Socket.timeout for --reneg and --certinfo (using --https_tunnel)

[GoogleCodeExporter]

using --regular and --https_tunnel I received timeouts whereas everything 
returned fine

Unhandled exception when processing --reneg: 
socket.timeout - timed out

Unhandled exception when processing --certinfo: 
socket.timeout - timed out

I can connect to another host using this proxy and both of the above options 
return fine.

I had a fiddle within the code, its basically bombing out on 
ssl_connect.connect() within _get_cert().

I had a fiddle with the SSL_CTX settings, None causes it to timeout, tlsv1_2 
causes a timeout, tlsv1_1 causes:

Unhandled exception when processing --certinfo:
utils.CtSSLHelper.SSLHandshakeRejected - SSL Wrong version

and SSLv3 works fine...

None appears to be attempting TLSv1.2 from the captured packets.

The server does negotiate at some levels on TLS1.2 when I use --tlsv1_2.

The following fix attempts SSLv3 if the original attempt fails:

        try: # Perform the SSL handshake
            ssl_connect.connect()
            cert = ssl_connect.ssl.get_peer_certificate()
        except Exception:
            ssl_connect.close()
            ssl_ctx = SSL_CTX.SSL_CTX('sslv3')
            ssl_connect = self._create_ssl_connection(self.target, ssl_ctx=ssl_ctx)
            if verify_cert:
                ssl_connect.ssl_ctx.load_verify_locations(TRUSTED_CA_STORE)
                ssl_connect.ssl.set_verify(constants.SSL_VERIFY_PEER)
            ssl_connect.connect()
            cert = ssl_connect.ssl.get_peer_certificate()


I haven't tried this for renegotiate checks, but it may be worthwhile 
explicitly attempting a CTX value if the initial SSL negotiation times out due 
to some reason?

Original issue reported on code.google.com by a.ben.ca...@gmail.com on 27 Jun 2012 at 12:40

[GoogleCodeExporter]

Thanks for the feedback.

It might be a few different things.
First, you should get the code from the SVN tree (v0.5 beta), as it has a bug 
fix that could be related to what's happening there.
If it still doesn't work, it could just mean that the server can't handle the 
load (--regular is pretty intense). Try running --reneg only and see what 
happens.

Original comment by nabla.c...@gmail.com on 29 Jun 2012 at 6:55

• Changed state: Accepted

[GoogleCodeExporter]

I was re-attempting it with --certinfo=basic to test the specific timeout. I 
also attempted to set the timeout to 60 but came back with same issue. 

Trying with revision 188 I hit a seperate exception now:

exceptions.TypeError - _get_cert() takes at least 2 arguments (2 given) 

On line 100 in PluginCertInfo.py it doesn't specify target
Should be: cert = self._get_cert(target, verify_cert=False)


--certinfo then works fine, and --reneg works fine out of the box. Looks like 
the hello_workaround thing did the job. Thanks a lot.

Original comment by a.ben.ca...@gmail.com on 29 Jun 2012 at 8:01

[GoogleCodeExporter]

Cool

Original comment by nabla.c...@gmail.com on 29 Jun 2012 at 11:14

• Changed state: Fixed

[GoogleCodeExporter]

And I just fixed that other bug... thanks

Original comment by nabla.c...@gmail.com on 29 Jun 2012 at 11:18