Fixes ssl-native and LOGJAM: no common primes

When testssl.sh was using -ssl-native and the local openssl version
didn't support any DH ciphers the deliberately lazy approach was to
not complete the second part of the test: check for common primes.
This is a FIX for issue #1016.
This commit is contained in:
Dirk 2018-03-17 15:40:28 +01:00
parent f6dc501aed
commit 377bde14cc


@ -12890,6 +12890,7 @@ run_logjam() {
local dh_p=""
local spaces=" "
local vuln_exportdh_ciphers=false
local openssl_no_dhciphers=false
local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
local comment="" str=""
local -i lineno_matched=0
@ -12912,9 +12913,8 @@ run_logjam() {
case $nr_supported_ciphers in
0) prln_local_problem "$OPENSSL doesn't have any DH EXPORT ciphers configured"
fileout "$jsonID" "WARN" "Not tested. $OPENSSL doesn't support any DH EXPORT ciphers" "$cve" "$cwe"
# we could continue here testing common primes but the logjam test would be not complete and it'd be misleading
#FIXME: with low priority this can be fixed
return 1
out "$spaces"
openssl_no_dhciphers=true
;;
1|2|3) addtl_warning=" ($magenta""tested w/ $nr_supported_ciphers/4 ciphers only!$off)" ;;
4) ;;
@ -13062,9 +13062,11 @@ run_logjam() {
out "Common prime with $len_dh_p bits detected: "; pr_italic "$comment"
fileout "$jsonID2" "INFO" "common prime \"$comment\" detected"
fi
outln ","
out "${spaces}but no DH EXPORT ciphers${addtl_warning}"
fileout "$jsonID" "OK" "not vulnerable, no DH EXPORT ciphers,$addtl_warning" "$cve" "$cwe"
if ! "$openssl_no_dhciphers"; then
outln ","
out "${spaces}but no DH EXPORT ciphers${addtl_warning}"
fileout "$jsonID" "OK" "not vulnerable, no DH EXPORT ciphers,$addtl_warning" "$cve" "$cwe"
fi
elif [[ $subret -eq 3 ]]; then
pr_svrty_good "not vulnerable (OK):"; out " no DH EXPORT ciphers${addtl_warning}"
fileout "$jsonID" "OK" "not vulnerable, no DH EXPORT ciphers,$addtl_warning" "$cve" "$cwe"
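Review bot: The `openssl_no_dhciphers` guard added in this hunk only covers the `$subret -eq 2` path; the `elif [[ $subret -eq 3 ]]` branch directly below still writes `fileout "$jsonID" "OK" "not vulnerable, no DH EXPORT ciphers..."`, so when the local openssl has no DH EXPORT ciphers (case `0)` in the earlier hunk, which now falls through instead of returning) and `$subret` ends up as 3, the same `$jsonID` is reported twice, once as WARN "Not tested" and once as OK — whether 3 is reachable in that situation depends on how `$subret` is set outside the visible lines. The same guard belongs there: `if ! "$openssl_no_dhciphers"; then fileout "$jsonID" "OK" "not vulnerable, no DH EXPORT ciphers,$addtl_warning" "$cve" "$cwe"; fi`. The WARN text emitted in case `0)`, `"Not tested. $OPENSSL doesn't support any DH EXPORT ciphers"`, is now inaccurate because the common-prime half of the check does run; something like `"DH EXPORT ciphers not tested ($OPENSSL doesn't support any), common primes checked only"` describes the new behaviour. run_logjam starts and ends outside the hunks shown.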