Fix #2138
This commit fixes #2138 by having testssl.sh not wrap early JSON findings in a clientProblem object if the finding is created by a mass testing child and all findings are being placed in a common file. It also sets FIRST_FINDING to true in case another finding is written before the "service" information is written. Since fileout_insert_warning() adds a comma after the finding is written, the JSON can become corrupted in mass testing if a clientProblem finding is written and then no additional findings are written for that test. In order to try to prevent this, the commit adds several fileout() calls to determine_optimal_proto() in cases in which testssl.sh might exit before testing begins.
This commit is contained in:
parent
b6c18f5e4e
commit
3d0dab4da3
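--- a/testssl.sh
+++ b/testssl.sh
@@ -1301,15 +1301,20 @@ fileout_insert_warning() {
 [[ "$CMDLINE=" =~ -iL ]] && return 0
 # Note we still have the message on screen + in HTML which is not as optimal as it could be
 
-if "$do_pretty_json"; then
+if "$do_pretty_json" && "$JSONHEADER"; then
 echo -e " \"clientProblem${CLIENT_PROB_NO}\" : [" >>"$JSONFILE"
 CLIENT_PROB_NO=$((CLIENT_PROB_NO + 1))
 FIRST_FINDING=true # make sure we don't have a comma here
 fi
 fileout "$1" "$2" "$3"
 if "$do_pretty_json"; then
-echo -e "\n ]," >>"$JSONFILE"
+if "$JSONHEADER"; then
+echo -e "\n ]," >>"$JSONFILE"
+else
+echo -e ", " >>"$JSONFILE"
+fi
 fi
+FIRST_FINDING=true
 }
 
 fileout_csv_finding() {
@@ -21214,6 +21219,7 @@ determine_optimal_proto() {
 local all_failed=true
 local tmp=""
 local proto optimal_proto
+local jsonID="optimal_proto"
 
 "$do_tls_sockets" && return 0
 
@@ -21328,6 +21334,7 @@ determine_optimal_proto() {
 
 if [[ "$optimal_proto" == -ssl2 ]]; then
 prln_magenta "$NODEIP:$PORT appears to only support SSLv2."
+fileout "$jsonID" "WARN" "$NODEIP:$PORT appears to only support SSLv2."
 ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
 [[ $? -ne 0 ]] && exit $ERR_CLUELESS
 elif "$all_failed" && ! "$ALL_FAILED_SOCKETS"; then
@@ -21335,6 +21342,7 @@ determine_optimal_proto() {
 pr_magenta " $NODE:$PORT appears to support TLS 1.3 ONLY. You better use --openssl=<path_to_openssl_supporting_TLS_1.3>"
 if ! "$OSSL_SHORTCUT" || [[ ! -x /usr/bin/openssl ]] || /usr/bin/openssl s_client -tls1_3 2>&1 | grep -aiq "unknown option"; then
 outln
+fileout "$jsonID" "WARN" "$NODE:$PORT appears to support TLS 1.3 ONLY, but $OPENSSL does not support TLS 1.3"
 ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes"
 [[ $? -ne 0 ]] && exit $ERR_CLUELESS
 MAX_OSSL_FAIL=10
@@ -21351,11 +21359,13 @@ determine_optimal_proto() {
 [[ "$(has_server_protocol "tls1_2")" -ne 0 ]] && [[ "$(has_server_protocol "tls1_1")" -ne 0 ]] &&
 [[ "$(has_server_protocol "tls1")" -ne 0 ]]; then
 prln_magenta " $NODE:$PORT appears to support SSLv3 ONLY. You better use --openssl=<path_to_openssl_supporting_SSL_3>"
+fileout "$jsonID" "WARN" "$NODE:$PORT appears to support SSLv3 ONLY, but $OPENSSL does not support SSLv3."
 ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes"
 [[ $? -ne 0 ]] && exit $ERR_CLUELESS
 MAX_OSSL_FAIL=10
 else
 prln_bold " Your OpenSSL cannot connect to $NODEIP:$PORT"
+fileout "$jsonID" "WARN" "Your OpenSSL cannot connect to $NODEIP:$PORT."
 ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes"
 [[ $? -ne 0 ]] && exit $ERR_CLUELESS
 fi
@@ -21363,8 +21373,10 @@ determine_optimal_proto() {
 outln
 if "$HAS_IPv6"; then
 pr_bold " Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT "
+fileout "$jsonID" "WARN" "Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server."
 else
 pr_bold " $NODEIP:$PORT "
+fileout "$jsonID" "WARN" "$NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server."
 fi
 tmpfile_handle ${FUNCNAME[0]}.txt
 prln_bold "doesn't seem to be a TLS/SSL enabled server";
@@ -21376,6 +21388,7 @@ determine_optimal_proto() {
 # FIXME: Should we include some sort of "please report" note here?
 prln_magenta " Testing with $NODE:$PORT only worked using $OPENSSL."
 prln_magenta " Test results may be somewhat better if the --ssl-native option is used."
+fileout "$jsonID" "WARN" "Testing with $NODE:$PORT only worked using $OPENSSL."
 ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
 [[ $? -ne 0 ]] && exit $ERR_CLUELESS
 fi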
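Review bot: The `else` branch added to fileout_insert_warning() writes `, ` after the finding whenever `$JSONHEADER` is false, and the new `FIRST_FINDING=true` after the closing `fi` then suppresses the leading comma of whatever is written next; as the commit message itself states, if nothing follows, the shared JSON file is left with a dangling separator and is invalid. Emitting the separator eagerly is the fragile half of that contract: if fileout_json_finding() (outside this hunk) already prefixes a comma when FIRST_FINDING is false, the trailing `echo -e ", " >>"$JSONFILE"` and the unconditional `FIRST_FINDING=true` could be dropped and the next finding would supply its own separator, which cannot corrupt the file — worth confirming against that function before relying on the extra fileout() calls as the only safeguard. The determine_optimal_proto() hunks cover the exit paths visible here, but any other path on which a mass-testing child exits after a clientProblem finding and before its first regular finding remains uncovered, so a comment on the `else` branch such as `# mass-testing child sharing one JSON file: no clientProblem wrapper, and a further finding must follow or the file is left invalid` would record the invariant for the next maintainer. Unrelated but adjacent, the context line `[[ "$CMDLINE=" =~ -iL ]]` expands to the command line plus a literal `=`, harmless for this regex match but presumably a typo. fileout_insert_warning() begins outside the hunk.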