From ebff5f2466ab630f3642283c63823b2596f0b86c Mon Sep 17 00:00:00 2001
From: Yoginski <yoginski@gmail.com>
Date: Mon, 21 Nov 2016 14:40:09 +0600
Subject: Descriptive error message for SSL context initialization failure
 (#1767)

---
 mitmproxy/net/tcp.py           | 21 ++++++++++++++++++++-
 test/mitmproxy/net/test_tcp.py | 15 +++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/mitmproxy/net/tcp.py b/mitmproxy/net/tcp.py
index 3437452f..117fda6d 100644
--- a/mitmproxy/net/tcp.py
+++ b/mitmproxy/net/tcp.py
@@ -70,6 +70,15 @@ sslversion_choices = {
     "TLSv1_2": (SSL.TLSv1_2_METHOD, SSL_BASIC_OPTIONS),
 }
 
+ssl_method_names = {
+    SSL.SSLv2_METHOD: "SSLv2",
+    SSL.SSLv3_METHOD: "SSLv3",
+    SSL.SSLv23_METHOD: "SSLv23",
+    SSL.TLSv1_METHOD: "TLSv1",
+    SSL.TLSv1_1_METHOD: "TLSv1.1",
+    SSL.TLSv1_2_METHOD: "TLSv1.2",
+}
+
 
 class SSLKeyLogger:
 
@@ -510,7 +519,17 @@ class _Connection:
         :param cipher_list: A textual OpenSSL cipher list, see https://www.openssl.org/docs/apps/ciphers.html
         :rtype : SSL.Context
         """
-        context = SSL.Context(method)
+        try:
+            context = SSL.Context(method)
+        except ValueError as e:
+            method_name = ssl_method_names.get(method, "unknown")
+            raise exceptions.TlsException(
+                "SSL method \"%s\" is most likely not supported "
+                "or disabled (for security reasons) in your libssl. "
+                "Please refer to https://github.com/mitmproxy/mitmproxy/issues/1101 "
+                "for more details." % method_name
+            )
+
         # Options (NO_SSLv2/3)
         if options is not None:
             context.set_options(options)
diff --git a/test/mitmproxy/net/test_tcp.py b/test/mitmproxy/net/test_tcp.py
index 3238ab2f..c5b026ef 100644
--- a/test/mitmproxy/net/test_tcp.py
+++ b/test/mitmproxy/net/test_tcp.py
@@ -800,3 +800,18 @@ class TestSSLKeyLogger(tservers.ServerTestBase):
             tcp.SSLKeyLogger.create_logfun("test"),
             tcp.SSLKeyLogger)
         assert not tcp.SSLKeyLogger.create_logfun(False)
+
+
+class TestSSLInvalidMethod(tservers.ServerTestBase):
+    handler = EchoHandler
+    ssl = True
+
+    def test_invalid_ssl_method_should_fail(self):
+        fake_ssl_method = 100500
+        c = tcp.TCPClient(("127.0.0.1", self.port))
+        with c.connect():
+            tutils.raises(
+                exceptions.TlsException,
+                c.convert_to_ssl,
+                method=fake_ssl_method
+            )
-- 
cgit v1.2.3