Error when running --elliptic_curves: "bad key share"
svengo opened this issue · comments
Describe the bug
I get the error nassl._nassl.OpenSSLError: error:141BD06C:SSL routines:tls_parse_stoc_key_share:bad key share
when I run sslyze:5.1.1 --elliptic_curves
.
To Reproduce
Steps to reproduce the behavior:
- Run SSLyze using docker:
docker run --rm -it nablac0d3/sslyze:5.1.1 --elliptic_curves mail.svengo.net
- See error:
SCAN RESULTS FOR MAIL.SVENGO.NET:443 - 135.125.25.133
-----------------------------------------------------
* Error when running --elliptic_curves:
You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:
* SSLyze version: 5.1.1
* Server: mail.svengo.net:443 - 135.125.25.133
* Scan command: elliptic_curves
Traceback (most recent call last):
File "/sslyze/sslyze/scanner/_mass_scanner.py", line 267, in _generate_result_for_completed_server_scan
scan_cmd_result = plugin_implementation_cls.result_for_completed_scan_jobs(
File "/sslyze/sslyze/plugins/elliptic_curves_plugin.py", line 169, in result_for_completed_scan_jobs
all_ecdh_results = [scan_job.get_result() for scan_job in scan_job_results]
File "/sslyze/sslyze/plugins/elliptic_curves_plugin.py", line 169, in <listcomp>
all_ecdh_results = [scan_job.get_result() for scan_job in scan_job_results]
File "/sslyze/sslyze/plugins/plugin_base.py", line 61, in get_result
raise self._exception
File "/sslyze/sslyze/scanner/_jobs_worker_thread.py", line 50, in run
return_value = job_to_complete.function_to_call(*job_to_complete.function_arguments)
File "/sslyze/sslyze/plugins/elliptic_curves_plugin.py", line 213, in _test_curve
ssl_connection.connect()
File "/sslyze/sslyze/connection_helpers/tls_connection.py", line 296, in connect
self.ssl_client.do_handshake()
File "/usr/local/lib/python3.9/site-packages/nassl-5.0.0-py3.9-linux-x86_64.egg/nassl/ssl_client.py", line 194, in do_handshake
self._ssl.do_handshake()
nassl._nassl.OpenSSLError: error:141BD06C:SSL routines:tls_parse_stoc_key_share:bad key share
Expected behavior
SSLyze should not throw an error.
Python environment (please complete the following information):
- OS: Ubuntu 22.04.1 LTS
- Docker Commmunity 20.10.22
Additional context
The server runs mailcow (nginx) with a user-supplied certificate. The Qualys' SSL server test reports no issues.
I reproduced the error with nginx:mainline-alpine
(nginx/1.23.3) on the server side and the following SSL configuration from mailcow:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
Hello !
Thanks for the bug report. Did you change the server's configuration ? I am not able to reproduce this error with SSLyze 5.1.3. Thanks!
I can no longer reproduce the error either. Maybe an update of nginx ( the current version is 1.25.2) has solved the problem.