From 21618eccdac6a051c0fb56a76a3ed51b50d661d1 Mon Sep 17 00:00:00 2001
From: Ethan Arbuckle
Date: Fri, 23 Aug 2019 16:06:15 -0700
Subject: [PATCH 1/2] Legacy sslclient can not build verified chain a codepath did not gracefully recover from LegacySSLClient missing get_verified_chain()
---
 sslyze/plugins/http_headers_plugin.py | 4 ++++
 tests/plugin_tests/test_http_headers_plugin.py | 12 ++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/sslyze/plugins/http_headers_plugin.py b/sslyze/plugins/http_headers_plugin.py
index 8766d7a6..539528c4 100755
--- a/sslyze/plugins/http_headers_plugin.py
+++ b/sslyze/plugins/http_headers_plugin.py
@@ -57,6 +57,10 @@ def process_task(
 verified_chain_as_pem = ssl_connection.ssl_client.get_verified_chain()
 except CouldNotBuildVerifiedChain:
 verified_chain_as_pem = None
+ except AttributeError:
+ # Only the modern SSL Client can build the verified chain; hence we get here if the server only supports
+ # an older version of TLS (pre 1.2)
+ verified_chain_as_pem = None
 # Send an HTTP GET request to the server
 ssl_connection.ssl_client.write(HttpRequestGenerator.get_request(host=server_info.hostname))
diff --git a/tests/plugin_tests/test_http_headers_plugin.py b/tests/plugin_tests/test_http_headers_plugin.py
index cc06ed06..b5a966ae 100644
--- a/tests/plugin_tests/test_http_headers_plugin.py
+++ b/tests/plugin_tests/test_http_headers_plugin.py
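Review bot: The new `except AttributeError:` in `process_task` (sslyze/plugins/http_headers_plugin.py) is wider than the case its comment describes. It also swallows any AttributeError raised from inside `get_verified_chain()` on the modern client, so a real bug there would be reported as "no verified chain" instead of failing. Setting `verified_chain_as_pem = None` presumably causes later checks that need the chain to be skipped, which makes a silent fallback undesirable in a scanner. Checking for the capability first keeps the legacy case explicit: `if not hasattr(ssl_connection.ssl_client, "get_verified_chain"): verified_chain_as_pem = None`, with the existing `try` moved into the `else` branch. The `try:` line and the rest of `process_task` are outside the hunk.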
@@ -141,3 +141,15 @@ def test_works_when_client_auth_succeeded(self):
 assert plugin_result.expect_ct_header is None
 assert plugin_result.as_text()
 assert plugin_result.as_xml()
+
+ def test_legacy_ssl_client_missing_verified_chain(self):
+ # Given a tls1.0 server
+ server_test = ServerConnectivityTester(hostname='tls-v1-0.badssl.com', port=1010)
+ server_info = server_test.perform()
+
+ # The plugin does not throw an exception trying to access LegacySslClient.get_verified_chain()
+ plugin = HttpHeadersPlugin()
+ plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
+
+ assert plugin_result.as_text()
+ assert plugin_result.as_xml()
From ac4e9d01b95ceca9d6bd05192795c2a09dc0dee1 Mon Sep 17 00:00:00 2001
From: Ethan Arbuckle
Date: Tue, 27 Aug 2019 19:14:39 -0700
Subject: [PATCH 2/2] remove whitespace
---
 tests/plugin_tests/test_http_headers_plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/plugin_tests/test_http_headers_plugin.py b/tests/plugin_tests/test_http_headers_plugin.py
index b5a966ae..e37b7fcd 100644
--- a/tests/plugin_tests/test_http_headers_plugin.py
+++ b/tests/plugin_tests/test_http_headers_plugin.py
@@ -146,7 +146,7 @@ def test_legacy_ssl_client_missing_verified_chain(self):
 # Given a tls1.0 server
 server_test = ServerConnectivityTester(hostname='tls-v1-0.badssl.com', port=1010)
 server_info = server_test.perform()
-
+
 # The plugin does not throw an exception trying to access LegacySslClient.get_verified_chain()
 plugin = HttpHeadersPlugin()
 plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
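Review bot: `test_legacy_ssl_client_missing_verified_chain` asserts only that `as_text()` and `as_xml()` are truthy, so it does not prove the legacy-client branch was taken. If the scan of `tls-v1-0.badssl.com:1010` ever runs through the modern client, the test still passes without covering the fix. It would be stronger to also assert that the connection used the legacy client, or that the result carries no verified chain; the attribute to check is not visible in this hunk. The test also depends on reaching a third-party host, which deserves a comment above the `ServerConnectivityTester(...)` line, such as `# Needs network access to tls-v1-0.badssl.com:1010`.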