Fix run_server_defaults() for SSLv2-only servers

This PR makes a few improvements to run_server_defaults() when run on an SSLv2-only server.

First, it uses sslv2_sockets() to test the server rather than $OPENSSL, so that it will work even if $OPENSSL does not support SSLv2.

Second, it changes run_server_defaults() to only call get_server_certificate() once if $OPTIMAL_PROTO is -ssl2, since calling more than once is a waste -  SSLv2 only supports ciphers that use RSA key exchange.

Finally, as some code assumes that $TEMPDIR/intermediatecerts.pem will exist, even if it is empty, this PR changes a couple of places that delete $TEMPDIR/intermediatecerts.pem to instead make the file empty.
This commit is contained in:
David Cooper 2019-02-12 15:15:18 -05:00 committed by GitHub
parent 5d1109a582
commit 1cf796fd36
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 8 deletions

View File

@ -7005,11 +7005,11 @@ get_server_certificate() {
success=7 success=7
if [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then if [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY -ssl2 </dev/null 2>$ERRFILE >$TMPFILE success=1
sclient_connect_successful $? $TMPFILE && success=0 sslv2_sockets "" "true"
if [[ $success -eq 0 ]]; then if [[ $? -eq 3 ]]; then
extract_certificates "ssl2" mv $TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt $TMPFILE
success=$? success=0
fi fi
tmpfile_handle ${FUNCNAME[0]}.txt tmpfile_handle ${FUNCNAME[0]}.txt
return $success return $success
@ -8454,7 +8454,9 @@ run_server_defaults() {
# specifies TLSv1.1 and doesn't include a server name extension. # specifies TLSv1.1 and doesn't include a server name extension.
# So, for each public key type for which a certificate was found, # So, for each public key type for which a certificate was found,
# try again, but only with TLSv1.1 and without SNI. # try again, but only with TLSv1.1 and without SNI.
if [[ $n -ge 10 ]]; then if [[ $n -ne 2 ]] && [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
ciphers_to_test[n]=""
elif [[ $n -ge 10 ]]; then
ciphers_to_test[n]="" ciphers_to_test[n]=""
[[ ${success[n-9]} -eq 0 ]] && [[ $(has_server_protocol "tls1_1") -ne 1 ]] && \ [[ ${success[n-9]} -eq 0 ]] && [[ $(has_server_protocol "tls1_1") -ne 1 ]] && \
ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}" ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}"
@ -10127,7 +10129,8 @@ parse_sslv2_serverhello() {
"$parse_complete" || return $ret "$parse_complete" || return $ret
# not sure why we need this # not sure why we need this
rm -f $HOSTCERT $TEMPDIR/intermediatecerts.pem rm -f $HOSTCERT
> $TEMPDIR/intermediatecerts.pem
if [[ $ret -eq 3 ]]; then if [[ $ret -eq 3 ]]; then
certificate_len=2*$(hex2dec "$v2_hello_cert_length") certificate_len=2*$(hex2dec "$v2_hello_cert_length")
@ -11780,7 +11783,7 @@ parse_tls_serverhello() {
if [[ "$process_full" =~ all ]]; then if [[ "$process_full" =~ all ]]; then
# not sure why we need this # not sure why we need this
[[ -e "$HOSTCERT" ]] && rm "$HOSTCERT" [[ -e "$HOSTCERT" ]] && rm "$HOSTCERT"
[[ -e "$TEMPDIR/intermediatecerts.pem" ]] && rm "$TEMPDIR/intermediatecerts.pem" [[ -e "$TEMPDIR/intermediatecerts.pem" ]] && > "$TEMPDIR/intermediatecerts.pem"
fi fi
if [[ $tls_certificate_ascii_len -ne 0 ]]; then if [[ $tls_certificate_ascii_len -ne 0 ]]; then
# The first certificate is the server's certificate. If there are anything # The first certificate is the server's certificate. If there are anything