tshark port 443 SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 267 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 263 Version: TLS 1.2 (0x0303) Random gmt_unix_time: Aug 26, 1973 10:35:41.000000000 UTC random_bytes: 46f445e55a639f227706f911bac2c2b312e64fa6f95dd630... Session ID Length: 0 Cipher Suites Length: 86 Cipher Suites (43 suites)How to avoid this issue? If you're using the Python requests library, one way is to take advantage of the PyOpenSSL extensions that will patch the underlying SSL implementation (https://github.com/shazow/urllib3/blob/master/urllib3/contrib/pyopenssl.py). This way, you don't need to get into the nitty/gritty details of patching the code yourself.
In order to do so, you must first install the libffi-dev package before doing a pip install:
pip install pyopenssl ndg-httpsclient pyasn1The requests library automatically tries to import this library (see https://github.com/kennethreitz/requests/blob/master/requests/__init__.py#L51-56), but in order to fix the above issue, you may have to set the DEFAULT_SSL_CIPHER_LIST to MEDIUM instead of DEFAULT. Note: do not make this change unless you understand the implications to reduce the cipher strength. For more options, see https://www.openssl.org/docs/apps/ciphers.html.
# Attempt to enable urllib3's SNI support, if possible from requests.packages.urllib3.contrib import pyopenssl pyopenssl.inject_into_urllib3() pyopenssl.DEFAULT_SSL_CIPHER_LIST = "MEDIUM"One other issue to note: pip installs also rely on the requests library, so adding this change will also enable certificate validation. Be sure to be using pip v1.5.6 since older pip installs have 301/302 redirect issues when using this package.
Addendum: you can download https://github.com/iSECPartners/sslyze/releases and use sslyze.py to probe the supported ciphers (i.e. python sslyze.py --sslv3 www.google.com). AES-128 and AES-256 based encryption may need to be added to your cipher list.