search

nabla-c0d3 / sslyze

Fast and powerful SSL/TLS scanning library.
GNU Affero General Public License v3.0
3.28k stars 454 forks source link

Uncaught TypeError while handling "Network is unreachable" exception (OS Error 101) leads to crash #672

Open msecrfe opened 3 weeks ago

msecrfe commented 3 weeks ago

Describe the bug When network connectivity changes during an ongoing scan with SSLyze and the network briefly becomes unavailable (e.g. because you plug in and plug out the Ethernet cable, or because the WiFi is shortly disconnected, or because a virtual machine network interface is detached and reattached), the following chain of exceptions happens:

  1. nassl._nassl.WantReadError (nassl/ssl_client.py", line 193, in do_handshake)
  2. OSError: [Errno 101] Network is unreachable (sslyze/connection_helpers/tls_connection.py", line 298, in connect self.ssl_client.do_handshake())
  3. TypeError: argument of type 'int' is not iterable (sslyze/connection_helpers/tls_connection.py", line 318, in connect if "Nassl SSL handshake failed" in e.args[0])

The root cause seems to be that, as the Exceptions/Errors are passed from steps 1 and 2 to 3, the exception handling in step 3 assumes that e.args[0] is a str. In the case of the above two exceptions, however, it is an int.

To Reproduce Steps to reproduce the behavior:

  1. Install SSLyze 6.0 using pip
  2. Run a scan on many targets, such that SSLyze will run for a while
  3. Disconnect and reconnect the network connection/interface over which the SSLyze scan is running

Expected behavior Error handling should not assume that e.args[0] is iterable (specifically a string). A type check should be implemented before checking for substring memership with in in e.args[0]

Python environment (please complete the following information):

Additional context Trace:

Exception in thread Thread-16623:
Traceback (most recent call last):
  File "/home/<snip>/.cache/pypoetry/virtualenvs/<snip>-py3.12/lib/python3.12/site-packages/nassl/ssl_client.py", line 193, in do_handshake
    self._ssl.do_handshake()
nassl._nassl.WantReadError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/<snip>/.cache/pypoetry/virtualenvs/<snip>-py3.12/lib/python3.12/site-packages/sslyze/connection_helpers/tls_connection.py", line 298, in connect
    self.ssl_client.do_handshake()
  File "/home/<snip>/.cache/pypoetry/virtualenvs/<snip>-py3.12/lib/python3.12/site-packages/nassl/ssl_client.py", line 201, in do_handshake
    self._flush_ssl_engine()
  File "/home/<snip>/.cache/pypoetry/virtualenvs/<snip>-py3.12/lib/python3.12/site-packages/nassl/ssl_client.py", line 288, in _flush_ssl_engine
    self._sock.send(encrypted_data)
OSError: [Errno 101] Network is unreachable

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.12/threading.py", line 1075, in _bootstrap_inner
    self.run()
  File "/home/<snip>/.cache/pypoetry/virtualenvs/<snip>-py3.12/lib/python3.12/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 120, in run
    tls_probing_result = check_connectivity_to_server(
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/<snip>/.cache/pypoetry/virtualenvs/<snip>-py3.12/lib/python3.12/site-packages/sslyze/server_connectivity.py", line 74, in check_connectivity_to_server
    tls_detection_result = _detect_support_for_tls_1_3(
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/<snip>/.cache/pypoetry/virtualenvs/<snip>-py3.12/lib/python3.12/site-packages/sslyze/server_connectivity.py", line 244, in _detect_support_for_tls_1_3
    ssl_connection.connect(should_retry_connection=False)
  File "/home/<snip>/.cache/pypoetry/virtualenvs/<snip>-py3.12/lib/python3.12/site-packages/sslyze/connection_helpers/tls_connection.py", line 318, in connect
    if "Nassl SSL handshake failed" in e.args[0]:
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument of type 'int' is not iterable
msecrfe commented 3 weeks ago

I just commited one suggested fix with a pull request. There is a different one that might be more resilient because it makes fewer assumptions about e.args:

-            if "Nassl SSL handshake failed" in e.args[0]:
+            if "Nassl SSL handshake failed" in str(e.args):

That way you can perform the string comparison on the stringified array and it is ensured that a) the match happens no matter which index the error message is at, and b) you do not need to check for types.

msecrfe commented 3 weeks ago

Submitted the second option as a PR as well. Choose whichever you think is more suitable and/or resilient.