authorYoginski <yoginski@gmail.com>2016-11-21 14:40:09 +0600
committerThomas Kriechbaumer <Kriechi@users.noreply.github.com>2016-11-21 09:40:09 +0100
commitebff5f2466ab630f3642283c63823b2596f0b86c (patch)
tree3572a0ec4cfeb50870016d332a467fc7da8f3e99
parentc90405253a2345b7722bdb68906561e4c50dc1bf (diff)
Descriptive error message for SSL context initialization failure (#1767)
-rw-r--r--mitmproxy/net/tcp.py21
-rw-r--r--test/mitmproxy/net/test_tcp.py15
2 files changed, 35 insertions, 1 deletions
diff --git a/mitmproxy/net/tcp.py b/mitmproxy/net/tcp.py
index 3437452f..117fda6d 100644
--- a/mitmproxy/net/tcp.py
+++ b/mitmproxy/net/tcp.py
@@ -70,6 +70,15 @@ sslversion_choices = {
"TLSv1_2": (SSL.TLSv1_2_METHOD, SSL_BASIC_OPTIONS),
}
+ssl_method_names = {
+ SSL.SSLv2_METHOD: "SSLv2",
+ SSL.SSLv3_METHOD: "SSLv3",
+ SSL.SSLv23_METHOD: "SSLv23",
+ SSL.TLSv1_METHOD: "TLSv1",
+ SSL.TLSv1_1_METHOD: "TLSv1.1",
+ SSL.TLSv1_2_METHOD: "TLSv1.2",
+}
+
class SSLKeyLogger:
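Review bot: The display names in `ssl_method_names` do not follow the spelling of the `sslversion_choices` keys: the context line just above uses `"TLSv1_2"`, while the new table reports `"TLSv1.2"` and `"TLSv1.1"`. Only one key of `sslversion_choices` is visible here, but if the others follow the same pattern, a user who selected a version by its option key will see a different spelling in the error text. Either reuse the option spelling (`SSL.TLSv1_2_METHOD: "TLSv1_2",`) or add a comment above the dict such as `# Human-readable names for error messages only; not the keys accepted in sslversion_choices.`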
@@ -510,7 +519,17 @@ class _Connection:
:param cipher_list: A textual OpenSSL cipher list, see https://www.openssl.org/docs/apps/ciphers.html
:rtype : SSL.Context
"""
- context = SSL.Context(method)
+ try:
+ context = SSL.Context(method)
+ except ValueError as e:
+ method_name = ssl_method_names.get(method, "unknown")
+ raise exceptions.TlsException(
+ "SSL method \"%s\" is most likely not supported "
+ "or disabled (for security reasons) in your libssl. "
+ "Please refer to https://github.com/mitmproxy/mitmproxy/issues/1101 "
+ "for more details." % method_name
+ )
+
# Options (NO_SSLv2/3)
if options is not None:
context.set_options(options)
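Review bot: The caught `ValueError` is bound to `e` but never used, and a method missing from `ssl_method_names` is reported only as "unknown", so the message for an unexpected value does not show what was actually passed. Chaining the cause and falling back to the raw value keeps that diagnostic: `method_name = ssl_method_names.get(method, repr(method))`, plus `) from e` on the closing line of the raise (assuming the codebase is Python 3 only). The text also attributes every `ValueError` to a disabled protocol; for SSLv2/SSLv3 it would help to state that selecting a newer protocol version is the fix, so the user is not left looking for a way to re-enable them. The enclosing method starts and ends outside the hunk.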
diff --git a/test/mitmproxy/net/test_tcp.py b/test/mitmproxy/net/test_tcp.py
index 3238ab2f..c5b026ef 100644
--- a/test/mitmproxy/net/test_tcp.py
+++ b/test/mitmproxy/net/test_tcp.py
@@ -800,3 +800,18 @@ class TestSSLKeyLogger(tservers.ServerTestBase):
tcp.SSLKeyLogger.create_logfun("test"),
tcp.SSLKeyLogger)
assert not tcp.SSLKeyLogger.create_logfun(False)
+
+
+class TestSSLInvalidMethod(tservers.ServerTestBase):
+ handler = EchoHandler
+ ssl = True
+
+ def test_invalid_ssl_method_should_fail(self):
+ fake_ssl_method = 100500
+ c = tcp.TCPClient(("127.0.0.1", self.port))
+ with c.connect():
+ tutils.raises(
+ exceptions.TlsException,
+ c.convert_to_ssl,
+ method=fake_ssl_method
+ )
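Review bot: This test only exercises the "unknown" fallback, because `100500` is not a key of `ssl_method_names`, and it checks the exception type but not the text, so the new descriptive message is not verified. An assertion on the message would pin the behaviour the commit is about. If `tutils.raises` accepts an expected substring (not visible here, so confirm), something like `tutils.raises("is most likely not supported", c.convert_to_ssl, method=fake_ssl_method)` would do. A case for a mapped method that the local libssl rejects depends on the build, so it would probably need a conditional skip.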