diff --git a/testssl.sh b/testssl.sh
index 3b8e34c..002d729 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -9319,20 +9319,25 @@ run_ssl_poodle() {
 local cve="CVE-2014-3566"
 local cwe="CWE-310"
 local hint=""
+ local -i nr_cbc_ciphers=0
 local using_sockets=true
- "$SSL_NATIVE" && using_sockets=false
-
 [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln
 pr_bold " POODLE, SSL"; out " ($cve) "
+
+ "$SSL_NATIVE" && using_sockets=false
+ # The openssl binary distributed has almost everything we need (PSK and KRB5 ciphers are typically missing).
+ # Measurements show that there's little impact whether we use sockets or TLS here, so the default is sockets here
 if "$using_sockets"; then
 tls_sockets "00" "$cbc_ciphers_hex"
 sclient_success=$?
 else
- locally_supported "-ssl3" || return 0
- cbc_ciphers=$(actually_supported_ciphers $cbc_ciphers)
-
- debugme echo $cbc_ciphers
+ if ! "$HAS_SSL3"; then
+ local_problem_ln "Your $OPENSSL doesn't support SSLv3"
+ return 1
+ fi
+ nr_cbc_ciphers=$(count_ciphers $cbc_ciphers)
+ nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $cbc_ciphers))
 $OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE