From a1dae24a20b8b9f348eaca97c5d9f82d850a7109 Mon Sep 17 00:00:00 2001 From: Maurizio S <46047144+akabe1@users.noreply.github.com> Date: Sat, 9 Mar 2024 09:21:50 +0100 Subject: [PATCH] Fix: modified mtls option location in s_client_options() and code cleanup --- testssl.sh | 37 +++++++++++-------------------------- 1 file changed, 11 insertions(+), 26 deletions(-) diff --git a/testssl.sh b/testssl.sh index 03a616a..a2c1d38 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2306,6 +2306,12 @@ s_client_options() { fi fi fi + + # In case of mutual TLS authentication is required by the server + # Note: the PEM certificate file must contain: client certificate and key (not encrypted) + if [[ -n "$MTLS" ]]; then + options+=" -cert $MTLS" + fi # OpenSSL's name for secp256r1 is prime256v1. So whenever we encounter this # (e.g. client simulations) we replace it with the name which OpenSSL understands @@ -2317,11 +2323,6 @@ s_client_options() { fi tm_out "$options" - # In case of mutual TLS authentication is required by the server - # Note: the PEM certificate file must contain: client certificate and certificate key (not encrypted) - if [[ -n "$MTLS" ]]; then - options+=" -cert $MTLS" - fi } ###### check code starts here ###### @@ -2440,7 +2441,6 @@ run_http_header() { local url redirect local jsonID="HTTP_status_code" local spaces=" " - local cert_option="" HEADERFILE=$TEMPDIR/$NODEIP.http_header.txt if [[ $NR_HEADER_FAIL -eq 0 ]]; then @@ -2456,16 +2456,12 @@ run_http_header() { pr_bold " HTTP Status Code " [[ -z "$1" ]] && url="/" || url="$1" - # Set -cert option value if mTLS authentication is selected - if [[ ! -z "$MTLS" ]]; then - cert_option="-cert $MTLS" - fi - tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE & + tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE & wait_kill $! $HEADER_MAXSLEEP if [[ $? -eq 0 ]]; then # Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang. # Doing it again in the foreground to get an accurate header time - tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE + tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE NOW_TIME=$(date "+%s") HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE) HTTP_AGE=$(awk -F': ' '/^[aA][gG][eE]: / { print $2 }' $HEADERFILE) @@ -6726,12 +6722,6 @@ sub_session_resumption() { local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX) local -a rw_line local protocol="$1" - local cert_option="" - - # Set -cert option value if mTLS authentication is selected - if [[ ! -z "$MTLS" ]]; then - cert_option="-cert $MTLS" - fi if [[ "$2" == ID ]]; then local byID=true @@ -6761,7 +6751,7 @@ sub_session_resumption() { addcmd+=" $protocol" fi - $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $cert_option $addcmd -sess_out $sess_data") $tmpfile + $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") $tmpfile ret1=$? if [[ $ret1 -ne 0 ]]; then # MacOS and LibreSSL return 1 here, that's why we need to check whether the handshake contains e.g. a certificate @@ -6779,7 +6769,7 @@ sub_session_resumption() { # [[ ! $(<$sess_data) =~ -----.*\ SSL\ SESSION\ PARAMETERS----- ]] ret=2 else - $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $cert_option $addcmd -sess_in $sess_data") $tmpfile 2>$ERRFILE + $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") $tmpfile 2>$ERRFILE ret2=$? if [[ $DEBUG -ge 2 ]]; then echo -n "$ret1, $ret2, " @@ -17292,13 +17282,8 @@ sub_breach_helper() { local get_command="$1" local detected_compression="" local -i was_killed=0 - local cert_option="" - # Set -cert option value if mTLS authentication is selected - if [[ ! -z "$MTLS" ]]; then - cert_option="-cert $MTLS" - fi - safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE & + safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE & wait_kill $! $HEADER_MAXSLEEP was_killed=$? # !=0 when it was killed detected_compression=$(grep -ia ^Content-Encoding: $TMPFILE)