OpenSSLError "invalid alert"
Lukas-Ldc opened this issue · comments
Describe the bug
When using SSLyze, an exception from nassl (OpenSSLError) crashes the program.
Exception in thread Thread-824:
Traceback (most recent call last):
File "/home/user/tools/python392/lib/python3.9/threading.py", line 954, in _bootstrap_inner
self.run()
File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/scanner/_mass_connectivity_tester.py", line 106, in run
tls_probing_result = check_connectivity_to_server(
File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/server_connectivity.py", line 128, in check_connectivity_to_server
is_ecdh_key_exchange_supported = _detect_ecdh_support(
File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/server_connectivity.py", line 435, in _detect_ecdh_support
ssl_connection.connect(should_retry_connection=False)
File "/home/user/project/.venv/lib/python3.9/site-packages/sslyze/connection_helpers/tls_connection.py", line 296, in connect
self.ssl_client.do_handshake()
File "/home/user/project/.venv/lib/python3.9/site-packages/nassl/ssl_client.py", line 194, in do_handshake
self._ssl.do_handshake()
nassl._nassl.OpenSSLError: error:140940CD:SSL routines:ssl3_read_bytes:invalid alert
Expected behavior
Not crashing the entire program, ignoring the host if necessary.
Python environment (please complete the following information):
- OS: CentOS7 & Debian 11
- Python version: 3.9
Additional context
Similar issues:
Hello,
Can you provide the URL to a server that triggers this crash? You can either post it here or email it to me.
Thanks!
Hello,
The server that triggers the crash is inside a private network, so you won't be able to access it.
Is there any information I can provide that could help you fix the issue?
The other problem is that the exception occurs in a thread and therefore cannot be caught.
When I use SSLyze, a lot of servers are scanned and if an exception occurs, it stops the entire program.
Maybe having some general "try catch" on every server scanned, preventing the whole program from crashing, could be interesting?
And a warning message could be given to the user: "The scan request on the server X and the port Y has been ignored because of the following error: [...]".
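A per-host try/except of the kind suggested above, as an added example that is not SSLyze's or nassl's own code: `OpenSSLError`, `fake_probe`, `scan_hosts`, the host names and the ports are constructed stand-ins, and the warning text follows the wording proposed in the comment.

```python
import threading
from typing import Callable, Dict, Iterable, List, Tuple


class OpenSSLError(Exception):
    """Stand-in for nassl._nassl.OpenSSLError (constructed for this example)."""


def scan_hosts(targets: Iterable[Tuple[str, int]], probe: Callable[[str, int], str]
               ) -> Tuple[Dict[Tuple[str, int], str], List[str]]:
    """Probe each (host, port) in its own thread; return (results, warnings).

    A bare threading.Thread never propagates an exception out of run(): the
    traceback is printed and the thread dies, as in the report above. Catching
    it inside the thread records a warning instead, and the other hosts finish.
    """
    results: Dict[Tuple[str, int], str] = {}
    warnings: List[str] = []
    lock = threading.Lock()

    def worker(host: str, port: int) -> None:
        try:
            outcome = probe(host, port)
        except Exception as exc:  # broad on purpose: isolate any per-host failure
            with lock:
                warnings.append(
                    f"The scan request on the server {host} and the port {port} "
                    f"has been ignored because of the following error: {exc}")
            return
        with lock:
            results[(host, port)] = outcome

    threads = [threading.Thread(target=worker, args=(h, p)) for h, p in targets]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, warnings


def fake_probe(host: str, port: int) -> str:
    """Constructed probe: one host reproduces the alert quoted in the issue."""
    if host == "bad.example.internal":
        raise OpenSSLError("error:140940CD:SSL routines:ssl3_read_bytes:invalid alert")
    return "TLS 1.2, ECDH key exchange supported"


def demo() -> Tuple[Dict[Tuple[str, int], str], List[str]]:
    targets = [("ok.example.internal", 443), ("bad.example.internal", 8443)]
    return scan_hosts(targets, fake_probe)
```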
Hello,
Indeed, an error happening within one scan is not supposed to crash the whole program, and there is already code in place to prevent that. But it looks like this code is not working when scanning your server.
Unfortunately, without a way to reproduce the bug, I won't be able to fix it. Feel free to re-open this issue if you're able to provide a test server (or how to set one up in a few commands).
Thanks