From ffc4c79def84f3763a829f702722f2463e30d277 Mon Sep 17 00:00:00 2001 From: Ross Date: Mon, 24 Nov 2025 16:23:30 +0000 Subject: [PATCH] Enhance SSL check command to handle protocol version issues with OpenSSL, adding retry logic for TLS1.2 support. --- nice.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/nice.py b/nice.py index 4a1fd4e..fe468b7 100644 --- a/nice.py +++ b/nice.py @@ -420,6 +420,24 @@ def ssl_check_cmd(url: str) -> str: proc = subprocess.run(cmd, input='\n', capture_output=True, text=True, timeout=60) out = proc.stdout + "\n" + proc.stderr logger.debug(f"OpenSSL finished, {len(out)} bytes returned, rc={proc.returncode}") + # Some older OpenSSL builds (or default s_client options) may + # negotiate an incompatible protocol version with modern servers + # and return a short error like 'tlsv1 alert protocol version'. If + # that appears, try again forcing TLS1.2 which most servers still + # support. This helps when the openssl on PATH is old (eg bundled + # with other software) and defaults to legacy negotiation. + if "tlsv1 alert protocol version" in out or "SSL23_GET_SERVER_HELLO" in out: + logger.debug("OpenSSL reported protocol version issue; retrying with -tls1_2") + try: + cmd2 = cmd + ["-tls1_2"] + proc2 = subprocess.run(cmd2, input='\n', capture_output=True, text=True, timeout=30) + out2 = proc2.stdout + "\n" + proc2.stderr + logger.debug(f"OpenSSL retry finished, {len(out2)} bytes returned, rc={proc2.returncode}") + return out + "\n--- retry with -tls1_2 ---\n" + out2 + except Exception: + logger.exception("OpenSSL tls1_2 retry failed") + return out + "\nNote: OpenSSL appears to be too old to negotiate modern TLS.\nConsider installing a newer OpenSSL (eg Git for Windows or a Win64 OpenSSL build).\n" + return out except subprocess.TimeoutExpired: logger.debug("OpenSSL timed out")