POST /1/upload HTTP/1.1");

QWebSocket doesn't connect over TLS

I have a WebSocket which works good over WebSocket protocol, but I can not switch to WebSocketSecure protocol, It doesn't generate any errors on server side, client says error:141970DF:SSL routines:tls_construct_cke_psk_preamble:psk identity not found. The certificate was generated by certbot and is used of for https web site on same domain.
Server code:
QSslConfiguration conf = server.sslConfiguration();
QFile * privkey =
new QFile{"/etc/letsencrypt/live/example.com/privkey.pem"};
privkey->open(QFile::ReadOnly);
conf.setCaCertificates(QSslCertificate::fromPath(
"/etc/letsencrypt/live/example.com/fullchain.pem"));
conf.setPrivateKey(QSslKey(privkey));
conf.setProtocol(QSsl::TlsV1_0);
server.setSslConfiguration(conf);
if (server.listen(QHostAddress::Any, 54045)) {
connect(
&server, &QWebSocketServer::newConnection, this,
&Server::onNewConnection);
connect(&server, &QWebSocketServer::closed, this, &Server::closed);
qDebug() << "server started";
}
The client code:
import QtQuick 2.13
import QtWebSockets 1.13
WebSocket {
active: true
url: "wss://example.com:54045"
}
Output of openSSL:
$ openssl s_client -connect example.com:54045
CONNECTED(00000003)
140623606740288:error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:302:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 325 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Tomcat [9.0.26] - SSLHandshake Exception

