mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Merge pull request #2476 from akabe1/3.2
Fix mtls option location in s_client_options() and code cleanup
This commit is contained in:
commit
16efbd645c
37
testssl.sh
37
testssl.sh
@ -2307,6 +2307,12 @@ s_client_options() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# In case of mutual TLS authentication is required by the server
|
||||||
|
# Note: the PEM certificate file must contain: client certificate and key (not encrypted)
|
||||||
|
if [[ -n "$MTLS" ]]; then
|
||||||
|
options+=" -cert $MTLS"
|
||||||
|
fi
|
||||||
|
|
||||||
# OpenSSL's name for secp256r1 is prime256v1. So whenever we encounter this
|
# OpenSSL's name for secp256r1 is prime256v1. So whenever we encounter this
|
||||||
# (e.g. client simulations) we replace it with the name which OpenSSL understands
|
# (e.g. client simulations) we replace it with the name which OpenSSL understands
|
||||||
# This shouldn't be needed. We have this here as a last resort
|
# This shouldn't be needed. We have this here as a last resort
|
||||||
@ -2317,11 +2323,6 @@ s_client_options() {
|
|||||||
fi
|
fi
|
||||||
tm_out "$options"
|
tm_out "$options"
|
||||||
|
|
||||||
# In case of mutual TLS authentication is required by the server
|
|
||||||
# Note: the PEM certificate file must contain: client certificate and certificate key (not encrypted)
|
|
||||||
if [[ -n "$MTLS" ]]; then
|
|
||||||
options+=" -cert $MTLS"
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
###### check code starts here ######
|
###### check code starts here ######
|
||||||
@ -2440,7 +2441,6 @@ run_http_header() {
|
|||||||
local url redirect
|
local url redirect
|
||||||
local jsonID="HTTP_status_code"
|
local jsonID="HTTP_status_code"
|
||||||
local spaces=" "
|
local spaces=" "
|
||||||
local cert_option=""
|
|
||||||
|
|
||||||
HEADERFILE=$TEMPDIR/$NODEIP.http_header.txt
|
HEADERFILE=$TEMPDIR/$NODEIP.http_header.txt
|
||||||
if [[ $NR_HEADER_FAIL -eq 0 ]]; then
|
if [[ $NR_HEADER_FAIL -eq 0 ]]; then
|
||||||
@ -2456,16 +2456,12 @@ run_http_header() {
|
|||||||
pr_bold " HTTP Status Code "
|
pr_bold " HTTP Status Code "
|
||||||
[[ -z "$1" ]] && url="/" || url="$1"
|
[[ -z "$1" ]] && url="/" || url="$1"
|
||||||
|
|
||||||
# Set -cert option value if mTLS authentication is selected
|
tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
|
||||||
if [[ ! -z "$MTLS" ]]; then
|
|
||||||
cert_option="-cert $MTLS"
|
|
||||||
fi
|
|
||||||
tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
|
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
# Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang.
|
# Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang.
|
||||||
# Doing it again in the foreground to get an accurate header time
|
# Doing it again in the foreground to get an accurate header time
|
||||||
tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE
|
tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE
|
||||||
NOW_TIME=$(date "+%s")
|
NOW_TIME=$(date "+%s")
|
||||||
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
|
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
|
||||||
HTTP_AGE=$(awk -F': ' '/^[aA][gG][eE]: / { print $2 }' $HEADERFILE)
|
HTTP_AGE=$(awk -F': ' '/^[aA][gG][eE]: / { print $2 }' $HEADERFILE)
|
||||||
@ -6726,12 +6722,6 @@ sub_session_resumption() {
|
|||||||
local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
|
local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
|
||||||
local -a rw_line
|
local -a rw_line
|
||||||
local protocol="$1"
|
local protocol="$1"
|
||||||
local cert_option=""
|
|
||||||
|
|
||||||
# Set -cert option value if mTLS authentication is selected
|
|
||||||
if [[ ! -z "$MTLS" ]]; then
|
|
||||||
cert_option="-cert $MTLS"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "$2" == ID ]]; then
|
if [[ "$2" == ID ]]; then
|
||||||
local byID=true
|
local byID=true
|
||||||
@ -6761,7 +6751,7 @@ sub_session_resumption() {
|
|||||||
addcmd+=" $protocol"
|
addcmd+=" $protocol"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $cert_option $addcmd -sess_out $sess_data") </dev/null &>$tmpfile
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>$tmpfile
|
||||||
ret1=$?
|
ret1=$?
|
||||||
if [[ $ret1 -ne 0 ]]; then
|
if [[ $ret1 -ne 0 ]]; then
|
||||||
# MacOS and LibreSSL return 1 here, that's why we need to check whether the handshake contains e.g. a certificate
|
# MacOS and LibreSSL return 1 here, that's why we need to check whether the handshake contains e.g. a certificate
|
||||||
@ -6779,7 +6769,7 @@ sub_session_resumption() {
|
|||||||
# [[ ! $(<$sess_data) =~ -----.*\ SSL\ SESSION\ PARAMETERS----- ]]
|
# [[ ! $(<$sess_data) =~ -----.*\ SSL\ SESSION\ PARAMETERS----- ]]
|
||||||
ret=2
|
ret=2
|
||||||
else
|
else
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $cert_option $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
|
||||||
ret2=$?
|
ret2=$?
|
||||||
if [[ $DEBUG -ge 2 ]]; then
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
echo -n "$ret1, $ret2, "
|
echo -n "$ret1, $ret2, "
|
||||||
@ -17292,13 +17282,8 @@ sub_breach_helper() {
|
|||||||
local get_command="$1"
|
local get_command="$1"
|
||||||
local detected_compression=""
|
local detected_compression=""
|
||||||
local -i was_killed=0
|
local -i was_killed=0
|
||||||
local cert_option=""
|
|
||||||
|
|
||||||
# Set -cert option value if mTLS authentication is selected
|
safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
|
||||||
if [[ ! -z "$MTLS" ]]; then
|
|
||||||
cert_option="-cert $MTLS"
|
|
||||||
fi
|
|
||||||
safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
|
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
was_killed=$? # !=0 when it was killed
|
was_killed=$? # !=0 when it was killed
|
||||||
detected_compression=$(grep -ia ^Content-Encoding: $TMPFILE)
|
detected_compression=$(grep -ia ^Content-Encoding: $TMPFILE)
|
||||||
|
Loading…
Reference in New Issue
Block a user