Bug #1035

Input fails on IIS over HTTPS due to missing servername

Added by Luke Murphey about 9 years ago. Updated about 9 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Start date: 08/25/2015
Due date:
% Done: 100%


Description

Huge fan of your app, seems to be a lot of clients using it and it’s proving to be a great way to get instant results for a lot of eComm heavy and branding focused organisations.

I’ve been trying to roll it out for a client of mine and it appears that it’s struggling with certain URLs running over HTTPS on IIS.

For example, when we try to hit up https://www.penfolds.com within the app, it fails to connect. After a fair bit of digging around, it appears to be down to how IIS handles SSL requests, as highlighted here:

http://blog.helge.net/2014/06/error-connecting-with-openssl-sclient.html

I tried to connect via OpenSSL with:

s_client -connect www.penfolds.com:443

This immediately returns an errorno=54

I can successfully connect with:

s_client -connect www.penfolds.com:443 -servername www.penfolds.com

Hooray for IIS.

That being said, do you think you may be able to add/fix this particular feature in a release for this app in the future? I guess a checkbox/field combo box to add a “-servername” argument when creating the input would be best, but I’m no app-creating genius, and there may be better ways to go about this.

Let me know if you have any questions about this particular issue; happy to give you more background.

References:

History

#2 Updated by Luke Murphey about 9 years ago

Adding the host doesn't seem to work. It appears that httplib2 provides this by itself.

#5 Updated by Luke Murphey about 9 years ago

I don't think I can fix this. From what I can tell, you need support from the SSL libs (https://stackoverflow.com/questions/18578439/using-requests-with-tls-doesnt-give-sni-support/18579484#18579484). I cannot install these from an app though.

#7 Updated by Luke Murphey about 9 years ago

Going to try using the requests library version 2.5.1 (https://github.com/kennethreitz/requests/releases/tag/v2.5.1).

#8 Updated by Luke Murphey about 9 years ago

BTW: look at the unit test testSslHostnameValidation here: https://github.com/kerin/httplib2/blob/master/python2/httplib2test.py

That's a good test for SNI support (or lack thereof).

#9 Updated by Luke Murphey about 9 years ago

Requests seems to work:

import requests
r = requests.get('https://www.penfolds.com')
r.status_code # Is 200

#11 Updated by Luke Murphey about 9 years ago

This isn't working even after converting to requests. It appears that the unit tests succeed with Splunk's Python interpreter, but fail when running within Splunk.

#12 Updated by Luke Murphey about 9 years ago

Scratch that; I think this should work if Splunk is upgraded since SNI works on Python 2.7.9 and up.

#13 Updated by Luke Murphey about 9 years ago

Need to make sure timeouts are recognized too.

#14 Updated by Luke Murphey about 9 years ago

Timeouts are not being raised like this: http://www.mobify.com/blog/http-requests-are-hard/

#17 Updated by Luke Murphey about 9 years ago

  • Status changed from New to In Progress
  • Target version set to 1.3
  • % Done changed from 0 to 70

#18 Updated by Luke Murphey about 9 years ago

Splunk 6.2.5 ships with Python 2.7.8. It appears that 6.3.0 is a minimum to achieve SNI support.
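What the `-servername` option changes on the wire, as an added example that is not part of the original ticket or the app's code: it builds a ClientHello in memory with Python 3's `ssl` module (no network connection is made) and parses it for the server_name (SNI) extension. The host name `www.example.test` and the function names are assumptions made for the illustration.

```python
import ssl
import struct

def client_hello(server_hostname=None):
    """Return the first TLS record this runtime would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Hostname checking is switched off only so a ClientHello without a
    # server name can be generated for comparison; the handshake never completes.
    ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and no server will answer
    return outgoing.read()

def sni_names(record):
    """Parse a ClientHello record and return the host names in its SNI extension."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                    # compression methods
    if pos + 2 > len(record):
        return []                             # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    names = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0:                     # server_name extension
            p, stop = pos + 2, pos + ext_len  # skip server_name_list length
            while p + 3 <= stop:
                name_type, name_len = struct.unpack_from("!BH", record, p)
                p += 3
                if name_type == 0:            # host_name entry
                    names.append(record[p:p + name_len].decode("ascii"))
                p += name_len
        pos += ext_len
    return names

if __name__ == "__main__":
    host = "www.example.test"                 # constructed name, never contacted
    print("ssl.HAS_SNI:", ssl.HAS_SNI)
    print("with server_hostname:", sni_names(client_hello(host)))
    print("without server_hostname:", sni_names(client_hello()))
```

An empty list for a call that did pass `server_hostname` would mean the runtime's TLS stack is not sending SNI, which is the condition this ticket traces the IIS failures to.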

#19 Updated by Luke Murphey about 9 years ago

  • % Done changed from 70 to 100

#20 Updated by Luke Murphey about 9 years ago

  • Status changed from In Progress to Closed
