Project

General

Profile

Bug #1035

Input fails on IIS over HTTPS due to missing servername

Added by Luke Murphey over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Start date:
08/25/2015
Due date:
% Done:

100%


Description

Huge fan of your app, seems to be a lot of clients using it and it’s proving to be a great way to get instant results for a lot of eComm heavy and branding focused organisations.

I’ve been trying to roll it out for a client of mine and it appears that it’s struggling with certain URLs running over HTTPS on IIS.

For example, when we try to hit up https://www.penfolds.com within the app, it fails to connect. After a fair bit of digging around, it appears to be down to how IIS handles SSL requests, as highlighted here:

http://blog.helge.net/2014/06/error-connecting-with-openssl-sclient.html

I tried to connect via OpenSSL with:

s_client –connect www.penfolds.com:443

This immediately returns an errorno=54

I can successfully connect with:

s_client –connect www.penfolds.com:443 –servername www.penfolds.com

Hooray for IIS.

That being said, do you think you may be able to add/fix this particular feature in a release for this app in the future? I guess a checkbox/field combo box to add a “–servername" argument when creating the input would be best, but I’m no app-creating genius, and there may be better ways to go about this.

Let me know if you have any questions about this particular issue; happy to give you more background.

References:

History

#2 Updated by Luke Murphey over 9 years ago

Adding the host doesn't seem to work. It appears that httplib2 provides this by itself.

#5 Updated by Luke Murphey over 9 years ago

I don't think I can fix this. From what I can tell, you need support from the SSL libs (https://stackoverflow.com/questions/18578439/using-requests-with-tls-doesnt-give-sni-support/18579484#18579484). I cannot install these from an app though.

#7 Updated by Luke Murphey over 9 years ago

Going to try using the requests library version 2.5.1 (https://github.com/kennethreitz/requests/releases/tag/v2.5.1).

#8 Updated by Luke Murphey over 9 years ago

BTW: look at the unit test testSslHostnameValidation here: https://github.com/kerin/httplib2/blob/master/python2/httplib2test.py

Thats a good test for SNI support (or lack thereof).

#9 Updated by Luke Murphey over 9 years ago

Requests seems to work:

import requests
r = requests.get('https://www.penfolds.com')
r.status_code # Is 200

#11 Updated by Luke Murphey over 9 years ago

This isn't working even after converting to requests. It appears that the unit tests succeed with Splunk's Python interpreter, but fail when running within Splunk.

#12 Updated by Luke Murphey over 9 years ago

Scratch that; I think this should work if Splunk is upgraded since SNI works on python 2.7.9 and up.

#13 Updated by Luke Murphey over 9 years ago

Need to make sure timeouts are recognized too.

#14 Updated by Luke Murphey over 9 years ago

Timeouts are not being raised like this: http://www.mobify.com/blog/http-requests-are-hard/

#17 Updated by Luke Murphey over 9 years ago

  • Status changed from New to In Progress
  • Target version set to 1.3
  • % Done changed from 0 to 70

#18 Updated by Luke Murphey over 9 years ago

Splunk 6.2.5 ships with Python 2.7.8. It appears that 6.3.0 is a minimum to achieve SNI support.

#19 Updated by Luke Murphey over 9 years ago

  • % Done changed from 70 to 100

#20 Updated by Luke Murphey over 9 years ago

  • Status changed from In Progress to Closed

Also available in: Atom PDF