AttributeError: module 'urllib3.util.ssl_' has no attribute 'DEFAULT_CIPHERS'

Question

AttributeError: module 'urllib3.util.ssl_' has no attribute 'DEFAULT_CIPHERS'

n3bojs4 opened this issue a year ago · comments

The Issue

After cloning and using the project in a virtual env and install requirements, i had this error message when launching the program :


└─$ python humble.py -u https://business-together-as-a-service.com/                                                                                                                                                               

 Analyzing URL, please wait ...

Traceback (most recent call last):
  File "/home/milan/Stuff/Tools/humble/humble.py", line 872, in <module>
    requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'urllib3.util.ssl_' has no attribute 'DEFAULT_CIPHERS'

OS and Python infos

Python 3.11.4 on kali linux
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2023.3
Codename: kali-rolling

How i fixed this :

I fixed the issue by uninstalling urllib3 ( urllib3-2.0.4 ) and adding urllib3<2 in requirements.txt

n3bojs4 · Answer 1 · Thu Sep 14 2023 16:59:48 GMT+0800 (China Standard Time)

FYI : I used this page to fix my issue : https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html#importerror-cannot-import-name-default-ciphers-from-urllib3-util-ssl

Rafa 'Bluesman' Faura · Answer 2 · Thu Sep 14 2023 20:07:08 GMT+0800 (China Standard Time)

Thank you for reporting it!.

I have to check it in more detail, as it may also be related to the 'requests' library, and the minimum required version that I indicate in the requirements file.

Rafa 'Bluesman' Faura · Answer 3 · Thu Sep 14 2023 23:48:46 GMT+0800 (China Standard Time)

After reading a bit about this topic tomorrow I will start with several tests to change the current logic: using SSLContext, an HTTPAdapter class and working directly with Session objects.

The underlying problem, indeed, seems to be that from version 2 of urllib3 (or version 2.30 of the requests library that supports that version of urllib3), the DEFAULT_CIPHERS attribute was removed.

My goal with this code-level change is to avoid modifying the requirements file, allowing that regardless of the version of urllib3/requests installed, this tool will work without problems.

I'll keep updating this issue!

Rafa 'Bluesman' Faura · Answer 4 · Sat Sep 23 2023 23:46:26 GMT+0800 (China Standard Time)

Well, this is getting difficult :( ... I've done several tests and I can't find the right combination of the SSLContext and HTTPAdapter to retrieve the response headers, in order to fix the 'AttributeError: module 'urllib3.util.ssl' has no attribute 'DEFAULT_CIPHERS'' error while using urllib3-2.x.

I can't get this example to work correctly... I have adapted it but the request does not return any headers, which is obviously not correct. Tsk, tsk.

I keep trying!.

Rafa 'Bluesman' Faura · Answer 5 · Sun Oct 22 2023 02:03:31 GMT+0800 (China Standard Time)

Hello!,

I haven't been able to continue reviewing this problem, due to lack of time :(, but I have it in mind!

I hope, in the following weeks, to address it from other perspectives and find a definitive solution.

Best regards,

Evan Lewis · Answer 6 · Sun Nov 26 2023 01:17:47 GMT+0800 (China Standard Time)

Sounds good!
Should have mentioned that I tested on urllib3-2.1.0 and urllib3-1.26.18

Rafa 'Bluesman' Faura · Answer 7 · Sun Nov 26 2023 02:01:08 GMT+0800 (China Standard Time)

Thanks for the information!; I will try it as soon as I have time.

dkadev · Answer 8 · Wed Jan 10 2024 21:12:47 GMT+0800 (China Standard Time)

Any update on this?

Adding urllib3<2 to requirements.txt does indeed solve the problem. (Long term this will be less hassle than trying to pin an older version of Requests)

But it does not really solve it like @rfc-st said by code without modifying dependencies.

Rafa 'Bluesman' Faura · Answer 9 · Thu Jan 11 2024 03:11:05 GMT+0800 (China Standard Time)

Hi, dkadev!

I would like to resume this issue this Friday, based initially on #16 (with some modifications regarding the 'FORCED_CIPHERS') and with the objective, indeed, of not having to modify the requirements.txt file.

Thanks for your patience!.

Best regards,

Rafa 'Bluesman' Faura · Answer 10 · Sat Jan 13 2024 01:21:02 GMT+0800 (China Standard Time)

Hi, @n3bojs4, @ehlewis and @dkadev:

Good news! (I hope ^^). Please, take a look at this recent commit: e0d0610

The fix is initially based on #16, along with additional changes I have had to make.

I just tested it in the following configurations, with these Python libraries:

Linux (Kali): requests 2.29.0 & urllib3 1.26.18
Windows (10): request 2.31.0 & urllib3 2.1.0

And it seems that everything goes OK (I have tested it with several https:// and http:// URLs) and it does not return any error, in fact the scans finish without any problem. It was not necessary to modify anything in the 'requirements.txt' file :).

I would greatly appreciate, in order to resolve this issue, if you could run several tests after updating 'humble' with that commit, to confirm that everything is indeed OK.

Thanks, as always, for your time!.

Best regards,

dkadev · Answer 11 · Sat Jan 13 2024 07:54:17 GMT+0800 (China Standard Time)

Working great!

Tested on:

macOS Ventura: requests 2.31.0 & urllib3 2.1.0

Will test on Kali and Windows 10 too.

Awesome work man, love the tool! 😉

Rafa 'Bluesman' Faura · Answer 12 · Sun Jan 14 2024 02:25:33 GMT+0800 (China Standard Time)

Hi,

After the tests performed I understand that there is nothing more to check: so I am going to close this issue and the PR (#16) and mention you three in the "Acknowledgements" section of the README.

Thanks for your help!.

Best regards,