
OAuth handshake can't complete for test.orain.org
Closed, Resolved, Public

Description

Based on T102602, using test.orain.org for testing.

> import pywikibot
> site = pywikibot.Site()
> from pywikibot.login import OauthLoginManager
> consumer_token = ('XXXXXXXXXXXXXXXXXXXXXXXXXX', 'XXXXXXXXXXXXXXXXXXXXXXXXXX')
> login_manager = OauthLoginManager(consumer_token, site)
> login_manager.login()
Logging in to oraintest:en via OAuth consumer XXXXXXXXXXXXXXXXXXXXXXXXXX
Authenticate via web browser
Response query string: XXXXXXXXXXXXXXXXXXXXXXXXXX
ERROR: [('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')]

The exception is actually raised by the complete function in mwoauth (using mwoauth 0.2.4):

def complete(mw_uri, consumer_token, request_token, response_qs):
    """
    Completes an OAuth handshake with MediaWiki by exchanging an

    :Parameters:
        mw_uri : `str`
            The base URI of the MediaWiki installation.  Note that the URI
            should end in ``"index.php"``.
        consumer_token : :class:`~mwoauth.ConsumerToken`
            A key/secret pair representing you, the consumer.
        request_token : :class:`~mwoauth.RequestToken`
            A temporary token representing the user.  Returned by
            `initiate()`.
        response_qs : `bytes`
            The query string of the URL that MediaWiki forwards the user back
            after authorization.

    :Returns:
        An `AccessToken` containing an authorized key/secret pair that
        can be stored and used by you.
    """

    ......

    # Construct a new auth with the verifier
    auth = OAuth1(consumer_token.key,
                  client_secret=consumer_token.secret,
                  resource_owner_key=request_token.key,
                  resource_owner_secret=request_token.secret,
                  verifier=verifier)

    # Send the verifier and ask for an authorized resource owner key/secret
    r = requests.post(url=mw_uri,
                      params={'title': "Special:OAuth/token"},
                      auth=auth)

    ......

The exception is raised by the last r = requests.post(...) statement.
Also, the actual exception is hidden because of T105767.

The issue may be related: https://github.com/kennethreitz/requests/issues/2022

Workaround

SNI is the reason for the error, like @Tgr mentioned in his comments:

Looking at the SSLLabs analyses:

the main differences are that Orain uses SNI and only supports elliptic ciphers, while Wikimedia crams all its domains in a single certificate and has a bunch of fallback ciphers. SNI could be the reason for the error: (1) (2) (3) (although the error messages mentioned there are different)

(1) of the comments above mentions the solution: http://docs.python-requests.org/en/latest/community/faq/#what-are-hostname-doesn-t-match-errors
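
A client-side check of the SNI explanation above, as an added example that is not part of the original task and not code from requests or mwoauth: it captures in memory the ClientHello that the local Python `ssl` module produces with and without a hostname, then parses it for the `server_name` extension and the offered cipher suites. It is written for Python 3 (it needs `ssl.MemoryBIO`), and the function names are hypothetical.

```python
import ssl
import struct

def client_hello(server_hostname):
    """Capture the ClientHello the local ssl module would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Off only to emulate a client that sends no hostname; no peer is contacted.
    ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello
    names = {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}
    return outgoing.read(), names

def parse_client_hello(raw):
    """Return (SNI hostname or None, [cipher suite ids]) from raw TLS records."""
    body, pos = b"", 0
    while pos + 5 <= len(raw):  # strip record headers, join handshake payload
        rtype, _version, rlen = struct.unpack_from("!BHH", raw, pos)
        if rtype != 0x16:
            raise ValueError("not a TLS handshake record")
        body += raw[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + body[pos]                  # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2))
    pos += 2 + cs_len
    pos += 1 + body[pos]                  # compression methods
    sni = None
    if pos + 2 <= len(body):              # extensions are optional
        pos, end = pos + 2, pos + 2 + struct.unpack_from("!H", body, pos)[0]
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            if etype == 0:                # server_name: list_len(2) type(1) len(2) name
                (nlen,) = struct.unpack_from("!H", body, pos + 7)
                sni = body[pos + 9:pos + 9 + nlen].decode("ascii")
            pos += 4 + elen
    return sni, suites

def describe(server_hostname):
    """Summarise what this client would offer to the given hostname."""
    raw, names = client_hello(server_hostname)
    sni, suites = parse_client_hello(raw)
    return {"sni": sni, "offered": [names.get(s, hex(s)) for s in suites]}
```

Comparing `describe("test.orain.org")` with `describe(None)` shows the only thing an SNI-less client omits; a server that picks its certificate by hostname has nothing to select on in the second case and can answer with a handshake alert.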

Event Timeline

VcamX raised the priority of this task from to Needs Triage.
VcamX updated the task description.
VcamX added subscribers: VcamX, jayvdb, Halfak.
VcamX set Security to None.

This seems like a generic SSL connection issue not specifically related to OAuth. You could test to make sure by trying to connect to some random page.

@Tgr I think you're right.

>>> import requests
>>>
>>> requests.get('https://test.orain.org/wiki/Main_Page')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')]

>>> requests.get('https://meta.orain.org/')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/var/pyenv/versions/2.7.9/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')]

@jayvdb Maybe it's a requests lib problem.

@VcamX it looks like it's the server you are hitting.

$ python
Python 2.7.6 (default, Mar 22 2014, 22:59:56) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.__version__
'2.7.0'
>>> requests.get("https://test.orain.org/wiki/Main_Page")
/home/halfak/env/2.7/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/halfak/env/2.7/local/lib/python2.7/site-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/home/halfak/env/2.7/local/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/home/halfak/env/2.7/local/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/halfak/env/2.7/local/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/home/halfak/env/2.7/local/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:510: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
>>> requests.get("https://en.wikipedia.org/wiki/Main_Page")
/home/halfak/env/2.7/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
<Response [200]>

See also https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning

Per ssllabs (see the Configuration section) Orain does not support SSLv3 (nor SSL at all, in a strict technical sense, only TLS). That is a common setup - many organizations (including Wikimedia) dropped SSLv3 support in response to the POODLE attack. You are probably using an outdated or misconfigured library or OS which is not able to do protocol negotiation.

But en.wikipedia.org doesn't support SSL either and @Halfak got the error only on orain.org.

It looks more like a problem with orain.org... Is it possible that the requests lib can't adapt to orain.org or to the TLS configuration of orain.org?

But en.wikipedia.org doesn't support SSL either and @Halfak got the error only on orain.org.

Fair point. Looking at the SSLLabs analyses:

the main differences are that Orain uses SNI and only supports elliptic ciphers, while Wikimedia crams all its domains in a single certificate and has a bunch of fallback ciphers. SNI could be the reason for the error: (1) (2) (3) (although the error messages mentioned there are different)

@XZise I agree with @Tgr. Installing pyOpenSSL, ndg-httpsclient and pyasn1 works for me when using python 2.7.6.

Does ignoring ssl certificate verification work, without ndg-httpsclient?

@jayvdb, for python 2.7.6, it doesn't work.

VcamX renamed this task from OAuth handshake can't complete to OAuth handshake can't complete for test.orain.org. Aug 9 2015, 6:35 AM