From 5b0b771c5267c991be59b9777f9752fa4122c948 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Sun, 5 Oct 2025 18:19:41 +0200 Subject: [PATCH 1/2] Define vars for early data It seems needed to introduce two variables for upcoming early data tests, see #1186. This is not needed for OpenSSL as it introduced that together with TLS 1.3. For LibreSSL it is though.
---
 testssl.sh | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 7693eee..8ff14b3 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -342,6 +342,8 @@ HAS_TLS12=false
 HAS_TLS13=false
 HAS_QUIC=false
 HAS2_QUIC=false # for automagically determined second OPENSSL version
+HAS_EARLYDATA=false
+HAS2_EARLYDATA=false
 HAS_X448=false
 HAS_X25519=false
 HAS_SIGALGS=false
@@ -21125,17 +21127,24 @@ find_openssl_binary() { $OPENSSL s_client -tls1_3 -sigalgs PSS+SHA256:PSS+SHA384 $NXCONNECT &1 | grep -aiq "unknown option" || HAS_SIGALGS=true fi + #reminder: at some point of time we should check $OPENSSL first, then $OPENSSL2 if [[ -x $OPENSSL2 ]] && OPENSSL_CONF='' $OPENSSL2 s_client -quic 2>&1 | grep -qi 'QUIC requires ALPN'; then - HAS2_QUIC="true" - elif OPENSSL_CONF='' $OPENSSL s_client -quic 2>&1 | grep -qi 'QUIC requires ALPN'; then - HAS_QUIC="true" + HAS2_QUIC=true + elif $OPENSSL s_client -quic 2>&1 | grep -qi 'QUIC requires ALPN'; then + HAS_QUIC=true + fi + + # Kind of fine this way as openssl 1.1.1 supports early_data, came with tls 1.3 + if $OPENSSL s_client --help 2>&1 | grep -q early_data ; then + HAS_EARLYDATA=true + elif if OPENSSL_CONF='' $OPENSS2 s_client --help 2>&1 | grep -q early_data ; then + HAS2_EARLYDATA=true fi $OPENSSL s_client -noservername &1 | grep -aiq "unknown option" || HAS_NOSERVERNAME=true $OPENSSL s_client -ciphersuites &1 | grep -aiq "unknown option" || HAS_CIPHERSUITES=true $OPENSSL s_client -comp &1 | grep -aiq "unknown option" || HAS_COMP=true $OPENSSL s_client -no_comp &1 | grep -aiq "unknown option" || HAS_NO_COMP=true - $OPENSSL ciphers @SECLEVEL=0:ALL > /dev/null 2> /dev/null && HAS_SECLEVEL=true OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')") From ffa1ffdbb3587a27a80e1f656c37c12102f35b83 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Sun, 5 Oct 2025 20:16:39 +0200 Subject: [PATCH 2/2] fix syntax --- testssl.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8ff14b3..fe99d89 100755 --- a/testssl.sh +++ b/testssl.sh 
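Review bot: In the added early-data probe, the `elif` line invokes `$OPENSS2`, which is not the `$OPENSSL2` variable used by the QUIC probe a few lines above; an unset name expands to nothing, so the shell tries to run `s_client` as a command and `HAS2_EARLYDATA` can never become true. The hunk in PATCH 2/2 removes the stray `if` but keeps the same misspelling. The branch also lacks the `[[ -x $OPENSSL2 ]]` guard the QUIC probe has; I would write `elif [[ -x $OPENSSL2 ]] && OPENSSL_CONF='' $OPENSSL2 s_client -help 2>&1 | grep -q early_data; then`. Since this flag presumably gates the upcoming early-data (0-RTT) checks, a probe that cannot succeed would leave that check silently skipped for the second binary. find_openssl_binary() starts and ends outside the hunk.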
@@ -21135,9 +21135,9 @@ find_openssl_binary() { fi # Kind of fine this way as openssl 1.1.1 supports early_data, came with tls 1.3 - if $OPENSSL s_client --help 2>&1 | grep -q early_data ; then + if $OPENSSL s_client -help 2>&1 | grep -q early_data ; then HAS_EARLYDATA=true - elif if OPENSSL_CONF='' $OPENSS2 s_client --help 2>&1 | grep -q early_data ; then + elif OPENSSL_CONF='' $OPENSS2 s_client --help 2>&1 | grep -q early_data ; then HAS2_EARLYDATA=true fi
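Review bot: The `elif` line still passes `--help` while the `if` line above it was changed to `-help`, so the two binaries are probed with different spellings of the same option. If the double dash was a problem for one s_client build it is likely one for the other, so use `s_client -help` in both branches. The `$OPENSSL` probe also runs without `OPENSSL_CONF=''` while the `elif` sets it; a short comment saying whether that difference is intended would help. find_openssl_binary() starts and ends outside the hunk.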