My application in tomcat (version 9.0.26) is interacting with a third party HTTPS webservice. In the proces of SSL negotiation, the handshake fails and I am looking for help with the debug.
Tomcat startup parameters are:
INFO: Command line argument:
-Djavax.net.ssl.trustStore=C:\tomcat32\9.0.26\conf\MyTrustStore.p12 Dec 08, 2019 8:56:08 AM
org.apache.catalina.startup.VersionLoggerListener log INFO: Command
line argument: -Djavax.net.ssl.trustStorePassword=MyPass Dec 08, 2019
8:56:08 AM org.apache.catalina.startup.VersionLoggerListener log INFO:
Command line argument: -Djavax.net.ssl.trustStoreType=PKCS12 Dec 08,
2019 8:56:08 AM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument:
-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager Dec 08, 2019 8:56:08 AM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent INFO: Loaded APR based Apache Tomcat Native library
[1.2.23] using APR version [1.7.0]. Dec 08, 2019 8:56:08 AM
org.apache.catalina.core.AprLifecycleListener lifecycleEvent INFO: APR
capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true]. Dec 08, 2019 8:56:08 AM
org.apache.catalina.core.AprLifecycleListener lifecycleEvent INFO:
APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
Dec 08, 2019 8:56:08 AM org.apache.catalina.core.AprLifecycleListener
initializeSSL INFO: OpenSSL successfully initialized [OpenSSL 1.1.1c
28 May 2019] Dec 08, 2019 8:56:09 AM
org.apache.coyote.AbstractProtocol init INFO: Initializing
ProtocolHandler ["http-nio-8080"] Dec 08, 2019 8:56:10 AM
org.apache.coyote.AbstractProtocol init INFO: Initializing
ProtocolHandler ["ajp-nio-8009"] Dec 08, 2019 8:56:10 AM
org.apache.catalina.startup.Catalina load INFO: Server initialization
in [2,592] milliseconds Dec 08, 2019 8:56:10 AM
org.apache.catalina.core.StandardService startInternal INFO: Starting
service [Catalina]
On enabling SSL debug logs, I captured below on the logs
Allow unsafe renegotiation: false Allow legacy hello messages: true Is
initial handshake: true Is secure renegotiation: false Ignoring
unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for
TLSv1 Ignoring unsupported cipher suite:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1 Ignoring unsupported
cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1 Ignoring
unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for
TLSv1 Ignoring unsupported cipher suite:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1 Ignoring unsupported
cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1 Ignoring
unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1 Ignoring unsupported cipher suite:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1 Ignoring
unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1.1 Ignoring unsupported cipher suite:
TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1 Ignoring unsupported
cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1 Ignoring unsupported
cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1 Ignoring
unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1 %% No cached client session update handshake state:
client_hello1 upcoming handshake states: server_hello[2]
* ClientHello, TLSv1.2 RandomCookie: GMT: 1558998647 bytes = { 181, 223, 221, 91, 197, 4, 57, 190, 202, 50, 65, 37, 54, 151, 211, 23, 88,
35, 181, 111, 187, 68, 160, 166, 229, 25, 76, 123 } Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1,
secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1,
sect571r1, secp256k1} Extension ec_point_formats, formats:
[uncompressed] Extension signature_algorithms, signature_algorithms:
SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA,
SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA,
SHA1withRSA, SHA1withDSA Extension extended_master_secret Extension
server_name, server_name: [type=host_name (0),
value=certservicesgateway.Bingonline.com]
http-nio-8080-exec-3, WRITE: TLSv1.2 Handshake, length = 236 http-nio-8080-exec-3, READ: TLSv1.2 Handshake, length = 89 check
handshake state: server_hello[2]
ServerHello, TLSv1.2 RandomCookie: GMT: 1119462208 bytes = { 96, 236, 134, 31, 185, 89, 247, 95, 189, 217, 105, 127, 42, 183, 115, 120,
142, 31, 103, 111, 54, 50, 166, 58, 130, 107, 63, 128 } Session ID:
{15, 155, 163, 64, 244, 187, 119, 250, 40, 154, 103, 47, 201, 208,
211, 136, 114, 116, 248, 159, 173, 34, 212, 74, 194, 65, 71, 17, 39,
181, 196, 228} Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0 Extension renegotiation_info,
renegotiated_connection: Extension ec_point_formats, formats:
[uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
* %% Initialized: [Session-6, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
And towards the end of the handshake failure find the 'Invalidated' logger:
update handshake state: change_cipher_spec upcoming
handshake states: client finished[20] upcoming handshake states:
server change_cipher_spec[-1] upcoming handshake states: server
finished[20] http-nio-8080-exec-3, WRITE: TLSv1.2 Change Cipher Spec,
length = 1
* Finished verify_data: { 124, 94, 237, 141, 218, 48, 210, 88, 98, 142, 112, 197 }
* update handshake state: finished[20] upcoming handshake states: server change_cipher_spec[-1] upcoming handshake states: server
finished[20] http-nio-8080-exec-3, WRITE: TLSv1.2 Handshake, length =
40 http-nio-8080-exec-3, READ: TLSv1.2 Alert, length = 2
http-nio-8080-exec-3, RECV TLSv1.2 ALERT: fatal, handshake_failure %%
Invalidated: [Session-6, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
http-nio-8080-exec-3, called closeSocket() http-nio-8080-exec-3,
handling exception: javax.net.ssl.SSLHandshakeException: Received
fatal alert: handshake_failure 2019-12-07 23:00:43.732 INFO ---
[nio-8080-exec-3] .v.w.t.MyServiceHandler : ######### Other Exception
happened in
MyServiceHandler.execute():com.sun.xml.internal.ws.client.ClientTransportException:
HTTP transport error: javax.net.ssl.SSLHandshakeException: Received
fatal alert: handshake_failure, and the cause
is:javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
com.sun.xml.internal.ws.client.ClientTransportException: HTTP
transport error: javax.net.ssl.SSLHandshakeException: Received fatal
alert: handshake_failure at
com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(Unknown
Source) at
com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown
Source) at
com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown
Source) at
com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown
Source) at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown
Source) at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown
Source) at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown
Source) at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown
Source)
From the loggers, I think the SSL protocol version used is TLS1.2 and that looks good. It looks like the Cipher is not matching - but unsure if I am overlooking something and how to remediate this.
On inspecting the logs further, found this one error:
Unparseable certificate extensions: 1 1: ObjectId: 2.5.29.31
Criticality=false Unparseable CRLDistributionPoints extension due to
java.io.IOException: invalid URI
name:ldap://Enroll.visaca.com:389/cn=Visa Information Delivery
External CA,c=US,ou=Visa International Service
Association,o=VISA?certificateRevocationList
Update - 09-Dec -- In consultation with our middleware support team who indicate that the above CRL exception could be a false alarm.
So with that assumption, looking closely at the log and comparing with the steps outlined in TLS handshake steps wiki.
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
http-nio-8080-exec-15, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished verify_data: { 27, 249, 167, 252, 151, 220, 110, 252, 113, 134, 248, 228 }
*** update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
http-nio-8080-exec-15, WRITE: TLSv1.2 Handshake, length = 40
http-nio-8080-exec-15, READ: TLSv1.2 Alert, length = 2
http-nio-8080-exec-15, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-6, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
http-nio-8080-exec-15, called closeSocket() http-nio-8080-exec-15,
handling exception: javax.net.ssl.SSLHandshakeException: Received
fatal alert: handshake_failure
The step 'server change_cipher_spec' is where I am suspecting something has gone wrong - though unsure how to debug this further. Appreciate any pointers.

