proxywatchd: secondary check only for SSL handshake failures
@@ -1535,7 +1535,7 @@ class TargetTestJob():
|
||||
elif et == rocksock.RS_ET_GAI:
|
||||
_log("could not resolve connection target %s" % connect_host, "ERROR")
|
||||
break
|
||||
elif err == rocksock.RS_E_SSL_CERTIFICATE_ERROR:
|
||||
elif et == rocksock.RS_ET_SSL and err == rocksock.RS_E_SSL_CERTIFICATE_ERROR:
|
||||
# MITM detected - proxy works but intercepts TLS
|
||||
ps.mitm = 1
|
||||
elapsed = time.time() - duration
|
||||
@@ -1559,9 +1559,9 @@ class TargetTestJob():
|
||||
if config.watchd.debug:
|
||||
_log('failed to extract MITM cert: %s' % str(e), 'debug')
|
||||
return None, proto, duration, torhost, srvname, 0, use_ssl, 'ssl_mitm'
|
||||
elif et == rocksock.RS_ET_SSL and not ssl_only_check:
|
||||
# SSL failed but proxy protocol worked - fallback to Tor API check (HTTP)
|
||||
# sock already disconnected above, but ensure cleanup
|
||||
elif et == rocksock.RS_ET_SSL and ssl_only_check:
|
||||
# SSL handshake failed (but proxy protocol worked) - verify with HTTP
|
||||
# Only for 'ssl' checktype; cert errors handled above as MITM
|
||||
try:
|
||||
sock.disconnect()
|
||||
except Exception:
|
||||
@@ -1569,7 +1569,7 @@ class TargetTestJob():
|
||||
# Delay before secondary check (allows different Tor circuit)
|
||||
time.sleep(0.3)
|
||||
if config.watchd.debug:
|
||||
_log('SSL failed, fallback to Tor API: %s://%s:%d' % (proto, ps.ip, ps.port), 'debug')
|
||||
_log('SSL handshake failed, fallback to HTTP: %s://%s:%d' % (proto, ps.ip, ps.port), 'debug')
|
||||
try:
|
||||
# Secondary check via Tor Project API (plain HTTP)
|
||||
tor_check_host = 'check.torproject.org'
|
||||
|
||||
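Review bot: In the second hunk's `elif et == rocksock.RS_ET_SSL and ssl_only_check:` branch, a proxy that fails the TLS handshake is now re-tested over plain HTTP exactly when the check type is 'ssl'. A proxy that blocks or breaks TLS without raising `RS_E_SSL_CERTIFICATE_ERROR` can therefore still be validated over a channel it is able to read and alter. The code that records the fallback result lies outside the visible hunks, so this may already be handled. If it is not, the outcome should be stored as HTTP-only rather than as a passed SSL check, for example with `0` in the `use_ssl` position of the returned tuple and a distinct value in the last position, as the MITM path does with `'ssl_mitm'`. The flag name now reads against the behaviour, so a comment such as `# ssl_only_check: checktype is 'ssl'; the HTTP re-check proves reachability only, TLS through this proxy stays unverified` would help the next reader.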