manually resolved conflict from #839 + change it to new logic
This commit is contained in:
parent
f3dc53f554
commit
411accb66d
33
testssl.sh
33
testssl.sh
|
@ -3972,16 +3972,21 @@ run_prototest_openssl() {
|
||||||
# arg1: protocol
|
# arg1: protocol
|
||||||
# arg2: available (yes) or not (no)
|
# arg2: available (yes) or not (no)
|
||||||
add_tls_offered() {
|
add_tls_offered() {
|
||||||
|
<<<<<<< HEAD
|
||||||
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
|
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
|
||||||
# the ":" is mandatory here (and @ other palces), otherwise e.g. tls1 will match tls1_2
|
# the ":" is mandatory here (and @ other palces), otherwise e.g. tls1 will match tls1_2
|
||||||
:
|
:
|
||||||
else
|
else
|
||||||
PROTOS_OFFERED+="${1}:$2 "
|
PROTOS_OFFERED+="${1}:$2 "
|
||||||
fi
|
fi
|
||||||
|
=======
|
||||||
|
[[ "$PROTOS_OFFERED" =~ "$1 " ]] || PROTOS_OFFERED+="$1 "
|
||||||
|
>>>>>>> af15bd0f002c0523579b3807949fa54c05c793e3
|
||||||
}
|
}
|
||||||
|
|
||||||
# function which checks whether SSLv2 - TLS 1.2 is being offereed, see add_tls_offered()
|
# function which checks whether SSLv2 - TLS 1.2 is being offereed, see add_tls_offered()
|
||||||
has_server_protocol() {
|
has_server_protocol() {
|
||||||
|
<<<<<<< HEAD
|
||||||
local proto_val_pair
|
local proto_val_pair
|
||||||
|
|
||||||
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
|
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
|
||||||
|
@ -3999,6 +4004,9 @@ has_server_protocol() {
|
||||||
else
|
else
|
||||||
# if empty echo 2, hinting to the caller to check at additional cost/connect
|
# if empty echo 2, hinting to the caller to check at additional cost/connect
|
||||||
echo 2
|
echo 2
|
||||||
|
=======
|
||||||
|
if [[ "$PROTOS_OFFERED" =~ "$1 " ]]; then
|
||||||
|
>>>>>>> af15bd0f002c0523579b3807949fa54c05c793e3
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -4881,6 +4889,7 @@ run_server_preference() {
|
||||||
cipher[i]=""
|
cipher[i]=""
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
[[ -n "${cipher[i]}" ]] && add_tls_offered "$proto" yes
|
||||||
i=$((i + 1))
|
i=$((i + 1))
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -4997,7 +5006,7 @@ cipher_pref_check() {
|
||||||
|
|
||||||
pr_bold " Cipher order"
|
pr_bold " Cipher order"
|
||||||
|
|
||||||
tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n" | while read p proto_hex proto; do
|
while read p proto_hex proto; do
|
||||||
order=""; ciphers_found_with_sockets=false
|
order=""; ciphers_found_with_sockets=false
|
||||||
if [[ $p == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
|
if [[ $p == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
|
||||||
out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
||||||
|
@ -5168,12 +5177,13 @@ cipher_pref_check() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -n "$order" ]]; then
|
if [[ -n "$order" ]]; then
|
||||||
|
add_tls_offered "$p" yes
|
||||||
outln
|
outln
|
||||||
out "$(printf " %-10s " "$proto: ")"
|
out "$(printf " %-10s " "$proto: ")"
|
||||||
out "$(out_row_aligned_max_width "$order" " " $TERM_WIDTH)"
|
out "$(out_row_aligned_max_width "$order" " " $TERM_WIDTH)"
|
||||||
fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order"
|
fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order"
|
||||||
fi
|
fi
|
||||||
done
|
done <<< "$(tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n")"
|
||||||
outln
|
outln
|
||||||
|
|
||||||
outln
|
outln
|
||||||
|
@ -10808,9 +10818,17 @@ run_beast(){
|
||||||
|
|
||||||
# first determine whether it's mitigated by higher protocols
|
# first determine whether it's mitigated by higher protocols
|
||||||
for proto in tls1_1 tls1_2; do
|
for proto in tls1_1 tls1_2; do
|
||||||
|
if [[ $(has_server_protocol "$proto") -eq 0 ]]; then
|
||||||
|
case $proto in
|
||||||
|
tls1_1) higher_proto_supported+=" TLSv1.1" ;;
|
||||||
|
tls1_2) higher_proto_supported+=" TLSv1.2" ;;
|
||||||
|
esac
|
||||||
|
else
|
||||||
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null
|
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
higher_proto_supported="$higher_proto_supported $(get_protocol $TMPFILE)"
|
higher_proto_supported+=" $(get_protocol $TMPFILE)"
|
||||||
|
add_tls_offered "$proto" yes
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -10820,14 +10838,18 @@ run_beast(){
|
||||||
out " "
|
out " "
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
if [[ "$proto" != "ssl3" ]] || "$HAS_SSL3"; then
|
|
||||||
[[ ! "$proto" =~ ssl ]] && sni="$SNI" || sni=""
|
[[ ! "$proto" =~ ssl ]] && sni="$SNI" || sni=""
|
||||||
|
if [[ $(has_server_protocol "$proto") -eq 0 ]]; then
|
||||||
|
sclient_success=0
|
||||||
|
elif [[ "$proto" != "ssl3" ]] || "$HAS_SSL3"; then
|
||||||
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>>$ERRFILE </dev/null
|
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
|
sclient_success=$?
|
||||||
else
|
else
|
||||||
tls_sockets "00" "$TLS_CIPHER"
|
tls_sockets "00" "$TLS_CIPHER"
|
||||||
|
sclient_success=$?
|
||||||
fi
|
fi
|
||||||
if [[ $? -ne 0 ]]; then # protocol supported?
|
if [[ $sclient_success -ne 0 ]]; then # protocol supported?
|
||||||
if "$continued"; then # second round: we hit TLS1
|
if "$continued"; then # second round: we hit TLS1
|
||||||
if "$HAS_SSL3" || "$using_sockets"; then
|
if "$HAS_SSL3" || "$using_sockets"; then
|
||||||
prln_done_good "no SSL3 or TLS1 (OK)"
|
prln_done_good "no SSL3 or TLS1 (OK)"
|
||||||
|
@ -10842,6 +10864,7 @@ run_beast(){
|
||||||
continue # protocol not supported, so we do not need to check each cipher with that protocol
|
continue # protocol not supported, so we do not need to check each cipher with that protocol
|
||||||
fi
|
fi
|
||||||
fi # protocol succeeded
|
fi # protocol succeeded
|
||||||
|
add_tls_offered "$proto" yes
|
||||||
|
|
||||||
# now we test in one shot with the precompiled ciphers
|
# now we test in one shot with the precompiled ciphers
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
|
|
Loading…
Reference in New Issue