使用scrapy 1.6.0(扭曲18.9.0,pyopenssl 19.0.0,openssl 1.0.2r,osx 10.14.3)。我已经排除了用户代理和robots.txt。似乎是证书协商问题。不涉及任何Web代理。
要复制:
04:49:59 dork@Dorks-MacBook:~
0 $ scrapy shell
.
.
.
>>> fetch('https://www.labor.ny.gov')
2019-04-05 16:45:11 [scrapy.core.engine] INFO: Spider opened
Traceback (most recent call last):
File "<console>", line 1, in <module>
File "/Users/dork/project/venv/lib/python3.6/site-packages/scrapy/shell.py", line 115, in fetch
reactor, self._schedule, request, spider)
File "/Users/dork/project/venv/lib/python3.6/site-packages/twisted/internet/threads.py", line 122, in blockingCallFromThread
result.raiseException()
File "/Users/dork/project/venv/lib/python3.6/site-packages/twisted/python/failure.py", line 467, in raiseException
raise self.value.with_traceback(self.tb)
twisted.web._newclient.ResponseNeverReceived: [<twisted.python.failure.Failure twisted.internet.error.ConnectionLost: Connection to the other side was lost in a non-clean fashion: Connection lost.>]
尝试直接在命令行上通过OpenSSL进行连接和协商似乎也失败了:
0 $ openssl version
OpenSSL 1.0.2r 26 Feb 2019
04:49:59 dork@Dorks-MacBook:~
0 $ openssl s_client -connect www.labor.ny.gov:443
CONNECTED(00000003)
4472571500:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1554497411
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
但是,如果我将openssl强制为TLSv1,它似乎可以工作。我只是不知道如何从草率->扭曲-> pyopenssl-> OpenSSL或可能的情况下强制这样做。
04:49:59 dork@Dorks-MacBook:~
0 $ openssl s_client -tls1 -connect www.labor.ny.gov:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = US, ST = New York, L = Albany, O = New York State Office for Technology, CN = labor.ny.gov
verify return:1
---
Certificate chain
0 s:/C=US/ST=New York/L=Albany/O=New York State Office for Technology/CN=labor.ny.gov
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
.
.
.
邮递员也无法获取该页面。似乎所有依赖OpenSSL的东西都无声地死亡。
答案 0 :(得分:0)
没有完整的答案;如果有人可以添加刮板(或相关的)部件,请使用CW。
Man that server is bad! 它仅支持SSL2 SSL3和TLS1.0,其中前两个完全被破坏,第一个完全被破坏上个世纪。它标识为IIS / 6.0,该版本可追溯到Windows Server 2003,Windows Server 2003的生命周期很短。
FWLIW实际上并不是版本不兼容的,也不是因为超过256个字节而打断的,因为一些有缺陷的实现是在几年前发现的;如果我使用OpenSSL 1.0.2发送给ClientHello,则它提供的TLS1.2密码仅限于kRSA,它会正确协商到TLS1.0。它仅在OpenSSL> = 1.0.2 default ClientHello失败,该客户端使用比以前版本大得多的密码列表,因为TLS1.2为新的AEAD格式和新的PRF方案添加了一堆新的密码套件。强制TLS1.0具有相同的效果,因为它使OpenSSL仅提供在TLS1.0中有效的较小的密码套件列表。 我隐约记得一个由“大”密码列表触发的XP时代的错误,这可能是这里的问题。
这不是证书。证书是他们唯一拥有 right 的权限。