diff --git a/testssl.sh b/testssl.sh
index 9daa3fc..f390005 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -226,6 +226,7 @@ HAS_SPDY=false
HAS_FALLBACK_SCSV=false
HAS_PROXY=false
HAS_XMPP=false
+HAS_POSTGRES=false
ADD_RFC_STR="rfc" # display RFC ciphernames
PORT=443 # unless otherwise auto-determined, see below
NODE=""
@@ -6227,6 +6228,16 @@ starttls_nntp_dialog() {
return $ret
}
+starttls_postgres_dialog() {
+ debugme echo "=== starting postgres STARTTLS dialog ==="
+ local reINITTLS="\x00\x00\x00\x08\x04\xD2\x16\x2F"
+ starttls_just_send "${reINITTLS}" && debugme echo "initiated STARTTLS" &&
+ starttls_full_read '' '' 'S' && debugme echo "received ack for STARTTLS"
+ local ret=$?
+ debugme echo "=== finished postgres STARTTLS dialog with ${ret} ==="
+ return $ret
+}
+
# arg for a fd doesn't work here
fd_socket() {
local jabber=""
@@ -6301,6 +6312,9 @@ EOF
starttls_line "" "proceed"
# BTW: https://xmpp.net !
;;
+ postgres|postgress) # Postgres SQL, see http://www.postgresql.org/docs/devel/static/protocol-message-formats.html
+ starttls_postgres_dialog
+ ;;
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not yet supported" -4
esac
@@ -9315,6 +9329,7 @@ test_openssl_suffix() {
find_openssl_binary() {
local s_client_has=$TEMPDIR/s_client_has.txt
+ local s_client_starttls_has=$TEMPDIR/s_client_starttls_has.txt
# 0. check environment variable whether it's executable
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
@@ -9371,6 +9386,8 @@ find_openssl_binary() {
$OPENSSL s_client -help 2>$s_client_has
+ $OPENSSL s_client -starttls foo 2>$s_client_starttls_has
+
grep -qw '\-alpn' $s_client_has && \
HAS_ALPN=true
@@ -9386,6 +9403,9 @@ find_openssl_binary() {
grep -q '\-xmpp' $s_client_has && \
HAS_XMPP=true
+ grep -q 'postgres' $s_client_starttls_has && \
+ HAS_POSTGRES=true
+
if [[ "$OPENSSL_TIMEOUT" != "" ]]; then
if which timeout >&2 2>/dev/null ; then
# there are different "timeout". Check whether --preserve-status is supported
@@ -9467,7 +9487,7 @@ help() {
"$PROG_NAME URI", where is:
-t, --starttls does a default run against a STARTTLS enabled (latter two require supplied openssl)
+ protocol is (latter three require supplied openssl)
--xmpphost for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
--mx tests MX records from high to low priority (STARTTLS, port 25)
--file mass testing option: Reads command lines from , one line per instance.
@@ -9600,6 +9620,7 @@ HAS_ALPN: $HAS_ALPN
HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
HAS_PROXY: $HAS_PROXY
HAS_XMPP: $HAS_XMPP
+HAS_POSTGRES: $HAS_POSTGRES
PATH: $PATH
PROG_NAME: $PROG_NAME
@@ -10230,7 +10251,7 @@ determine_optimal_proto() {
}
-# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap (maybe with trailing s)
+# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap, postgres (maybe with trailing s)
determine_service() {
local ua
local protocol
@@ -10257,9 +10278,13 @@ determine_service() {
service_detection $OPTIMAL_PROTO
else
# STARTTLS
- protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
+ if [[ "$1" == postgres ]]; then
+ protocol="postgres"
+ else
+ protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
+ fi
case "$protocol" in
- ftp|smtp|pop3|imap|xmpp|telnet|ldap)
+ ftp|smtp|pop3|imap|xmpp|telnet|ldap|postgres)
STARTTLS="-starttls $protocol"
SNI=""
if [[ "$protocol" == xmpp ]]; then
@@ -10273,6 +10298,12 @@ determine_service() {
# see http://xmpp.org/rfcs/rfc3920.html
fi
fi
+ if [[ "$protocol" == postgres ]]; then
+ # Check if openssl version supports postgres.
+ if ! "$HAS_POSTGRES"; then
+ fatal "Your $OPENSSL does not support the \"-starttls postgres\" option" -5
+ fi
+ fi
$OPENSSL s_client -connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS 2>$ERRFILE >$TMPFILE &2
help 1 ;;
esac