AttributeError: module 'urllib3.util.ssl_' has no attribute 'DEFAULT_CIPHERS'

[n3bojs4]

The Issue

After cloning and using the project in a virtual env and install requirements, i had this error message when launching the program :

└─$ python humble.py -u https://business-together-as-a-service.com/                                                                                                                                                               

 Analyzing URL, please wait ...

Traceback (most recent call last):
  File "/home/milan/Stuff/Tools/humble/humble.py", line 872, in <module>
    requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'urllib3.util.ssl_' has no attribute 'DEFAULT_CIPHERS'

OS and Python infos

Python 3.11.4 on kali linux
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2023.3
Codename: kali-rolling

How i fixed this :

I fixed the issue by uninstalling urllib3 ( urllib3-2.0.4 ) and adding urllib3<2 in requirements.txt

[n3bojs4]

FYI : I used this page to fix my issue : https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html#importerror-cannot-import-name-default-ciphers-from-urllib3-util-ssl

[rfc-st]

Thank you for reporting it!.

I have to check it in more detail, as it may also be related to the 'requests' library, and the minimum required version that I indicate in the requirements file.

[rfc-st]

After reading a bit about this topic tomorrow I will start with several tests to change the current logic: using SSLContext, an HTTPAdapter class and working directly with Session objects.

The underlying problem, indeed, seems to be that from version 2 of urllib3 (or version 2.30 of the requests library that supports that version of urllib3), the DEFAULT_CIPHERS attribute was removed.

My goal with this code-level change is to avoid modifying the requirements file, allowing that regardless of the version of urllib3/requests installed, this tool will work without problems.

I'll keep updating this issue!

[rfc-st]

Well, this is getting difficult :( ... I've done several tests and I can't find the right combination of the SSLContext and HTTPAdapter to retrieve the response headers, in order to fix the 'AttributeError: module 'urllib3.util.ssl' has no attribute 'DEFAULT_CIPHERS'' error while using urllib3-2.x.

I can't get this example to work correctly... I have adapted it but the request does not return any headers, which is obviously not correct. Tsk, tsk.

I keep trying!.

[rfc-st]

Hello!,

I haven't been able to continue reviewing this problem, due to lack of time :(, but I have it in mind!

I hope, in the following weeks, to address it from other perspectives and find a definitive solution.

Best regards,

[ehlewis]

Sounds good!
Should have mentioned that I tested on urllib3-2.1.0 and urllib3-1.26.18

[rfc-st]

Thanks for the information!; I will try it as soon as I have time.

[dkadev]

Any update on this?

Adding urllib3<2 to requirements.txt does indeed solve the problem. (Long term this will be less hassle than trying to pin an older version of Requests)

But it does not really solve it like @rfc-st said by code without modifying dependencies.

[rfc-st]

Hi, dkadev!

I would like to resume this issue this Friday, based initially on #16 (with some modifications regarding the 'FORCED_CIPHERS') and with the objective, indeed, of not having to modify the requirements.txt file.

Thanks for your patience!.

Best regards,

[rfc-st]

Hi, @n3bojs4, @ehlewis and @dkadev:

Good news! (I hope ^^). Please, take a look at this recent commit: e0d0610

The fix is initially based on #16, along with additional changes I have had to make.

I just tested it in the following configurations, with these Python libraries:

• Linux (Kali): requests 2.29.0 & urllib3 1.26.18
• Windows (10): request 2.31.0 & urllib3 2.1.0

And it seems that everything goes OK (I have tested it with several https:// and http:// URLs) and it does not return any error, in fact the scans finish without any problem. It was not necessary to modify anything in the 'requirements.txt' file :).

I would greatly appreciate, in order to resolve this issue, if you could run several tests after updating 'humble' with that commit, to confirm that everything is indeed OK.

Thanks, as always, for your time!.

Best regards,

[dkadev]

Working great!

Tested on:

• macOS Ventura: requests 2.31.0 & urllib3 2.1.0

Will test on Kali and Windows 10 too.

Awesome work man, love the tool! 😉

[rfc-st]

Hi,

After the tests performed I understand that there is nothing more to check: so I am going to close this issue and the PR (#16) and mention you three in the "Acknowledgements" section of the README.

Thanks for your help!.

Best regards,