bbot
Support deprecated SSL versions
Currently, httpx works on older SSL versions, but our builtin request helper doesn't:
ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1000)
Supporting older, insecure protocols and ciphers is really important, since this is where the worst vulns are likely to be.
Per Claude, an example of using a custom-compiled OpenSSL version with Python:
- Install build dependencies:
sudo apt-get update
sudo apt-get install build-essential checkinstall zlib1g-dev
- Download and compile custom OpenSSL:
wget https://www.openssl.org/source/openssl-1.1.1u.tar.gz
tar xvf openssl-1.1.1u.tar.gz
cd openssl-1.1.1u
./config --prefix=/opt/custom-openssl enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers
make
sudo make install
- Set up a virtual environment:
pip install virtualenv
virtualenv --python=$(which python3) venv
source venv/bin/activate
- Install required packages:
pip install requests[security] pyopenssl
- Create your Python script (e.g., security_scanner.py):
import ssl
import requests
from requests.adapters import HTTPAdapter
from urllib3.util.ssl_ import create_urllib3_context

# LD_LIBRARY_PATH and OPENSSL_CONF are read by the dynamic loader / OpenSSL when the
# process starts, so assigning them to os.environ from inside the script has no effect;
# export them in the shell before launching python (PYTHONPATH is for Python modules
# and plays no part here). The custom build is only picked up if the interpreter's
# _ssl module was linked against the same soname (libssl.so.1.1 for 1.1.1u); a Python
# built against OpenSSL 3 keeps loading libssl.so.3 regardless of LD_LIBRARY_PATH.

class CustomSSLContextAdapter(HTTPAdapter):
    def init_poolmanager(self, *args, **kwargs):
        # cert_reqs=CERT_NONE also clears check_hostname; otherwise verify=False below
        # fails with "Cannot set verify_mode to CERT_NONE when check_hostname is enabled"
        context = create_urllib3_context(cert_reqs=ssl.CERT_NONE)
        # urllib3 sets OP_NO_SSLv3 (and >= 2.0 pins minimum_version to TLS 1.2);
        # undo both, walking down to the oldest version this OpenSSL build accepts
        context.options &= ~(ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
        for version in (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
            try:
                context.minimum_version = version
                break
            except ValueError:
                continue
        context.set_ciphers('ALL:@SECLEVEL=0')  # Use all available ciphers, weak ones included
        # SSL_OP_LEGACY_SERVER_CONNECT (0x4): accept servers without RFC 5746 secure
        # renegotiation; Python 3.12+ exposes it by name as ssl.OP_LEGACY_SERVER_CONNECT
        context.options |= getattr(ssl, 'OP_LEGACY_SERVER_CONNECT', 0x4)
        kwargs['ssl_context'] = context
        return super().init_poolmanager(*args, **kwargs)

def make_request(url):
    session = requests.Session()
    session.mount('https://', CustomSSLContextAdapter())
    try:
        response = session.get(url, verify=False)
        print(f"Status Code: {response.status_code}")
        print(f"Content: {response.text[:100]}...")
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")

if __name__ == "__main__":
    make_request('https://example.com')
- Run your script:
LD_LIBRARY_PATH=/opt/custom-openssl/lib OPENSSL_CONF=/opt/custom-openssl/ssl/openssl.cnf python security_scanner.py
These steps will:
- Install necessary build tools
- Compile a custom OpenSSL with all protocols and weak ciphers enabled
- Set up an isolated Python environment
- Install required Python packages
- Create a Python script that uses the custom OpenSSL
- Run the script directly
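Added example (not part of this issue and not bbot's own request helper): the same lenient client built with only the standard library, so it needs no requests adapter, plus a per-version handshake probe that reports the OpenSSL reason code (the UNSUPPORTED_PROTOCOL from the traceback above) instead of a bare exception. It assumes the interpreter's ssl module is linked against an OpenSSL or LibreSSL build; what @SECLEVEL=0 and a lowered minimum_version can actually re-enable is bounded by how that library was compiled, which is exactly the gap the custom build in the steps above closes. The function names (legacy_ssl_context, describe_context, ssl_error_reason, probe_tls_versions, fetch_legacy) and the example.com placeholder are this example's own.

```python
import re
import socket
import ssl
import urllib.request

# Names in this block are this example's own; nothing here is bbot's request helper.
_SSL_REASON_RE = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")
# SSL_OP_LEGACY_SERVER_CONNECT is 0x4 in OpenSSL; Python names it only from 3.12 on.
_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)


def legacy_ssl_context() -> ssl.SSLContext:
    """Client context offering the oldest protocol and weakest ciphers the local OpenSSL still has."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A scanner must reach hosts with self-signed or expired certs, so verification is off on
    # purpose. check_hostname has to be cleared first or setting CERT_NONE raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Python's default context carries OP_NO_SSLv3; OpenSSL honours the OP_NO_* bits on top of
    # the version bounds, so clear them or lowering minimum_version below is moot.
    ctx.options &= ~(ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    # Walk down to the lowest bound this build accepts; a build may reject a version it lacks.
    for version in (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
                    ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        try:
            ctx.minimum_version = version
            break
        except ValueError:
            continue
    # SECLEVEL=0 re-admits suites OpenSSL >= 1.1 hides at its default level (RC4, 3DES,
    # SHA1-only signatures, short DH/RSA keys). LibreSSL has no SECLEVEL syntax, hence the fallback.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers("ALL")
    # Accept servers that lack RFC 5746 secure renegotiation.
    ctx.options |= _LEGACY_SERVER_CONNECT
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary so the scanner can log what it will actually offer on the wire."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "sslv3_blocked": bool(ctx.options & ssl.OP_NO_SSLv3),
        "legacy_server_connect": bool(ctx.options & _LEGACY_SERVER_CONNECT),
        "cipher_count": len(ctx.get_ciphers()),
    }


def ssl_error_reason(exc: BaseException) -> str:
    """OpenSSL reason code for an SSL failure, e.g. 'UNSUPPORTED_PROTOCOL'.

    Errors raised by the C layer carry a .reason attribute; anything else (or a
    re-raised/wrapped error) falls back to the '[SSL: REASON]' prefix in the message."""
    reason = getattr(exc, "reason", None)
    if reason:
        return reason
    match = _SSL_REASON_RE.search(str(exc))
    return match.group(1) if match else "UNKNOWN"


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One handshake per protocol version: which does the server accept, and why not otherwise.

    Does network I/O, so it is not exercised by the offline checks; host is caller-supplied."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = legacy_ssl_context()
        try:
            ctx.minimum_version = version  # set the floor first so the ceiling never dips below it
            ctx.maximum_version = version
        except ValueError:
            results[version.name] = "not built into local OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = "accepted (%s)" % tls.cipher()[0]
        except ssl.SSLError as exc:           # must precede OSError: SSLError is a subclass
            results[version.name] = "refused (%s)" % ssl_error_reason(exc)
        except OSError as exc:
            results[version.name] = "error (%s)" % exc
    return results


def fetch_legacy(url: str, timeout: float = 10.0) -> bytes:
    """Stdlib counterpart of the requests adapter above: urllib with the lenient context."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=legacy_ssl_context()))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print(describe_context(legacy_ssl_context()))
    # Live use against a placeholder host:
    # print(probe_tls_versions("example.com"))
```

describe_context is worth logging at scan start: OpenSSL accepts a version floor even when that protocol was compiled out (the floor "remains valid even if no longer available"), so a minimum_version of SSLv3 on a stock distro build says nothing about whether an SSLv3 handshake can succeed; the probe's "refused (UNSUPPORTED_PROTOCOL)" result against a known-old target is the real tell, and the custom-compiled OpenSSL from the steps above is what turns that into "accepted".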
merging this with https://github.com/blacklanternsecurity/bbot/issues/2447