From 3c97412a61f70749c1e0d770bf365aa3c6a8e780 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 28 Oct 2020 11:45:41 +0100 Subject: [PATCH] Address complaint by Travis + RC4 SSLv2 ciphers shortcut Despite the fact google doesn't support RC4 ciphers, testssl.sh called sslv2_sockets(). Google answered with a >= TLS alert. Building a sum then failed then in sslv2_sockets(). This fixes sslv2_sockets() and introduces count_chars() as a helper function (tested also under old FreeBSD to make sure it works under MacOSX). Also it adds a shortcut: if we are sure we don't have sslv2 we don't need to test any RC4 SSLv2 ciphers --- testssl.sh | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/testssl.sh b/testssl.sh index 07c5ed4..157d1b9 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1250,6 +1250,10 @@ strip_inconsistent_ciphers() { return 0 } +count_chars() { + echo $(wc -c <<< "$1") +} + newline_to_spaces() { tr '\n' ' ' <<< "$1" | sed 's/ $//' } @@ -12825,8 +12829,8 @@ sslv2_sockets() { if "$parse_complete"; then if [[ -s "$SOCK_REPLY_FILE" ]]; then server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") - server_hello_len=2 + $(hex2dec "${server_hello:1:3}") - response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }') + server_hello_len=$((2 + $(hex2dec "${server_hello:1:3}") )) + response_len=$(count_chars "$SOCK_REPLY_FILE") for (( 1; response_len < server_hello_len; 1 )); do sock_reply_file2=${SOCK_REPLY_FILE}.2 mv "$SOCK_REPLY_FILE" "$sock_reply_file2" @@ -12838,7 +12842,7 @@ sslv2_sockets() { [[ ! -s "$SOCK_REPLY_FILE" ]] && break cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2" mv "$sock_reply_file2" "$SOCK_REPLY_FILE" - response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }') + response_len=$(count_chars "$SOCK_REPLY_FILE") done fi fi @@ -12856,6 +12860,7 @@ sslv2_sockets() { return $ret } + # arg1: supported groups extension # arg2: "all" - process full response (including Certificate and certificate_status handshake messages) # "ephemeralkey" - extract the server's ephemeral key (if any) @@ -15914,7 +15919,8 @@ run_rc4() { return 0 fi - # get a list of all the cipher suites to test + # Get a list of all the cipher suites to test. #FIXME: This is rather ineffective as RC4 ciphers won't change. + # We should instead build a fixed list here like @ other functions if "$using_sockets" || [[ $OSSL_VER_MAJOR -lt 1 ]]; then for (( i=0; i < TLS_NR_CIPHERS; i++ )); do if [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ RC4 ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then @@ -15969,7 +15975,7 @@ run_rc4() { done < <($OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) fi - if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]]; then + if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then sslv2_sockets "${sslv2_ciphers_hex:2}" "true" if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")" @@ -15982,7 +15988,7 @@ run_rc4() { fi done fi - elif "$HAS_SSL2" && [[ -n "$sslv2_ciphers_ossl" ]]; then + elif "$HAS_SSL2" && [[ -n "$sslv2_ciphers_ossl" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then $OPENSSL s_client -cipher "${sslv2_ciphers_ossl:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE