On Sun, Oct 13, 2019 at 10:31:31PM +0800, Drew Parsons wrote:
It conditionally works. Using curl, I found that TLSv1_0 or TLSv1_1 will
support a successful connection, but only if the maximum SSL_VERSION is
constrained to TLSv1_0 or TLSv1_1 (e.g. curl -v --tlsv1.1 --tls-max 1.1
https://pub.orcid.org). Without the max, the connection fails:
$ curl --tlsv1.1 https://pub.orcid.org
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
The urllib3 failure was similar, but I do not know how to set tls-max with
urllib3. I could only find the option with curl. I could set up a custom
HTTPAdapter as suggested at
https://requests.readthedocs.io/en/master/user/advanced/#example-specific-ssl-version
to set ssl_version=ssl.PROTOCOL_TLSv1_1 but the ssl module doesn't have the
SSLVERSION_MAX_TLSv1_1 value that curl has. I could solve it with pycurl
using c.setopt(pycurl.SSLVERSION, pycurl.SSLVERSION_TLSv1_1 | pycurl.SSLVERSION_MAX_TLSv1_1)

For sure I'm missing something, but why not just set TLS version?
I tried the following on both Python2 and Python3:
>>> import ssl
>>> from urllib3.poolmanager import PoolManager
>>> http = PoolManager(ssl_version=ssl.PROTOCOL_TLSv1)
>>> r = http.request('GET', 'https://pub.orcid.org')
>>> r.status
200
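
Added example, not part of the original messages: on Python 3.7+ (OpenSSL 1.1.0g or newer) the ssl module exposes the same lower and upper bounds that curl's --tlsv1.1 and --tls-max set, through SSLContext.minimum_version and SSLContext.maximum_version, and urllib3 accepts the resulting context via ssl_context. The helper names pinned_tls_context and fetch_status are hypothetical.

```python
import ssl


def pinned_tls_context(lowest, highest):
    """Client context that only negotiates TLS versions in [lowest, highest].

    Both arguments are concrete ssl.TLSVersion members, for example
    ssl.TLSVersion.TLSv1_1. Certificate and hostname verification stay on.
    """
    if lowest > highest:
        raise ValueError("lowest TLS version is above highest")
    ctx = ssl.create_default_context()
    # Equivalent of curl --tlsv1.x (floor) and --tls-max 1.x (ceiling).
    ctx.minimum_version = lowest
    ctx.maximum_version = highest
    return ctx


def fetch_status(url, ctx):
    """GET url through urllib3 with the given context, return the HTTP status."""
    from urllib3 import PoolManager  # third-party, imported only when used

    http = PoolManager(ssl_context=ctx)
    return http.request("GET", url).status


if __name__ == "__main__":
    # The case from the thread: offer TLS 1.1 and nothing newer.
    only_tls11 = pinned_tls_context(ssl.TLSVersion.TLSv1_1,
                                    ssl.TLSVersion.TLSv1_1)
    print(fetch_status("https://pub.orcid.org", only_tls11))
```

Depending on the OpenSSL build and the distribution's crypto policy, a TLS 1.0 or 1.1 handshake may still be refused by the configured security level even when the version bounds allow it.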