[tor-commits] [stem/master] Better normalize ORPort SSL connection failures

atagar at torproject.org atagar at torproject.org
Fri Oct 5 17:32:15 UTC 2018 

commit 0f0ba5d53468223ea8ca42887f103af16fc37291
Author: Damian Johnson <atagar at torproject.org>
Date:   Thu Oct 4 11:10:01 2018 -0700

    Better normalize ORPort SSL connection failures
    
    On reflection the assertion failure addressed in commit 0e08db7 was a
    legitimate one. It was exposing a bug in our error response normalization.
    Reverting the change to the test and doing a proper fix.
---
 stem/client/__init__.py         | 14 +++++++++++---
 test/integ/client/connection.py | 16 +---------------
 2 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/stem/client/__init__.py b/stem/client/__init__.py
index aaa62f5b..6cadc098 100644
--- a/stem/client/__init__.py
+++ b/stem/client/__init__.py
@@ -82,10 +82,18 @@ class Relay(object):
     except stem.SocketError as exc:
       if 'Connection refused' in str(exc):
         raise stem.SocketError("Failed to connect to %s:%i. Maybe it isn't an ORPort?" % (address, port))
-      elif 'SSL: ' in str(exc):
+
+      # If not an ORPort (for instance, mistakenly connecting to a ControlPort
+      # instead) we'll likely fail during SSL negotiation. This can result
+      # in a variety of responses so normalizing what we can...
+      #
+      #   Ubuntu 16.04:   [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:590)
+      #   Ubuntu 12.04:   [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
+
+      if 'unknown protocol' in str(exc):
         raise stem.SocketError("Failed to SSL authenticate to %s:%i. Maybe it isn't an ORPort?" % (address, port))
-      else:
-        raise
+
+      raise
 
     # To negotiate our link protocol the first VERSIONS cell is expected to use
     # a circuit ID field size from protocol version 1-3 for backward
diff --git a/test/integ/client/connection.py b/test/integ/client/connection.py
index ca8853c7..a43283b9 100644
--- a/test/integ/client/connection.py
+++ b/test/integ/client/connection.py
@@ -31,21 +31,7 @@ class TestConnection(unittest.TestCase):
     # connect to our ControlPort like it's an ORPort
 
     if test.runner.Torrc.PORT in test.runner.get_runner().get_options():
-      try:
-        Relay.connect('127.0.0.1', test.runner.CONTROL_PORT)
-        self.fail('Connecting to a non-ORPort should raise a stem.SocketError')
-      except stem.SocketError as exc:
-        if str(exc) == "Failed to SSL authenticate to 127.0.0.1:1111. Maybe it isn't an ORPort?":
-          pass  # good, this is the usual response
-        elif 'SSL23_GET_SERVER_HELLO:unknown protocol' in str(exc):
-          # Less common, but still ok. This arises on older systems that do not
-          # support tor's ssl version. The full response is...
-          #
-          #   [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
-
-          pass
-        else:
-          self.fail('Unexpected response when connecting to a non-ORPort: %s' % exc)
+      self.assertRaisesWith(stem.SocketError, "Failed to SSL authenticate to 127.0.0.1:1111. Maybe it isn't an ORPort?", Relay.connect, '127.0.0.1', test.runner.CONTROL_PORT)
 
   def test_no_common_link_protocol(self):
     """

More information about the tor-commits mailing list