[tor-commits] [ooni-probe/develop] Fix #8353, catch error when OpenSSL not compiled with SSLv2 context.

isis at torproject.org isis at torproject.org
Wed Jun 26 01:02:11 UTC 2013


commit abcb946b2d9bc9534b5e5649a3fe3a747a09f84f
Author: Isis Lovecruft <isis at torproject.org>
Date:   Sat Jun 15 04:12:50 2013 +0000

    Fix #8353, catch error when OpenSSL not compiled with SSLv2 context.
    
     * Change code to fallback to testing TLSv1 (the default) instead,
       and display a message to the user that if they really wish to
       test SSLv2 handshakes that it will be necessary for them to
       recompile OpenSSL with SSLv2 support.
---
 nettests/experimental/tls_handshake.py |   27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/nettests/experimental/tls_handshake.py b/nettests/experimental/tls_handshake.py
index 83b2868..5da2e8b 100644
--- a/nettests/experimental/tls_handshake.py
+++ b/nettests/experimental/tls_handshake.py
@@ -88,7 +88,12 @@ class SSLContextError(usage.UsageError):
     errors = {
         'NO_CONTEXT': 'No SSL/TLS context chosen! Defaulting to TLSv1.',
         'INCOMPATIBLE': str("Testing TLSv1 (option '--tls1') is incompatible "
-                            + "with testing SSL ('--ssl2' and '--ssl3').") }
+                            + "with testing SSL ('--ssl2' and '--ssl3')."),
+        'MISSING_SSLV2': str("Your version of OpenSSL was compiled without "
+                             + "support for SSLv2. This is normal on newer "
+                             + "versions of OpenSSL, but it means that you "
+                             + "will be unable to test SSLv2 handshakes "
+                             + "without recompiling OpenSSL."), }
 
     def __init__(self, message):
         if message in self.errors.keys():
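Review bot: The new `'MISSING_SSLV2'` entry copies the `str("..." + "...")` pattern of the entry above it, but both the `str()` call and the `+` are unnecessary for string literals: adjacent literals are joined at compile time, so the value reads more simply as `'MISSING_SSLV2': ("Your version of OpenSSL was compiled without " "support for SSLv2. This is normal on newer " ...),`. Since the commit already touches the `'INCOMPATIBLE'` line, both entries could be normalised the same way in one go. The message text itself is clear and matches the fallback described in the commit message.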
@@ -164,12 +169,22 @@ class HandshakeTest(nettest.NetTestCase):
                     except SSLContextError as sce: log.err(sce.message)
                     finally: log.msg('Defaulting to testing only TLSv1.')
                 elif options['ssl2']:
-                    if not options['ssl3']:
-                        self.context = SSL.Context(SSL.SSLv2_METHOD)
-                    else:
-                        self.context = SSL.Context(SSL.SSLv23_METHOD)
+                    try:
+                        if not options['ssl3']:
+                            context = SSL.Context(SSL.SSLv2_METHOD)
+                        else:
+                            context = SSL.Context(SSL.SSLv23_METHOD)
+                    except ValueError as ve:
+                        log.err(ve.message)
+                        try: raise SSLContextError('MISSING_SSLV2')
+                        except SSLContextError as sce:
+                            log.err(sce.message)
+                            log.msg("Falling back to testing only TLSv1.")
+                            context = SSL.Context(SSL.TLSv1_METHOD)
                 elif options['ssl3']:
-                    self.context = SSL.Context(SSL.SSLv3_METHOD)
+                    context = SSL.Context(SSL.SSLv3_METHOD)
+            ## finally, reset the context if the user's choice was okay:
+            if context: self.context = context
 
             ## if we weren't given a file with a list of ciphersuites to use,
             ## then use the firefox default list:
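Review bot: `if context: self.context = context` reads a local that is bound only inside the `--ssl2`/`--ssl3` branches, so unless `context` is initialised before the option chain (the enclosing method starts outside the hunk, and the `--tls1` branch visible at the top of the hunk does not assign it), a run that takes another branch raises UnboundLocalError rather than keeping the existing `self.context`; a `context = None` ahead of the chain fixes that. The `try: raise SSLContextError('MISSING_SSLV2')` / `except SSLContextError as sce:` pair exists only to obtain the message text and can be `log.err(SSLContextError('MISSING_SSLV2').message)`. The `except ValueError` also wraps the `SSLv23_METHOD` branch, where a failure is not necessarily a missing-SSLv2 build, so the logged "MISSING_SSLV2" explanation can be misleading there; narrowing the `try` to the `SSLv2_METHOD` line, or a comment stating the assumption that pyOpenSSL reports an absent protocol as ValueError, would make the intent explicit. Note that `ve.message` depends on the Python 2-only `BaseException.message`, consistent with the rest of the file but worth a `str(ve)` if the test suite is meant to outlive that.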




