nabla-c0d3 / sslyze

Fast and powerful SSL/TLS scanning library.
GNU Affero General Public License v3.0

error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert #522

Closed jeremy2048 closed 3 years ago

jeremy2048 commented 3 years ago

Describe the bug: Error when running --tlsv1_2

To Reproduce: Steps to reproduce the behavior:

  1. Install SSLyze using pip
  2. Run the following command 'python3 -m sslyze www.example.com:9443'
  3. See error

    • Error when running --tlsv1_2: You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

      • SSLyze version: 4.1.0
      • Server: www.example.com:9443 - 127.0.0.1
      • Scan command: tls_1_2_cipher_suites
      Traceback (most recent call last):
        File "/Users/jwebb/Code/sslyze/sslyze/scanner/_queued_server_scan.py", line 227, in _generate_result_for_completed_server_scan
          result = plugin_implementation_cls.result_for_completed_scan_jobs(server_info, scan_job_results_for_plugin)
        File "/Users/jwebb/Code/sslyze/sslyze/plugins/openssl_cipher_suites/implementation.py", line 126, in result_for_completed_scan_jobs
          cipher_suite_result = completed_job.get_result()
        File "/Users/jwebb/Code/sslyze/sslyze/plugins/plugin_base.py", line 50, in get_result
          raise self._exception
        File "/Users/jwebb/Code/sslyze/sslyze/scanner/_worker_thread.py", line 50, in run
          return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
        File "/Users/jwebb/Code/sslyze/sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py", line 55, in connect_with_cipher_suite
          ssl_connection.connect()
        File "/Users/jwebb/Code/sslyze/sslyze/connection_helpers/tls_connection.py", line 293, in connect
          self.ssl_client.do_handshake()
        File "/usr/local/lib/python3.9/site-packages/nassl/ssl_client.py", line 182, in do_handshake
          self._ssl.do_handshake()
      nassl._nassl.OpenSSLError: error:1411713D:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for key agreement
      error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert

 SCAN COMPLETED IN 0.90 S

Expected behavior: Not sure what to expect, not this.

Python environment (please complete the following information):

Additional context: Following tutorial here: https://github.com/playframework/play-samples/tree/2.8.x/play-scala-tls-example

nabla-c0d3 commented 3 years ago

It looks like the certificate that is configured on the server is invalid; specifically the content of the key agreement field seems wrong: ecc cert not for key agreement.
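To confirm the diagnosis above on the server side, the certificate's keyUsage extension can be inspected directly. The following is an added example, not code from this thread or from SSLyze; it uses the `cryptography` package, the names `ecc_key_usage_report` and `make_sample_pem` are hypothetical, and the sample certificates are constructed. It assumes the rule the error string names: static ECDH cipher suites need the keyAgreement bit and ECDHE-ECDSA suites need digitalSignature, with an absent keyUsage extension restricting nothing.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

KEY_AGREEMENT_ERROR = "ecc cert not for key agreement"  # reason string from the traceback


def ecc_key_usage_report(pem: bytes) -> dict:
    """Report which TLS 1.2 EC key-exchange families the cert's keyUsage permits."""
    cert = x509.load_pem_x509_certificate(pem)
    if not isinstance(cert.public_key(), ec.EllipticCurvePublicKey):
        raise ValueError("not an EC certificate")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        # Assumption: no keyUsage extension means no usage is restricted.
        return {"static_ecdh": True, "ecdhe_ecdsa": True, "error": None}
    return {
        "static_ecdh": ku.key_agreement,      # ECDH-ECDSA / ECDH-RSA suites
        "ecdhe_ecdsa": ku.digital_signature,  # ECDHE-ECDSA suites
        "error": None if ku.key_agreement else KEY_AGREEMENT_ERROR,
    }


def make_sample_pem(key_agreement: bool) -> bytes:
    """Constructed self-signed P-256 certificate, used only as sample input."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com")])
    usage = x509.KeyUsage(
        digital_signature=True, content_commitment=False, key_encipherment=False,
        data_encipherment=False, key_agreement=key_agreement, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False)
    start = datetime.datetime(2021, 1, 1)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=30))
            .add_extension(usage, critical=True)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, ecc_key_usage_report(make_sample_pem(flag)))
```

To check a real server certificate, pass the bytes of its PEM file to `ecc_key_usage_report` instead of a constructed sample.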