nabla-c0d3 / sslyze

Fast and powerful SSL/TLS scanning library.
GNU Affero General Public License v3.0

OpenSSLError "invalid alert" #609

Closed Lukas-Ldc closed 9 months ago

Lukas-Ldc commented 11 months ago

Describe the bug

When using SSLyze, an exception from nassl (OpenSSLError) crashes the program.

Exception in thread Thread-824:
Traceback (most recent call last):
  File "/home/user/tools/python392/lib/python3.9/threading.py", line 954, in _bootstrap_inner
    self.run()
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 106, in run
    tls_probing_result = check_connectivity_to_server(
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/server_connectivity.py", line 128, in check_connectivity_to_server
    is_ecdh_key_exchange_supported = _detect_ecdh_support(
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/server_connectivity.py", line 435, in _detect_ecdh_support
    ssl_connection.connect(should_retry_connection=False)
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/connection_helpers/tls_connection.py", line 296, in connect
    self.ssl_client.do_handshake()
  File "/home/user/project/.venv/lib/python3.9/site-packages/nassl/ssl_client.py", line 194, in do_handshake
    self._ssl.do_handshake()
nassl._nassl.OpenSSLError: error:140940CD:SSL routines:ssl3_read_bytes:invalid alert

Expected behavior

Not crashing the entire program, ignoring the host if necessary.

Python environment (please complete the following information):

Additional context

Similar issues:

nabla-c0d3 commented 11 months ago

Hello,

Can you provide the URL to a server that triggers this crash? You can either post it here or email it to me. Thanks!

Lukas-Ldc commented 11 months ago

Hello,

The server that triggers the crash is inside a private network, so you won't be able to access it. Is there any information I can provide that could help you fix the issue?

The other problem is that the exception occurs in a thread and therefore cannot be caught. When I use SSLyze, a lot of servers are scanned, and if an exception occurs, it stops the entire program. Maybe having some general "try catch" on every server scanned, preventing the whole program from crashing, could be interesting? And a warning message could be given to the user: "The scan request on the server X and the port Y has been ignored because of the following error: [...]".
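The per-host isolation suggested in this comment, as an added example that is not code from the sslyze or nassl projects: `plain_thread_escapes` reproduces the symptom from the report (an exception raised inside `Thread.run()` is not catchable by the caller, only `threading.excepthook` sees it), and `scan_many` shows where the try/except has to live so that one failing host turns into a warning instead of a crash. `FakeOpenSSLError`, `probe_host`, the 10.0.0.x targets, `ScanReport` and `scan_many` are all constructed for this example; sslyze's real connectivity tester is not reproduced.

```python
"""Per-target error isolation for a threaded TLS scanner.

Added illustration, not sslyze's or nassl's code. FakeOpenSSLError, probe_host,
TARGETS and BROKEN are constructed stand-ins for the real library objects.
"""
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Target = Tuple[str, int]


class FakeOpenSSLError(Exception):
    """Stand-in for nassl._nassl.OpenSSLError (constructed for this example)."""


# Constructed inventory: 10.0.0.20 plays the reporter's private server, whose
# handshake makes the TLS library raise "invalid alert".
TARGETS: List[Target] = [("10.0.0.10", 443), ("10.0.0.20", 443), ("10.0.0.30", 8443)]
BROKEN: Dict[Target, str] = {
    ("10.0.0.20", 443): "error:140940CD:SSL routines:ssl3_read_bytes:invalid alert",
}


def probe_host(host: str, port: int) -> dict:
    """Hypothetical connectivity probe; raises the way nassl did in the report."""
    if (host, port) in BROKEN:
        raise FakeOpenSSLError(BROKEN[(host, port)])
    return {"host": host, "port": port, "ecdh_supported": True}


def plain_thread_escapes(host: str = "10.0.0.20", port: int = 443) -> dict:
    """Reproduce the symptom: an exception raised inside Thread.run() never
    reaches the caller's try/except; only threading.excepthook (3.8+) sees it."""
    seen: List[str] = []
    caught_by_caller = False
    original_hook = threading.excepthook
    threading.excepthook = lambda args: seen.append(args.exc_type.__name__)
    try:
        worker = threading.Thread(target=probe_host, args=(host, port))
        try:
            worker.start()
            worker.join()          # join() re-raises nothing: the error is gone
        except Exception:
            caught_by_caller = True
    finally:
        threading.excepthook = original_hook
    return {"caught_by_caller": caught_by_caller, "seen_by_excepthook": seen}


@dataclass
class ScanReport:
    results: Dict[Target, dict] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)
    _lock: Any = field(default_factory=threading.Lock, repr=False, compare=False)

    def record_ok(self, target: Target, result: dict) -> None:
        with self._lock:
            self.results[target] = result

    def record_skip(self, target: Target, exc: BaseException) -> None:
        host, port = target
        with self._lock:
            self.warnings.append(
                f"The scan request on the server {host} and the port {port} has been "
                f"ignored because of the following error: {exc!r}"
            )


def scan_many(targets: List[Target], probe: Callable[[str, int], dict] = probe_host,
              max_workers: int = 4) -> ScanReport:
    """Scan every target; a failure on one host becomes a warning, not a crash."""
    report = ScanReport()

    def worker(target: Target) -> None:
        # The try/except must live INSIDE the thread body, because nothing
        # outside the thread can catch what escapes it.
        try:
            report.record_ok(target, probe(*target))
        except Exception as exc:   # broad on purpose: isolate any per-host failure
            report.record_skip(target, exc)

    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        list(pool.map(worker, targets))   # drain so every worker finishes
    return report


if __name__ == "__main__":
    print("plain thread:", plain_thread_escapes())
    report = scan_many(TARGETS)
    for line in report.warnings:
        print("WARNING:", line)
    print(f"{len(report.results)} of {len(TARGETS)} targets scanned")
```

Two design points worth noting. With a bare `threading.Thread` the exception is handed to `threading.excepthook`, which by default only prints the traceback shown in the report, so a try/except around `start()`/`join()` in the main thread is useless; with `ThreadPoolExecutor` an uncaught exception would instead be stored in the `Future` and re-raised by `.result()`, which still aborts the caller unless every result is individually guarded. Catching inside the worker avoids both failure modes. In real code the `except Exception` would normally be narrowed to the library's own error types (here the stand-in `FakeOpenSSLError`) plus socket errors, so that genuine programming bugs still surface.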

nabla-c0d3 commented 9 months ago

Hello,

Indeed, an error happening within one scan is not supposed to crash the whole program, and there is already code in place to prevent that. But it looks like this code is not working when scanning your server.

Unfortunately, without a way to reproduce the bug, I won't be able to fix it. Feel free to re-open this issue if you're able to provide a test server (or how to set one up in a few commands).

Thanks