首页 / 问题 / 正文

使用Python Requests访问Shibboleth认证服务器时出现SSL错误

2 投票
1 回答
8310 浏览
提问于 2025-04-18 01:19

我正在尝试通过一个Python脚本访问一个由学术服务提供商(SP)托管的期刊文章。

这个服务器使用Shibboleth登录进行身份验证。我看过一篇关于如何用Python Requests登录SAML/Shibboleth认证服务器的文章,并尝试实现这个登录。

这个脚本首先向服务提供商请求一个链接,这个链接指向我的身份提供者(IDP)机构,然后应该自动与IDP进行身份验证。前面的部分运行得很好,但在跟随链接到IDP时,出现了SSL错误。

这是我使用的代码:

import requests
import lxml.html

LOGINLINK = 'https://www.jsave.org/action/showLogin?redirectUri=%2F'
USERAGENT = 'Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0'

s = requests.session()
s.headers.update({'User-Agent' : USERAGENT})

# getting the page where you can search for your IDP
# need to get the cookies so we can continue
response = s.get(LOGINLINK)
rtext = response.text
print('Don\'t see your school?' in rtext) # prints True

# POSTing the name of my institution
data = {
    'institutionName' : 'tubingen',
    'submitForm' : 'Search',
    'currUrl' : '%2Faction%2FshowBasicSearch',
    'redirectUri' : '%2F',
    'activity' : 'isearch'
}
response = s.post(BASEURL + '/action/showLogin', data=data)
rtext = response.text
print('university of tubingen' in rtext) # prints True

# get the link that leads to the IDP
tree = lxml.html.fromstring(rtext)
loginlinks = tree.cssselect('a.extLogin')
if (loginlinks):
    loginlink = loginlinks[0].get('href')
else: 
    exit(1)

print('continuing to IDP')
response = s.get(loginlink)
rtext = response.text
print('zentrale Anmeldeseite' in rtext)

运行后得到的结果是:

continuing to IDP...

2014-04-04 10:04:06,010 - INFO - Starting new HTTPS connection (1): idp.uni-tuebingen.de
Traceback (most recent call last):

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 480, in urlopen
body=body, headers=headers)

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 285, in _make_request
conn.request(method, url, **httplib_request_kw)

File "/usr/lib/python3.4/http/client.py", line 1066, in request
self._send_request(method, url, body, headers)

File "/usr/lib/python3.4/http/client.py", line 1104, in _send_request
self.endheaders(body)

File "/usr/lib/python3.4/http/client.py", line 1062, in endheaders
self._send_output(message_body)

File "/usr/lib/python3.4/http/client.py", line 907, in _send_output
self.send(msg)

File "/usr/lib/python3.4/http/client.py", line 842, in send
self.connect()

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/connection.py", line 164, in connect
ssl_version=resolved_ssl_version)

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/util.py", line 639, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)

File "/usr/lib/python3.4/ssl.py", line 344, in wrap_socket
_context=self)

File "/usr/lib/python3.4/ssl.py", line 540, in __init__
self.do_handshake()

File "/usr/lib/python3.4/ssl.py", line 767, in do_handshake
self._sslobj.do_handshake()

ssl.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:598)


During handling of the above exception, another exception occurred:

Traceback (most recent call last):

File "/usr/lib/python3.4/site-packages/requests/adapters.py", line 330, in send
timeout=timeout

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 504, in urlopen
raise SSLError(e)

requests.packages.urllib3.exceptions.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:598)


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "./try.py", line 154, in <module>
response = s.get(loginlink)

File "/usr/lib/python3.4/site-packages/requests/sessions.py", line 395, in get
return self.request('GET', url, **kwargs)

File "/usr/lib/python3.4/site-packages/requests/sessions.py", line 383, in request
resp = self.send(prep, **send_kwargs)

File "/usr/lib/python3.4/site-packages/requests/sessions.py", line 486, in send
r = adapter.send(request, **kwargs)

File "/usr/lib/python3.4/site-packages/requests/adapters.py", line 385, in send
raise SSLError(e)

requests.exceptions.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:598)

使用s.get(loginlink, verify=False)也会出现完全相同的错误。简单使用urllib.request.urlopen(loginlink)也会这样。

不过,把这个链接打印出来并粘贴到Firefox浏览器中是可以正常工作的。

身份验证 urllib ssl错误 saml shibboleth 学术服务 服务提供商 idp

1 个回答

2

经过尝试使用 openssl s_client,发现目标地址 idp.uni-tuebingen.de:443 只支持 SSLv3,而对更新的版本表现不佳。当强制使用 SSLv3 时,得到的结果是:

$ openssl s_client -connect idp.uni-tuebingen.de:443 -ssl3
CONNECTED(00000003)
depth=3 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN = Deutsche Telekom Root CA 2
...

但是在默认设置下或者强制使用 TLSv1(-tls1)时,只会返回一个警告:

openssl s_client -connect idp.uni-tuebingen.de:443 
CONNECTED(00000003)
140493591938752:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:741:

所以你需要找到一种方法来强制这个连接使用 SSLv3。我对 Python 还不太熟悉,但也许可以参考 http://docs.python-requests.org/en/latest/user/advanced/ 中的“示例:特定 SSL 版本”这一章。

至于为什么在 Firefox 中可以正常工作:浏览器通常会在使用更安全的版本连接失败时,尝试降级到较低的 SSL 版本。比如说,大家都在想办法绕过那些有问题的东西,这样那些有问题的东西的拥有者就没有修复它的意愿了 :(

回答于 2025-04-18 由 Python大师
分享 举报

撰写回答