Enhance SSL check command to handle protocol version issues with OpenSSL, adding retry logic for TLS1.2 support.
This commit is contained in:
@@ -420,6 +420,24 @@ def ssl_check_cmd(url: str) -> str:
|
||||
proc = subprocess.run(cmd, input='\n', capture_output=True, text=True, timeout=60)
|
||||
out = proc.stdout + "\n" + proc.stderr
|
||||
logger.debug(f"OpenSSL finished, {len(out)} bytes returned, rc={proc.returncode}")
|
||||
# Some older OpenSSL builds (or default s_client options) may
|
||||
# negotiate an incompatible protocol version with modern servers
|
||||
# and return a short error like 'tlsv1 alert protocol version'. If
|
||||
# that appears, try again forcing TLS1.2 which most servers still
|
||||
# support. This helps when the openssl on PATH is old (eg bundled
|
||||
# with other software) and defaults to legacy negotiation.
|
||||
if "tlsv1 alert protocol version" in out or "SSL23_GET_SERVER_HELLO" in out:
|
||||
logger.debug("OpenSSL reported protocol version issue; retrying with -tls1_2")
|
||||
try:
|
||||
cmd2 = cmd + ["-tls1_2"]
|
||||
proc2 = subprocess.run(cmd2, input='\n', capture_output=True, text=True, timeout=30)
|
||||
out2 = proc2.stdout + "\n" + proc2.stderr
|
||||
logger.debug(f"OpenSSL retry finished, {len(out2)} bytes returned, rc={proc2.returncode}")
|
||||
return out + "\n--- retry with -tls1_2 ---\n" + out2
|
||||
except Exception:
|
||||
logger.exception("OpenSSL tls1_2 retry failed")
|
||||
return out + "\nNote: OpenSSL appears to be too old to negotiate modern TLS.\nConsider installing a newer OpenSSL (eg Git for Windows or a Win64 OpenSSL build).\n"
|
||||
|
||||
return out
|
||||
except subprocess.TimeoutExpired:
|
||||
logger.debug("OpenSSL timed out")
|
||||
|
||||
Reference in New Issue
Block a user