OpenSSLError "invalid alert"

Question

OpenSSLError "invalid alert"

Lukas-Ldc opened this issue a year ago · comments

Describe the bug

When using SSLyze, an exception from nassl (OpenSSLError) crashes the program.

Exception in thread Thread-824:
Traceback (most recent call last):
  File "/home/user/tools/python392/lib/python3.9/threading.py", line 954, in _bootstrap_inner
    self.run()
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 106, in run
    tls_probing_result = check_connectivity_to_server(
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/server_connectivity.py", line 128, in check_connectivity_to_server
    is_ecdh_key_exchange_supported = _detect_ecdh_support(
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/server_connectivity.py", line 435, in _detect_ecdh_support
    ssl_connection.connect(should_retry_connection=False)
  File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/connection_helpers/tls_connection.py", line 296, in connect
    self.ssl_client.do_handshake()
  File "/home/user/project/.venv/lib/python3.9/site-packages/nassl/ssl_client.py", line 194, in do_handshake
    self._ssl.do_handshake()
nassl._nassl.OpenSSLError: error:140940CD:SSL routines:ssl3_read_bytes:invalid alert

Expected behavior

Not crashing the entire program, ignoring the host if necessary.

Python environment (please complete the following information):

OS: CentOS7 & Debian 11
Python version: 3.9

Additional context

Similar issues:

#531
#555

Alban Diquet · Answer 1 · Fri Jul 28 2023 00:03:24 GMT+0800 (China Standard Time)

Hello,
Can you provide the URL to a server that triggers this crash ? You can either post it here or email it to me.
Thanks!

Lukas-Ldc · Answer 2 · Wed Aug 02 2023 03:08:51 GMT+0800 (China Standard Time)

Hello,
The server that triggers the crash is inside a private network, so you won't be able to access it.
Is there any information I can provide that could help you fix the issue ?

The other problem is that the exception occurs in a thread and therefore cannot be caught.
When I use SSLyze, a lot of servers are scanned and if an exception occurs, it stops the entire program.
Maybe having some general "try catch" on every server scanned, preventing the whole program to crash, could be interesting ?
And a warning message could be given to the user "The scan request on the server X and the port Y has been ignored because of the following error : [...]".

Alban Diquet · Answer 3 · Sun Sep 24 2023 16:29:38 GMT+0800 (China Standard Time)

Hello,

Indeed, an error happening within one scan is not supposed to crash the whole program, and there is already code in place to prevent that. But it looks like this code is not working when scanning your server.

Unfortunately, without a way to reproduce the bug, I won't be able to fix it. Feel free to re-open this issue if you're able to provide a test server (or how to set one up in a few commands).

Thanks