From 1cf796fd36a3c3f1224c7b0346eae41f0921788e Mon Sep 17 00:00:00 2001 From: David Cooper Date: Tue, 12 Feb 2019 15:15:18 -0500 Subject: [PATCH] Fix run_server_defaults() for SSLv2-only servers This PR makes a few improvements to run_server_defaults() when run on an SSLv2-only server. First, it uses sslv2_sockets() to test the server rather than $OPENSSL, so that it will work even if $OPENSSL does not support SSLv2. Second, it changes run_server_defaults() to only call get_server_certificate() once if $OPTIMAL_PROTO is -ssl2, since calling more than once is a waste - SSLv2 only supports ciphers that use RSA key exchange. Finally, as some code assumes that $TEMPDIR/intermediatecerts.pem will exist, even if it is empty, this PR changes a couple of places that delete $TEMPDIR/intermediatecerts.pem to instead make the file empty. --- testssl.sh | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/testssl.sh b/testssl.sh index c8ab76a..6ecae2a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -7005,11 +7005,11 @@ get_server_certificate() { success=7 if [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then - $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY -ssl2 $ERRFILE >$TMPFILE - sclient_connect_successful $? $TMPFILE && success=0 - if [[ $success -eq 0 ]]; then - extract_certificates "ssl2" - success=$? + success=1 + sslv2_sockets "" "true" + if [[ $? -eq 3 ]]; then + mv $TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt $TMPFILE + success=0 fi tmpfile_handle ${FUNCNAME[0]}.txt return $success @@ -8454,7 +8454,9 @@ run_server_defaults() { # specifies TLSv1.1 and doesn't include a server name extension. # So, for each public key type for which a certificate was found, # try again, but only with TLSv1.1 and without SNI. - if [[ $n -ge 10 ]]; then + if [[ $n -ne 2 ]] && [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then + ciphers_to_test[n]="" + elif [[ $n -ge 10 ]]; then ciphers_to_test[n]="" [[ ${success[n-9]} -eq 0 ]] && [[ $(has_server_protocol "tls1_1") -ne 1 ]] && \ ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}" @@ -10127,7 +10129,8 @@ parse_sslv2_serverhello() { "$parse_complete" || return $ret # not sure why we need this - rm -f $HOSTCERT $TEMPDIR/intermediatecerts.pem + rm -f $HOSTCERT + > $TEMPDIR/intermediatecerts.pem if [[ $ret -eq 3 ]]; then certificate_len=2*$(hex2dec "$v2_hello_cert_length") @@ -11780,7 +11783,7 @@ parse_tls_serverhello() { if [[ "$process_full" =~ all ]]; then # not sure why we need this [[ -e "$HOSTCERT" ]] && rm "$HOSTCERT" - [[ -e "$TEMPDIR/intermediatecerts.pem" ]] && rm "$TEMPDIR/intermediatecerts.pem" + [[ -e "$TEMPDIR/intermediatecerts.pem" ]] && > "$TEMPDIR/intermediatecerts.pem" fi if [[ $tls_certificate_ascii_len -ne 0 ]]; then # The first certificate is the server's certificate. If there are anything