Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2817 from testssl/errormsg_2807

Browse Source 
Improve error message for sockets fail and Alpine
This commit is contained in:
Dirk Wetter
2025-06-29 17:06:01 +02:00
committed by GitHub
parent 9b1a7ae1f8 3792bceeda
commit 2829827cc2
1 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
testssl.sh
View File

@@ -22468,6 +22468,9 @@ sclient_auth() {
# (3) This is not a TLS/SSL enabled server. # (3) This is not a TLS/SSL enabled server.
# This information can be used by determine_optimal_proto() to help distinguish between a server # This information can be used by determine_optimal_proto() to help distinguish between a server
# that is not TLS/SSL enabled and one that is not compatible with the version of OpenSSL being used. # that is not TLS/SSL enabled and one that is not compatible with the version of OpenSSL being used.
# The function sets the global ALL_FAILED_SOCKETS. It is mandatory to be set to true unless the user
# wants to do pure openssl based tests.
#
determine_optimal_sockets_params() { determine_optimal_sockets_params() {
local -i ret1=1 ret2=1 ret3=1 local -i ret1=1 ret2=1 ret3=1
local i proto cipher_offered local i proto cipher_offered
@@ -22623,7 +22626,8 @@ determine_optimal_sockets_params() {
# This function determines (STARTTLS_)OPTIMAL_PROTO. It is basically a workaround function as under certain # This function determines (STARTTLS_)OPTIMAL_PROTO. It is basically a workaround function as under certain
# circumstances a ClientHello without specifying a protocol will fail. # circumstances a ClientHello without specifying a protocol will fail.
# Circumstances observed so far: 1.) IIS 6 and openssl 1.0.2 as opposed to 1.0.1 2.) starttls + dovecot imap. # Circumstances observed so far: 1.) IIS 6 and openssl 1.0.2 as opposed to 1.0.1 2.) starttls + dovecot imap.
# Independent on the server side it seems reasonable to to know upfront which protocol always works # Independent on the server side it seems reasonable to to know upfront which protocol always works.
# All clientHellos are openssl based here as opposed to determine_optimal_sockets_params() .
# #
# arg1: if empty: no STARTTLS, else: STARTTLS protocol # arg1: if empty: no STARTTLS, else: STARTTLS protocol
# The first try in the loop is empty as we prefer not to specify always a protocol if we can get along w/o it # The first try in the loop is empty as we prefer not to specify always a protocol if we can get along w/o it
@@ -22770,13 +22774,13 @@ determine_optimal_proto() {
elif ! "$HAS_SSL3" && [[ "$(has_server_protocol "ssl3")" -eq 0 ]] && [[ "$(has_server_protocol "tls1_3")" -ne 0 ]] && \ elif ! "$HAS_SSL3" && [[ "$(has_server_protocol "ssl3")" -eq 0 ]] && [[ "$(has_server_protocol "tls1_3")" -ne 0 ]] && \
[[ "$(has_server_protocol "tls1_2")" -ne 0 ]] && [[ "$(has_server_protocol "tls1_1")" -ne 0 ]] && [[ "$(has_server_protocol "tls1_2")" -ne 0 ]] && [[ "$(has_server_protocol "tls1_1")" -ne 0 ]] &&
[[ "$(has_server_protocol "tls1")" -ne 0 ]]; then [[ "$(has_server_protocol "tls1")" -ne 0 ]]; then
prln_magenta " $NODE:$PORT appears to support SSLv3 ONLY. You better use --openssl=<path_to_openssl_supporting_SSL_3>" prln_warning " $NODE:$PORT appears to support SSLv3 ONLY. You better use --openssl=<path_to_openssl_supporting_SSL_3>"
fileout "$jsonID" "WARN" "$NODE:$PORT appears to support SSLv3 ONLY, but $OPENSSL does not support SSLv3." fileout "$jsonID" "WARN" "$NODE:$PORT appears to support SSLv3 ONLY, but $OPENSSL does not support SSLv3."
ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes" ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes"
[[ $? -ne 0 ]] && exit $ERR_CLUELESS [[ $? -ne 0 ]] && exit $ERR_CLUELESS
MAX_OSSL_FAIL=10 MAX_OSSL_FAIL=10
else else
prln_bold " Your OpenSSL cannot connect to $NODEIP:$PORT" prln_warning " Your OpenSSL cannot connect to $NODEIP:$PORT"
fileout "$jsonID" "WARN" "Your OpenSSL cannot connect to $NODEIP:$PORT." fileout "$jsonID" "WARN" "Your OpenSSL cannot connect to $NODEIP:$PORT."
ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes" ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes"
[[ $? -ne 0 ]] && exit $ERR_CLUELESS [[ $? -ne 0 ]] && exit $ERR_CLUELESS
@@ -22795,12 +22799,13 @@ determine_optimal_proto() {
ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes" ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes"
[[ $? -ne 0 ]] && exit $ERR_CLUELESS [[ $? -ne 0 ]] && exit $ERR_CLUELESS
elif ! "$all_failed" && "$ALL_FAILED_SOCKETS" && ! "$SSL_NATIVE"; then elif ! "$all_failed" && "$ALL_FAILED_SOCKETS" && ! "$SSL_NATIVE"; then
# For some reason connecting with tls_sockets/sslv2_sockets didn't work, but connecting # Edge case: connecting with tls_sockets/sslv2_sockets didn't work, but connecting with $OPENSSL s_client did.
# with $OPENSSL s_client did. # See #2807
# FIXME: Should we include some sort of "please report" note here? prln_warning "This shouldn't happen (pls report): Testing $NODE:$PORT only succeeded using $OPENSSL."
prln_magenta " Testing with $NODE:$PORT only worked using $OPENSSL." prln_warning "But testssl.sh also needs bash sockets to perform its checks correctly.\n"
prln_magenta " Test results may be somewhat better if the --ssl-native option is used." outln "You can try to continue using the --ssl-native option but the results are likely not complete."
fileout "$jsonID" "WARN" "Testing with $NODE:$PORT only worked using $OPENSSL." outln "Or you can restart using --ssl-native with another openssl version (--openssl <PATH>)."
fileout "$jsonID" "WARN" "Sockets didn't work. Testing NODE:$PORT only succeeded using $OPENSSL."
ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes" ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
[[ $? -ne 0 ]] && exit $ERR_CLUELESS [[ $? -ne 0 ]] && exit $ERR_CLUELESS
fi fi