我正在尝试通过 python 应用程序中的 FTPLib 获取一些文件 我经常遇到的错误
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1007)
我的通过 ftp 连接的功能
def download_alpha(self, filename):
"""Download the given file."""
host = 'ftp.appareldownload.com'
user = self.ftp_user
passwd = self.ftp_password
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
ssl_context.set_ciphers("AES256-GCM-SHA384")
ssl_context.set_alpn_protocols(["http/1.1"])
ftp = FTP_TLS()
ftp.ssl_context = ssl_context
ftp.connect(host)
ftp.login(user=user, passwd=passwd)
self.download_file(ftp, filename)
ftp.quit()
尝试添加我从 openssl s_client -connect ftp.appareldownload.com:21 -starttls ftp 获取的所有这些密码和 tls 协议
o/p
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
verify return:1
depth=0 CN = ftp.appareldownload.com
verify return:1
---
Certificate chain
0 s:CN = ftp.appareldownload.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 6 00:00:00 2023 GMT; NotAfter: Apr 5 23:59:59 2024 GMT
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 2 12:24:25 2017 GMT; NotAfter: Nov 2 12:24:25 2027 GMT
2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGHzCCBQegAwIBAgIQDF0nwoY6uFRmGjvTETk8oTANBgkqhkiG9w0BAQsFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMR0wGwYDVQQDExRUaGF3dGUgVExTIFJTQSBDQSBHMTAe
Fw0yMzAzMDYwMDAwMDBaFw0yNDA0MDUyMzU5NTlaMCIxIDAeBgNVBAMTF2Z0cC5h
cHBhcmVsZG93bmxvYWQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA3ZRNQ6Eo3DPV68FAvRA18aJ0BjjMm5xERgErDqkNF67ScMG+SUy9LzYnZK0D
QS3m65soJ483HZXnBJTRuUi5PGTAOMvKU/wl2w/4JJQFPS7mQzkvh2wDb4k9h3J3
xPKQkhdqrdfDmP4qTYF5Gcewu28u5+YFG7olcvYtl73HG8kfCOj5MpQxeXDZ1gsi
Qt9P85fimO5pl31TCsEDItz7DdjpmbyEXZUmXypydQaY71BhI8i6fQ2C2MfsKIhA
stYJH1Gfge8nyx7/5+7T1t7tCs6oa5MoBVtEayPposRWdbHdJ6H3w6vOoU2rw2FO
6jVzO3MwRidGIR+9GYNHZOlhdQIDAQABo4IDEzCCAw8wHwYDVR0jBBgwFoAUpYz+
MszrDyzUGcYIuAAkiF3DxbcwHQYDVR0OBBYEFNkt68PBPoUQGzrsoXLzGFOkTGPP
MCIGA1UdEQQbMBmCF2Z0cC5hcHBhcmVsZG93bmxvYWQuY29tMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwOwYDVR0fBDQwMjAw
oC6gLIYqaHR0cDovL2NkcC50aGF3dGUuY29tL1RoYXd0ZVRMU1JTQUNBRzEuY3Js
MD4GA1UdIAQ3MDUwMwYGZ4EMAQIBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cu
ZGlnaWNlcnQuY29tL0NQUzBwBggrBgEFBQcBAQRkMGIwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9zdGF0dXMudGhhd3RlLmNvbTA6BggrBgEFBQcwAoYuaHR0cDovL2NhY2Vy
dHMudGhhd3RlLmNvbS9UaGF3dGVUTFNSU0FDQUcxLmNydDAJBgNVHRMEAjAAMIIB
fgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgDuzdBk1dsazsVct520zROiModGfLzs
3sNRSFlGcR+1mwAAAYa4a/nUAAAEAwBHMEUCIFvJziHidLE6XYnfWfTYNB5n50wP
nQ8IXhX/+A1SWwIjAiEAwa2ab90sUntGHcFNQ8KfGKwPSRhJ79UNaYgZNjevOY4A
dwBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYa4a/oIAAAEAwBI
MEYCIQDVJGon5z7/5Lf/+eE8NXjwrUxSOGx2s2SAsNJBJiFNEAIhAPKGzbMhJhET
J3kNPGJZy1GVzPoGeBfYSaYidVzK79qhAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0
x70ADS1yb+H61BcAAAGGuGv6DwAABAMARjBEAiBkxeMdebR8kPAT4O4N7mFTgqSZ
rN1pekPUs4m+M3YldAIgP0sAhVqQevfUnziARzUNw6xph5AQifIwkJcCRdJbyS0w
DQYJKoZIhvcNAQELBQADggEBAEnPkIBWpX1kaiu5YzZy0GoH6RLFPqfq8R+J73VH
a66phougREr+pM9dYh3UA675fqFcxNFCV74ogvW3AOCLXbB9MRkm2YE6jQVyTG9M
tjV98oRzifwyJcVb2MbqLWDefQUdoNkV0SGTtPZTUQktHjCzp/a4O1+++BQYpVmH
sDvSQpSFS7XYNIBzpbFMwrK5syiR9Wg96yeI2Lq9+flvY58GDgShat14MPt7M/Ri
LZiLEobPOYe7PejKWhqi4q6lqBsqRc1DdejtE0Yf9eZNJUbYBSmPN0S+hVZvEkNa
d7eA3BVsnMjVd2SXfzhwnQEdEqschy9APeZONZAbVRhebmI=
-----END CERTIFICATE-----
subject=CN = ftp.appareldownload.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
---
No client certificate CA names sent
---
SSL handshake has read 4099 bytes and written 657 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: 99F8A067156144FCE55741788AAC15E42759D4836B47FB7B90221920524995A7
Session-ID-ctx:
Master-Key: 0280D714F6F15ED7781AE92E94EE7BF355C435E4FE59A6A478CDD627D743C6CAC79482F65BA2D03CB96AFE8EB5DE47FF
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 24 6d b4 25 6f a5 b2 56-7b 9c 07 9d 14 71 88 5d $m.%o..V{....q.]
