Bug #1035
Input fails on IIS over HTTPS due to missing servername
100%
Description
References:Huge fan of your app, seems to be a lot of clients using it and it’s proving to be a great way to get instant results for a lot of eComm heavy and branding focused organisations.
I’ve been trying to roll it out for a client of mine and it appears that it’s struggling with certain URLs running over HTTPS on IIS.
For example, when we try to hit up https://www.penfolds.com within the app, it fails to connect. After a fair bit of digging around, it appears to be down to how IIS handles SSL requests, as highlighted here:
http://blog.helge.net/2014/06/error-connecting-with-openssl-sclient.html
I tried to connect via OpenSSL with:
s_client –connect www.penfolds.com:443
This immediately returns an errorno=54
I can successfully connect with:
s_client –connect www.penfolds.com:443 –servername www.penfolds.com
Hooray for IIS.
That being said, do you think you may be able to add/fix this particular feature in a release for this app in the future? I guess a checkbox/field combo box to add a “–servername" argument when creating the input would be best, but I’m no app-creating genius, and there may be better ways to go about this.
Let me know if you have any questions about this particular issue; happy to give you more background.
- http://blog.helge.net/2014/06/error-connecting-with-openssl-sclient.html
- https://docs.python.org/2/whatsnew/2.7.html#pep-466-network-security-enhancements-for-python-2-7 (this may have been fixed in python 2.7)
History
#1 Updated by Luke Murphey over 9 years ago
Might be related: https://github.com/DataDog/dd-agent/issues/1196
#2 Updated by Luke Murphey over 9 years ago
Adding the host doesn't seem to work. It appears that httplib2 provides this by itself.
#3 Updated by Luke Murphey over 9 years ago
My problem might be SNI: http://docs.python-requests.org/en/latest/community/faq/
#4 Updated by Luke Murphey over 9 years ago
It appears this may never work: https://code.google.com/p/httplib2/issues/detail?id=233
#5 Updated by Luke Murphey over 9 years ago
I don't think I can fix this. From what I can tell, you need support from the SSL libs (https://stackoverflow.com/questions/18578439/using-requests-with-tls-doesnt-give-sni-support/18579484#18579484). I cannot install these from an app though.
#7 Updated by Luke Murphey over 9 years ago
Going to try using the requests library version 2.5.1 (https://github.com/kennethreitz/requests/releases/tag/v2.5.1).
#8 Updated by Luke Murphey over 9 years ago
BTW: look at the unit test testSslHostnameValidation here: https://github.com/kerin/httplib2/blob/master/python2/httplib2test.py
Thats a good test for SNI support (or lack thereof).
#9 Updated by Luke Murphey over 9 years ago
Requests seems to work:
import requests r = requests.get('https://www.penfolds.com') r.status_code # Is 200
#10 Updated by Luke Murphey over 9 years ago
Need to enable proxy support: https://scraperjs.wordpress.com/2013/11/26/using-socks-proxy-in-python-for-httphttps-requests/
#11 Updated by Luke Murphey over 9 years ago
This isn't working even after converting to requests. It appears that the unit tests succeed with Splunk's Python interpreter, but fail when running within Splunk.
#12 Updated by Luke Murphey over 9 years ago
Scratch that; I think this should work if Splunk is upgraded since SNI works on python 2.7.9 and up.
#13 Updated by Luke Murphey over 9 years ago
Need to make sure timeouts are recognized too.
#14 Updated by Luke Murphey over 9 years ago
Timeouts are not being raised like this: http://www.mobify.com/blog/http-requests-are-hard/
#15 Updated by Luke Murphey over 9 years ago
How to set timeout: https://urllib3.readthedocs.org/en/latest/index.html#timeout
#16 Updated by Luke Murphey over 9 years ago
#17 Updated by Luke Murphey over 9 years ago
- Status changed from New to In Progress
- Target version set to 1.3
- % Done changed from 0 to 70
#18 Updated by Luke Murphey over 9 years ago
Splunk 6.2.5 ships with Python 2.7.8. It appears that 6.3.0 is a minimum to achieve SNI support.
#19 Updated by Luke Murphey over 9 years ago
- % Done changed from 70 to 100
#20 Updated by Luke Murphey over 9 years ago
- Status changed from In Progress to Closed