Bug #1035: Input fails on IIS over HTTPS due to missing servername - Website Monitoring - LukeMurphey.net

Bug #1035

Input fails on IIS over HTTPS due to missing servername

Added by Luke Murphey almost 10 years ago. Updated almost 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Luke Murphey

Target version:

1.3

Start date:

08/25/2015

Due date:

% Done:

100%

Description

Huge fan of your app, seems to be a lot of clients using it and it’s proving to be a great way to get instant results for a lot of eComm heavy and branding focused organisations.

I’ve been trying to roll it out for a client of mine and it appears that it’s struggling with certain URLs running over HTTPS on IIS.

For example, when we try to hit up https://www.penfolds.com within the app, it fails to connect. After a fair bit of digging around, it appears to be down to how IIS handles SSL requests, as highlighted here:

http://blog.helge.net/2014/06/error-connecting-with-openssl-sclient.html

I tried to connect via OpenSSL with:

s_client –connect www.penfolds.com:443

This immediately returns an errorno=54

I can successfully connect with:

s_client –connect www.penfolds.com:443 –servername www.penfolds.com

Hooray for IIS.

That being said, do you think you may be able to add/fix this particular feature in a release for this app in the future? I guess a checkbox/field combo box to add a “–servername" argument when creating the input would be best, but I’m no app-creating genius, and there may be better ways to go about this.

Let me know if you have any questions about this particular issue; happy to give you more background.

References:

http://blog.helge.net/2014/06/error-connecting-with-openssl-sclient.html
https://docs.python.org/2/whatsnew/2.7.html#pep-466-network-security-enhancements-for-python-2-7 (this may have been fixed in python 2.7)

History

#1 Updated by Luke Murphey almost 10 years ago

Might be related: https://github.com/DataDog/dd-agent/issues/1196

#2 Updated by Luke Murphey almost 10 years ago

Adding the host doesn't seem to work. It appears that httplib2 provides this by itself.

#3 Updated by Luke Murphey almost 10 years ago

My problem might be SNI: http://docs.python-requests.org/en/latest/community/faq/

#4 Updated by Luke Murphey almost 10 years ago

It appears this may never work: https://code.google.com/p/httplib2/issues/detail?id=233

#5 Updated by Luke Murphey almost 10 years ago

I don't think I can fix this. From what I can tell, you need support from the SSL libs (https://stackoverflow.com/questions/18578439/using-requests-with-tls-doesnt-give-sni-support/18579484#18579484). I cannot install these from an app though.

Thats a good test for SNI support (or lack thereof).

#9 Updated by Luke Murphey almost 10 years ago

Requests seems to work:

import requests
r = requests.get('https://www.penfolds.com')
r.status_code # Is 200

#10 Updated by Luke Murphey almost 10 years ago

Need to enable proxy support: https://scraperjs.wordpress.com/2013/11/26/using-socks-proxy-in-python-for-httphttps-requests/

#11 Updated by Luke Murphey almost 10 years ago

This isn't working even after converting to requests. It appears that the unit tests succeed with Splunk's Python interpreter, but fail when running within Splunk.