Enhance SSL check command to handle protocol version issues with OpenSSL, adding retry logic for TLS1.2 support.

This commit is contained in:
Ross
2025-11-24 16:23:30 +00:00
parent 8780a409de
commit ffc4c79def
+18
View File
@@ -420,6 +420,24 @@ def ssl_check_cmd(url: str) -> str:
proc = subprocess.run(cmd, input='\n', capture_output=True, text=True, timeout=60)
out = proc.stdout + "\n" + proc.stderr
logger.debug(f"OpenSSL finished, {len(out)} bytes returned, rc={proc.returncode}")
# Some older OpenSSL builds (or default s_client options) may
# negotiate an incompatible protocol version with modern servers
# and return a short error like 'tlsv1 alert protocol version'. If
# that appears, try again forcing TLS1.2 which most servers still
# support. This helps when the openssl on PATH is old (eg bundled
# with other software) and defaults to legacy negotiation.
if "tlsv1 alert protocol version" in out or "SSL23_GET_SERVER_HELLO" in out:
logger.debug("OpenSSL reported protocol version issue; retrying with -tls1_2")
try:
cmd2 = cmd + ["-tls1_2"]
proc2 = subprocess.run(cmd2, input='\n', capture_output=True, text=True, timeout=30)
out2 = proc2.stdout + "\n" + proc2.stderr
logger.debug(f"OpenSSL retry finished, {len(out2)} bytes returned, rc={proc2.returncode}")
return out + "\n--- retry with -tls1_2 ---\n" + out2
except Exception:
logger.exception("OpenSSL tls1_2 retry failed")
return out + "\nNote: OpenSSL appears to be too old to negotiate modern TLS.\nConsider installing a newer OpenSSL (eg Git for Windows or a Win64 OpenSSL build).\n"
return out
except subprocess.TimeoutExpired:
logger.debug("OpenSSL timed out")