LibreSSL doesn't support "engine"

LibreSSL prints an "invalid command" error for "openssl engine ..." regardless of what "..." is, but always returns 0. The result is that when using LibreSSL, the initialize_engine() concludes that there is engine support even though there isn't. This results in error messages later on in testing. This PR fixes the problem by checking whether "$OPENSSL engine -v" results in a "invalid command" error being send to stderr before trying any other tests with engine. On the system in which I was testing, fixing the above problem still lead to a few places in which $OPENSSL printed a "can't open config file" warning, where the warning was not being redirected to /dev/null or to $ERRFILE. This PR also fixes that.
2025-01-25 18:09:30 +01:00 · 2017-09-22 11:54:17 -04:00 · 2017-09-22 11:54:17 -04:00 · 10502b4b1e
commit 10502b4b1e
parent d3c3d65e1f
1 changed files with 13 additions and 8 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -6356,7 +6356,7 @@ run_server_defaults() {
     # ciphers_to_test[7]: cipher suites using certificates with GOST R 34.10 (either 2001 or 94) public keys
     ciphers_to_test[1]=""
     ciphers_to_test[2]=""
-     for ciph in $(colon_to_spaces $($OPENSSL ciphers "aRSA")); do
+     for ciph in $(colon_to_spaces $($OPENSSL ciphers "aRSA" 2>>$ERRFILE)); do
          if grep -q "\-RSA\-" <<<$ciph; then
               ciphers_to_test[1]="${ciphers_to_test[1]}:$ciph"
          else
@ -7412,13 +7412,13 @@ get_pub_key_size() {
     local tmppubkeyfile

     # OpenSSL displays the number of bits for RSA and ECC
-     pubkeybits=$($OPENSSL x509 -noout -pubkey -in $HOSTCERT | $OPENSSL pkey -pubin -text 2> $ERRFILE | grep -aw "Public-Key:" | sed -e 's/.*(//' -e 's/)//')
+     pubkeybits=$($OPENSSL x509 -noout -pubkey -in $HOSTCERT 2>>$ERRFILE | $OPENSSL pkey -pubin -text 2>>$ERRFILE | grep -aw "Public-Key:" | sed -e 's/.*(//' -e 's/)//')
     if [[ -n $pubkeybits ]]; then
          echo "Server public key is $pubkeybits" >> $TMPFILE
     else
          # This extracts the public key for DSA, DH, and GOST
          tmppubkeyfile=$(mktemp $TEMPDIR/pubkey.XXXXXX) || return 7
-          $OPENSSL x509 -noout -pubkey -in $HOSTCERT | $OPENSSL pkey -pubin -outform DER -out "$tmppubkeyfile" 2> $ERRFILE
+          $OPENSSL x509 -noout -pubkey -in $HOSTCERT 2>>$ERRFILE | $OPENSSL pkey -pubin -outform DER -out "$tmppubkeyfile" 2>>$ERRFILE
          pubkey=$(hexdump -v -e '16/1 "%02X"' "$tmppubkeyfile")
          rm $tmppubkeyfile
          [[ -z "$pubkey" ]] && return 1
@ -8411,8 +8411,8 @@ parse_tls_serverhello() {
          echo "===============================================================================" >> $TMPFILE
          echo "---" >> $TMPFILE
          echo "Certificate chain" >> $TMPFILE
-          subjectDN="$($OPENSSL x509 -in $HOSTCERT -noout -subject)"
-          issuerDN="$($OPENSSL x509 -in $HOSTCERT -noout -issuer)"
+          subjectDN="$($OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE)"
+          issuerDN="$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE)"
          echo " $nr_certs s:${subjectDN:9}" >> $TMPFILE
          echo "   i:${issuerDN:8}" >> $TMPFILE
          cat "$HOSTCERT" >> $TMPFILE
@ -8443,8 +8443,8 @@ parse_tls_serverhello() {
                    return 1
               fi
               nr_certs+=1
-               CAsubjectDN="$($OPENSSL x509 -in $tmp_pem_certfile -noout -subject)"
-               CAissuerDN="$($OPENSSL x509 -in $tmp_pem_certfile -noout -issuer)"
+               CAsubjectDN="$($OPENSSL x509 -in $tmp_pem_certfile -noout -subject 2>>$ERRFILE)"
+               CAissuerDN="$($OPENSSL x509 -in $tmp_pem_certfile -noout -issuer 2>>$ERRFILE)"
               echo " $nr_certs s:${CAsubjectDN:9}" >> $TMPFILE
               echo "   i:${CAissuerDN:8}" >> $TMPFILE
               cat "$tmp_pem_certfile"  >> $TMPFILE
@ -12126,7 +12126,12 @@ fatal() {
 initialize_engine(){
     grep -q '^# testssl config file' "$OPENSSL_CONF" 2>/dev/null && return 0        # have been here already

-     if ! $OPENSSL engine gost -vvvv -t -c 2>/dev/null >/dev/null; then
+     if $OPENSSL engine -v 2>&1 | grep -aq "invalid command"; then
+          outln
+          pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
+          fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"
+          return 1
+     elif ! $OPENSSL engine gost -vvvv -t -c 2>/dev/null >/dev/null; then
          outln
          pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
          fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"