
_ConnectivityTesterThread stuck with uncaught error #628

Closed
madsugar opened this issue Nov 29, 2023 · 1 comment · Fixed by #634

Comments


madsugar commented Nov 29, 2023

Describe the bug

_ConnectivityTesterThread gets stuck after a _nassl.OpenSSLError is raised

To Reproduce

Exception in thread Thread-9:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 120, in run
    tls_probing_result = check_connectivity_to_server(
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/server_connectivity.py", line 137, in check_connectivity_to_server
    is_ecdh_key_exchange_supported = _detect_ecdh_support(
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/server_connectivity.py", line 462, in _detect_ecdh_support
    ssl_connection.connect(should_retry_connection=False)
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/connection_helpers/tls_connection.py", line 296, in connect
    self.ssl_client.do_handshake()
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/nassl/ssl_client.py", line 194, in do_handshake
    self._ssl.do_handshake()
nassl._nassl.OpenSSLError: error:1010A066:elliptic curve routines:ecx_key_op:invalid encoding
error:141A4132:SSL routines:tls_process_ske_ecdhe:bad ecpoint

^CTraceback (most recent call last):
  File "main.py", line 27, in <module>
    check()
  File "main.py", line 22, in check
    task.check()
  File "/home/cty-devops/ssl_check/ssl-analyser/ssl_analysis/check_task.py", line 87, in check
    results = analyse(url_info_list)
  File "/home/cty-devops/ssl_check/ssl-analyser/ssl_analysis/ssl_analysis_new.py", line 201, in analyse
    for scan_result in scanner.get_results():
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/scanner/scanner.py", line 114, in get_results
    self._connectivity_tester.wait_until_all_work_was_processed(
  File "/home/cty-devops/ssl_check/ssl-analyser/py38/lib/python3.8/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 75, in wait_until_all_work_was_processed
    result = self._results_queue.get(block=True)
  File "/usr/local/lib/python3.8/queue.py", line 170, in get
    self.not_empty.wait()
  File "/usr/local/lib/python3.8/threading.py", line 302, in wait
    waiter.acquire()
KeyboardInterrupt

Python environment (please complete the following information):

  • OS: centos7
  • Python version: 3.8

Additional context
sslyze/server_connectivity.py _detect_ecdh_support may fail with _nassl.OpenSSLError, which is not caught and seems to block the _mass_connectivity_tester run

#  sslyze/server_connectivity.py

def _detect_ecdh_support(
    server_location: ServerNetworkLocation,
    network_config: ServerNetworkConfiguration,
    tls_version: TlsVersionEnum,
) -> bool:
    if tls_version.value < TlsVersionEnum.TLS_1_2.value:
        # Retrieving ECDH information is only implemented in the modern nassl.SslClient, which is TLS 1.2+
        return False

    is_ecdh_key_exchange_supported = False
    ssl_connection = SslConnection(
        server_location=server_location,
        network_configuration=network_config,
        tls_version=tls_version,
        should_use_legacy_openssl=False,
        should_ignore_client_auth=True,
    )
    if not isinstance(ssl_connection.ssl_client, SslClient):
        raise RuntimeError(
            "Should never happen: specified should_use_legacy_openssl=False but didn't get the modern" " SSL client"
        )

    # Set the right elliptic curve cipher suites
    enable_ecdh_cipher_suites(tls_version, ssl_connection.ssl_client)
    try:
        ssl_connection.connect(should_retry_connection=False)
        is_ecdh_key_exchange_supported = True
    except ClientCertificateRequested:
        is_ecdh_key_exchange_supported = True
    except ServerRejectedTlsHandshake:
        is_ecdh_key_exchange_supported = False
#    add below catch code ?
#    except _nassl.OpenSSLError:
#        is_ecdh_key_exchange_supported = False
    finally:
        ssl_connection.close()

    return is_ecdh_key_exchange_supported
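The hang reported above has two halves: a worker thread dies on an exception nobody planned for, and the consumer then blocks forever on `_results_queue.get(block=True)` waiting for a result that will never arrive. The following is an added example, not sslyze's own code, showing the producer/consumer pattern hardened on both sides; `OpenSSLError`, `probe_server` and the `.bad-ecpoint.example` hostnames are constructed stand-ins for nassl's exception and sslyze's connectivity check.

```python
import queue
import threading
from dataclasses import dataclass
from typing import List, Optional

class OpenSSLError(Exception):
    """Stand-in for nassl._nassl.OpenSSLError (constructed for this example)."""

def probe_server(hostname: str) -> bool:
    """Stand-in for check_connectivity_to_server(); constructed so that hosts under
    .bad-ecpoint.example raise the low-level error the caller never expected."""
    if hostname.endswith(".bad-ecpoint.example"):
        raise OpenSSLError("error:141A4132:SSL routines:tls_process_ske_ecdhe:bad ecpoint")
    return True

@dataclass
class ProbeResult:
    hostname: str
    reachable: bool
    error: Optional[str] = None

def _worker(work: "queue.Queue[Optional[str]]", results: "queue.Queue[ProbeResult]") -> None:
    # Every dequeued job yields exactly one result, even when the probe raises an
    # exception nobody planned for; otherwise the consumer blocks on get() forever.
    while (hostname := work.get()) is not None:
        try:
            results.put(ProbeResult(hostname, probe_server(hostname)))
        except Exception as exc:  # broad on purpose: turn any failure into a result
            results.put(ProbeResult(hostname, False, f"{type(exc).__name__}: {exc}"))

def run_probes(hostnames: List[str], timeout: float = 5.0) -> List[ProbeResult]:
    work: "queue.Queue[Optional[str]]" = queue.Queue()
    results: "queue.Queue[ProbeResult]" = queue.Queue()
    thread = threading.Thread(target=_worker, args=(work, results), daemon=True)
    thread.start()
    for hostname in hostnames:
        work.put(hostname)
    work.put(None)  # sentinel: no more work
    collected: List[ProbeResult] = []
    while len(collected) < len(hostnames):
        try:
            collected.append(results.get(timeout=timeout))
        except queue.Empty:
            if not thread.is_alive():  # second guard: never wait on a dead worker
                raise RuntimeError("connectivity worker died without reporting") from None
    thread.join()
    return collected
```

The broad `except` in the worker is what keeps the scan going for the remaining hosts; the `is_alive()` check in the consumer is defence in depth for any future code path that still lets the thread die.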
@nabla-c0d3 nabla-c0d3 moved this to Todo in SSLyze 6.0.0 Jan 3, 2024
@nabla-c0d3 nabla-c0d3 moved this from Todo to Done in SSLyze 6.0.0 Feb 24, 2024
@nabla-c0d3 nabla-c0d3 moved this from Done to Todo in SSLyze 6.0.0 Feb 24, 2024
@nabla-c0d3
Owner

I merged @FestiveKyle's fix.

@nabla-c0d3 nabla-c0d3 moved this from Todo to Done in SSLyze 6.0.0 Feb 24, 2024