From 43fade414c4eedd44fdf9ef0f4d7c5cb4da65870 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Thu, 10 Nov 2022 11:24:56 -0800 Subject: [PATCH] Fix #2271 This commit fixes #2271 by adding the `-no_ssl2` option to the call to get_host_cert() in run_drown(). There is at least one server that causes OpenSSL to hang if this call to get_host_cert() results in an SSLv2 ClientHello being sent. Since this call to get_host_cert() only needs to find the server's certificate in cases in which the server does not support SSLv2, there is no need to send an SSLv2 ClientHello. --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 38ef6f4..eac2328 100755 --- a/testssl.sh +++ b/testssl.sh @@ -17998,7 +17998,7 @@ run_drown() { # to $CERT_FINGERPRINT_SHA2, so if $CERT_FINGERPRINT_SHA2 is not empty, but # $RSA_CERT_FINGERPRINT_SHA2 is empty, then the server doesn't have an RSA certificate. if [[ -z "$CERT_FINGERPRINT_SHA2" ]]; then - get_host_cert "-cipher aRSA" + get_host_cert "-cipher aRSA -no_ssl2" [[ $? -eq 0 ]] && cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed -e 's/^.*Fingerprint=//' -e 's/://g' )" else cert_fingerprint_sha2="$RSA_CERT_FINGERPRINT_SHA2"