Intermittent "sslv3 alert handshake failure" under Python

Question

I have a REST API written in Java running under JBoss. Recently we updated our JVM from 1.6 to 1.7. This started to cause issues with only our Python clients which were connecting. Intermittently, Python clients are getting handshake failures. We wrote a very simple test which reproduces the problem:

import httplib2

for i in range(1,500):
    print i
    response, content = httplib2.Http(disable_ssl_certificate_validation=True).request('https://server.com:8443',)

Give the following output:

.
.
.
64
65
66
67
Traceback (most recent call last):
  File "api_test/test.py", line 6, in <module>
    response, content = httplib2.Http(disable_ssl_certificate_validation=True).request('https://server.com:8443/rest/solidtumor/2012/id/50d3216c092c8554b8b9f384?glossary=true&api_key=APIKEY',)
  File "/home/hostovic/api_test/httplib2/__init__.py", line 1445, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/home/hostovic/api_test/httplib2/__init__.py", line 1197, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/home/hostovic/api_test/httplib2/__init__.py", line 1133, in _conn_request
    conn.connect()
  File "/home/hostovic/api_test/httplib2/__init__.py", line 914, in connect
    raise SSLHandshakeError(e)
httplib2.SSLHandshakeError: [Errno 1] _ssl.c:490: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

The 67th call failed on this run through, but it fails at different times each time the test is run.

Our other clients (Java, Groovy and Ruby) work without any problem.

If I switch the JVM back to 1.6 the failures stop.

I did an openssl check using:

openssl s_client -connect server.com:8443

and it returned this:

New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 50E748EA341BB433EEBC7386C606313C2B8B86360ED71DC8F3B0A14A1579D91B
    Session-ID-ctx:
    Master-Key: 1007AC489D60FE2D818F71A5A6873D5BBF5B1770BEC31CDBF29D0562DB0D30A33D9EBBA8AD211B8E24B23494B20A6223
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1357334762
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Which seems correct, but I'm not sure. If it failed on every call it would be one thing, but it's really odd to only be failing a random times. Anyone seen this?

Answer 1

I'm experiencing the same intermittent error when connecting to Tomcat 7 (Java 1.7) with Python 2.6.

I first started experiencing the issue when I upgraded my JVM from 1.7u1 to 1.7u6. From this article, it looks like the cipher preference order has changed in Java:

Java 7 and Could not generate DH keypair

Before the JVM upgrade, SSL_RSA_WITH_3DES_EDE_CBC_SHA was the preferred cipher being used for SSL communication. After the upgrade, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA gets preference. 95% of the time, the SSL communication is fine. But 5% of the time, it fails as you've described.

It seems that Python has problems with Diffie-Hellman ciphers. There is a fix in Python 3.3:

http://bugs.python.org/issue13626

My current workaround it to remove the Diffie-Hellman cipher from my enabled ciphers in Tomcat. I haven't tried upgrading to Python 3.3.