Upgrade cryptography #400

Closed
PhilippSelenium opened this issue Nov 15, 2019 · 9 comments
@PhilippSelenium
Contributor

PhilippSelenium commented Nov 15, 2019

Is your feature request related to a problem? Please describe.
I want to use this module but I require a recent version of cryptography (2.8)

Describe the solution you'd like
change the used version of cryptography == 2.8 or >=2.5

Describe alternatives you've considered
Not using sslyze

Additional context
Regularly update dependencies

@nabla-c0d3 nabla-c0d3 added this to To do in 3.0.0 Nov 19, 2019
@warburtr0n

warburtr0n commented Nov 26, 2019

FWIW I'd like to add my vote to this. I'm running into ASN1 decode issues which seem to be resolved in Cryptography 2.8 as per pyca/cryptography#3542

@warburtr0n

@nabla-c0d3 are you aware of any workaround for this issue? My main issue is that having set off a scan for a large number of domains it will fail at the point of JSON creation but I won't know what domain it is that is causing it all to fail.

I've actually had a number of various (but seemingly related failures) that all have the same outcome - I don't know what domain caused the issue...

```
  File "c:\python\python37\lib\site-packages\cryptography\hazmat\backends\openssl\decode_asn1.py", line 56, in _decode_x509_name_entry
    value = _asn1_string_to_utf8(backend, data)
  File "c:\python\python37\lib\site-packages\cryptography\hazmat\backends\openssl\decode_asn1.py", line 761, in _asn1_string_to_utf8
    "Unsupported ASN1 string type. Type: {0}".format(asn1_string.type)
ValueError: Unsupported ASN1 string type. Type: 3
```

```
  File "c:\python\python37\lib\site-packages\sslyze\plugins\certificate_info_plugin.py", line 618, in _certificate_chain_to_xml
    elem_xml.text = certificate.signature_hash_algorithm.name
  File "c:\python\python37\lib\site-packages\cryptography\hazmat\backends\openssl\x509.py", line 120, in signature_hash_algorithm
    "Signature algorithm OID:{0} not recognized".format(oid)
cryptography.exceptions.UnsupportedAlgorithm: Signature algorithm OID:<ObjectIdentifier(oid=1.2.840.113549.1.1.2, name=Unknown OID)> not recognized
```

```
  File "c:\python\python37\lib\site-packages\sslyze\cli\console_output.py", line 107, in server_scan_completed
    self._file_to.write(self._format_title(scan_txt) + target_result_str + "\n\n")
  File "c:\python\python37\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\u0151' in position 1665: character maps to <undefined>
```

If I could identify which domain had caused the failure I could skip it for now. Is there a way to have the problematic domain (cert name) in the output when it fails? (Even better would be if it could just log and skip this domain and then continue with the output).
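
The behaviour asked for in the comment above (name the failing target, skip it, keep writing the report), sketched as an added example; it is not sslyze code. `render_target`, `write_report`, `report_bytes` and the sample hosts are hypothetical, and the report stream is opened with an explicit encoding instead of the Windows default `cp1252` seen in the third traceback.

```python
import io
import logging

log = logging.getLogger("batch_report")

# Constructed sample: (hostname, certificate subject); None marks a certificate
# whose fields cannot be decoded.
SAMPLE = [
    ("a.example", "CN=a.example"),
    ("b.example", None),
    ("c.example", "CN=Er\u0151s Kft."),
]

def render_target(hostname, subject):
    """Hypothetical stand-in for per-target formatting of a scan result."""
    if subject is None:
        # Constructed failure reusing the message from the first traceback.
        raise ValueError("Unsupported ASN1 string type. Type: 3")
    return f"{hostname}: subject={subject}"

def write_report(results, out):
    """Write one line per target; return [(hostname, error)] for skipped targets."""
    failed = []
    for hostname, subject in results:
        try:
            out.write(render_target(hostname, subject) + "\n")
        except Exception as exc:  # broad on purpose: isolate each target
            reason = f"{type(exc).__name__}: {exc}"
            log.warning("skipping %s: %s", hostname, reason)
            failed.append((hostname, reason))
    return failed

def report_bytes(results, encoding):
    """Run write_report against an in-memory file opened with `encoding`."""
    raw = io.BytesIO()
    out = io.TextIOWrapper(raw, encoding=encoding, newline="\n")
    failed = write_report(results, out)
    out.flush()
    data = raw.getvalue()
    out.detach()  # keep the wrapper from closing `raw` on garbage collection
    return data, failed

if __name__ == "__main__":
    for enc in ("cp1252", "utf-8"):
        _, failed = report_bytes(SAMPLE, enc)
        print(enc, "skipped:", [host for host, _ in failed])
```

With `cp1252` the host whose subject contains `\u0151` is reported as skipped alongside the undecodable one; with `utf-8` only the undecodable certificate is.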

@PhilippSelenium
Contributor Author

PhilippSelenium commented Nov 27, 2019

I installed sslyze without dependencies and then the latest version of cryptography (or the other way around) (and of course the other dependencies) and had no issues

@warburtr0n

Thanks for the suggestion! Are you able to describe the steps that you did to get this to work? I'm on Windows with Python 3.7.4 and used pip to install SSLyze 2.1.4. I then also used pip to forcibly install cryptography 2.8. When I run SSLyze I get...

```
Traceback (most recent call last):
  File "C:\Python\Python37\Scripts\sslyze-script.py", line 11, in <module>
    load_entry_point('sslyze==2.1.4', 'console_scripts', 'sslyze')()
  File "c:\python\python37\lib\site-packages\pkg_resources\__init__.py", line 489, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "c:\python\python37\lib\site-packages\pkg_resources\__init__.py", line 2852, in load_entry_point
    return ep.load()
  File "c:\python\python37\lib\site-packages\pkg_resources\__init__.py", line 2443, in load
    return self.resolve()
  File "c:\python\python37\lib\site-packages\pkg_resources\__init__.py", line 2449, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "c:\python\python37\lib\site-packages\sslyze\__main__.py", line 6, in <module>
    from sslyze.concurrent_scanner import ConcurrentScanner
  File "c:\python\python37\lib\site-packages\sslyze\concurrent_scanner.py", line 8, in <module>
    from sslyze.synchronous_scanner import SynchronousScanner
  File "c:\python\python37\lib\site-packages\sslyze\synchronous_scanner.py", line 3, in <module>
    from sslyze.plugins.plugins_repository import PluginsRepository
  File "c:\python\python37\lib\site-packages\sslyze\plugins\plugins_repository.py", line 1, in <module>
    from sslyze.plugins.certificate_info_plugin import CertificateInfoPlugin
  File "c:\python\python37\lib\site-packages\sslyze\plugins\certificate_info_plugin.py", line 18, in <module>
    from cryptography.x509 import Certificate, load_pem_x509_certificate, ExtensionOID, ExtensionNotFound
  File "c:\python\python37\lib\site-packages\cryptography\x509\__init__.py", line 8, in <module>
    from cryptography.x509.base import (
  File "c:\python\python37\lib\site-packages\cryptography\x509\base.py", line 18, in <module>
    from cryptography.x509.extensions import Extension, ExtensionType
  File "c:\python\python37\lib\site-packages\cryptography\x509\extensions.py", line 20, in <module>
    from cryptography.hazmat.primitives import constant_time, serialization
  File "c:\python\python37\lib\site-packages\cryptography\hazmat\primitives\constant_time.py", line 11, in <module>
    from cryptography.hazmat.bindings._constant_time import lib
ModuleNotFoundError: No module named 'cryptography.hazmat.bindings._constant_time'
```

@PhilippSelenium
Contributor Author

I cannot test on Windows but it should make no difference:
Inside my virtualenv I did:

  1. Install the dependencies mentioned here: https://github.com/nabla-c0d3/sslyze/blob/master/setup.py#L82
     `pip install cryptography nassl tls-parser dataclasses`
  2. Install sslyze without dependencies
     `pip install --no-deps sslyze`

@warburtr0n

Really appreciate your help! Sadly this doesn't work as I get a dependency error...

```
  File "c:\python\python37\lib\site-packages\pkg_resources\__init__.py", line 786, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'cryptography==2.5' distribution was not found and is required by sslyze
```

I'll give it a go on my Linux box to see if it's the same...

@warburtr0n

Okay, rushed and didn't use venv. Having installed and used venv to install things into it, it seems to be working! I'll report back if I hit any more ASN1 issues. Thanks for your help @PhilippSelenium

@warburtr0n

Damnit, same issue. I thought that the newest Cryptography library has solved this but, alas, not. Currently trying to figure out the best way to dump the name of the domain that causes the ASN1 > UTF8 error...

@nabla-c0d3
Owner

Released with v3.0.0.
