Crash during OCSP response parsing for ephtsecure.cdc.gov #254

Closed
konklone opened this issue Nov 9, 2017 · 4 comments

konklone commented Nov 9, 2017

When running the certificate info scanner on ephtsecure.cdc.gov, using the Python API and running a CertificateInfoScanCommand(), I get a crash in a text parsing function inside nassl that looks related to OCSP response parsing:

Traceback (most recent call last):

  File "./scan", line 121, in process_scan
    rows = list(scanner.scan(domain, options))

  File "/home/eric/18f/scan/scanners/sslyze.py", line 74, in scan
    data = run_sslyze(scan_domain, options)

  File "/home/eric/18f/scan/scanners/sslyze.py", line 160, in run_sslyze
    sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2, certs = scan_serial(scanner, server_info, options)

  File "/home/eric/18f/scan/scanners/sslyze.py", line 373, in scan_serial
    certs = scanner.run_scan_command(server_info, CertificateInfoScanCommand())

  File "/home/eric/.pyenv/versions/3.6.1/lib/python3.6/site-packages/sslyze/synchronous_scanner.py", line 52, in run_scan_command
    return plugin.process_task(server_info, scan_command)

  File "/home/eric/.pyenv/versions/3.6.1/lib/python3.6/site-packages/sslyze/plugins/certificate_info_plugin.py", line 159, in process_task
    path_validation_error_list, ocsp_response)

  File "/home/eric/.pyenv/versions/3.6.1/lib/python3.6/site-packages/sslyze/plugins/certificate_info_plugin.py", line 262, in __init__
    self.ocsp_response = ocsp_response.as_dict()

  File "/home/eric/.pyenv/versions/3.6.1/lib/python3.6/site-packages/nassl/ocsp_response.py", line 63, in as_dict
    'version' : self._get_value_from_text_output_no_p('Version:', response_text),

  File "/home/eric/.pyenv/versions/3.6.1/lib/python3.6/site-packages/nassl/ocsp_response.py", line 104, in _get_value_from_text_output_no_p
    value = value[1].split('\n')[0].strip()

IndexError: list index out of range

This is using a SynchronousScanner on Ubuntu 16.04. On another system, also Ubuntu 16.04, I got a segfault.

@IanLee1521

@konklone do you have a short code snippet to attempt to reproduce this?

@konklone
Author

Sure, this will reproduce the issue:

import sslyze
from sslyze.synchronous_scanner import SynchronousScanner
from sslyze.plugins.certificate_info_plugin import CertificateInfoScanCommand

hostname = "ephtsecure.cdc.gov"

server_info = sslyze.server_connectivity.ServerConnectivityInfo(hostname=hostname, port=443)

server_info.test_connectivity_to_server()
scanner = SynchronousScanner()

certs = scanner.run_scan_command(server_info, CertificateInfoScanCommand())

When running that in an ipython session, I get:

IndexError                                Traceback (most recent call last)
<ipython-input-3-e27c29ce7a54> in <module>()
      2 scanner = SynchronousScanner()
      3 
----> 4 certs = scanner.run_scan_command(server_info, CertificateInfoScanCommand())

~/.pyenv/versions/3.6.3/lib/python3.6/site-packages/sslyze/synchronous_scanner.py in run_scan_command(self, server_info, scan_command)
     50         plugin_class = self._plugins_repository.get_plugin_class_for_command(scan_command)
     51         plugin = plugin_class()
---> 52         return plugin.process_task(server_info, scan_command)

~/.pyenv/versions/3.6.3/lib/python3.6/site-packages/sslyze/plugins/certificate_info_plugin.py in process_task(self, server_info, scan_command)
    157         # All done
    158         return CertificateInfoScanResult(server_info, scan_command, certificate_chain, path_validation_result_list,
--> 159                                          path_validation_error_list, ocsp_response)
    160 
    161 

~/.pyenv/versions/3.6.3/lib/python3.6/site-packages/sslyze/plugins/certificate_info_plugin.py in __init__(self, server_info, scan_command, certificate_chain, path_validation_result_list, path_validation_error_list, ocsp_response)
    260         if ocsp_response:
    261             # We only keep the dictionary as a nassl.OcspResponse is not pickable
--> 262             self.ocsp_response = ocsp_response.as_dict()
    263             if self.successful_trust_store:
    264                 try:

~/.pyenv/versions/3.6.3/lib/python3.6/site-packages/nassl/ocsp_response.py in as_dict(self)
     61         response_dict = {
     62             'responseStatus': self._get_value_from_text_output_no_p('OCSP Response Status:', response_text),
---> 63             'version' : self._get_value_from_text_output_no_p('Version:', response_text),
     64             'responseType': self._get_value_from_text_output('Response Type:', response_text),
     65             'responderID': self._get_value_from_text_output('Responder Id:', response_text),

~/.pyenv/versions/3.6.3/lib/python3.6/site-packages/nassl/ocsp_response.py in _get_value_from_text_output_no_p(key, text_output)
    102         # type: (Text, Text) -> Text
    103         value = text_output.split(key)
--> 104         value = value[1].split('\n')[0].strip()
    105         return value.split('(')[0].strip()
    106 

IndexError: list index out of range

nabla-c0d3 added this to the 1.2.0 milestone Nov 18, 2017
@nabla-c0d3
Owner

I couldn't reproduce this issue specifically, but nassl definitely was not ready to handle non-successful OCSP responses; your test server returns a "Try again later" response.
It should be fixed by nabla-c0d3/nassl@71097b8.

@faheel
Contributor

faheel commented Nov 23, 2020

@nabla-c0d3 I'm facing a similar issue when scanning e-saksham.nic.in:

python -m sslyze --regular e-saksham.nic.in
 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   e-saksham.nic.in:443                       => 164.100.229.145 




 SCAN RESULTS FOR E-SAKSHAM.NIC.IN:443 - 164.100.229.145
 -------------------------------------------------------

 * TLS 1.3 Cipher Suites:
     Attempted to connect using 5 cipher suites; the server rejected all cipher suites.

 * TLS 1.0 Cipher Suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 2 cipher suites:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (2048 bits) 

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported

     The server is configured to prefer the following cipher suite:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)


 * TLS 1.2 Session Resumption Support:
      With Session IDs: OK - Supported (5 successful resumptions out of 5 attempts).
      With TLS Tickets: NOT SUPPORTED - Server did not return a TLS ticket.

 * ROBOT Attack:
                                          OK - Not vulnerable, RSA cipher suites not supported.

 * TLS 1.1 Cipher Suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 2 cipher suites:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (2048 bits) 

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported

     The server is configured to prefer the following cipher suite:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)


 * OpenSSL Heartbleed:
                                          OK - Not vulnerable to Heartbleed

 * SSL 3.0 Cipher Suites:
     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

 * Elliptic Curve Key Exchange:
       Supported curves:                  X25519, prime256v1, secp384r1, secp521r1
       Rejected curves:                   secp224k1, secp160k1, sect239k1, secp224r1, X448, secp160r1, sect283k1, secp192k1, secp256k1, secp160r2, sect283r1, sect163r2, prime192v1, sect409k1, sect233r1, sect163k1, sect193r1, sect409r1, sect193r2, sect571k1, sect233k1, sect163r1, sect571r1

 * SSL 2.0 Cipher Suites:
     Attempted to connect using 7 cipher suites; the server rejected all cipher suites.

 * OpenSSL CCS Injection:
                                          OK - Not vulnerable to OpenSSL CCS injection

 * Downgrade Attacks:
       TLS_FALLBACK_SCSV:                 OK - Supported

 * TLS 1.2 Cipher Suites:
     Attempted to connect using 158 cipher suites.

     The server accepted the following 10 cipher suites:
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             128       ECDH: prime256v1 (256 bits)
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               256       DH (2048 bits) 
        TLS_DHE_RSA_WITH_AES_256_CCM_8                    256       DH (2048 bits) 
        TLS_DHE_RSA_WITH_AES_256_CCM                      256       DH (2048 bits) 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               256       DH (2048 bits) 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (2048 bits) 
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               128       DH (2048 bits) 

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported

     The server is configured to prefer the following cipher suite:
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             256       ECDH: prime256v1 (256 bits)


 * Deflate Compression:
                                          OK - Compression disabled

 * Session Renegotiation:
       Client-initiated Renegotiation:    OK - Rejected
       Secure Renegotiation:              OK - Supported

 * Error when running --certinfo:
       You can open an issue at https://github.com/nabla-c0d3/sslyze/issues with the following information:

       * Server: e-saksham.nic.in:443 - 164.100.229.145
       * Scan command: certificate_info

       Traceback (most recent call last):
         File "/home/faheel/.local/lib/python3.8/site-packages/sslyze/scanner.py", line 264, in get_results
    result = implementation_cls.result_for_completed_scan_jobs(
         File "/home/faheel/.local/lib/python3.8/site-packages/sslyze/plugins/certificate_info/implementation.py", line 100, in result_for_completed_scan_jobs
    received_chain_as_pem, ocsp_response, custom_ca_file = completed_job.result()
         File "/home/faheel/.asdf/installs/python/3.8.2/lib/python3.8/concurrent/futures/_base.py", line 432, in result
    return self.__get_result()
         File "/home/faheel/.asdf/installs/python/3.8.2/lib/python3.8/concurrent/futures/_base.py", line 388, in __get_result
    raise self._exception
         File "/home/faheel/.asdf/installs/python/3.8.2/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
         File "/home/faheel/.local/lib/python3.8/site-packages/sslyze/plugins/certificate_info/_get_cert_chain.py", line 27, in get_certificate_chain
    ocsp_response = ssl_connection.ssl_client.get_tlsext_status_ocsp_resp()
         File "/home/faheel/.local/lib/python3.8/site-packages/nassl/ssl_client.py", line 371, in get_tlsext_status_ocsp_resp
    return OcspResponse.from_openssl(ocsp_response)
         File "/home/faheel/.local/lib/python3.8/site-packages/nassl/ocsp_response.py", line 102, in from_openssl
    version=int(_get_value_from_text_output_no_p("Version:", response_text)),
         File "/home/faheel/.local/lib/python3.8/site-packages/nassl/ocsp_response.py", line 140, in _get_value_from_text_output_no_p
    value = _get_value_from_text_output(key, text_output)
         File "/home/faheel/.local/lib/python3.8/site-packages/nassl/ocsp_response.py", line 136, in _get_value_from_text_output
    return value[1].split("\n")[0].strip()
       IndexError: list index out of range


 SCAN COMPLETED IN 4.58 S
 ------------------------

Python v3.8.2
sslyze v3.1.0
nassl v3.1.0
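
An added example (not code from nassl, sslyze, or any commenter) of the failure both tracebacks end in, next to one defensive way to parse the same text: a non-successful OCSP response such as "Try again later" carries no `Version:` line, so the split-and-index pattern raises `IndexError`. The sample dumps are constructed to follow OpenSSL's OCSP text format, and `get_field` and `parse_ocsp_text` are hypothetical names.

```python
import re
from typing import Dict, Optional, Union

# Constructed samples modelled on OpenSSL's OCSP text dump (not captured from the hosts above).
SUCCESSFUL = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Example CA
"""
TRY_LATER = """OCSP Response Data:
    OCSP Response Status: trylater (0x3)
"""

def fragile_get(key: str, text_output: str) -> str:
    # Same pattern as the helper in the tracebacks: assumes `key` is always present.
    value = text_output.split(key)
    value = value[1].split("\n")[0].strip()  # IndexError when `key` is absent
    return value.split("(")[0].strip()

def get_field(key: str, text_output: str, strip_hex: bool = False) -> Optional[str]:
    """Hypothetical helper: value following `key` on its own line, or None if absent."""
    match = re.search(r"^[ \t]*" + re.escape(key) + r"[ \t]*(.*)$", text_output, re.MULTILINE)
    if match is None:
        return None
    value = match.group(1).strip()
    return value.split("(")[0].strip() if strip_hex else value

def parse_ocsp_text(text_output: str) -> Dict[str, Union[str, int, None]]:
    """Hypothetical parser: only reads response fields when the status is successful."""
    status = get_field("OCSP Response Status:", text_output, strip_hex=True)
    if status is None:
        raise ValueError("no OCSP response status in text output")
    parsed: Dict[str, Union[str, int, None]] = {"responseStatus": status}
    if status != "successful":
        # RFC 6960: responseBytes is only present for a successful response,
        # so Version, Response Type, etc. do not exist here.
        return parsed
    version = get_field("Version:", text_output, strip_hex=True)
    if version is None or not version.isdigit():
        raise ValueError("successful OCSP response without a parsable version")
    parsed["version"] = int(version)
    parsed["responseType"] = get_field("Response Type:", text_output)
    parsed["responderID"] = get_field("Responder Id:", text_output)
    return parsed

if __name__ == "__main__":
    print(parse_ocsp_text(SUCCESSFUL))
    print(parse_ocsp_text(TRY_LATER))
```

A scanner that surfaces `responseStatus` for non-successful responses can report a stapling problem on the server instead of aborting the whole certificate check.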
