From 429db592e2f5cdefcfb1535b2d96ce11737df00e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emmanuel=20Fust=C3=A9?= Date: Tue, 28 Nov 2023 14:41:25 +0100 Subject: [PATCH] Crudely detect exponential backoff as a mitigation --- testssl.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 6b694e4..3e14be7 100755 --- a/testssl.sh +++ b/testssl.sh @@ -17068,13 +17068,23 @@ run_renego() { else (for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep 1; done) | \ $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE - case $? in + tmp_result=$? + # If we are here, we have done two successfull renegotiation (-2) and do the loop + loop_reneg=$(($(grep -a '^RENEGOTIATING' $ERRFILE | wc -l)-2)) + # If we got less than 2/3 successfull attemps during the loop with 1s pause, we are in precence of exponential backoff. + if [[ $loop_reneg -le $(($ssl_reneg_attempts*2/3)) ]]; then + tmp_result=2 + fi + case $tmp_result in 0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat ($ssl_reneg_attempts attempts)" fileout "$jsonID" "HIGH" "VULNERABLE, DoS threat" "$cve" "$cwe" "$hint" ;; 1) pr_svrty_good "not vulnerable (OK)"; outln " -- mitigated (disconnect within $ssl_reneg_attempts)" fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe" ;; + 2) pr_svrty_good "not vulnerable (OK)"; outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in ${ssl_reneg_attempts}s)" + fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe" + ;; *) prln_warning "FIXME (bug): $sec_client_renego ($ssl_reneg_attempts tries)" fileout "$jsonID" "DEBUG" "FIXME (bug $ssl_reneg_attempts tries) $sec_client_renego" "$cve" "$cwe" ret=1