Fix sub_session_resumption()
This PR fixes an issue with sub_session_resumption() when using OpenSSL 1.1.1. As noted in #1335, some servers will return a session ticket for TLSv1.2, but not for TLSv1.3. OpenSSL 1.1.1 does not support the "-no_ssl2" option, and so when using OpenSSL 1.1.1 sub_session_resumption() adds $OPTIMAL_PROTO to the $OPENSSL s_client command line. When determine_optimal_proto_sockets_helper() is called, $OPTIMAL_PROTO will generally be set to "-tls1_2" (or "-tls1_1" or "-tls1") unless the server is a TLSv1.3-only server. As a result sub_session_resumption() will specify that same protocol on the command line if OpenSSL 1.1.1 is being used. If "--ssl-native" is used, however, then determine_optimal_proto() will set $OPTIMAL_PROTO to "-tls1_3" if the server supports TLSv1.3 (and doesn't use STARTTLS). Similarly, if the version of determine_optimal_proto() in #1336 is used, then $OPTIMAL_PROTO will usually be empty. In either case, sub_session_resumption() will send a TLSv1.3 ClientHello, even if the server only supports session tickets for TLSv1.2 and below. This PR appears to fix the problem. This PR makes no changes when using a version of OpenSSL that supports "-no_ssl2". When using a version of OpenSSL that does not support "-no_ssl2", however, rather than using $OPTIMAL_PROTO, this PR has sub_session_resumption() use whatever protocol version the server connected with when $sessticket_lifetime_hint was set.
This commit is contained in:
parent
e492b5761d
commit
0fe60e82a8
25
testssl.sh
25
testssl.sh
|
@ -6055,8 +6055,9 @@ sub_session_resumption() {
|
||||||
local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
|
local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
|
||||||
local -a rw_line
|
local -a rw_line
|
||||||
local not_new_reused=false
|
local not_new_reused=false
|
||||||
|
local protocol="$1"
|
||||||
|
|
||||||
if [[ "$1" == ID ]]; then
|
if [[ "$2" == ID ]]; then
|
||||||
local byID=true
|
local byID=true
|
||||||
local addcmd="-no_ticket"
|
local addcmd="-no_ticket"
|
||||||
else
|
else
|
||||||
|
@ -6067,7 +6068,10 @@ sub_session_resumption() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
"$CLIENT_AUTH" && return 3
|
"$CLIENT_AUTH" && return 3
|
||||||
"$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO"
|
protocol=${protocol/\./_}
|
||||||
|
protocol=${protocol/v/}
|
||||||
|
protocol="-$(tolower $protocol)"
|
||||||
|
"$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $protocol"
|
||||||
|
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
|
||||||
ret1=$?
|
ret1=$?
|
||||||
|
@ -8823,7 +8827,7 @@ certificate_info() {
|
||||||
run_server_defaults() {
|
run_server_defaults() {
|
||||||
local ciph newhostcert sni
|
local ciph newhostcert sni
|
||||||
local match_found
|
local match_found
|
||||||
local sessticket_lifetime_hint="" lifetime unit
|
local sessticket_lifetime_hint="" sessticket_proto="" lifetime unit
|
||||||
local -i i n
|
local -i i n
|
||||||
local -i certs_found=0
|
local -i certs_found=0
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
|
@ -8890,6 +8894,7 @@ run_server_defaults() {
|
||||||
>$ERRFILE
|
>$ERRFILE
|
||||||
if [[ -z "$sessticket_lifetime_hint" ]]; then
|
if [[ -z "$sessticket_lifetime_hint" ]]; then
|
||||||
sessticket_lifetime_hint=$(awk '/session ticket life/ { if (!found) print; found=1 }' $TMPFILE)
|
sessticket_lifetime_hint=$(awk '/session ticket life/ { if (!found) print; found=1 }' $TMPFILE)
|
||||||
|
sessticket_proto="$(get_protocol "$TMPFILE")"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $n -le 7 ]]; then
|
if [[ $n -le 7 ]]; then
|
||||||
|
@ -9042,7 +9047,10 @@ run_server_defaults() {
|
||||||
if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
|
if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
|
||||||
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
|
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
|
||||||
>$ERRFILE
|
>$ERRFILE
|
||||||
[[ -z "$sessticket_lifetime_hint" ]] && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
|
if [[ -z "$sessticket_lifetime_hint" ]]; then
|
||||||
|
sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
|
||||||
|
sessticket_proto="$(get_protocol "$TMPFILE")"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
if "$using_sockets" && ! "$TLS13_ONLY" && [[ -z "$sessticket_lifetime_hint" ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
|
if "$using_sockets" && ! "$TLS13_ONLY" && [[ -z "$sessticket_lifetime_hint" ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
|
||||||
if "$HAS_TLS13" && ( [[ -z "$OPTIMAL_PROTO" ]] || [[ "$OPTIMAL_PROTO" == -tls1_3 ]] ) ; then
|
if "$HAS_TLS13" && ( [[ -z "$OPTIMAL_PROTO" ]] || [[ "$OPTIMAL_PROTO" == -tls1_3 ]] ) ; then
|
||||||
|
@ -9052,7 +9060,10 @@ run_server_defaults() {
|
||||||
else
|
else
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS "$OPTIMAL_PROTO" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS "$OPTIMAL_PROTO" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
fi
|
fi
|
||||||
sclient_connect_successful $? $TMPFILE && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
|
sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
|
||||||
|
sessticket_proto="$(get_protocol "$TMPFILE")"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
[[ -z "$sessticket_lifetime_hint" ]] && TLS_TICKETS=false || TLS_TICKETS=true
|
[[ -z "$sessticket_lifetime_hint" ]] && TLS_TICKETS=false || TLS_TICKETS=true
|
||||||
|
|
||||||
|
@ -9122,7 +9133,7 @@ run_server_defaults() {
|
||||||
|
|
||||||
pr_bold " Session Resumption "
|
pr_bold " Session Resumption "
|
||||||
jsonID="sessionresumption_ticket"
|
jsonID="sessionresumption_ticket"
|
||||||
sub_session_resumption
|
sub_session_resumption "$sessticket_proto"
|
||||||
case $? in
|
case $? in
|
||||||
0) SESS_RESUMPTION[2]="ticket=yes"
|
0) SESS_RESUMPTION[2]="ticket=yes"
|
||||||
out "Tickets: yes, "
|
out "Tickets: yes, "
|
||||||
|
@ -9154,7 +9165,7 @@ run_server_defaults() {
|
||||||
outln "ID: no"
|
outln "ID: no"
|
||||||
fileout "$jsonID" "INFO" "No Session ID, no resumption"
|
fileout "$jsonID" "INFO" "No Session ID, no resumption"
|
||||||
else
|
else
|
||||||
sub_session_resumption ID
|
sub_session_resumption "$sessticket_proto" ID
|
||||||
case $? in
|
case $? in
|
||||||
0) SESS_RESUMPTION[1]="ID=yes"
|
0) SESS_RESUMPTION[1]="ID=yes"
|
||||||
outln "ID: yes"
|
outln "ID: yes"
|
||||||
|
|
Loading…
Reference in New Issue