This is a manifestation of incompatibility between the latest versions of OpenSSL and some web servers. Apple is doing everything possible to eliminate OpenSSL on OS X, so they only apply security fixes (OpenSSL was difficult to maintain as part of the OS, not to mention βminorβ updates that present problems like this), while Debian uses the later OpenSSL version 1.0.1.
@Brian Redbeards's suggestion to check openssl using the command line is good - it depended on me on wwws.mint.com when I just tried.
This question on ServerFault finally answered. A trusted SSLLabs test identifies long handshake intolerance as a problem that affects OpenSSL 1.0.1 and later, and links to an OpenSSL error with some possible workarounds.
Either using -no_tls1_2 , as one of the OpenSSL developers recommends, or reduces the list of ciphers with the -cipher argument, makes OpenSSL 1.0.1 successfully communicate with wwws.mint.com (as well as with the other server that I tried to communicate).
For my purposes - a script that will not be distributed - I ssl.wrap_socket as follows:
import ssl old_wrap_socket = ssl.wrap_socket def wrap_socket(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv3, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True, ciphers=None): return old_wrap_socket(sock, keyfile, certfile, server_side, cert_reqs, ssl_version, ca_certs, do_handshake_on_connect, suppress_ragged_eofs, ciphers) ssl.wrap_socket = wrap_socket import mechanize
The default value for ssl_version is ssl.PROTOCOL_SSLv23 ; changing it to PROTOCOL_SSLv3 , he has successfully connected.
You can protect this patch using a test, for example ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1) .
This could probably be indicated as a Debian OpenSSL error, if it was not already.