nabla-c0d3 / sslyze

Fast and powerful SSL/TLS scanning library.
GNU Affero General Public License v3.0

Error when running --elliptic_curves: "bad key share" #592

Closed svengo closed 1 year ago

svengo commented 1 year ago

Describe the bug
I get the error nassl._nassl.OpenSSLError: error:141BD06C:SSL routines:tls_parse_stoc_key_share:bad key share when I run sslyze:5.1.1 --elliptic_curves.

To Reproduce
Steps to reproduce the behavior:

  1. Run SSLyze using docker: docker run --rm -it nablac0d3/sslyze:5.1.1 --elliptic_curves mail.svengo.net
  2. See error:
 SCAN RESULTS FOR MAIL.SVENGO.NET:443 - 135.125.25.133
 -----------------------------------------------------

 * Error when running --elliptic_curves:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * SSLyze version: 5.1.1
       * Server: mail.svengo.net:443 - 135.125.25.133
       * Scan command: elliptic_curves

       Traceback (most recent call last):
         File "/sslyze/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
           scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
         File "/sslyze/sslyze/plugins/elliptic_curves_plugin.py", line 169, in result_for_completed_scan_jobs
           all_ecdh_results = [scan_job.get_result() for scan_job in scan_job_results]
         File "/sslyze/sslyze/plugins/elliptic_curves_plugin.py", line 169, in <listcomp>
           all_ecdh_results = [scan_job.get_result() for scan_job in scan_job_results]
         File "/sslyze/sslyze/plugins/plugin_base.py", line 61, in get_result
           raise self._exception
         File "/sslyze/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
           return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
         File "/sslyze/sslyze/plugins/elliptic_curves_plugin.py", line 213, in _test_curve
           ssl_connection.connect()
         File "/sslyze/sslyze/connection_helpers/tls_connection.py", line 296, in connect
           self.ssl_client.do_handshake()
         File "/usr/local/lib/python3.9/site-packages/nassl-5.0.0-py3.9-linux-x86_64.egg/nassl/ssl_client.py", line 194, in do_handshake
           self._ssl.do_handshake()
       nassl._nassl.OpenSSLError: error:141BD06C:SSL routines:tls_parse_stoc_key_share:bad key share

Expected behavior
SSLyze should not throw an error.

Python environment (please complete the following information):

Additional context
The server runs mailcow (nginx) with a user-supplied certificate. The Qualys SSL Server Test reports no issues.

svengo commented 1 year ago

I reproduced the error with nginx:mainline-alpine (nginx/1.23.3) on the server side and the following SSL configuration from mailcow:

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;

nabla-c0d3 commented 1 year ago

Hello! Thanks for the bug report. Did you change the server's configuration? I am not able to reproduce this error with SSLyze 5.1.3. Thanks!

svengo commented 1 year ago

I can no longer reproduce the error either. Maybe an update of nginx (the current version is 1.25.2) has solved the problem.