[or-cvs] [torflow/master 04/92] Perform SSL handshake w/o sending spurious data.

Sat Aug 21 05:13:57 UTC 2010

Author: John M. Schanck <john at anomos.info>
Date: Sat, 19 Jun 2010 12:06:00 -0400
Subject: Perform SSL handshake w/o sending spurious data.
Commit: a3c8114930ece822cb6006192b39400f833cc782

---
 NetworkScanners/ExitAuthority/soat.py |   16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/NetworkScanners/ExitAuthority/soat.py b/NetworkScanners/ExitAuthority/soat.py
index a2fd96a..02ea369 100755
--- a/NetworkScanners/ExitAuthority/soat.py
+++ b/NetworkScanners/ExitAuthority/soat.py
@@ -1726,9 +1726,6 @@ class SSLTest(SearchBasedTest):
     ctx.set_timeout(int(read_timeout))
     ctx.set_verify_depth(1)
 
-    # ready the certificate request
-    request = crypto.X509Req()
-
     # open an ssl connection
     # FIXME: Hrmmm. handshake considerations
     try:
@@ -1738,7 +1735,12 @@ class SSLTest(SearchBasedTest):
       c = SSL.Connection(ctx, s)
       c.set_connect_state()
       c.connect((address, 443)) # DNS OK.
-      c.send(crypto.dump_certificate_request(crypto.FILETYPE_PEM,request))
+      # XXX: A PEM encoded certificate request was a bizarre and fingerprintable
+      # thing to send here. All we actually need to do is perform a handshake,
+      # but it might be good to make a simple GET request to further limit
+      # fingerprintability.
+      # c.send(crypto.dump_certificate_request(crypto.FILETYPE_PEM,request))
+      c.do_handshake()
       # return the cert
       return (0, c.get_peer_certificate(), None)
     except socket.timeout, e:
@@ -1757,11 +1759,13 @@ class SSLTest(SearchBasedTest):
       return (-23.0, None, e.__class__.__name__+str(e))
     except SSL.Error, e:
       for (lib, func, reason) in e[0]:
-        if reason == 'wrong version number':
+        if reason in ('wrong version number','sslv3 alert illegal parameter'):
           # Check if the server supports a different SSL version
           if method == 'TLSv1_METHOD':
+            plog('DEBUG','Could not negotiate SSL handshake with %s, retrying with SSLv3_METHOD' % address)
             return self.ssl_request(address, 'SSLv3_METHOD')
           elif method == 'SSLv3_METHOD':
+            plog('DEBUG','Could not negotiate SSL handshake with %s, retrying with SSLv2_METHOD' % address)
             return self.ssl_request(address, 'SSLv2_METHOD')
       plog('WARN', 'An unknown SSL error occured for '+address+': '+str(e))
       traceback.print_exc()
@@ -1789,7 +1793,7 @@ class SSLTest(SearchBasedTest):
     for ip in check_ips:
       #let's always check.
       #if not ssl_domain.seen_ip(ip):
-      plog('INFO', 'Ssl connection to new ip '+ip+" for "+ssl_domain.domain)
+      plog('INFO', 'SSL connection to new ip '+ip+" for "+ssl_domain.domain)
       (code, raw_cert, exc) = self.ssl_request(ip)
       if not raw_cert:
         plog('WARN', 'Error getting the correct cert for '+ssl_domain.domain+":"+ip+" "+str(code)+"("+str(exc)+")")
-- 
1.7.1


