commit abcb946b2d9bc9534b5e5649a3fe3a747a09f84f
Author: Isis Lovecruft isis@torproject.org
Date: Sat Jun 15 04:12:50 2013 +0000
Fix #8353, catch error when OpenSSL not compiled with SSLv2 context.
* Change code to fallback to testing TLSv1 (the default) instead, and display a message to the user that if they really wish to test SSLv2 handshakes that it will be necessary for them to recompile OpenSSL with SSLv2 support.
---
 nettests/experimental/tls_handshake.py | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/nettests/experimental/tls_handshake.py b/nettests/experimental/tls_handshake.py
index 83b2868..5da2e8b 100644
--- a/nettests/experimental/tls_handshake.py
+++ b/nettests/experimental/tls_handshake.py
@@ -88,7 +88,12 @@ class SSLContextError(usage.UsageError):
 errors = {
 'NO_CONTEXT': 'No SSL/TLS context chosen! Defaulting to TLSv1.',
 'INCOMPATIBLE': str("Testing TLSv1 (option '--tls1') is incompatible "
- + "with testing SSL ('--ssl2' and '--ssl3').") }
+ + "with testing SSL ('--ssl2' and '--ssl3')."),
+ 'MISSING_SSLV2': str("Your version of OpenSSL was compiled without "
+ + "support for SSLv2. This is normal on newer "
+ + "versions of OpenSSL, but it means that you "
+ + "will be unable to test SSLv2 handshakes "
+ + "without recompiling OpenSSL."), }

 def __init__(self, message):
 if message in self.errors.keys():
@@ -164,12 +169,22 @@ class HandshakeTest(nettest.NetTestCase):
 except SSLContextError as sce: log.err(sce.message)
 finally: log.msg('Defaulting to testing only TLSv1.')
 elif options['ssl2']:
- if not options['ssl3']:
- self.context = SSL.Context(SSL.SSLv2_METHOD)
- else:
- self.context = SSL.Context(SSL.SSLv23_METHOD)
+ try:
+ if not options['ssl3']:
+ context = SSL.Context(SSL.SSLv2_METHOD)
+ else:
+ context = SSL.Context(SSL.SSLv23_METHOD)
+ except ValueError as ve:
+ log.err(ve.message)
+ try: raise SSLContextError('MISSING_SSLV2')
+ except SSLContextError as sce:
+ log.err(sce.message)
+ log.msg("Falling back to testing only TLSv1.")
+ context = SSL.Context(SSL.TLSv1_METHOD)
 elif options['ssl3']:
- self.context = SSL.Context(SSL.SSLv3_METHOD)
+ context = SSL.Context(SSL.SSLv3_METHOD)
+ ## finally, reset the context if the user's choice was okay:
+ if context: self.context = context

 ## if we weren't given a file with a list of ciphersuites to use,
 ## then use the firefox default list:
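Review bot: The closing `if context: self.context = context` reads a local that this hunk binds only in the `ssl2` and `ssl3` branches, so if the earlier branches of the option chain (they start above the hunk and are not visible here) never assign `context`, that line raises UnboundLocalError instead of leaving the default in place. Initialising `context = None` ahead of the chain, or keeping the direct `self.context = ...` assignments, would avoid that. The `except ValueError` fallback also replaces the requested SSLv2 handshake with TLSv1 and announces it only through log lines; the method actually used should be recorded with the results so that a TLSv1 measurement is not later read as an SSLv2 one. The `SSLv23_METHOD` call sits in the same `try`, so any ValueError raised there would be reported as `MISSING_SSLV2` as well.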