mozilla/cipherscan

AttributeError: can't set attribute

Closed this issue · 6 comments

Hello.
When I run the script to check the site, I get this error.

$ ./analyze.py -t google.com 
Traceback (most recent call last):
  File "cscan.py", line 265, in <module>
    scan_TLS_intolerancies(host, port, hostname)
  File "cscan.py", line 146, in scan_TLS_intolerancies
    host_up = not all(conf_iterator(lambda conf: True))
  File "cscan.py", line 143, in <genexpr>
    if predicate(conf))
  File "cscan.py", line 126, in result_cache
    hostname))
  File "cscan.py", line 29, in scan_with_config
    ret = scanner.scan()
  File "/home/user/ssl/cipherscan/cscan/scanner.py", line 141, in scan
    msg = handshake_parser.parse(parser)
  File "/home/user/ssl/cipherscan/cscan/scanner.py", line 58, in parse
    msg.parse(parser)
  File "/home/user/ssl/cipherscan/cscan/messages.py", line 117, in parse
    self.certChain = certificate_list
AttributeError: can't set attribute
google.com:443 has intermediate ssl/tls

Changes needed to match the old level:
* enable SSLv3
* use a certificate with sha1WithRSAEncryption signature
* use DHE of 1024bits and ECC of 160bits
* consider enabling OCSP Stapling

Changes needed to match the intermediate level:
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher ECDHE-RSA-AES128-SHA
* remove cipher ECDHE-RSA-AES256-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES256-GCM-SHA384
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1.1
* disable TLSv1
* consider enabling OCSP Stapling

I also ran this with port 443 and with the local openssl, but it did not help.
I'm using Debian 9.4 and OpenSSL 1.1.0f 25 May 2017.

How can I fix this error?

Which Python version are you using?
Which version of tlslite-ng do you have installed (pip list | grep tlslite)?

Python 2.7.13
tlslite-ng (0.6.0)

$ ./analyze.py -t test.test

/home/user/ssl/cipherscan/cscan.sh: tlslite-ng not found, downloading...
Клонирование в «.tlslite-ng»…
remote: Counting objects: 243, done.
remote: Compressing objects: 100% (183/183), done.
remote: Total 243 (delta 64), reused 128 (delta 55), pack-reused 0
Получение объектов: 100% (243/243), 390.84 KiB | 308.00 KiB/s, готово.
Определение изменений: 100% (64/64), готово.

/home/user/ssl/cipherscan/cscan.sh: python-ecdsa not found, downloading...
Клонирование в «.python-ecdsa»…
remote: Counting objects: 31, done.
remote: Compressing objects: 100% (28/28), done.
remote: Total 31 (delta 1), reused 9 (delta 1), pack-reused 0
Распаковка объектов: 100% (31/31), готово.
Traceback (most recent call last):
  File "cscan.py", line 265, in <module>
    scan_TLS_intolerancies(host, port, hostname)
  File "cscan.py", line 146, in scan_TLS_intolerancies
    host_up = not all(conf_iterator(lambda conf: True))
  File "cscan.py", line 143, in <genexpr>
    if predicate(conf))
  File "cscan.py", line 126, in result_cache
    hostname))
  File "cscan.py", line 29, in scan_with_config
    ret = scanner.scan()
  File "/home/user/ssl/cipherscan/cscan/scanner.py", line 141, in scan
    msg = handshake_parser.parse(parser)
  File "/home/user/ssl/cipherscan/cscan/scanner.py", line 58, in parse
    msg.parse(parser)
  File "/home/user/ssl/cipherscan/cscan/messages.py", line 117, in parse
    self.certChain = certificate_list
AttributeError: can't set attribute
test.test:443 has intermediate ssl/tls

Changes needed to match the old level:
* enable SSLv3
* add cipher DES-CBC3-SHA
* use a certificate with sha1WithRSAEncryption signature
* use DHE of 1024bits and ECC of 160bits
* consider enabling OCSP Stapling

Changes needed to match the intermediate level:
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher DHE-RSA-AES128-GCM-SHA256
* remove cipher DHE-RSA-AES256-GCM-SHA384
* remove cipher ECDHE-ECDSA-AES128-SHA
* remove cipher ECDHE-RSA-AES128-SHA
* remove cipher ECDHE-ECDSA-AES256-SHA
* remove cipher ECDHE-RSA-AES256-SHA
* remove cipher DHE-RSA-AES128-SHA256
* remove cipher DHE-RSA-AES128-SHA
* remove cipher DHE-RSA-AES256-SHA256
* remove cipher DHE-RSA-AES256-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES256-GCM-SHA384
* remove cipher AES128-SHA256
* remove cipher AES256-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* disable TLSv1.1
* disable TLSv1
* consider enabling OCSP Stapling

I looked at .tlslite-ng/tlslite/messages.py and saw that certChain is defined there as a read-only property (method), as far as I understood. I'm not very good at Python, but maybe the problem is this:

class Certificate(HandshakeMsg):
    def __init__(self, certificateType, version=(3, 2)):
        HandshakeMsg.__init__(self, HandshakeType.certificate)
        self.certificateType = certificateType
        self._certChain = None
        self.version = version
        self.certificate_list = None
        self.certificate_request_context = None

    @property
    def certChain(self):
        if self._certChain:
            return self._certChain
        elif self.certificate_list is None:
            return None
        else:
            return X509CertChain([i.certificate
                                  for i in self.certificate_list])

You're right, I broke backwards compatibility while adding TLS 1.3 support; that property is missing a setter. Could you go into the .tlslite-ng directory and fetch the certChain-property branch from my repo and see if that helps (tlsfuzzer/tlslite-ng#239)?
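The failure mode discussed in this thread, as an added example that is not part of the original comments and is not tlslite-ng's or cipherscan's code: a property with only a getter rejects the direct assignment that older callers perform, and adding a setter restores it. The class names and `legacy_parse` are hypothetical stand-ins, and the setter shown is one possible shape, not the contents of the referenced branch.

```python
# Stand-in classes (hypothetical names); sample data is constructed.

class CertEntry(object):
    """Constructed stand-in for one entry of certificate_list."""
    def __init__(self, certificate):
        self.certificate = certificate


class ReadOnlyCertificate(object):
    """Mirrors the shape quoted in the thread: certChain has a getter only."""
    def __init__(self):
        self._certChain = None
        self.certificate_list = None

    @property
    def certChain(self):
        if self._certChain:
            return self._certChain
        if self.certificate_list is None:
            return None
        # Derived view built from the newer per-entry list
        return [entry.certificate for entry in self.certificate_list]


class SettableCertificate(ReadOnlyCertificate):
    """Same getter plus a setter, so legacy `msg.certChain = x` keeps working."""
    @property
    def certChain(self):
        return ReadOnlyCertificate.certChain.fget(self)

    @certChain.setter
    def certChain(self, value):
        self._certChain = value


def legacy_parse(msg, chain):
    """What a caller written before the property existed does: assign directly."""
    try:
        msg.certChain = chain
        return "ok"
    except AttributeError:
        # Getter-only property: the assignment is rejected at runtime
        return "AttributeError"


if __name__ == "__main__":
    print(legacy_parse(ReadOnlyCertificate(), ["leaf", "ca"]))
    print(legacy_parse(SettableCertificate(), ["leaf", "ca"]))
```
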

I'm going to try now.

It looks like the problem is fixed.
I checked at the intermediate and modern levels.

As it's not a bug in cipherscan, I'm going to close it as invalid. The changes to tlslite-ng should get merged in a few days at most.

Thanks for the report and quick turnaround!