Another fix for OpenSSL 1.1.1

If testssl.sh is used with OpenSSL 1.1.1 and TLSv1.3 support is enabled, then the check for whether the server has a cipher order will always fail. The problem is that since the call to s_client doesn't specify a protocol a TLSv1.3 ClientHello will be sent. However, the call specifies a list of ciphers that doesn't include any TLSv1.3 ciphers. So, OpenSSL will fail with the error: "No ciphers enabled for max supported SSL/TLS version." The solution is to add the "-no_tls1_3" option. This PR fixes the problem by taking advantage of the recently-added s_client_options() function. It adds a "-no_tls1_3" option whenever: * $OPENSSL supports TLSv1.3 * The command line doesn't specify any protocol: -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, or -tls1_3. * The command line includes the -cipher option * The list of ciphers that will be sent doesn't include any TLSv1.3 ciphers. Add TLSv1.3 support to run_cipher_per_proto() Fix branch
2025-01-01 06:19:44 +01:00 · 2017-09-19 17:16:41 -04:00 · 2017-09-19 17:16:41 -04:00 · 0efaf9114f
commit 0efaf9114f
parent f212b609ab
1 changed files with 15 additions and 6 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -1393,6 +1393,7 @@ string_to_asciihex() {
 # Adjust options to $OPENSSL s_client based on OpenSSL version and protocol version
 s_client_options() {
     local options="$1"
+     local ciphers

     # Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
     [[ -n "$SNI" ]] && [[ " $options " =~ \ -ssl[2|3]\  ]] && options="${options//$SNI/}"
@ -1410,6 +1411,19 @@ s_client_options() {
     # isn't needed for these versions of OpenSSL.)
     ! "$HAS_NO_SSL2" && options="${options//-no_ssl2/}"

+     # If $OPENSSL is compiled with TLSv1.3 support and s_client is called without
+     # specifying a protocol, but specifying a list of ciphers that doesn't include
+     # any TLSv1.3 ciphers, then the command will always fail. So, if $OPENSSL supports
+     # TLSv1.3 and a cipher list is provided, but no protocol is specified, then add
+     # -no_tls1_3 if the list of ciphers doesn't include any TLSv1.3 ciphers.
+     if "$HAS_TLS13" && [[ " $options " =~ " -cipher " ]] && \
+          [[ ! " $options " =~ \ -ssl[2|3]\  ]] && \
+          [[ ! " $options " =~ \ -tls1\  ]] && [[ ! " $options " =~ \ -tls1_[1|2|3]\  ]]; then
+          ciphers="${options#* -cipher }"
+          ciphers="${ciphers%% *}"
+          [[ ! "$($OPENSSL ciphers "$ciphers")" =~ TLS13 ]] && options+=" -no_tls1_3"
+     fi
+
     tm_out "$options"
 }

@ -2457,12 +2471,7 @@ std_cipherlists() {
                         "$FAST" && continue
                         [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
                    fi
-                    # FIXME: This check won't be needed once PR #827 is approved. At that point just the "else" statement will be needed.
-                    if "$HAS_TLS13" && [[ "$proto" == "-no_ssl2" ]] && [[ ! "$($OPENSSL ciphers "$1")" =~ TLS13 ]]; then
-                         $OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $proto -no_tls1_3") 2>$ERRFILE >$TMPFILE </dev/null
-                    else
-                         $OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $proto") 2>$ERRFILE >$TMPFILE </dev/null
-                    fi
+                    $OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $proto") 2>$ERRFILE >$TMPFILE </dev/null
                    sclient_connect_successful $? $TMPFILE
                    sclient_success=$?
                    debugme cat $ERRFILE