Improvement for testing curves with several openssl / libressl versions

As noted in #2016 the detection of curves in find_openssl_binary()
was not yet perfect.

This commit removes another connect call. It also corrects the port used for the
LibreSSL-style pre-checks, since port 0 generally seems better suited to me.
Inline documentation was added.

It worked so far with OpenSSL 1.0.2, 1.1.1 and 3.0 and LibreSSL 3.4.

This is for 3.0. Similar commit (a11bd1585e)
was for 3.1dev, see PR #2020 .
This commit is contained in:
Dirk Wetter 2021-10-24 22:01:08 +02:00
parent 25a8579a5a
commit 1b2903e7ac


@ -17090,14 +17090,20 @@ find_openssl_binary() {
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')") OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
if $OPENSSL s_client -curves "${curves_ossl[0]}" -connect $NXCONNECT 2>&1 | grep -aiq "unknown option"; then # The following statement works with openssl 1.0.2, 1.1.1 and 3.0 as LibreSSL 3.4
if $OPENSSL s_client -curves 2>&1 | grep -aiq "unknown option"; then
# This is e.g. for LibreSSL (tested with version 3.4.1): WSL users will get "127.0.0.1:0" here,
# All other "invalid.:0". We need a port here, in any case!
# The $OPENSSL connect call deliberately fails: when the curve isn't available with
# "getaddrinfo: Name or service not known", newer LibreSSL with "Failed to set groups".
for curve in "${curves_ossl[@]}"; do for curve in "${curves_ossl[@]}"; do
$OPENSSL s_client -groups $curve -connect ${NXCONNECT%:*}:8443 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups" $OPENSSL s_client -groups $curve -connect ${NXCONNECT%:*}:0 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups"
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve " [[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
done done
else else
HAS_CURVES=true HAS_CURVES=true
for curve in "${curves_ossl[@]}"; do for curve in "${curves_ossl[@]}"; do
# Same as above, we just don't need a port for invalid.
$OPENSSL s_client -curves $curve -connect $NXCONNECT 2>&1 | grep -Eiaq "Error with command|unknown option" $OPENSSL s_client -curves $curve -connect $NXCONNECT 2>&1 | grep -Eiaq "Error with command|unknown option"
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve " [[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
done done