
Fix "ID resumption test failed" under Darwin

Under Darwin using LibreSSL it was not possible to test for session
resumption by session ID.

This fixes  by checking not only the return value of the s_client
hello but also whether a probable certificate is being returned.
Dirk Wetter 2022-02-16 23:09:11 +01:00 committed by Dirk
parent deef51305a
commit 1059b07909

@ -6521,17 +6521,22 @@ sub_session_resumption() {
addcmd+=" $protocol" addcmd+=" $protocol"
fi fi
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>$tmpfile
ret1=$? ret1=$?
if [[ $ret1 -ne 0 ]]; then if [[ $ret1 -ne 0 ]]; then
# MacOS and LibreSSL return 1 here, that's why we need to check whether the handshake contains e.g. a certificate
if [[ ! $(<$tmpfile) =~ -----.*\ CERTIFICATE----- ]]; then
debugme echo -n "Couldn't connect #1 " debugme echo -n "Couldn't connect #1 "
return 7 return 7
fi fi
fi
if "$byID" && [[ ! "$OSSL_NAME" =~ LibreSSL ]] && \ if "$byID" && [[ ! "$OSSL_NAME" =~ LibreSSL ]] && \
( [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || [[ $OSSL_VER_MAJOR == 3 ]] ) && \ ( [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || [[ $OSSL_VER_MAJOR == 3 ]] ) && \
[[ ! -s "$sess_data" ]]; then [[ ! -s "$sess_data" ]]; then
# it seems OpenSSL indicates no Session ID resumption by just not generating output # it seems OpenSSL indicates no Session ID resumption by just not generating output
debugme echo -n "No session resumption byID (empty file)" debugme echo -n "No session resumption byID (empty file)"
# If we want to check the presence of session data:
# [[ ! $(<$sess_data) =~ -----.*\ SSL\ SESSION\ PARAMETERS----- ]]
ret=2 ret=2
else else
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
@ -6541,9 +6546,11 @@ sub_session_resumption() {
[[ -s "$sess_data" ]] && echo "not empty" || echo "empty" [[ -s "$sess_data" ]] && echo "not empty" || echo "empty"
fi fi
if [[ $ret2 -ne 0 ]]; then if [[ $ret2 -ne 0 ]]; then
if [[ ! $(<$tmpfile) =~ -----.*\ CERTIFICATE----- ]]; then
debugme echo -n "Couldn't connect #2 " debugme echo -n "Couldn't connect #2 "
return 7 return 7
fi fi
fi
# "Reused" indicates session material was reused, "New": not # "Reused" indicates session material was reused, "New": not
if grep -aq "^Reused" "$tmpfile"; then if grep -aq "^Reused" "$tmpfile"; then
new_sid=false new_sid=false
@ -6553,7 +6560,7 @@ sub_session_resumption() {
debugme echo -n "Problem with 2nd ServerHello " debugme echo -n "Problem with 2nd ServerHello "
fi fi
# Now get the line and compare the numbers "read" and "written" as a second criteria. # Now get the line and compare the numbers "read" and "written" as a second criteria.
# If the "read" number is bigger: a new session ID was probably used # If the "read" number is bigger: a new session ID was probably used.
rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )" rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )"
rw_line=($rw_line) rw_line=($rw_line)
if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then
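Review bot: The new fallback in the first hunk (and the copy of it after the second s_client call in the second hunk) accepts any non-zero s_client exit as a successful connection whenever a PEM block matching `-----.*\ CERTIFICATE-----` appears in the output, but the comment above it only justifies that for MacOS/LibreSSL; on other builds s_client can, as far as I recall, still print the peer certificate it received before a handshake that then fails, so a genuine failure would no longer return 7 and the function would go on with a possibly missing or empty `$sess_data`. Gating the heuristic on the build the comment describes, as the existing condition a few lines below already does with `$OSSL_NAME`, would keep the old behaviour elsewhere: `if [[ ! "$OSSL_NAME" =~ LibreSSL ]] || [[ ! $(<$tmpfile) =~ -----.*\ CERTIFICATE----- ]]; then`. Note also that the first call now redirects with `&>$tmpfile`, so s_client's stderr lands in the file being matched, whereas the second call keeps `>$tmpfile 2>$ERRFILE`; using the same split redirection for the first call would keep diagnostics in `$ERRFILE` and the match on stdout only. sub_session_resumption begins before the first hunk and continues after the third.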