mozilla/cipherscan

analyze.py fails retrieving JSON file from S3 (Python SNI error)

adamcrosby opened this issue · 3 comments

Using fully patched Ubuntu Trusty Tahr (14.04.4 LTS), Python version 2.7.6, current cipherscan clone.

Error message:

Failed to retrieve JSON configurations from https://statics.tls.security.mozilla.org/server-side-tls-conf.json

This appears to be because 2.7.6 doesn't support the 'statics.tls.security.mozilla.org' TLS configuration, and attempts to use SSL23.

>>> urllib2.urlopen("https://statics.tls.security.mozilla.org/server-side-tls-conf.json").read()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 404, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 422, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1222, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1184, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure>

This appears to be related to Python <2.7.8's inability to support SNI in certificates when using the standard library 'ssl' module (which urllib2 does). I found this issue with the Requests library that indicates the same problem/source, and a fix (changing to PyOpenSSL); however, for the use of cipherscan, might it be easier to just reference the JSON file locally and put it in the git repo (with the nice side effect that it can then be used internally on systems that can't access the Internet)?

Alternatively, an indicator in the Readme (or a quick check of code version in the python file itself) that you must have SNI support in order to use the software (e.g. Py 2.7.8+) would work.
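The two suggestions above (detect missing SNI support up front, and fall back to a bundled copy of the JSON) combined into one loader, as an added example that is not cipherscan's own code. It checks `ssl.HAS_SNI` (absent on Python 2.7.6, which is what produces the `sslv3 alert handshake failure` in the traceback), tries the online copy, and on any fetch error reads a local file instead. The `fetcher` parameter, the `SAMPLE_CONF` document and the `simulated_handshake_failure` helper are assumptions made so the fallback path can be exercised offline; the sample JSON's structure is constructed for illustration and is not the real `server-side-tls-conf.json` schema.

```python
"""Added example: fetch the Mozilla server-side TLS JSON with an SNI check
and a local fallback. Not cipherscan's own code; runs on Python 2.7 and 3."""
import json
import os
import ssl
import sys
import tempfile

try:  # Python 3
    from urllib.request import urlopen
    from urllib.error import URLError
except ImportError:  # Python 2
    from urllib2 import urlopen, URLError

CONF_URL = "https://statics.tls.security.mozilla.org/server-side-tls-conf.json"

# Constructed sample standing in for a bundled copy of the JSON file
# (illustrative structure only, not the real schema).
SAMPLE_CONF = json.dumps({
    "configurations": {
        "modern": {"tls_versions": ["TLSv1.2"]},
        "intermediate": {"tls_versions": ["TLSv1", "TLSv1.1", "TLSv1.2"]},
    }
})


def stdlib_has_sni():
    """True when the ssl module can send Server Name Indication.

    Python 2.7.6 (Ubuntu 14.04) has no ssl.HAS_SNI attribute at all, so a
    server that only serves its certificate for SNI clients answers the
    ClientHello with a handshake_failure alert, exactly as in the traceback.
    """
    return bool(getattr(ssl, "HAS_SNI", False))


def parse_conf(text):
    """Parse the JSON document; ValueError on malformed input."""
    return json.loads(text)


def fetch_remote(url=CONF_URL, timeout=10):
    """Fetch and parse the online copy. Raises URLError/IOError on failure."""
    return parse_conf(urlopen(url, timeout=timeout).read().decode("utf-8"))


def simulated_handshake_failure():
    """Assumed helper reproducing the error from the issue without a network."""
    raise URLError("[Errno 1] _ssl.c:510: error:14077410:SSL routines:"
                   "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure")


def load_tls_conf(local_path, fetcher=fetch_remote):
    """Return (config, source): the online copy when reachable, else the
    bundled file at local_path. `fetcher` is injectable for offline testing."""
    if not stdlib_has_sni():
        sys.stderr.write("warning: this Python's ssl module lacks SNI; "
                         "fetching %s is likely to fail, using local copy\n"
                         % CONF_URL)
    try:
        return fetcher(), "remote"
    except (URLError, IOError, ValueError) as exc:
        sys.stderr.write("warning: could not retrieve online JSON (%s); "
                         "falling back to %s\n" % (exc, local_path))
    with open(local_path) as fh:
        return parse_conf(fh.read()), "local"


def sample_conf_path():
    """Write SAMPLE_CONF to a temp file and return its path (test fixture)."""
    fh = tempfile.NamedTemporaryFile("w", suffix=".json", delete=False)
    fh.write(SAMPLE_CONF)
    fh.close()
    return fh.name


if __name__ == "__main__":
    path = sample_conf_path()
    conf, source = load_tls_conf(path)  # real fetch, falls back if offline
    print("loaded from %s: %s" % (source, sorted(conf["configurations"])))
    os.unlink(path)
```

Shipping the JSON in the repository and loading it through something like `load_tls_conf` addresses both complaints in the thread: users on a pre-SNI Python get a clear warning instead of a bare `URLError`, and air-gapped systems work without any fetch at all.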

I really really really want to roll my eyes at this. But I think you're right: the JSON file needs to be included in the repo as a fallback for failure to fetch the online version.

I agree, and it's def. not your responsibility to cater to old software (see: bash 4 issue). Not being able to use it 'offline' or disconnected is sort of a pain though, and having the JSON included is the best way to fix both, I think.

I'll submit a PR for that, if you'd like?

I always welcome pull requests :)
Thanks!