diff --git a/nice.py b/nice.py index 4a1fd4e..fe468b7 100644 --- a/nice.py +++ b/nice.py @@ -420,6 +420,24 @@ def ssl_check_cmd(url: str) -> str: proc = subprocess.run(cmd, input='\n', capture_output=True, text=True, timeout=60) out = proc.stdout + "\n" + proc.stderr logger.debug(f"OpenSSL finished, {len(out)} bytes returned, rc={proc.returncode}") + # Some older OpenSSL builds (or default s_client options) may + # negotiate an incompatible protocol version with modern servers + # and return a short error like 'tlsv1 alert protocol version'. If + # that appears, try again forcing TLS1.2 which most servers still + # support. This helps when the openssl on PATH is old (eg bundled + # with other software) and defaults to legacy negotiation. + if "tlsv1 alert protocol version" in out or "SSL23_GET_SERVER_HELLO" in out: + logger.debug("OpenSSL reported protocol version issue; retrying with -tls1_2") + try: + cmd2 = cmd + ["-tls1_2"] + proc2 = subprocess.run(cmd2, input='\n', capture_output=True, text=True, timeout=30) + out2 = proc2.stdout + "\n" + proc2.stderr + logger.debug(f"OpenSSL retry finished, {len(out2)} bytes returned, rc={proc2.returncode}") + return out + "\n--- retry with -tls1_2 ---\n" + out2 + except Exception: + logger.exception("OpenSSL tls1_2 retry failed") + return out + "\nNote: OpenSSL appears to be too old to negotiate modern TLS.\nConsider installing a newer OpenSSL (eg Git for Windows or a Win64 OpenSSL build).\n" + return out except subprocess.TimeoutExpired: logger.debug("OpenSSL timed out")