Merge pull request #2476 from akabe1/3.2

Fix mtls option location in s_client_options() and code cleanup
This commit is contained in:
Dirk Wetter 2024-03-14 10:13:57 +01:00 committed by GitHub
commit 16efbd645c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -2307,6 +2307,12 @@ s_client_options() {
fi fi
fi fi
# In case of mutual TLS authentication is required by the server
# Note: the PEM certificate file must contain: client certificate and key (not encrypted)
if [[ -n "$MTLS" ]]; then
options+=" -cert $MTLS"
fi
# OpenSSL's name for secp256r1 is prime256v1. So whenever we encounter this # OpenSSL's name for secp256r1 is prime256v1. So whenever we encounter this
# (e.g. client simulations) we replace it with the name which OpenSSL understands # (e.g. client simulations) we replace it with the name which OpenSSL understands
# This shouldn't be needed. We have this here as a last resort # This shouldn't be needed. We have this here as a last resort
@ -2317,11 +2323,6 @@ s_client_options() {
fi fi
tm_out "$options" tm_out "$options"
# In case of mutual TLS authentication is required by the server
# Note: the PEM certificate file must contain: client certificate and certificate key (not encrypted)
if [[ -n "$MTLS" ]]; then
options+=" -cert $MTLS"
fi
} }
###### check code starts here ###### ###### check code starts here ######
@ -2440,7 +2441,6 @@ run_http_header() {
local url redirect local url redirect
local jsonID="HTTP_status_code" local jsonID="HTTP_status_code"
local spaces=" " local spaces=" "
local cert_option=""
HEADERFILE=$TEMPDIR/$NODEIP.http_header.txt HEADERFILE=$TEMPDIR/$NODEIP.http_header.txt
if [[ $NR_HEADER_FAIL -eq 0 ]]; then if [[ $NR_HEADER_FAIL -eq 0 ]]; then
@ -2456,16 +2456,12 @@ run_http_header() {
pr_bold " HTTP Status Code " pr_bold " HTTP Status Code "
[[ -z "$1" ]] && url="/" || url="$1" [[ -z "$1" ]] && url="/" || url="$1"
# Set -cert option value if mTLS authentication is selected tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
if [[ ! -z "$MTLS" ]]; then
cert_option="-cert $MTLS"
fi
tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $HEADER_MAXSLEEP
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
# Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang. # Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang.
# Doing it again in the foreground to get an accurate header time # Doing it again in the foreground to get an accurate header time
tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE
NOW_TIME=$(date "+%s") NOW_TIME=$(date "+%s")
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE) HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
HTTP_AGE=$(awk -F': ' '/^[aA][gG][eE]: / { print $2 }' $HEADERFILE) HTTP_AGE=$(awk -F': ' '/^[aA][gG][eE]: / { print $2 }' $HEADERFILE)
@ -6726,12 +6722,6 @@ sub_session_resumption() {
local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX) local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
local -a rw_line local -a rw_line
local protocol="$1" local protocol="$1"
local cert_option=""
# Set -cert option value if mTLS authentication is selected
if [[ ! -z "$MTLS" ]]; then
cert_option="-cert $MTLS"
fi
if [[ "$2" == ID ]]; then if [[ "$2" == ID ]]; then
local byID=true local byID=true
@ -6761,7 +6751,7 @@ sub_session_resumption() {
addcmd+=" $protocol" addcmd+=" $protocol"
fi fi
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $cert_option $addcmd -sess_out $sess_data") </dev/null &>$tmpfile $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>$tmpfile
ret1=$? ret1=$?
if [[ $ret1 -ne 0 ]]; then if [[ $ret1 -ne 0 ]]; then
# MacOS and LibreSSL return 1 here, that's why we need to check whether the handshake contains e.g. a certificate # MacOS and LibreSSL return 1 here, that's why we need to check whether the handshake contains e.g. a certificate
@ -6779,7 +6769,7 @@ sub_session_resumption() {
# [[ ! $(<$sess_data) =~ -----.*\ SSL\ SESSION\ PARAMETERS----- ]] # [[ ! $(<$sess_data) =~ -----.*\ SSL\ SESSION\ PARAMETERS----- ]]
ret=2 ret=2
else else
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $cert_option $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
ret2=$? ret2=$?
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
echo -n "$ret1, $ret2, " echo -n "$ret1, $ret2, "
@ -17292,13 +17282,8 @@ sub_breach_helper() {
local get_command="$1" local get_command="$1"
local detected_compression="" local detected_compression=""
local -i was_killed=0 local -i was_killed=0
local cert_option=""
# Set -cert option value if mTLS authentication is selected safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
if [[ ! -z "$MTLS" ]]; then
cert_option="-cert $MTLS"
fi
safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $HEADER_MAXSLEEP
was_killed=$? # !=0 when it was killed was_killed=$? # !=0 when it was killed
detected_compression=$(grep -ia ^Content-Encoding: $TMPFILE) detected_compression=$(grep -ia ^Content-Encoding: $TMPFILE)