File "/usr/local/lib/python3.6/dist-packages/tlsfuzzer/runner.py", line 186, in run node.process(self.state) File "/usr/local/lib/python3.6/dist-packages/tlsfuzzer/messages.py", line 86, in process sock.connect((self.hostname, self.port))
higher75 opened this issue · comments
Bug Report
```
sanity ...
Error encountered while processing node <tlsfuzzer.messages.Connect object at 0x7f72515620b8> (child: ClientHelloGenerator(ciphers=[47], compression=[0], extensions={65281: None})) with last message being: None
Error while processing
Traceback (most recent call last):
  File "test-cve-2016-2107.py", line 199, in main
    runner.run()
  File "/usr/local/lib/python3.6/dist-packages/tlsfuzzer/runner.py", line 186, in run
    node.process(self.state)
  File "/usr/local/lib/python3.6/dist-packages/tlsfuzzer/messages.py", line 86, in process
    sock.connect((self.hostname, self.port))
socket.timeout: timed out
CVE-2016-2107 ...
Error encountered while processing node <tlsfuzzer.messages.Connect object at 0x7f7251501be0> (child: ClientHelloGenerator(ciphers=[47], compression=[0], extensions={65281: None})) with last message being: None
Error while processing
Traceback (most recent call last):
  File "test-cve-2016-2107.py", line 199, in main
    runner.run()
  File "/usr/local/lib/python3.6/dist-packages/tlsfuzzer/runner.py", line 186, in run
    node.process(self.state)
  File "/usr/local/lib/python3.6/dist-packages/tlsfuzzer/messages.py", line 86, in process
    sock.connect((self.hostname, self.port))
socket.timeout: timed out
sanity ...
Error encountered while processing node <tlsfuzzer.messages.Connect object at 0x7f72515620b8> (child: ClientHelloGenerator(ciphers=[47], compression=[0], extensions={65281: None})) with last message being: None
Error while processing
Traceback (most recent call last):
  File "test-cve-2016-2107.py", line 199, in main
    runner.run()
  File "/usr/local/lib/python3.6/dist-packages/tlsfuzzer/runner.py", line 186, in run
    node.process(self.state)
  File "/usr/local/lib/python3.6/dist-packages/tlsfuzzer/messages.py", line 86, in process
    sock.connect((self.hostname, self.port))
socket.timeout: timed out
Test end
====================
version: 2
====================
TOTAL: 3
SKIP: 0
PASS: 0
XFAIL: 0
FAIL: 3
XPASS: 0
====================
FAILED:
    'CVE-2016-2107'
    'sanity'
    'sanity'
```
System Information
Type | Version/Name |
---|---|
Operating System Name | ubuntu |
Operating System Version | 18.04 |
Python version | python3.6.9 |
tlslite-ng version | 0.8.0a38 |
tlsfuzzer revision | The latest version as of today |
Problem description
A clear and concise description of what the bug is.
Describe how to reproduce the problem
(if the issue is interaction with some other system/library/application,
please provide relevant version numbers or commit IDs of it too.)
Steps to reproduce the behaviour:
1. sudo python3 test-cve-2016-2107.py -h <ip>
I have Certificate creation on my server and I used scay before_ ssl_ Fuzzer test successful
How can I solve it? Except for the -h parameter, I have not used any other parameters, nor do I know how to use it.
Expected behaviour
A concise description of what you expected to happen.
Include errors or backtraces
socket.timeout: timed out
suggests that the TCP connection failed, is your server running on port 4433? if not, you need to specify -p 443, or similar, when running the script
btw, it's not necessary to run the regular scripts as root, you don't need to use sudo
This problem has not been resolved, and the next problem will appear soon... I have targeted a virtual machine and used the self-certificate generated by openssl in the virtual machine, but I am executing python3 test-certificate-request.py -h -p <443>, the message "Test to confirm that the server accepts the empty certificate message" and
Only publish the expected signature algorithm in the certificate
Request for Information
End of test
Version: 7
Total: 2
Skip: 0
Qualified: 0
XFAIL: 0
Failure: 0
XPASS: 0
I used Wireshark and did not get the corresponding packet information. Do I need to specify some other parameters to run the file? I am a beginner, thank you very much for replying to my message, thank you
test-certificate-request.py script requires a server with certificate based client authentication
if the server doesn't send a CertificateRequest message to ask the client for its certificate, then this script is not applicable to the server or you need to reconfigure the server to run the script (depends if you're interested in testing a specific configuration or performing a complete test coverage of a TLS implementation)
here are more scripts that require such behaviour from server:
https://github.com/tomato42/tlsfuzzer/blob/ac1b278c68ed96f1fed8f8d59310c0d2d1e1bd32/tests/tlslite-ng-random-subset.json#L332-L376
I followed your prompt to run this script in linux,
python3 test-certificate-request.py -h 192.168.197.141 -p 443 -k ../tests/serverECKey.pem -c ../tests/serverECCert.pem
But the result is still the same as before,
```
Test end
====================
version: 7
====================
TOTAL: 5
SKIP: 0
PASS: 0
XFAIL: 0
FAIL: 5
XPASS: 0
====================
FAILED:
    'check cert types in cert request'
    'check sigalgs in cert request'
    'sanity'
    'sanity'
    'with certificate'
```
What you said is correct, there is no certificate configured on my local machine, but the -c parameter of this script does not mean to specify a certificate, so do I need to configure a certificate?
Thank you for your reply, it helped me a lot
certificate based client authentication is a special server configuration, that means that a server that works with general scripts (like test-cve-2016-2107.py) won't work with scripts that expect client certificates (like test-certificate-request.py). But that also means that a server that works with scripts that expect client certificates won't work with regular scripts.
Now, the next step depends on what you want to do:
- if you want to verify that a specific server configuration is not vulnerable, then you're done, you don't need to run scripts that test certificate based client authentication
- if you want to verify that the implementation is secure, then you have to configure it to ask client for certificates (and actually, there are a lot more options that need to be iterated over if a comprehensive test coverage is the goal, see https://tlsfuzzer.readthedocs.io/en/latest/ci-integration.html )
@higher75 if you managed to run the test, please close this issue
Unless you have a suggestion to make the "Usage" section in README.md or the test execution section clearer https://tlsfuzzer.readthedocs.io/en/latest/quickstart.html#executing-a-test-case, I don't think there's anything more I can do
You're of course welcome to open new issues if you hit problems with other test scripts.
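Whether a server asks for a client certificate, the precondition discussed in the replies above, can be checked from a plaintext TLS 1.2 capture by looking for a CertificateRequest handshake message in the server's first flight. The following is an added example, not part of the thread or of tlsfuzzer; the function names and the sample flights are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
CERTIFICATE_REQUEST = 13                 # handshake message type (RFC 5246)


def handshake_types(stream: bytes) -> list:
    """List handshake message types in a plaintext TLS 1.2 record stream."""
    buf = bytearray()
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            break  # everything after this is encrypted, stop parsing
        if ctype == HANDSHAKE:
            buf += body  # a handshake message may span several records
    types, off = [], 0
    while off < len(buf):
        msg_len = int.from_bytes(buf[off + 1:off + 4], "big")
        if off + 4 + msg_len > len(buf):
            raise ValueError("truncated handshake message")
        types.append(buf[off])
        off += 4 + msg_len
    return types


def requests_client_cert(stream: bytes) -> bool:
    # Only meaningful for TLS 1.2 and earlier: in TLS 1.3 the
    # CertificateRequest is encrypted and not visible in a capture.
    return CERTIFICATE_REQUEST in handshake_types(stream)


def _msg(mtype: int, body: bytes = b"") -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _record(payload: bytes, ctype: int = HANDSHAKE) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


# Constructed sample flights; message bodies are dummy bytes, not real captures.
flight_plain = _record(_msg(2, b"\x00" * 38) + _msg(11, b"\x00" * 10)) + _record(_msg(14))
_mutual = _msg(2, b"\x00" * 38) + _msg(11, b"\x00" * 10) + _msg(13, b"\x00" * 8) + _msg(14)
flight_mutual = _record(_mutual[:30]) + _record(_mutual[30:])  # split mid-message

if __name__ == "__main__":
    for name, flight in (("plain", flight_plain), ("mutual", flight_mutual)):
        print(name, handshake_types(flight), requests_client_cert(flight))
```

A server whose flight looks like `flight_plain` (no message type 13) is the case where scripts such as test-certificate-request.py are not applicable without reconfiguring the server.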