Fix run_server_defaults() for SSLv2-only servers
This PR makes a few improvements to run_server_defaults() when run on an SSLv2-only server. First, it uses sslv2_sockets() to test the server rather than $OPENSSL, so that it will work even if $OPENSSL does not support SSLv2. Second, it changes run_server_defaults() to only call get_server_certificate() once if $OPTIMAL_PROTO is -ssl2, since calling more than once is a waste - SSLv2 only supports ciphers that use RSA key exchange. Finally, as some code assumes that $TEMPDIR/intermediatecerts.pem will exist, even if it is empty, this PR changes a couple of places that delete $TEMPDIR/intermediatecerts.pem to instead make the file empty.
This commit is contained in:
parent
5d1109a582
commit
1cf796fd36
19
testssl.sh
19
testssl.sh
|
@ -7005,11 +7005,11 @@ get_server_certificate() {
|
||||||
success=7
|
success=7
|
||||||
|
|
||||||
if [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
|
if [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
|
||||||
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY -ssl2 </dev/null 2>$ERRFILE >$TMPFILE
|
success=1
|
||||||
sclient_connect_successful $? $TMPFILE && success=0
|
sslv2_sockets "" "true"
|
||||||
if [[ $success -eq 0 ]]; then
|
if [[ $? -eq 3 ]]; then
|
||||||
extract_certificates "ssl2"
|
mv $TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt $TMPFILE
|
||||||
success=$?
|
success=0
|
||||||
fi
|
fi
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return $success
|
return $success
|
||||||
|
@ -8454,7 +8454,9 @@ run_server_defaults() {
|
||||||
# specifies TLSv1.1 and doesn't include a server name extension.
|
# specifies TLSv1.1 and doesn't include a server name extension.
|
||||||
# So, for each public key type for which a certificate was found,
|
# So, for each public key type for which a certificate was found,
|
||||||
# try again, but only with TLSv1.1 and without SNI.
|
# try again, but only with TLSv1.1 and without SNI.
|
||||||
if [[ $n -ge 10 ]]; then
|
if [[ $n -ne 2 ]] && [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
|
||||||
|
ciphers_to_test[n]=""
|
||||||
|
elif [[ $n -ge 10 ]]; then
|
||||||
ciphers_to_test[n]=""
|
ciphers_to_test[n]=""
|
||||||
[[ ${success[n-9]} -eq 0 ]] && [[ $(has_server_protocol "tls1_1") -ne 1 ]] && \
|
[[ ${success[n-9]} -eq 0 ]] && [[ $(has_server_protocol "tls1_1") -ne 1 ]] && \
|
||||||
ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}"
|
ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}"
|
||||||
|
@ -10127,7 +10129,8 @@ parse_sslv2_serverhello() {
|
||||||
"$parse_complete" || return $ret
|
"$parse_complete" || return $ret
|
||||||
|
|
||||||
# not sure why we need this
|
# not sure why we need this
|
||||||
rm -f $HOSTCERT $TEMPDIR/intermediatecerts.pem
|
rm -f $HOSTCERT
|
||||||
|
> $TEMPDIR/intermediatecerts.pem
|
||||||
if [[ $ret -eq 3 ]]; then
|
if [[ $ret -eq 3 ]]; then
|
||||||
certificate_len=2*$(hex2dec "$v2_hello_cert_length")
|
certificate_len=2*$(hex2dec "$v2_hello_cert_length")
|
||||||
|
|
||||||
|
@ -11780,7 +11783,7 @@ parse_tls_serverhello() {
|
||||||
if [[ "$process_full" =~ all ]]; then
|
if [[ "$process_full" =~ all ]]; then
|
||||||
# not sure why we need this
|
# not sure why we need this
|
||||||
[[ -e "$HOSTCERT" ]] && rm "$HOSTCERT"
|
[[ -e "$HOSTCERT" ]] && rm "$HOSTCERT"
|
||||||
[[ -e "$TEMPDIR/intermediatecerts.pem" ]] && rm "$TEMPDIR/intermediatecerts.pem"
|
[[ -e "$TEMPDIR/intermediatecerts.pem" ]] && > "$TEMPDIR/intermediatecerts.pem"
|
||||||
fi
|
fi
|
||||||
if [[ $tls_certificate_ascii_len -ne 0 ]]; then
|
if [[ $tls_certificate_ascii_len -ne 0 ]]; then
|
||||||
# The first certificate is the server's certificate. If there are anything
|
# The first certificate is the server's certificate. If there are anything
|
||||||
|
|
Loading…
Reference in New Issue