_ConnectivityTesterThread gets stuck after a _nassl.OpenSSLError is raised
To Reproduce
Exception in thread Thread-9:
Traceback (most recent call last):
File "/usr/local/lib/python3.8/threading.py", line 932, in _bootstrap_inner
self.run()
File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 120, in run
tls_probing_result = check_connectivity_to_server(
File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/server_connectivity.py", line 137, in check_connectivity_to_server
is_ecdh_key_exchange_supported = _detect_ecdh_support(
File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/server_connectivity.py", line 462, in _detect_ecdh_support
ssl_connection.connect(should_retry_connection=False)
File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/connection_helpers/tls_connection.py", line 296, in connect
self.ssl_client.do_handshake()
File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/nassl/ssl_client.py", line 194, in do_handshake
self._ssl.do_handshake()
nassl._nassl.OpenSSLError: error:1010A066:elliptic curve routines:ecx_key_op:invalid encoding
error:141A4132:SSL routines:tls_process_ske_ecdhe:bad ecpoint
^CTraceback (most recent call last):
File "main.py", line 27, in <module>
check()
File "main.py", line 22, in check
task.check()
File "/home/cty-devops/ssl_check/ssl-analyser/ssl_analysis/check_task.py", line 87, in check
results = analyse(url_info_list)
File "/home/cty-devops/ssl_check/ssl-analyser/ssl_analysis/ssl_analysis_new.py", line 201, in analyse
for scan_result in scanner.get_results():
File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/scanner/scanner.py", line 114, in get_results
self._connectivity_tester.wait_until_all_work_was_processed(
File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 75, in wait_until_all_work_was_processed
result = self._results_queue.get(block=True)
File "/usr/local/lib/python3.8/queue.py", line 170, in get
self.not_empty.wait()
File "/usr/local/lib/python3.8/threading.py", line 302, in wait
waiter.acquire()
KeyboardInterrupt
Python environment (please complete the following information):
OS: centos7
Python version: 3.8
Additional context
sslyze/server_connectivity.py: _detect_ecdh_support may fail with _nassl.OpenSSLError, which is not caught; this seems to block the _mass_connectivity_tester run
# sslyze/server_connectivity.py
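def _detect_ecdh_support(
    server_location: ServerNetworkLocation,
    network_config: ServerNetworkConfiguration,
    tls_version: TlsVersionEnum,
) -> bool:
    """Return whether the server completes a TLS handshake with ECDH cipher suites at *tls_version*.

    Only attempted for TLS 1.2+: retrieving ECDH information is only implemented in the
    modern ``nassl.SslClient``. Every handshake outcome is folded into a bool so that the
    caller always gets a result; this function runs inside the connectivity-tester worker
    thread, and an exception escaping it kills that thread and leaves the results queue
    waiting forever (``wait_until_all_work_was_processed`` never returns).

    Args:
        server_location: Where to connect.
        network_config: Per-server network settings passed to ``SslConnection``.
        tls_version: The TLS version to attempt the handshake with.

    Returns:
        True if the handshake succeeded, or if the server asked for a client certificate
        (treated as supported, as before). False if the version is below TLS 1.2, if the
        server rejected the handshake, or if OpenSSL raised an error while processing the
        handshake (for example a malformed EC point in the server's key exchange).

    Raises:
        RuntimeError: if the connection did not get the modern SSL client.
    """
    # Local import: the exception type lives in nassl's C extension module. A server that
    # sends malformed key-exchange data makes do_handshake() raise OpenSSLError rather than
    # ServerRejectedTlsHandshake, so it must be handled here explicitly.
    from nassl._nassl import OpenSSLError

    if tls_version.value < TlsVersionEnum.TLS_1_2.value:
        # Retrieving ECDH information is only implemented in the modern nassl.SslClient, which is TLS 1.2+
        return False

    ssl_connection = SslConnection(
        server_location=server_location,
        network_configuration=network_config,
        tls_version=tls_version,
        should_use_legacy_openssl=False,
        should_ignore_client_auth=True,
    )
    if not isinstance(ssl_connection.ssl_client, SslClient):
        raise RuntimeError(
            "Should never happen: specified should_use_legacy_openssl=False but didn't get the modern" " SSL client"
        )

    # Set the right elliptic curve cipher suites
    enable_ecdh_cipher_suites(tls_version, ssl_connection.ssl_client)

    is_ecdh_key_exchange_supported = False
    try:
        ssl_connection.connect(should_retry_connection=False)
        is_ecdh_key_exchange_supported = True
    except ClientCertificateRequested:
        is_ecdh_key_exchange_supported = True
    except ServerRejectedTlsHandshake:
        is_ecdh_key_exchange_supported = False
    except OpenSSLError:
        # The handshake did not complete because OpenSSL could not process what the server
        # sent (e.g. "bad ecpoint" / "invalid encoding"). Untrusted peer data must not crash
        # the scanner: record the server as not supporting ECDH and let the scan continue.
        is_ecdh_key_exchange_supported = False
    finally:
        # Always release the socket, whichever branch was taken.
        ssl_connection.close()

    return is_ecdh_key_exchange_supported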
Describe the bug
_ConnectivityTesterThread gets stuck after a _nassl.OpenSSLError is raised
To Reproduce
Python environment (please complete the following information):
Additional context sslyze/server_connectivity.py: _detect_ecdh_support may fail with _nassl.OpenSSLError, which is not caught; this seems to block the _mass_connectivity_tester run