This commit fixes #1433 by adding "@SECLEVEL=0" to the "$OPENSSL s_client" and "$OPENSSL ciphers" command lines if that option is supported. Adding this option configures OpenSSL to support some weak ciphers that it would not use in the default configuration.
This commit is contained in:
David Cooper 2020-05-06 08:43:13 -04:00
parent 693cb216f7
commit 329ba95d5b
1 changed files with 24 additions and 7 deletions

View File

@ -312,6 +312,7 @@ HAS_PKEY=false
HAS_NO_SSL2=false
HAS_NOSERVERNAME=false
HAS_CIPHERSUITES=false
HAS_SECLEVEL=false
HAS_COMP=false
HAS_NO_COMP=false
HAS_ALPN=false
@ -870,15 +871,17 @@ is_ipv6addr() {
#arg2: TLS 1.3 ciphers
#arg3: options (e.g., -V)
actually_supported_osslciphers() {
local ciphers="$1"
local tls13_ciphers="$TLS13_OSSL_CIPHERS"
[[ "$2" != ALL ]] && tls13_ciphers="$2"
"$HAS_SECLEVEL" && [[ -n "$ciphers" ]] && ciphers="@SECLEVEL=0:$1"
if "$HAS_CIPHERSUITES"; then
$OPENSSL ciphers $3 $OSSL_CIPHERS_S -ciphersuites "$tls13_ciphers" "$1" 2>/dev/null || echo ""
$OPENSSL ciphers $3 $OSSL_CIPHERS_S -ciphersuites "$tls13_ciphers" "$ciphers" 2>/dev/null || echo ""
elif [[ -n "$tls13_ciphers" ]]; then
$OPENSSL ciphers $3 $OSSL_CIPHERS_S "$tls13_ciphers:$1" 2>/dev/null || echo ""
$OPENSSL ciphers $3 $OSSL_CIPHERS_S "$tls13_ciphers:$ciphers" 2>/dev/null || echo ""
else
$OPENSSL ciphers $OSSL_CIPHERS_S $3 "$1" 2>/dev/null || echo ""
$OPENSSL ciphers $OSSL_CIPHERS_S $3 "$ciphers" 2>/dev/null || echo ""
fi
}
@ -2121,6 +2124,13 @@ s_client_options() {
options+=" -no_tls1_3"
fi
if "$HAS_SECLEVEL"; then
if [[ "$ciphers" == notpresent ]]; then
[[ ! " $options " =~ \ -tls1_3\ ]] && ciphers="@SECLEVEL=0:ALL:COMPLEMENTOFALL"
else
ciphers="@SECLEVEL=0:$ciphers"
fi
fi
if [[ "$ciphers" != notpresent ]] || [[ "$tls13_ciphers" != notpresent ]]; then
if ! "$HAS_CIPHERSUITES"; then
[[ "$ciphers" == notpresent ]] && ciphers=""
@ -5717,15 +5727,17 @@ run_protocols() {
listciphers() {
local -i ret
local debugname=""
local ciphers="$1"
local tls13_ciphers="$TLS13_OSSL_CIPHERS"
[[ "$2" != ALL ]] && tls13_ciphers="$2"
"$HAS_SECLEVEL" && [[ -n "$ciphers" ]] && ciphers="@SECLEVEL=0:$1"
if "$HAS_CIPHERSUITES"; then
$OPENSSL ciphers $OSSL_CIPHERS_S $3 -ciphersuites "$tls13_ciphers" "$1" &>$TMPFILE
$OPENSSL ciphers $OSSL_CIPHERS_S $3 -ciphersuites "$tls13_ciphers" "$ciphers" &>$TMPFILE
elif [[ -n "$tls13_ciphers" ]]; then
$OPENSSL ciphers $OSSL_CIPHERS_S $3 "$tls13_ciphers:$1" &>$TMPFILE
$OPENSSL ciphers $OSSL_CIPHERS_S $3 "$tls13_ciphers:$ciphers" &>$TMPFILE
else
$OPENSSL ciphers $OSSL_CIPHERS_S $3 "$1" &>$TMPFILE
$OPENSSL ciphers $OSSL_CIPHERS_S $3 "$ciphers" &>$TMPFILE
fi
ret=$?
debugme cat $TMPFILE
@ -16080,7 +16092,7 @@ run_ssl_poodle() {
nr_cbc_ciphers=$(count_ciphers $cbc_ciphers)
nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $cbc_ciphers))
# SNI not needed as SSLv3 has none:
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
$OPENSSL s_client $(s_client_options "-ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
sclient_success=$?
[[ "$DEBUG" -eq 2 ]] && grep -Eq "error|failure" $ERRFILE | grep -Eav "unable to get local|verify error"
@ -18214,6 +18226,7 @@ find_openssl_binary() {
HAS_NO_SSL2=false
HAS_NOSERVERNAME=false
HAS_CIPHERSUITES=false
HAS_SECLEVEL=false
HAS_COMP=false
HAS_NO_COMP=false
HAS_CURVES=false
@ -18265,6 +18278,9 @@ find_openssl_binary() {
$OPENSSL s_client -ciphersuites -connect invalid. 2>&1 | grep -aiq "unknown option" || \
HAS_CIPHERSUITES=true
$OPENSSL ciphers @SECLEVEL=0:ALL > /dev/null 2> /dev/null
[[ $? -eq 0 ]] && HAS_SECLEVEL=true
$OPENSSL s_client -comp -connect invalid. 2>&1 | grep -aiq "unknown option" || \
HAS_COMP=true
@ -18634,6 +18650,7 @@ HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
HAS_COMP: $HAS_COMP
HAS_NO_COMP: $HAS_NO_COMP
HAS_CIPHERSUITES: $HAS_CIPHERSUITES
HAS_SECLEVEL: $HAS_SECLEVEL
HAS_PKEY: $HAS_PKEY
HAS_PKUTIL: $HAS_PKUTIL
HAS_PROXY: $HAS_PROXY