0010 - 98 db 8f 45 a8 fe 53 98-f4 2a 54 8b ae 49 d8 be ...E..S..*T..I..
0020 - cb f0 93 ed 6e c5 dc cb-b6 c9 69 90 cd 96 e0 f4 ....n.....i.....
0030 - 74 75 54 b4 67 79 ce 9f-8f 0d 11 dc 71 7d 1e 7a tuT.gy......q}.z
0040 - ac 8d 8d 0c 4e 20 1b 8a-81 4c 1e 9a 90 ba 9c 09 ....N ...L......
0050 - e4 30 bf 27 41 4e d7 81-d3 d1 6c 6f 90 cf c0 9d .0.'AN....lo....
0060 - cd 70 80 53 24 9d e5 a6-fb 2c 48 cd a7 07 59 a4 .p.S$....,H...Y.
0070 - ee ae 20 53 90 16 db fe-c2 74 86 48 25 d0 59 49 .. S.....t.H%.YI
0080 - 25 5b 6b c9 4d db 01 1a-b8 c1 f3 c3 64 0a 48 af %[k.M.......d.H.
0090 - eb 0f f3 10 31 bb b0 fc-b1 ea 4d 78 08 a2 cd 94 ....1.....Mx....
00a0 - 51 3f f3 86 bd a7 0b 1b-7c b8 1f 8f fb 73 c0 7a Q?......|....s.z
00b0 - 9f 59 74 65 ed cc 70 c0-c0 2d bc a1 f9 b8 18 4e .Yte..p..-.....N
Start Time: 1702873717
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
220 ftp7.broderbros.com X2 WS_FTP Server 7.7(76106001)
closed
我正在运行一个 docker 容器 python:3.10.13-bookworm openssl 版本是 OpenSSL 3.0.11 2023 年 9 月 19 日
我尝试添加 ssl 上下文以期望通过握手。问题仍然存在。
错误的堆栈跟踪
Attaching to my_python_app-1
my_python_app-1 | /app/main.py:29: DeprecationWarning: ssl.PROTOCOL_TLSv1_2 is deprecated
my_python_app-1 | ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
my_python_app-1 | *get* '220 ftp7.broderbros.com X2 WS_FTP Server 7.7(41376683)\n'
my_python_app-1 | *resp* '220 ftp7.broderbros.com X2 WS_FTP Server 7.7(41376683)'
my_python_app-1 | *cmd* 'AUTH TLS'
my_python_app-1 | *put* 'AUTH TLS\r\n'
my_python_app-1 | *get* '234 SSL enabled and waiting for negotiation\n'
my_python_app-1 | *resp* '234 SSL enabled and waiting for negotiation'
my_python_app-1 | Traceback (most recent call last):
my_python_app-1 | File "/app/main.py", line 45, in <module>
my_python_app-1 | testone().download_alpha('AllDBDiscoALP_4.txt')
my_python_app-1 | File "/app/main.py", line 37, in download_alpha
my_python_app-1 | ftp.login(user=user, passwd=passwd)
my_python_app-1 | File "/usr/local/lib/python3.10/ftplib.py", line 745, in login
my_python_app-1 | self.auth()
my_python_app-1 | File "/usr/local/lib/python3.10/ftplib.py", line 756, in auth
my_python_app-1 | self.sock = self.context.wrap_socket(self.sock, server_hostname=self.host)
my_python_app-1 | File "/usr/local/lib/python3.10/ssl.py", line 513, in wrap_socket
my_python_app-1 | return self.sslsocket_class._create(
my_python_app-1 | File "/usr/local/lib/python3.10/ssl.py", line 1104, in _create
my_python_app-1 | self.do_handshake()
my_python_app-1 | File "/usr/local/lib/python3.10/ssl.py", line 1375, in do_handshake```
my_python_app-1 | self._sslobj.do_handshake()
my_python_app-1 | ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1007)
ftp = FTP_TLS()
ftp.ssl_context = ssl_context
ftp.ssl_context
的设置无效。并且没有记录表明它应该有任何效果。相反,上下文应该作为参数给出 FTP_TLS
如文档所示:
ftp = FTP_TLS(context = ssl_context)
由于原始设置没有效果,因此使用了较新的 Python 和 OpenSSL 版本的更安全的默认值,默认情况下禁用 RSA 密钥交换。不幸的是,服务器似乎需要 RSA 密钥交换,因此使用默认设置的连接失败。