go to a diagnostics site like this one https://www.ssllabs.com/ssltest/analyze.html
find out what protocol the website uses (TLS1.0, TLS1.2, SSL3.0 (only?) …)
find out what obsolete ciphers suite are used
from 3) translate cipher name to the the openssl name from a list like https://www.openssl.org/docs/man1.1.0/apps/ciphers.html or http://testssl.sh/openssl-rfc.mapping.html to use in code
import requests, ssl
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.poolmanager import PoolManager
from requests.packages.urllib3.util import ssl_
class OldInsecureWebsiteAdapter(HTTPAdapter):
def __init__(self, **kwargs):
super(OldInsecureWebsiteAdapter, self).__init__(**kwargs)
def init_poolmanager(self, *pool_args, **pool_kwargs):
"""
my website uses TLS1.0 ONLY (from step 2)
and several obsolete ciphers (from step 3/4 I only picked one)
"""
context = ssl_.create_urllib3_context(ssl.PROTOCOL_TLSv1, ciphers="DES-CBC3-SHA")
"""
website does not support anything else so exclude all other protocols
"""
context.options |= ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_3 | ssl.OP_NO_TLSv1_2
context.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_SSLv2
self.poolmanager = PoolManager(*pool_args,
ssl_context=context,
**pool_kwargs)
url = "https://yourwebsite.gov.whocares"
session = requests.session()
session.mount(url, OldInsecureWebsiteAdapter())
result = session.get(url)
#no more ssl3 handshake error...
go to a diagnostics site like this one https://www.ssllabs.com/ssltest/analyze.htmlfind out what protocol the website uses (TLS1.0, TLS1.2, SSL3.0 (only?) …)find out what obsolete ciphers suite are...