Avoid using TLS 1.2 for certain websites that freeze during HTTPS connections with Curl, Python, and PHP

Linux
2015-06-11 15:28 (9 years ago) ytyng

As I wrote in this article http://b.ytyng.com/a-61/, when an HTTPS client built on OpenSSL 1.0.1f sends a TLS 1.2 ClientHello, certain sites never reply and the connection freezes.

(OpenSSL 1.0.1f is the latest default version for Ubuntu 14.04, 15.04, etc. If you are using 1.0.1g, this issue might be resolved.)

In such cases, you can avoid the issue by connecting without using TLS1.2.

Here’s how to avoid using TLS1.2 (forcing TLS1.0) with curl, Python, and PHP.

curl

$ curl -vv "https://hoge.example.com/"  # URL is hypothetical
* Hostname was NOT found in DNS cache
*   Trying xxx.xxx.xxx.xxx...
* Connected to hoge.example.com (xxx.xxx.xxx.xxx) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):

It freezes here

Not using TLS1.2 (forcing TLS1.0)

$ curl -vv "https://hoge.example.com/" --tlsv1.0

It doesn't freeze!

python3.4 + requests

import requests
r = requests.get('https://hoge.example.com/')
It freezes!

↓ Not using TLS1.2 (forcing TLS1.0)

import requests

from requests.adapters import HTTPAdapter
from requests.packages.urllib3.poolmanager import PoolManager
import ssl

# Transport adapter whose connection pool is pinned to TLS 1.0
class MyAdapter(HTTPAdapter):
    def init_poolmanager(self, connections, maxsize, block=False):
        self.poolmanager = PoolManager(
            num_pools=connections,
            maxsize=maxsize,
            block=block,
            ssl_version=ssl.PROTOCOL_TLSv1)  # offer TLS 1.0 only

s = requests.Session()
# Applies to every https:// URL requested through this session
s.mount('https://', MyAdapter())

r = s.get("https://hoge.example.com/")
It doesn't freeze!

Reference:

Choosing The SSL Version In Python Requests • Lukasa's Echochamber https://lukasa.co.uk/2013/01/Choosing_SSL_Version_In_Requests/
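Before pinning a client to TLS 1.0, it helps to confirm that the stall really depends on the version offered, and to turn the freeze into a timeout. The following is an added example, not code from the original post: it uses only the Python standard library, and the names `probe_handshake`, `survey`, `DEFAULT_CAPS` and `start_stalling_server` are hypothetical, as is the local server, which is a constructed stand-in that accepts TCP and never replies.

```python
import socket
import ssl
import threading

def probe_handshake(host, port, max_version=None, timeout=3.0):
    """Try one TLS handshake; return 'ok:<version>', 'stalled' or 'error:<type>'."""
    try:
        ctx = ssl.create_default_context()        # certificate checks stay on
        if max_version is not None:
            # Diagnostic only: cap the version offered in the ClientHello.
            ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
            ctx.maximum_version = max_version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except socket.timeout:
        return "stalled"                          # no ServerHello: the "freeze"
    except (OSError, ValueError) as exc:          # includes ssl.SSLError
        return "error:" + type(exc).__name__

def survey(host, port, caps, timeout=3.0):
    """Probe once per (label, max_version) pair to see which offers stall."""
    return {label: probe_handshake(host, port, cap, timeout) for label, cap in caps}

# Modern OpenSSL builds may refuse TLS 1.0 locally; that shows up as 'error:...'.
DEFAULT_CAPS = [("default", None),
                ("max TLS 1.2", ssl.TLSVersion.TLSv1_2),
                ("max TLS 1.0", ssl.TLSVersion.TLSv1)]

def start_stalling_server():
    """Constructed stand-in for the affected site: accepts TCP, never replies."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []                                     # keep accepted sockets open
    def accept_loop():
        while True:
            try:
                held.append(srv.accept()[0])
            except OSError:
                return                            # listener closed
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = start_stalling_server()
    for label, result in survey("127.0.0.1", port, DEFAULT_CAPS, timeout=1.0).items():
        print(label, "->", result)
    srv.close()
```

If only the uncapped and TLS 1.2 probes report `stalled` against the real host while the TLS 1.0 probe completes, the downgrade can be limited to that one host instead of every HTTPS connection.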

PHP5.6

$html = file_get_contents('https://hoge.example.com/');
It freezes!

↓ Not using TLS1.2 (forcing TLS1.0)

$ctx = stream_context_create([
    'ssl' => [
        'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
    ],
]);
$html = file_get_contents('https://hoge.example.com/', false, $ctx);
It doesn't freeze!

Reference:

PHP: Changes related to OpenSSL in PHP 5.6.x - Manual http://php.net/manual/ja/migration56.openssl.php
