Merge pull request #386 from EthanArbuckle/master

Fix crash: Legacy sslclient can not build verified chain
nabla-c0d3 · Sep 1, 2019 · 09b9ad4 · 09b9ad4
2 parents 763832e + ac4e9d0
commit 09b9ad4
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/sslyze/plugins/http_headers_plugin.py b/sslyze/plugins/http_headers_plugin.py
@@ -57,6 +57,10 @@ def process_task(
                 verified_chain_as_pem = ssl_connection.ssl_client.get_verified_chain()
             except CouldNotBuildVerifiedChain:
                 verified_chain_as_pem = None
+            except AttributeError:
+                # Only the modern SSL Client can build the verified chain; hence we get here if the server only supports
+                # an older version of TLS (pre 1.2)
+                verified_chain_as_pem = None
 
             # Send an HTTP GET request to the server
             ssl_connection.ssl_client.write(HttpRequestGenerator.get_request(host=server_info.hostname))

diff --git a/tests/plugin_tests/test_http_headers_plugin.py b/tests/plugin_tests/test_http_headers_plugin.py
@@ -141,3 +141,15 @@ def test_works_when_client_auth_succeeded(self):
         assert plugin_result.expect_ct_header is None
         assert plugin_result.as_text()
         assert plugin_result.as_xml()
+
+    def test_legacy_ssl_client_missing_verified_chain(self):
+        # Given a tls1.0 server
+        server_test = ServerConnectivityTester(hostname='tls-v1-0.badssl.com', port=1010)
+        server_info = server_test.perform()
+
+        # The plugin does not throw an exception trying to access LegacySslClient.get_verified_chain()
+        plugin = HttpHeadersPlugin()
+        plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
+
+        assert plugin_result.as_text()
+        assert plugin_result.as_xml()