From ebff5f2466ab630f3642283c63823b2596f0b86c Mon Sep 17 00:00:00 2001 From: Yoginski Date: Mon, 21 Nov 2016 14:40:09 +0600 Subject: [PATCH] Descriptive error message for SSL context initialization failure (#1767) --- mitmproxy/net/tcp.py | 21 ++++++++++++++++++++- test/mitmproxy/net/test_tcp.py | 15 +++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/mitmproxy/net/tcp.py b/mitmproxy/net/tcp.py index 3437452fd..117fda6d6 100644 --- a/mitmproxy/net/tcp.py +++ b/mitmproxy/net/tcp.py @@ -70,6 +70,15 @@ sslversion_choices = { "TLSv1_2": (SSL.TLSv1_2_METHOD, SSL_BASIC_OPTIONS), } +ssl_method_names = { + SSL.SSLv2_METHOD: "SSLv2", + SSL.SSLv3_METHOD: "SSLv3", + SSL.SSLv23_METHOD: "SSLv23", + SSL.TLSv1_METHOD: "TLSv1", + SSL.TLSv1_1_METHOD: "TLSv1.1", + SSL.TLSv1_2_METHOD: "TLSv1.2", +} + class SSLKeyLogger: @@ -510,7 +519,17 @@ class _Connection: :param cipher_list: A textual OpenSSL cipher list, see https://www.openssl.org/docs/apps/ciphers.html :rtype : SSL.Context """ - context = SSL.Context(method) + try: + context = SSL.Context(method) + except ValueError as e: + method_name = ssl_method_names.get(method, "unknown") + raise exceptions.TlsException( + "SSL method \"%s\" is most likely not supported " + "or disabled (for security reasons) in your libssl. " + "Please refer to https://github.com/mitmproxy/mitmproxy/issues/1101 " + "for more details." % method_name + ) + # Options (NO_SSLv2/3) if options is not None: context.set_options(options) diff --git a/test/mitmproxy/net/test_tcp.py b/test/mitmproxy/net/test_tcp.py index 3238ab2fc..c5b026ef8 100644 --- a/test/mitmproxy/net/test_tcp.py +++ b/test/mitmproxy/net/test_tcp.py @@ -800,3 +800,18 @@ class TestSSLKeyLogger(tservers.ServerTestBase): tcp.SSLKeyLogger.create_logfun("test"), tcp.SSLKeyLogger) assert not tcp.SSLKeyLogger.create_logfun(False) + + +class TestSSLInvalidMethod(tservers.ServerTestBase): + handler = EchoHandler + ssl = True + + def test_invalid_ssl_method_should_fail(self): + fake_ssl_method = 100500 + c = tcp.TCPClient(("127.0.0.1", self.port)) + with c.connect(): + tutils.raises( + exceptions.TlsException, + c.convert_to_ssl, + method=fake_ssl_method + )