From 496373a60fb78a2e69a9b47af4a152a6e8aac904 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 22 Jan 2026 19:57:32 +0100 Subject: [PATCH 1/3] Finalize renaming MAX_WAITSOCK --> ROBOT_TIMEOUT The commit 51a35b0344128640237ec6b8f744f2aeabaec442 changed variable names but there were leftovers. Also before the tiemout values were reduced, so that the check may run faster. What was left were that some timeout values were still too long. Thus MAX_WAITSOCK is now completely changed to ROBOT_TIMEOUT . Also when the ROBOT check identified something as potentially vulnerable, the timeout value ist increased to 8 seconds which is less than in 3.2 . Tests however showed so far that there were no false positives or negatives. Moreover it changes the local variable robottimeout to robot_timeout. This PR fixes #2983 for 3.3dev . --- testssl.sh | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/testssl.sh b/testssl.sh index 57997f9..ad8a53c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -20690,7 +20690,7 @@ run_robot() { local -i i subret len iteration testnum pubkeybytes local pubkeybits local vulnerable=false send_ccs_finished=true - local -i start_time end_time robottimeout=$ROBOT_TIMEOUT + local -i start_time end_time robot_timeout=$ROBOT_TIMEOUT local cve="CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168" local cwe="CWE-203" local jsonID="ROBOT" @@ -20854,7 +20854,7 @@ run_robot() { fi debugme echo "reading server error response..." start_time=$(LC_ALL=C date "+%s") - sockread 32768 $robottimeout + sockread 32768 $robot_timeout subret=$? if [[ $subret -eq 0 ]]; then end_time=$(LC_ALL=C date "+%s") @@ -20869,9 +20869,9 @@ run_robot() { # exchange message, measure the amount of time it took to # receive a response and set the timeout value for future # tests to 2 seconds longer than it took to receive a response. - [[ $iteration -ne 2 ]] && [[ $robottimeout -eq $MAX_WAITSOCK ]] && \ - [[ $((end_time-start_time)) -lt $((MAX_WAITSOCK-2)) ]] && \ - robottimeout=$((end_time-start_time+2)) + [[ $iteration -ne 2 ]] && [[ $robot_timeout -eq $ROBOT_TIMEOUT ]] && \ + [[ $((end_time-start_time)) -lt $((ROBOT_TIMEOUT-2)) ]] && \ + robot_timeout=$((end_time-start_time+2)) else response[testnum]="Timeout waiting for alert" fi @@ -20910,14 +20910,15 @@ run_robot() { # If the test was run with a short timeout and was found to be # potentially vulnerable due to some tests timing out, then # verify the results by rerunning with a longer timeout. - if [[ $robottimeout -eq $MAX_WAITSOCK ]]; then + if [[ $robot_timeout -eq $ROBOT_TIMEOUT ]]; then break elif [[ "${response[0]}" == "Timeout waiting for alert" ]] || \ [[ "${response[1]}" == "Timeout waiting for alert" ]] || \ [[ "${response[2]}" == "Timeout waiting for alert" ]] || \ [[ "${response[3]}" == "Timeout waiting for alert" ]] || \ [[ "${response[4]}" == "Timeout waiting for alert" ]]; then - robottimeout=10 + [[ "$DEBUG" -ge 3 ]] && echo "5x Timeout waiting for alert, $robot_timeout increasing to 8" + robot_timeout=8 else break fi @@ -21795,6 +21796,7 @@ IPv6_OK: $IPv6_OK MAX_WAITSOCK: $MAX_WAITSOCK HEARTBLEED_MAX_WAITSOCK: $HEARTBLEED_MAX_WAITSOCK CCS_MAX_WAITSOCK: $CCS_MAX_WAITSOCK +ROBOT_TIMEOUT: $ROBOT_TIMEOUT USLEEP_SND $USLEEP_SND USLEEP_REC $USLEEP_REC HEADER_MAXSLEEP: $HEADER_MAXSLEEP From 98d3c8399f7ff689f23c41ce24ac5770d23afdfb Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 11 Feb 2026 19:00:38 +0100 Subject: [PATCH 2/3] Fix typo in ROBOT_TIMEOUT ... which may led to false positives Also in a number of tests the timeout was re-adjusted so that the robot check performs ~25% faster -- on MacOS. On Linux it's about the same. --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index ad8a53c..349cc08 100755 --- a/testssl.sh +++ b/testssl.sh @@ -209,7 +209,7 @@ MAX_WAITSOCK=${MAX_WAITSOCK:-5} # waiting at max 5 seconds for socket re QUIC_WAIT=${QUIC_WAIT:-3} # QUIC is UDP. Thus we run the connect in the background. This is how long in sec to wait CCS_MAX_WAITSOCK=${CCS_MAX_WAITSOCK:-5} # for the two CCS payload (each). There shouldn't be any reason to change this. HEARTBLEED_MAX_WAITSOCK=${HEARTBLEED_MAX_WAITSOCK:-8} # for the heartbleed payload. There shouldn't be any reason to change this. -ROBOT_TIMEOUT=${ROBOT_TIMEOUT:5} # Initial timeout for ROBOT check +ROBOT_TIMEOUT=${ROBOT_TIMEOUT:-1} # Initial timeout for ROBOT check STARTTLS_SLEEP=${STARTTLS_SLEEP:-10} # max time wait on a socket for STARTTLS. MySQL has a fixed value of 1 which can't be overwritten (#914) FAST_STARTTLS=${FAST_STARTTLS:-true} # at the cost of reliability decrease the handshakes for STARTTLS USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send From ee316ef7ee938e9ec0d2713e020098f1b6f7cfff Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 11 Feb 2026 20:06:24 +0100 Subject: [PATCH 3/3] Google has KEMs wjhich openssl doesn't show --- t/12_diff_opensslversions.t | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/t/12_diff_opensslversions.t b/t/12_diff_opensslversions.t index 74a1b95..9735d8e 100755 --- a/t/12_diff_opensslversions.t +++ b/t/12_diff_opensslversions.t @@ -82,6 +82,10 @@ $cat_csvfile2 =~ s/HTTP_headerTime.*\n//g; $cat_csvfile =~ s/"engine_problem.*\n//g; $cat_csvfile2 =~ s/"engine_problem.*\n//g; +# Google has KEMs for TLS 1.3 which the local openssl has not - yet +$cat_csvfile =~ s/MLKEM1024 AESGCM/ECDH 253 AESGCM/g; +$cat_csvfile =~ s/MLKEM1024 ChaCha20/ECDH 253 ChaCha20/g; + # PR #2628. TL:DR; make the kx between tls_sockets() and openssl the same for this CI run $cat_csvfile =~ s/ECDH 256/ECDH 253/g; $cat_csvfile =~ s/ECDH\/MLKEM/ECDH 253 /g;