Intermittent "sslv3 alert handshake failure" under Python
I have a REST API written in Java running under JBoss. Recently we updated our JVM from 1.6 to 1.7. This started to cause issues with only our Python clients which were connecting. Intermittently, Python clients are getting handshake failures. We wrote a very simple test which reproduces the problem:
import httplib2
for i in range(1,500):
print i
response, content = httplib2.Http(disable_ssl_certificate_validation=True).request('https://server.com:8443',)
Give the following output:
.
.
.
64
65
66
67
Traceback (most recent call last):
File "api_test/test.py", line 6, in <module>
response, content = httplib2.Http(disable_ssl_certificate_validation=True).request('https://server.com:8443/rest/solidtumor/2012/id/50d3216c092c8554b8b9f384?glossary=true&api_key=APIKEY',)
File "/home/hostovic/api_test/httplib2/__init__.py", line 1445, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/home/hostovic/api_test/httplib2/__init__.py", line 1197, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/home/hostovic/api_test/httplib2/__init__.py", line 1133, in _conn_request
conn.connect()
File "/home/hostovic/api_test/httplib2/__init__.py", line 914, in connect
raise SSLHandshakeError(e)
httplib2.SSLHandshakeError: [Errno 1] _ssl.c:490: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
The 67th call failed on this run through, but it fails at different times each time the test is run.
Our other clients (Java, Groovy and Ruby) work without any problem.
If I switch the JVM back to 1.6 the failures stop.
I did an openssl check using:
openssl s_client -connect server.com:8443
and it returned this:
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 50E748EA341BB433EEBC7386C606313C2B8B86360ED71DC8F3B0A14A1579D91B
Session-ID-ctx:
Master-Key: 1007AC489D60FE2D818F71A5A6873D5BBF5B1770BEC31CDBF29D0562DB0D30A33D9EBBA8AD211B8E24B23494B20A6223
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1357334762
Timeout : 300 (sec)
Verify return code: 0 (ok)
Which seems correct, but I'm not sure. If it failed on every call it would be one thing, but it's really odd to only be failing a random times. Anyone seen this?
Answer
I'm experiencing the same intermittent error when connecting to Tomcat 7 (Java 1.7) with Python 2.6.
I first started experiencing the issue when I upgraded my JVM from 1.7u1 to 1.7u6. From this article, it looks like the cipher preference order has changed in Java:
Java 7 and Could not generate DH keypair
Before the JVM upgrade, SSL_RSA_WITH_3DES_EDE_CBC_SHA was the preferred cipher being used for SSL communication. After the upgrade, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA gets preference. 95% of the time, the SSL communication is fine. But 5% of the time, it fails as you've described.
It seems that Python has problems with Diffie-Hellman ciphers. There is a fix in Python 3.3:
http://bugs.python.org/issue13626
My current workaround it to remove the Diffie-Hellman cipher from my enabled ciphers in Tomcat. I haven't tried upgrading to Python 3.3.