nabla-c0d3 / sslyze

Fast and powerful SSL/TLS scanning library.
GNU Affero General Public License v3.0
3.28k stars, 454 forks

OpenSSLError "invalid alert" #609

Closed Lukas-Ldc closed 1 year ago

Lukas-Ldc commented 1 year ago

Describe the bug

When using SSLyze, an exception from nassl (OpenSSLError) crashes the program.

Exception in thread Thread-824:
Traceback (most recent call last):
  File "/home/user/tools/python392/lib/python3.9/threading.py", line 954, in _bootstrap_inner
    self.run()
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 106, in run
    tls_probing_result = check_connectivity_to_server(
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/server_connectivity.py", line 128, in check_connectivity_to_server
    is_ecdh_key_exchange_supported = _detect_ecdh_support(
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/server_connectivity.py", line 435, in _detect_ecdh_support
    ssl_connection.connect(should_retry_connection=False)
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/connection_helpers/tls_connection.py", line 296, in connect
    self.ssl_client.do_handshake()
  File "/home/user/project/.venv/lib/python3.9/site-packages/nassl/ssl_client.py", line 194, in do_handshake
    self._ssl.do_handshake()
nassl._nassl.OpenSSLError: error:140940CD:SSL routines:ssl3_read_bytes:invalid alert

Expected behavior

Not crashing the entire program, ignoring the host if necessary.

Python environment (please complete the following information):

Additional context

Similar issues:

nabla-c0d3 commented 1 year ago

Hello, can you provide the URL to a server that triggers this crash? You can either post it here or email it to me. Thanks!

Lukas-Ldc commented 1 year ago

Hello, the server that triggers the crash is inside a private network, so you won't be able to access it. Is there any information I can provide that could help you fix the issue?

The other problem is that the exception occurs in a thread and therefore cannot be caught. When I use SSLyze, a lot of servers are scanned and if an exception occurs, it stops the entire program. Maybe having some general "try catch" on every server scanned, preventing the whole program from crashing, could be interesting? And a warning message could be given to the user: "The scan request on the server X and the port Y has been ignored because of the following error: [...]".
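The two points in the comment above (an exception raised inside a worker thread cannot be caught by the code that started the thread, and a per-server "try catch" with a warning is what keeps a mass scan alive) are easy to see side by side. The following is an added example, not code from sslyze or nassl: `FakeOpenSSLError`, `fake_probe`, the hostnames, `ServerLocation`, `check_one`, `check_all` and `naive_run` are all constructed stand-ins for illustration. `naive_run` shows the failure shape (a bare `threading.Thread` whose target raises: the caller's `except` never fires and the host's result silently goes missing), and `check_all` shows the requested fix (every probe wrapped so a failure becomes a recorded, logged outcome and the run continues).

```python
"""Per-server error isolation for a threaded TLS connectivity tester.

Added example, not sslyze's or nassl's own code. The probe, the exception
class and the server list are constructed stand-ins that reproduce the
shape of the crash reported in the issue: one host raises from inside a
worker thread.
"""
import logging
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

log = logging.getLogger("mass_tester")


class FakeOpenSSLError(Exception):
    """Constructed stand-in for nassl._nassl.OpenSSLError."""


@dataclass(frozen=True)
class ServerLocation:
    hostname: str
    port: int


@dataclass(frozen=True)
class ConnectivityOutcome:
    server: ServerLocation
    reachable: bool              # True when the probe completed without error
    error: Optional[str] = None  # "<ExceptionType>: message" when it did not


# Constructed server list; the ".internal" host plays the unreachable private server.
SERVERS = [
    ServerLocation("example.com", 443),
    ServerLocation("private-tls.internal", 8443),
    ServerLocation("example.org", 443),
]


def fake_probe(server: ServerLocation) -> bool:
    """Constructed probe: raises for the private host, like the handshake in the issue."""
    if server.hostname == "private-tls.internal":
        raise FakeOpenSSLError(
            "error:140940CD:SSL routines:ssl3_read_bytes:invalid alert"
        )
    return True


def naive_run(servers: List[ServerLocation],
              probe: Callable[[ServerLocation], bool] = fake_probe) -> Dict[ServerLocation, bool]:
    """The shape that bites: an exception raised in Thread.run() never reaches
    the caller. The except below does not fire; the thread dies (Python prints
    'Exception in thread ...' via threading.excepthook) and its host is simply
    absent from the results."""
    results: Dict[ServerLocation, bool] = {}

    def worker(server: ServerLocation) -> None:
        results[server] = probe(server)

    threads = [threading.Thread(target=worker, args=(s,)) for s in servers]
    try:
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    except FakeOpenSSLError:
        # Unreachable: exceptions from another thread do not propagate to join().
        raise AssertionError("never reached")
    return results


def check_one(server: ServerLocation,
              probe: Callable[[ServerLocation], bool]) -> ConnectivityOutcome:
    """Wrap one server's probe; any exception becomes a recorded failure."""
    try:
        return ConnectivityOutcome(server, probe(server))
    except Exception as exc:  # deliberately broad: isolate this host, keep scanning
        message = f"{type(exc).__name__}: {exc}"
        log.warning(
            "The scan request on the server %s and the port %d has been ignored "
            "because of the following error: %s",
            server.hostname, server.port, message,
        )
        return ConnectivityOutcome(server, False, message)


def check_all(servers: List[ServerLocation],
              probe: Callable[[ServerLocation], bool] = fake_probe,
              max_workers: int = 4) -> List[ConnectivityOutcome]:
    """Probe every server concurrently; one failing host never aborts the run.
    Results come back in input order, one outcome per server."""
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return list(pool.map(lambda s: check_one(s, probe), servers))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("naive:", naive_run(SERVERS))    # private host missing, no exception seen
    for outcome in check_all(SERVERS):
        print(outcome)                      # private host present, reachable=False
```

The important design choice is that `check_one` returns an outcome for the failed host instead of re-raising: a caller that later joins the results can then tell "this host was skipped, and why" apart from "this host was never probed", which is the distinction the reporter is asking for in the warning message.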

nabla-c0d3 commented 1 year ago

Hello,

Indeed, an error happening within one scan is not supposed to crash the whole program, and there is already code in place to prevent that. But it looks like this code is not working when scanning your server.

Unfortunately, without a way to reproduce the bug, I won't be able to fix it. Feel free to re-open this issue if you're able to provide a test server (or how to set one up in a few commands).

Thanks