mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
SSLv2 fixes for determine_optimal_proto()
This PR makes three changes to `determine_optimal_proto()`: * It no longer tries an empty string for `$OPTIMAL_PROTO` twice. * It does not include `-servername` for `-ssl2` or `-ssl3`, since some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options. * It displays a warning if `$OPTIMAL_PROTO` is `-ssl2`, since some tests in testssl.sh will not work correctly for SSLv2-only servers.
This commit is contained in:
parent
5a763ff8e1
commit
23d311b1fc
10
testssl.sh
10
testssl.sh
@ -7811,7 +7811,7 @@ sclient_auth() {
|
|||||||
#
|
#
|
||||||
determine_optimal_proto() {
|
determine_optimal_proto() {
|
||||||
local all_failed
|
local all_failed
|
||||||
local addcmd=""
|
local sni=""
|
||||||
|
|
||||||
#TODO: maybe query known openssl version before this workaround. 1.0.1 doesn't need this
|
#TODO: maybe query known openssl version before this workaround. 1.0.1 doesn't need this
|
||||||
|
|
||||||
@ -7829,8 +7829,9 @@ determine_optimal_proto() {
|
|||||||
done
|
done
|
||||||
debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
|
debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
|
||||||
else
|
else
|
||||||
for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2 ''; do
|
for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
|
||||||
$OPENSSL s_client $OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI </dev/null >$TMPFILE 2>>$ERRFILE
|
[[ "$OPTIMAL_PROTO" =~ ssl ]] && sni="" || sni=$SNI
|
||||||
|
$OPENSSL s_client $OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $sni </dev/null >$TMPFILE 2>>$ERRFILE
|
||||||
if sclient_auth $? $TMPFILE; then
|
if sclient_auth $? $TMPFILE; then
|
||||||
all_failed=1
|
all_failed=1
|
||||||
break
|
break
|
||||||
@ -7838,6 +7839,9 @@ determine_optimal_proto() {
|
|||||||
all_failed=0
|
all_failed=0
|
||||||
done
|
done
|
||||||
debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
|
debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
|
||||||
|
pr_warningln "$NODEIP:$PORT appears to only support SSLv2."
|
||||||
|
ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
|
||||||
|
[[ $? -ne 0 ]] && exit -2
|
||||||
fi
|
fi
|
||||||
grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190
|
grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user