SSL v3 Handshake Failure (but only in newer versions of OpenSSL)

Question

This basic snippet in Python 3.5, with a specific website, fails with requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure

Answer 1

The server only supports a single old cipher: DES-CBC3-SHA. This cipher is considered weak (SWEET32) and is removed from the default build in OpenSSL 1.1.0. Since Debian follows the default build the cipher is not available on newer Debian versions.

From Changes between 1.0.2h and 1.1.0:

To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites have been disabled by default and removed from DEFAULT, just like RC4. See the RC4 item below to re-enable both.
...
RC4 based libssl ciphersuites are now classed as "weak" ciphers and are disabled by default. They can be re-enabled using the enable-weak-ssl-ciphers option to Configure.