[nabla-c0d3#601]Provide a better error message for SSL2-only servers

Author: nabla-c0d3

sslyze/server_connectivity.py

@@ -86,6 +86,7 @@ def check_connectivity_to_server(
             TlsVersionEnum.TLS_1_1,
             TlsVersionEnum.TLS_1_0,
             TlsVersionEnum.SSL_3_0,
+            TlsVersionEnum.SSL_2_0,
         ]:
             try:
                 tls_detection_result = _detect_support_for_tls_1_2_or_below(
@@ -105,6 +106,14 @@ def check_connectivity_to_server(
             error_message="TLS probing failed: could not find a TLS version and cipher suite supported by the server",
         )
 
+    if tls_detection_result.tls_version_supported == TlsVersionEnum.SSL_2_0:
+        raise ServerTlsConfigurationNotSupported(
+            server_location=server_location,
+            network_configuration=network_configuration,
+            error_message="WARNING: Server only supports SSL 2.0 and is therefore affected by critical vulnerabilities."
+            " Update the server's software as soon as possible.",
+        )
+
     # If the server requested a client certificate, detect if the client cert is optional or required
     client_auth_requirement = ClientAuthRequirementEnum.DISABLED
     if tls_detection_result.server_requested_client_cert:
@@ -272,10 +281,17 @@ def _detect_support_for_tls_1_2_or_below(
     network_config: ServerNetworkConfiguration,
     tls_version: TlsVersionEnum,
 ) -> _TlsVersionDetectionResult:
+
+    if tls_version == TlsVersionEnum.SSL_2_0:
+        # DEFAULT excludes SSLv2 ciphers in OpenSSL 1.0.2
+        default_cipher_list = "SSLv2"
+    else:
+        default_cipher_list = "DEFAULT"
+
     # First try the default cipher list, and then all ciphers; this is to work around F5 network devices
     # that time out when the client hello is too long (ie. too many cipher suites enabled)
     # https://support.f5.com/csp/article/K14758
-    for cipher_list in ["DEFAULT", "ALL:COMPLEMENTOFALL:-PSK:-SRP"]:
+    for cipher_list in [default_cipher_list, "ALL:COMPLEMENTOFALL:-PSK:-SRP"]:
         ssl_connection = SslConnection(
             server_location=server_location,
             network_configuration=network_config,

tests/server_connectivity_tests/test_direct_connection.py

@@ -158,11 +158,25 @@ def test_server_triggers_unexpected_connection_error(self):
             )
 
             # When testing connectivity against it
-            # It fails and return the generic "connection failed" error, instead of crashing
-            with pytest.raises(ConnectionToServerFailed) as e:
+            # It fails and the actual error / root cause is mentioned in the message
+            with pytest.raises(ConnectionToServerFailed, match="unrecognized name") as e:
+                check_connectivity_to_server(
+                    server_location=server_location,
+                    network_configuration=ServerNetworkConfiguration.default_for_server_location(server_location),
+                )
+
+    @can_only_run_on_linux_64
+    def test_server_only_supports_sslv2(self):
+        # Given a TLS server that only supports SSLv2
+        with LegacyOpenSslServer(openssl_cipher_string="SSLv2") as server:
+            server_location = ServerNetworkLocation(
+                hostname=server.hostname, ip_address=server.ip_address, port=server.port
+            )
+
+            # When testing connectivity against it
+            # It fails and the fact that the server only supports SSL 2.0 is mentioned in the error
+            with pytest.raises(ConnectionToServerFailed, match="SSL 2.0") as e:
                 check_connectivity_to_server(
                     server_location=server_location,
                     network_configuration=ServerNetworkConfiguration.default_for_server_location(server_location),
                 )
-                # And the actual error / root cause is mentioned in the message
-                assert "unrecognized name" in e.error_message