From 37c6d78bfa1e30020664b8068f995b94cdf2ad68 Mon Sep 17 00:00:00 2001
From: Dirk Wetter <dirk@testssl.sh>
Date: Wed, 2 Feb 2022 12:20:06 +0100
Subject: [PATCH] Fix Darwin / LibreSSL startup problem (3.0)

This PR addresses a bug where a user encountered the question "The results
might look ok but they could be nonsense. Really proceed".

That happened under Darwin and probably some LibreSSL versions when
checking some hosts. sclient_auth() returned 1 indicating no SSL/TLS
handshake could be established.

This PR modifies sclient_auth() so that in those cases 0 is returned by
skipping the check for the session ID. As NO_SSL_SESSIONID needs to
be set when there's no session ID. This is done separately.

This fixes #2052 for 3.0
---
 testssl.sh | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 19eab50..6bb59ab 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -18317,26 +18317,30 @@ check_proxy() {
 }
 
 
-# this is only being called from determine_optimal_proto in order to check whether we have a server
-# with client authentication, a server with no SSL session ID switched off
+# This is only being called from determine_optimal_proto() in order to check whether we have a server with
+# client authentication, a server with no SSL session ID switched off -- and as the name indicates a protocol.
+# ARG1 is the return value of openssl s_client connect. (Darwin or LibreSSL may return 1 here)
+# ARG2 is the file name containing the server hello
 #
 sclient_auth() {
-     [[ $1 -eq 0 ]] && return 0                                            # no client auth (CLIENT_AUTH=false is preset globally)
-     if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then           # connect succeeded
-          if grep -q '^<<< .*CertificateRequest' "$2"; then                # CertificateRequest message in -msg
-               CLIENT_AUTH=true
-               return 0
-          fi
-          if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then      # probably no SSL session
-               if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then            # do another sanity check to be sure
+     local -i ret=1
+
+     if [[ $1 -eq 0 ]] ; then
+          ret=0                                                            # no client auth (CLIENT_AUTH=false is preset globally)
+     else
+          if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then      # connect succeeded
+               if grep -q '^<<< .*CertificateRequest' "$2"; then           # CertificateRequest message in -msg
+                    CLIENT_AUTH=true
+                    ret=0
+               elif [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then          # do another sanity check to be sure
                     CLIENT_AUTH=false
-                    NO_SSL_SESSIONID=true                                  # NO_SSL_SESSIONID is preset globally to false for all other cases
-                    return 0
+                    ret=0
                fi
           fi
      fi
-     # what's left now is: master key empty, handshake returned not successful, session ID empty --> not successful
-     return 1
+     [[ $ret -eq 0 ]] && \
+          [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]] && NO_SSL_SESSIONID=true # NO_SSL_SESSIONID is preset globally first
+     return $ret
 }
 
 # Determine the best parameters to use with tls_sockets():