mirror of
https://github.com/GAM-team/GAM.git
synced 2026-07-03 20:31:35 +00:00
further checkconn diagnostics data
This commit is contained in:
@@ -9499,6 +9499,26 @@ def getOSPlatform():
|
|||||||
pltfrm = platform.platform()
|
pltfrm = platform.platform()
|
||||||
return f'{myos} {pltfrm}'
|
return f'{myos} {pltfrm}'
|
||||||
|
|
||||||
|
def inspect_untrusted_cert(url):
|
||||||
|
"""Bypasses validation momentarily to extract the untrusted Issuer."""
|
||||||
|
parsed = urlparse(url if '://' in url else f'https://{url}')
|
||||||
|
host = parsed.hostname
|
||||||
|
port = parsed.port or 443
|
||||||
|
# Create an unverified context purely for diagnostic extraction
|
||||||
|
ctx = ssl.create_default_context()
|
||||||
|
ctx.check_hostname = False
|
||||||
|
ctx.verify_mode = ssl.CERT_NONE
|
||||||
|
try:
|
||||||
|
with socket.create_connection((host, port), timeout=5) as sock:
|
||||||
|
with ctx.wrap_socket(sock, server_hostname=host) as ssock:
|
||||||
|
der_cert = ssock.getpeercert(binary_form=True)
|
||||||
|
cert = x509.load_der_x509_certificate(der_cert, default_backend())
|
||||||
|
issuer = cert.issuer.rfc4514_string()
|
||||||
|
subject = cert.subject.rfc4514_string()
|
||||||
|
return f"Untrusted Issuer: {issuer}\n Server Subject: {subject}"
|
||||||
|
except Exception as e:
|
||||||
|
return f"Failed to retrieve diagnostic certificate: {e}"
|
||||||
|
|
||||||
# gam checkconnection
|
# gam checkconnection
|
||||||
def doCheckConnection():
|
def doCheckConnection():
|
||||||
|
|
||||||
@@ -9535,8 +9555,9 @@ def doCheckConnection():
|
|||||||
except httplib2.error.ServerNotFoundError:
|
except httplib2.error.ServerNotFoundError:
|
||||||
writeStdout(f'{not_okay}\n Failed to find server. Your DNS is probably misconfigured.\n')
|
writeStdout(f'{not_okay}\n Failed to find server. Your DNS is probably misconfigured.\n')
|
||||||
except ssl.SSLCertVerificationError as e:
|
except ssl.SSLCertVerificationError as e:
|
||||||
|
diag_info = inspect_untrusted_cert(host)
|
||||||
# e.verify_message contains the specific OpenSSL error string
|
# e.verify_message contains the specific OpenSSL error string
|
||||||
writeStdout(f'{not_okay}\n Certificate verification failed: {e.verify_message}\n If you are behind a firewall / proxy server that does TLS / SSL inspection you may need to point GAM at your certificate authority file by setting cacerts_pem = /path/to/your/certauth.pem in gam.cfg.\n')
|
writeStdout(f'{not_okay}\n Certificate verification failed: {e.verify_message}\n Diagnostic Info:\n {diag_info}\nIf you are behind a firewall / proxy server that does TLS / SSL inspection you may need to point GAM at your certificate authority file by setting cacerts_pem = /path/to/your/certauth.pem in gam.cfg.\n')
|
||||||
except ssl.SSLError as e:
|
except ssl.SSLError as e:
|
||||||
if e.reason == 'SSLV3_ALERT_HANDSHAKE_FAILURE':
|
if e.reason == 'SSLV3_ALERT_HANDSHAKE_FAILURE':
|
||||||
writeStdout(f'{not_okay}\n GAM expects to connect with TLS 1.3 or newer and that failed. If your firewall / proxy server is not compatible with TLS 1.3 then you can tell GAM to allow TLS 1.2 by setting tls_min_version = TLSv1.2 in gam.cfg.\n')
|
writeStdout(f'{not_okay}\n GAM expects to connect with TLS 1.3 or newer and that failed. If your firewall / proxy server is not compatible with TLS 1.3 then you can tell GAM to allow TLS 1.2 by setting tls_min_version = TLSv1.2 in gam.cfg.\n')
|
||||||
|
|||||||
Reference in New Issue
Block a user