Finally the issue is resolved.
As expected, 'Unparseable certificate extensions' turned out to be a false alarm.
Finally setting both trust store and key store helped resolve. The key store was also require for client authentication during the SSL Handshake.
-Djavax.net.ssl.trustStore=C:\Users\cert\visatomcat.p12 -Djavax.net.ssl.trustStorePassword=pass123 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.keyStore=C:\Users\cert\visatomcat.p12 -Djavax.net.ssl.keyStorePassword=pass123

Requests ignoring setting OP_NO_SSLv3

i'm trying to get a domain on a private server, but requests get continuously fails with sslv3 alert handshake failure.
I have configured the session to ignore sslv3 according to the blog post here https://lukasa.co.uk/2017/02/Configuring_TLS_With_Requests/
but it continues using it as statet in the exception message.
Any ideas what i am making wrong here?
Heres my minimal script:
import ssl
import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context
CIPHERS = (
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
'!eNULL:!MD5'
)
class DESAdapter(HTTPAdapter):
"""
A TransportAdapter that re-enables 3DES support in Requests.
"""
def create_ssl_context(self):
ctx = ssl.create_default_context()
# opt out the SSLv3
ctx.options |= ssl.OP_NO_SSLv3
ctx.set_ciphers( CIPHERS )
return ctx
def init_poolmanager(self, *args, **kwargs):
kwargs['ssl_context'] = self.create_ssl_context()
return super(DESAdapter, self).init_poolmanager(*args, **kwargs)
def proxy_manager_for(self, *args, **kwargs):
kwargs['ssl_context'] = self.create_ssl_context()
return super(DESAdapter, self).proxy_manager_for(*args, **kwargs)
s = requests.Session()
s.mount('https://my-broken-intranet-domain.net:4942', DESAdapter())
# This will throw the error:
r = s.get('https://my-broken-intranet-domain.net:4942')
Exception has occurred: requests.exceptions.SSLError
HTTPSConnectionPool(host='my-broken-intranet-domain.net', port=4942): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)')))
With Curl, the request goes trough and the negotiated CIPHER and TLS are:
curl -v https://my-broken-intranet-domain.net:4942
...
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DES-CBC3-SHA
* ALPN, server did not agree to a protocol
Versions:
Python 3.7.2
requests
Version: 2.21.0
urllib3
Version: 1.24.1
OpenSSL
1.1.0j
Thanks for the help!

Related to Python 3.7.2.
Closing this, as it is not present with 3.6.8