Fix Darwin / LibreSSL startup problem (3.0)

This PR addresses a bug where a user encountered the question "The results
might look ok but they could be nonsense. Really proceed".

That happened under Darwin and probably some LibreSSL versions when
checking some hosts. sclient_auth() returned 1 indicating no SSL/TLS
handshake could be established.

This PR modifies sclient_auth() so that 0 is returned in those cases by
skipping the check for the session ID. Since NO_SSL_SESSIONID still needs
to be set when there's no session ID, that is now done separately.

This fixes #2052 for 3.0
Dirk Wetter 2022-02-02 12:20:06 +01:00
parent 1809595576
commit 37c6d78bfa


@ -18317,26 +18317,30 @@ check_proxy() {
} }
# this is only being called from determine_optimal_proto in order to check whether we have a server # This is only being called from determine_optimal_proto() in order to check whether we have a server with
# with client authentication, a server with no SSL session ID switched off # client authentication, a server with no SSL session ID switched off -- and as the name indicates a protocol.
# ARG1 is the return value of openssl s_client connect. (Darwin or LibreSSL may return 1 here)
# ARG2 is the file name containing the server hello
# #
sclient_auth() { sclient_auth() {
[[ $1 -eq 0 ]] && return 0 # no client auth (CLIENT_AUTH=false is preset globally) local -i ret=1
if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then # connect succeeded
if grep -q '^<<< .*CertificateRequest' "$2"; then # CertificateRequest message in -msg if [[ $1 -eq 0 ]] ; then
CLIENT_AUTH=true ret=0 # no client auth (CLIENT_AUTH=false is preset globally)
return 0 else
fi if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then # connect succeeded
if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session if grep -q '^<<< .*CertificateRequest' "$2"; then # CertificateRequest message in -msg
if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then # do another sanity check to be sure CLIENT_AUTH=true
ret=0
elif [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then # do another sanity check to be sure
CLIENT_AUTH=false CLIENT_AUTH=false
NO_SSL_SESSIONID=true # NO_SSL_SESSIONID is preset globally to false for all other cases ret=0
return 0
fi fi
fi fi
fi fi
# what's left now is: master key empty, handshake returned not successful, session ID empty --> not successful [[ $ret -eq 0 ]] && \
return 1 [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]] && NO_SSL_SESSIONID=true # NO_SSL_SESSIONID is preset globally first
return $ret
} }
# Determine the best parameters to use with tls_sockets(): # Determine the best parameters to use with tls_sockets():
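Review bot: The new `if [[ $1 -eq 0 ]] ; then` still treats an empty or non-numeric ARG1 as a successful handshake, because `-eq` inside `[[ ]]` evaluates its operands arithmetically and an empty string (or an unset variable name) comes out as 0; with the Master-Key and CertificateRequest checks now confined to the `else` branch, a caller passing a blank exit status gets `ret=0` without any look at the server hello file. Since the new header comment documents ARG1 as the exit status of openssl s_client, I would fail closed on anything else with a guard right after `local -i ret=1`: `[[ $1 =~ ^[0-9]+$ ]] || return $ret`. Note also that the trailing `[[ $ret -eq 0 ]] && [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]] && NO_SSL_SESSIONID=true` now runs for the `$1 -eq 0` path as well, where the old code never touched NO_SSL_SESSIONID; whether determine_optimal_proto() depends on that is not visible here, so a comment on that line making the widening explicit would help, e.g. `# also applies when s_client itself succeeded; the old code only set this on the fallback path`. The whole body of sclient_auth() is within this hunk.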