From 1b7e6630d7a45c7ae3255f51d216e903ca780aed Mon Sep 17 00:00:00 2001
From: Dirk
Date: Thu, 30 Nov 2017 16:07:51 +0100
Subject: [PATCH] Extending OPTIMAL_PROTO tests with TLS 1.3

It partly addresses #915, supposedly the openssl binary used supports TLS 1.3 (and the correct draft/final). It also reduces handshakes by not trying protocols which aren't supported on the client side.
---
 testssl.sh | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index dc104fd..9f28664 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -13869,7 +13869,13 @@ determine_optimal_proto() {
 >$ERRFILE
 if [[ -n "$1" ]]; then
 # starttls workaround needed see https://github.com/drwetter/testssl.sh/issues/188 -- kind of odd
- for STARTTLS_OPTIMAL_PROTO in -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
+ for STARTTLS_OPTIMAL_PROTO in -tls1_2 -tls1 -ssl3 -tls1_1 -tls1_3 -ssl2; do
+ case $STARTTLS_OPTIMAL_PROTO in
+ -tls1_3) "$HAS_TLS13" || continue ;;
+ -ssl3) "$HAS_SSL3" || continue ;;
+ -ssl2) "$HAS_SSL2" || continue ;;
+ *) ;;
+ esac
 $OPENSSL s_client $(s_client_options "$STARTTLS_OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" $PROXY -msg -starttls $1") $TMPFILE 2>>$ERRFILE
 if sclient_auth $? $TMPFILE; then
 all_failed=false
@@ -13880,7 +13886,13 @@ determine_optimal_proto() {
 "$all_failed" && STARTTLS_OPTIMAL_PROTO=""
 debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
 else
- for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
+ for OPTIMAL_PROTO in '' -tls1_2 -tls1 -tls1_3 -ssl3 -tls1_1 -ssl2; do
+ case $OPTIMAL_PROTO in
+ -tls1_3) "$HAS_TLS13" || continue ;;
+ -ssl3) "$HAS_SSL3" || continue ;;
+ -ssl2) "$HAS_SSL2" || continue ;;
+ *) ;;
+ esac
 $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI") $TMPFILE 2>>$ERRFILE
 if sclient_auth $? $TMPFILE; then
 # we use the successful handshake at least to get one valid protocol supported -- it saves us time later
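Review bot: The two loops now disagree on where TLS 1.3 sits in the probe order — the STARTTLS loop in the first hunk tries `-tls1_3` only after `-ssl3` and `-tls1_1`, while the second hunk tries it before `-ssl3`, so a STARTTLS endpoint that only speaks TLS 1.3 costs up to four failed handshakes before it is found. I'd align the first hunk with the second: `for STARTTLS_OPTIMAL_PROTO in -tls1_2 -tls1 -tls1_3 -ssl3 -tls1_1 -ssl2; do`. The `*) ;;` arm in both new `case` statements is redundant (an unmatched value already falls through to the `$OPENSSL` call) and could be dropped. The loop bodies and determine_optimal_proto continue past each hunk; the `$OPENSSL s_client … $TMPFILE 2>>$ERRFILE` context lines also look garbled by extraction (the stdout redirection appears to be missing), which is not something this commit needs to address.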