[or-cvs] [torflow/master 03/92] Properly handle SSL servers that only support SSLv3 or SSLv2
mikeperry at torproject.org
mikeperry at torproject.org
Sat Aug 21 05:13:57 UTC 2010
Author: John M. Schanck <john at anomos.info>
Date: Fri, 18 Jun 2010 19:22:52 -0400
Subject: Properly handle SSL servers that only support SSLv3 or SSLv2
Commit: cdecb672b7ef493b462291c0be03cfa1e34ec281
---
NetworkScanners/ExitAuthority/soat.py | 15 +++++++++++++--
1 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/NetworkScanners/ExitAuthority/soat.py b/NetworkScanners/ExitAuthority/soat.py
index 8dabe5f..a2fd96a 100755
--- a/NetworkScanners/ExitAuthority/soat.py
+++ b/NetworkScanners/ExitAuthority/soat.py
@@ -1717,12 +1717,12 @@ class SSLTest(SearchBasedTest):
def get_targets(self):
return self.get_search_urls('https', self.test_hosts, True, search_mode=google_search_mode)
- def ssl_request(self, address):
+ def ssl_request(self, address, method='TLSv1_METHOD'):
''' initiate an ssl connection and return the server certificate '''
address=str(address) # Unicode hostnames not supported..
# specify the context
- ctx = SSL.Context(SSL.TLSv1_METHOD)
+ ctx = SSL.Context(getattr(SSL,method))
ctx.set_timeout(int(read_timeout))
ctx.set_verify_depth(1)
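Review bot: `getattr(SSL,method)` in ssl_request resolves whatever string the caller passes, so a typo or an unexpected name surfaces as an AttributeError, or as a non-method attribute handed to SSL.Context, rather than as a clear error. Checking first with `if method not in ('TLSv1_METHOD', 'SSLv3_METHOD', 'SSLv2_METHOD'): raise ValueError(method)` keeps the set of accepted protocols explicit. Some OpenSSL builds omit SSLv2, in which case constructing the context for the last fallback may itself raise; whether that happens inside the try block cannot be seen here, since the function body continues past the hunk. The docstring should also describe the new parameter, for example `method: name of the SSL.*_METHOD constant to negotiate with`.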
@@ -1755,6 +1755,17 @@ class SSLTest(SearchBasedTest):
except crypto.Error, e:
traceback.print_exc()
return (-23.0, None, e.__class__.__name__+str(e))
+ except SSL.Error, e:
+ for (lib, func, reason) in e[0]:
+ if reason == 'wrong version number':
+ # Check if the server supports a different SSL version
+ if method == 'TLSv1_METHOD':
+ return self.ssl_request(address, 'SSLv3_METHOD')
+ elif method == 'SSLv3_METHOD':
+ return self.ssl_request(address, 'SSLv2_METHOD')
+ plog('WARN', 'An unknown SSL error occured for '+address+': '+str(e))
+ traceback.print_exc()
+ return (-666.0, None, e.__class__.__name__+str(e))
except Exception, e:
plog('WARN', 'An unknown SSL error occured for '+address+': '+str(e))
traceback.print_exc()
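Review bot: The loop `for (lib, func, reason) in e[0]` in the new `except SSL.Error` handler assumes the first argument is a list of three-tuples. pyOpenSSL subclasses of SSL.Error such as SysCallError and ZeroReturnError carry a different or empty argument tuple, so the handler itself can raise TypeError or IndexError, which the `except Exception` clause below will not catch. Guarding the loop with `if e.args and isinstance(e.args[0], list):` lets those cases fall through to the warning and the -666.0 return. The retries over SSLv3 and SSLv2 are also silent and the returned tuple does not say which protocol succeeded, so a plog line before each retry would let later analysis tell a downgraded fetch from a TLSv1 one. The start of the try block is outside the hunk.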
--
1.7.1