manually resolved conflict from #839 + change it to new logic
This commit is contained in:
parent
f3dc53f554
commit
411accb66d
39
testssl.sh
39
testssl.sh
@ -3972,16 +3972,21 @@ run_prototest_openssl() {
|
||||
# arg1: protocol
|
||||
# arg2: available (yes) or not (no)
|
||||
add_tls_offered() {
|
||||
<<<<<<< HEAD
|
||||
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
|
||||
# the ":" is mandatory here (and @ other palces), otherwise e.g. tls1 will match tls1_2
|
||||
:
|
||||
else
|
||||
PROTOS_OFFERED+="${1}:$2 "
|
||||
fi
|
||||
=======
|
||||
[[ "$PROTOS_OFFERED" =~ "$1 " ]] || PROTOS_OFFERED+="$1 "
|
||||
>>>>>>> af15bd0f002c0523579b3807949fa54c05c793e3
|
||||
}
|
||||
|
||||
# function which checks whether SSLv2 - TLS 1.2 is being offereed, see add_tls_offered()
|
||||
has_server_protocol() {
|
||||
<<<<<<< HEAD
|
||||
local proto_val_pair
|
||||
|
||||
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
|
||||
@ -3999,6 +4004,9 @@ has_server_protocol() {
|
||||
else
|
||||
# if empty echo 2, hinting to the caller to check at additional cost/connect
|
||||
echo 2
|
||||
=======
|
||||
if [[ "$PROTOS_OFFERED" =~ "$1 " ]]; then
|
||||
>>>>>>> af15bd0f002c0523579b3807949fa54c05c793e3
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
@ -4881,6 +4889,7 @@ run_server_preference() {
|
||||
cipher[i]=""
|
||||
fi
|
||||
fi
|
||||
[[ -n "${cipher[i]}" ]] && add_tls_offered "$proto" yes
|
||||
i=$((i + 1))
|
||||
done
|
||||
|
||||
@ -4997,7 +5006,7 @@ cipher_pref_check() {
|
||||
|
||||
pr_bold " Cipher order"
|
||||
|
||||
tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n" | while read p proto_hex proto; do
|
||||
while read p proto_hex proto; do
|
||||
order=""; ciphers_found_with_sockets=false
|
||||
if [[ $p == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
|
||||
out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
||||
@ -5168,12 +5177,13 @@ cipher_pref_check() {
|
||||
fi
|
||||
|
||||
if [[ -n "$order" ]]; then
|
||||
add_tls_offered "$p" yes
|
||||
outln
|
||||
out "$(printf " %-10s " "$proto: ")"
|
||||
out "$(out_row_aligned_max_width "$order" " " $TERM_WIDTH)"
|
||||
fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order"
|
||||
fi
|
||||
done
|
||||
done <<< "$(tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n")"
|
||||
outln
|
||||
|
||||
outln
|
||||
@ -10808,9 +10818,17 @@ run_beast(){
|
||||
|
||||
# first determine whether it's mitigated by higher protocols
|
||||
for proto in tls1_1 tls1_2; do
|
||||
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null
|
||||
if sclient_connect_successful $? $TMPFILE; then
|
||||
higher_proto_supported="$higher_proto_supported $(get_protocol $TMPFILE)"
|
||||
if [[ $(has_server_protocol "$proto") -eq 0 ]]; then
|
||||
case $proto in
|
||||
tls1_1) higher_proto_supported+=" TLSv1.1" ;;
|
||||
tls1_2) higher_proto_supported+=" TLSv1.2" ;;
|
||||
esac
|
||||
else
|
||||
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null
|
||||
if sclient_connect_successful $? $TMPFILE; then
|
||||
higher_proto_supported+=" $(get_protocol $TMPFILE)"
|
||||
add_tls_offered "$proto" yes
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
@ -10820,14 +10838,18 @@ run_beast(){
|
||||
out " "
|
||||
continue
|
||||
fi
|
||||
if [[ "$proto" != "ssl3" ]] || "$HAS_SSL3"; then
|
||||
[[ ! "$proto" =~ ssl ]] && sni="$SNI" || sni=""
|
||||
[[ ! "$proto" =~ ssl ]] && sni="$SNI" || sni=""
|
||||
if [[ $(has_server_protocol "$proto") -eq 0 ]]; then
|
||||
sclient_success=0
|
||||
elif [[ "$proto" != "ssl3" ]] || "$HAS_SSL3"; then
|
||||
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>>$ERRFILE </dev/null
|
||||
sclient_connect_successful $? $TMPFILE
|
||||
sclient_success=$?
|
||||
else
|
||||
tls_sockets "00" "$TLS_CIPHER"
|
||||
sclient_success=$?
|
||||
fi
|
||||
if [[ $? -ne 0 ]]; then # protocol supported?
|
||||
if [[ $sclient_success -ne 0 ]]; then # protocol supported?
|
||||
if "$continued"; then # second round: we hit TLS1
|
||||
if "$HAS_SSL3" || "$using_sockets"; then
|
||||
prln_done_good "no SSL3 or TLS1 (OK)"
|
||||
@ -10842,6 +10864,7 @@ run_beast(){
|
||||
continue # protocol not supported, so we do not need to check each cipher with that protocol
|
||||
fi
|
||||
fi # protocol succeeded
|
||||
add_tls_offered "$proto" yes
|
||||
|
||||
# now we test in one shot with the precompiled ciphers
|
||||
if "$using_sockets"; then
|
||||
|
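Review bot: The first two hunks still carry unresolved merge-conflict markers on what looks like the new side — `<<<<<<< HEAD`, `=======` and `>>>>>>> af15bd0f002c0523579b3807949fa54c05c793e3` inside add_tls_offered() and has_server_protocol() — and bash rejects a line such as `<<<<<<< HEAD` with a syntax error, so the whole script would refuse to start rather than merely mis-cache protocols. The +/- column is lost in this rendering, so this is inferred, but the hunk headers grow by exactly the number of marker and alternative lines (16→21 and 6→9), which is consistent with the markers having been committed rather than removed. Since the title says the conflict was resolved in favour of the `${1}:$2` pair logic, the fix is to delete the three marker lines and the old `[[ "$PROTOS_OFFERED" =~ "$1 " ]] || PROTOS_OFFERED+="$1 "` alternative in add_tls_offered(), and the three marker/alternative lines in has_server_protocol(), keeping only the `=~ $1:` branches. Running `git diff --check` before committing flags leftover conflict markers and would have caught this. The other hunks only add add_tls_offered/has_server_protocol calls and look consistent with the new `proto:yes` format; note that the bodies of cipher_pref_check() and run_beast() start and end outside their hunks.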