From 4260ccbd1cf4d9302a148482e76fa5178fe04c64 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 4 Jan 2022 15:38:19 -0500
Subject: [PATCH] Report if couldn't test for client authentication

This commit fixes determine_optimal_proto() and run_server_defaults() so that a "Local problem" is reported if a $URL_PATH is specified, the server is TLS 1.3-only, and $OPENSSL does not support -enable_pha (and the server does not offer client authentication as part of the initial TLS handshake).
---
 testssl.sh | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index e7eada0..7a30d4e 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -10101,9 +10101,13 @@ run_server_defaults() {
 jsonID="clientAuth"
 pr_bold " Client Authentication "
- outln "$CLIENT_AUTH"
+ if [[ "$CLIENT_AUTH" == unknown ]]; then
+ prln_local_problem "$OPENSSL doesn't support \"s_client -enable_pha\""
+ else
+ outln "$CLIENT_AUTH"
+ fi
 fileout "$jsonID" "INFO" "$CLIENT_AUTH"
- if [[ "$CLIENT_AUTH" != none ]]; then
+ if [[ "$CLIENT_AUTH" == optional ]] || [[ "$CLIENT_AUTH" == required ]]; then
 jsonID="clientAuth_CA_list"
 pr_bold " CA List for Client Auth "
 out_row_aligned "$CLIENT_AUTH_CA_LIST" " "
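Review bot: The `fileout "$jsonID" "INFO" "$CLIENT_AUTH"` line still runs unchanged after the new if/else, so when CLIENT_AUTH is `unknown` the JSON/CSV record says `clientAuth: unknown` at INFO severity with no indication that this is a local problem, while the terminal shows prln_local_problem; the two outputs now disagree. Consider moving fileout into the branches, e.g. `fileout "$jsonID" "WARN" "Local problem: $OPENSSL doesn't support \"s_client -enable_pha\""` in the unknown branch (WARN appears to be what other local-problem findings in this file use, please confirm) and the existing INFO line in the else branch. The change of the second condition from `!= none` to `== optional || == required` is what keeps `unknown` out of the CA-list output; a comment such as `# "unknown": check could not be run (no -enable_pha, TLS 1.3-only server), see determine_optimal_proto()` would make the tri-state explicit. run_server_defaults() starts and ends outside the hunk.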
@@ -21115,11 +21119,14 @@ determine_optimal_proto() {
 # post-handshake authentication, then test for client
 # authentication using a protocol version earlier than
 # TLS 1.3 (unless the server only is TLS 1.3-only).
- if [[ "$tmp" == tls1_3 ]] && [[ -n "$URL_PATH" ]] && [[ "$URL_PATH" != / ]] && ! "$HAS_ENABLE_PHA" && \
- ( [[ "$(has_server_protocol "tls1_2")" -eq 0 ]] || [[ "$(has_server_protocol "tls1_1")" -eq 0 ]] || \
- [[ "$(has_server_protocol "tls1")" -eq 0 ]] || [[ "$(has_server_protocol "ssl3")" -eq 0 ]] ); then
- safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -ign_eof -no_tls1_3") >$TEMPDIR/client_auth_test.txt 2>>$ERRFILE
- sclient_auth $? $TEMPDIR/client_auth_test.txt
+ if [[ "$tmp" == tls1_3 ]] && [[ -n "$URL_PATH" ]] && [[ "$URL_PATH" != / ]] && ! "$HAS_ENABLE_PHA"; then
+ if [[ "$(has_server_protocol "tls1_2")" -eq 0 ]] || [[ "$(has_server_protocol "tls1_1")" -eq 0 ]] || \
+ [[ "$(has_server_protocol "tls1")" -eq 0 ]] || [[ "$(has_server_protocol "ssl3")" -eq 0 ]]; then
+ safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -ign_eof -no_tls1_3") >$TEMPDIR/client_auth_test.txt 2>>$ERRFILE
+ sclient_auth $? $TEMPDIR/client_auth_test.txt
+ elif [[ "$CLIENT_AUTH" == none ]]; then
+ CLIENT_AUTH="unknown"
+ fi
 fi
 break
 fi
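Review bot: `CLIENT_AUTH="unknown"` introduces a new sentinel that run_server_defaults() must match by exact string, yet nothing here records that the variable is now tri-state beyond none/optional/required; a comment above the elif such as `# No pre-TLS 1.3 protocol to fall back to and no -enable_pha: client auth could not be tested` would document it. The elif only promotes `none` to `unknown`, so a value already set from the TLS 1.3 handshake is kept, which matches the commit description but is worth stating in that comment. The `[[ "$(has_server_protocol ...)" -eq 0 ]]` tests are carried over unchanged; under `[[ -eq ]]` an empty string compares equal to 0, so if has_server_protocol can print nothing the fallback branch would be taken spuriously — I cannot confirm that helper's output contract from here. determine_optimal_proto() starts and ends outside the hunk.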