nabla-c0d3 / sslyze

Fast and powerful SSL/TLS scanning library.
GNU Affero General Public License v3.0

_ConnectivityTesterThread stuck with uncaught error #628

Closed madsugar closed 4 months ago

madsugar commented 7 months ago

Describe the bug

_ConnectivityTesterThread stuck after a _nassl.OpenSSLError is raised

To Reproduce

Exception in thread Thread-9:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 120, in run
    tls_probing_result = check_connectivity_to_server(
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/server_connectivity.py", line 137, in check_connectivity_to_server
    is_ecdh_key_exchange_supported = _detect_ecdh_support(
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/server_connectivity.py", line 462, in _detect_ecdh_support
    ssl_connection.connect(should_retry_connection=False)
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/connection_helpers/tls_connection.py", line 296, in connect
    self.ssl_client.do_handshake()
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/nassl/ssl_client.py", line 194, in do_handshake
    self._ssl.do_handshake()
nassl._nassl.OpenSSLError: error:1010A066:elliptic curve routines:ecx_key_op:invalid encoding
error:141A4132:SSL routines:tls_process_ske_ecdhe:bad ecpoint

^CTraceback (most recent call last):
  File "main.py", line 27, in <module>
    check()
  File "main.py", line 22, in check
    task.check()
  File "/home/cty-devops/ssl_check/ssl-analyser/ssl_analysis/check_task.py", line 87, in check
    results = analyse(url_info_list)
  File "/home/cty-devops/ssl_check/ssl-analyser/ssl_analysis/ssl_analysis_new.py", line 201, in analyse
    for scan_result in scanner.get_results():
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/scanner/scanner.py", line 114, in get_results
    self._connectivity_tester.wait_until_all_work_was_processed(
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 75, in wait_until_all_work_was_processed
    result = self._results_queue.get(block=True)
  File "/usr/local/lib/python3.8/queue.py", line 170, in get
    self.not_empty.wait()
  File "/usr/local/lib/python3.8/threading.py", line 302, in wait
    waiter.acquire()
KeyboardInterrupt

Python environment (please complete the following information):

Additional context

sslyze/server_connectivity.py _detect_ecdh_support may fail with _nassl.OpenSSLError, which is not caught and seems to block the _mass_connectivity_tester run

#  sslyze/server_connectivity.py

def _detect_ecdh_support(
    server_location: ServerNetworkLocation,
    network_config: ServerNetworkConfiguration,
    tls_version: TlsVersionEnum,
) -> bool:
    if tls_version.value < TlsVersionEnum.TLS_1_2.value:
        # Retrieving ECDH information is only implemented in the modern nassl.SslClient, which is TLS 1.2+
        return False

    is_ecdh_key_exchange_supported = False
    ssl_connection = SslConnection(
        server_location=server_location,
        network_configuration=network_config,
        tls_version=tls_version,
        should_use_legacy_openssl=False,
        should_ignore_client_auth=True,
    )
    if not isinstance(ssl_connection.ssl_client, SslClient):
        raise RuntimeError(
            "Should never happen: specified should_use_legacy_openssl=False but didn't get the modern" " SSL client"
        )

    # Set the right elliptic curve cipher suites
    enable_ecdh_cipher_suites(tls_version, ssl_connection.ssl_client)
    try:
        ssl_connection.connect(should_retry_connection=False)
        is_ecdh_key_exchange_supported = True
    except ClientCertificateRequested:
        is_ecdh_key_exchange_supported = True
    except ServerRejectedTlsHandshake:
        is_ecdh_key_exchange_supported = False
#    add the catch below?
#    except _nassl.OpenSSLError:
#        is_ecdh_key_exchange_supported = False
    finally:
        ssl_connection.close()

    return is_ecdh_key_exchange_supported
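The hang in the traceback above is a producer/consumer deadlock: the worker thread dies on the uncaught OpenSSLError, so the main thread's `get(block=True)` in `wait_until_all_work_was_processed` waits for a result that will never arrive. A minimal Python model of that mechanism, with an unguarded and a guarded worker side by side (added example, not sslyze's code; `probe`, `OpenSSLError` and the hostnames are constructed stand-ins):

```python
import queue
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple


class OpenSSLError(Exception):
    """Constructed stand-in for nassl._nassl.OpenSSLError."""


@dataclass
class ConnectivityResult:
    hostname: str
    is_ecdh_supported: Optional[bool]  # None when probing crashed
    error: Optional[str] = None


def probe(hostname: str) -> bool:
    """Constructed stand-in for check_connectivity_to_server(): one host
    simulates the 'bad ecpoint' handshake failure from the issue's traceback."""
    if hostname == "malformed.example":
        raise OpenSSLError("error:141A4132:SSL routines:tls_process_ske_ecdhe:bad ecpoint")
    return True


def worker(hostname: str, results: "queue.Queue", guarded: bool) -> None:
    if not guarded:
        # Unguarded (the reported bug): the exception escapes run(), the thread
        # dies, and nothing is ever put on the results queue for this host.
        results.put(ConnectivityResult(hostname, probe(hostname)))
        return
    # Guarded: every job yields exactly one result, even when probing fails.
    try:
        results.put(ConnectivityResult(hostname, probe(hostname)))
    except Exception as e:  # noqa: BLE001 - report, never silently drop the job
        results.put(ConnectivityResult(hostname, None, f"{type(e).__name__}: {e}"))


def run_scan(hostnames: List[str], guarded: bool, timeout: float = 0.5) -> Tuple[List[ConnectivityResult], bool]:
    """Returns (results collected, hung). sslyze's consumer uses get(block=True)
    with no timeout; the timeout here only makes the hang observable."""
    results: "queue.Queue[ConnectivityResult]" = queue.Queue()
    for h in hostnames:
        threading.Thread(target=worker, args=(h, results, guarded), daemon=True).start()
    collected: List[ConnectivityResult] = []
    for _ in hostnames:
        try:
            collected.append(results.get(timeout=timeout))
        except queue.Empty:
            return collected, True  # a worker died without reporting: deadlock
    return collected, False
```

The unguarded run prints the same "Exception in thread" traceback as the issue, then the consumer stalls; the guarded run finishes with the failure recorded as a result the caller can inspect.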

nabla-c0d3 commented 4 months ago

I merged @FestiveKyle 's fix.