Commit 402c2a95 authored by Alexandre's avatar Alexandre

Catch ZeroReturnError, closes #18

When a literal IP address is used, that IP address is sent as SNI.
This may lead to a 'close notify' from the server. We therefore
decided to catch the OpenSSL error and suggest using the --nosni
option.
parent e6c00acf
......@@ -468,10 +468,9 @@ class ConnectionDoT(Connection):
lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
self.session = OpenSSL.SSL.Connection(self.context, self.sock)
if sni:
self.session.set_tlsext_host_name(canonicalize(self.check).encode()) # Server Name Indication (SNI)
self.session.set_tlsext_host_name(canonicalize(self.check).encode())
try:
self.session.connect((self.addr))
# TODO We may here have exceptions such as OpenSSL.SSL.ZeroReturnError
self.session.do_handshake()
except TimeoutConnectionError:
if self.verbose:
......@@ -485,6 +484,11 @@ class ConnectionDoT(Connection):
if self.verbose:
error(f"OpenSSL error: {e.args[1]}", exit=False)
return False
except OpenSSL.SSL.ZeroReturnError:
# see #18
if self.verbose:
error("Error: The SSL connection has been closed (try with --nosni to avoid sending SNI ?)", exit=False)
return False
except OpenSSL.SSL.Error as e:
if self.verbose:
print(f"OpenSSL error: {', '.join(err[0][2] for err in e.args)}")
......
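Review bot: The `set_tlsext_host_name(...)` call under `if sni:` still sends the address literal as the server name, and the new `except OpenSSL.SSL.ZeroReturnError` branch only reports the resulting close after the fact. RFC 6066 section 3 does not permit literal IPv4 or IPv6 addresses in the SNI HostName, so a server may also react with something other than a clean close_notify (an alert or a reset, say), which would not reach this branch. Skipping SNI when the name parses as an IP address removes the cause; the sketch below assumes `self.check` holds the plain server string (not visible here) and that `ipaddress` is imported by the file. The hint is also printed only under `self.verbose`, so a non-verbose run returns False with no explanation. The enclosing method starts and ends outside both hunks.

```python
if sni:
    try:
        ipaddress.ip_address(self.check)
    except ValueError:
        # Not an address literal, so it is a host name and may be sent as SNI.
        self.session.set_tlsext_host_name(canonicalize(self.check).encode())
# … unchanged: connect(), do_handshake() and the except chain …
```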
......@@ -546,6 +546,21 @@ tests:
partstderr: 'OpenSSL error: Unexpected EOF'
- exe: './homer.py'
name: '[dot][exception] Catch error with SNI set with IPv6 address'
markers:
- 'dot'
- 'exception'
args:
- '--dot'
- '--insecure'
- '--verbose'
- '2001:41d0:302:2200::180'
- 'toto.fr'
retcode: 1
partstderr: 'The SSL connection has been closed (try with --nosni'
################################################################################
- exe: './homer.py'
......
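Review bot: This case depends on a live third-party server at `2001:41d0:302:2200::180` closing the session when it sees an address in SNI, so it fails on a runner without IPv6 or as soon as that server changes behaviour, and neither failure says anything about the new `except` branch. If the suite has a marker for network- or IPv6-dependent cases, adding it under `markers:` would let such runners skip it. A companion case with the same args plus `--nosni` would also check that the advice printed in the message actually works, assuming that server then completes the handshake.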