mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-31 22:09:44 +01:00
Merge pull request #1378 from dcooper16/unsupported_ossl_protocols
Don't call s_client for unsupported protocol versions
This commit is contained in:
commit
45683f3452
47
testssl.sh
47
testssl.sh
@ -4083,6 +4083,7 @@ ciphers_by_strength() {
|
|||||||
fi
|
fi
|
||||||
else # no SSLv2
|
else # no SSLv2
|
||||||
nr_ossl_ciphers=0
|
nr_ossl_ciphers=0
|
||||||
|
if ( "$HAS_SSL3" || [[ $proto != -ssl3 ]] ) && ( "$HAS_TLS13" || [[ $proto != -tls1_3 ]] ); then
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
if "${ossl_supported[i]}"; then
|
if "${ossl_supported[i]}"; then
|
||||||
ciphers_found2[nr_ossl_ciphers]=false
|
ciphers_found2[nr_ossl_ciphers]=false
|
||||||
@ -4091,6 +4092,7 @@ ciphers_by_strength() {
|
|||||||
nr_ossl_ciphers+=1
|
nr_ossl_ciphers+=1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
fi
|
||||||
if [[ $nr_ossl_ciphers -eq 0 ]]; then
|
if [[ $nr_ossl_ciphers -eq 0 ]]; then
|
||||||
num_bundles=0
|
num_bundles=0
|
||||||
else
|
else
|
||||||
@ -14785,6 +14787,7 @@ run_tls_fallback_scsv() {
|
|||||||
high_proto="$p"
|
high_proto="$p"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
[[ "$p" == ssl3 ]] && ! "$HAS_SSL3" && continue
|
||||||
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
high_proto="$p"
|
high_proto="$p"
|
||||||
@ -14806,8 +14809,33 @@ run_tls_fallback_scsv() {
|
|||||||
fileout "$jsonID" "HIGH" "only SSLv3 supported"
|
fileout "$jsonID" "HIGH" "only SSLv3 supported"
|
||||||
return 0
|
return 0
|
||||||
;;
|
;;
|
||||||
*) prln_svrty_good "No fallback possible, TLS 1.3 is the only protocol (OK)"
|
*) if [[ $(has_server_protocol tls1_3) -eq 0 ]]; then
|
||||||
|
# If the server supports TLS 1.3, and does not support TLS 1.2, TLS 1.1,
|
||||||
|
# or TLS 1, then assume it does not support SSLv3, even if SSLv3 cannot
|
||||||
|
# be tested.
|
||||||
|
prln_svrty_good "No fallback possible, TLS 1.3 is the only protocol (OK)"
|
||||||
fileout "$jsonID" "OK" "only TLS 1.3 supported"
|
fileout "$jsonID" "OK" "only TLS 1.3 supported"
|
||||||
|
elif [[ $(has_server_protocol tls1_3) -eq 1 ]] && \
|
||||||
|
( [[ $(has_server_protocol ssl3) -eq 1 ]] || "$HAS_SSL3" ); then
|
||||||
|
# TLS 1.3, TLS 1.2, TLS 1.1, TLS 1, and SSLv3 are all not supported.
|
||||||
|
# This may be an SSLv2-only server, if $OPENSSL does not support SSLv2.
|
||||||
|
prln_warning "test failed (couldn't connect)"
|
||||||
|
fileout "$jsonID" "WARN" "Check failed. (couldn't connect)"
|
||||||
|
return 1
|
||||||
|
elif [[ $(has_server_protocol tls1_3) -eq 1 ]]; then
|
||||||
|
# If the server does not support TLS 1.3, TLS 1.2, TLS 1.1, or TLS 1, and
|
||||||
|
# support for SSLv3 cannot be tested, then treat it as HIGH severity, since
|
||||||
|
# it is very likely that SSLv3 is the only supported protocol.
|
||||||
|
prln_svrty_high "No fallback possible, TLS 1.3, TLS 1.2, TLS 1.1, and TLS 1 not supported"
|
||||||
|
fileout "$jsonID" "HIGH" "TLS 1.3, TLS 1.2, TLS 1.1, and TLS 1 not supported"
|
||||||
|
else
|
||||||
|
# TLS 1.2, TLS 1.1, and TLS 1 are not supported, but can't tell whether TLS 1.3 is supported.
|
||||||
|
# This could be a TLS 1.3 only server, an SSLv3 only server (if SSLv3 support cannot be tested),
|
||||||
|
# or a server that does not support SSLv3 or any TLS protocol. So, don't report a severity,
|
||||||
|
# since this could either be good or bad.
|
||||||
|
outln "No fallback possible, TLS 1.2, TLS 1.1, and TLS 1 not supported"
|
||||||
|
fileout "$jsonID" "INFO" "TLS 1.2, TLS 1.1, and TLS 1 not supported"
|
||||||
|
fi
|
||||||
return 0
|
return 0
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -14818,6 +14846,7 @@ run_tls_fallback_scsv() {
|
|||||||
low_proto="$p"
|
low_proto="$p"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
[[ "$p" == ssl3 ]] && ! "$HAS_SSL3" && continue
|
||||||
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
low_proto="$p"
|
low_proto="$p"
|
||||||
@ -14825,6 +14854,22 @@ run_tls_fallback_scsv() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if ! "$HAS_SSL3" && \
|
||||||
|
( [[ "$low_proto" == ssl3 ]] || \
|
||||||
|
( [[ "$high_proto" == tls1 ]] && [[ $(has_server_protocol "ssl3") -eq 2 ]] ) ); then
|
||||||
|
# If the protocol that the server would fall back to is SSLv3, but $OPENSSL does
|
||||||
|
# not support SSLv3, then the test cannot be performed. So, if $OPENSSL does not
|
||||||
|
# support SSLv3 and it is known that SSLv3 is the fallback protocol ($low_proto), then
|
||||||
|
# the test cannot be performed. Similarly, if SSLv3 could be the fallback protocol, but
|
||||||
|
# support for SSLv3 is unknown, then the test cannot be performed.
|
||||||
|
# NOTE: This check assumes that any server that suppports SSLv3 and either TLS 1.2 or
|
||||||
|
# TLS 1.1 would also support TLS 1. So, if $high_proto is not TLS 1, then it is assumed
|
||||||
|
# that either (1) $low_proto has already been set (to TLS1.1 or TLS 1) or (2) no protocol
|
||||||
|
# lower than $high_proto is offered.
|
||||||
|
prln_local_problem "Can't test: $OPENSSL does not support SSLv3"
|
||||||
|
fileout "$jsonID" "WARN" "Can't test: $OPENSSL does not support SSLv3"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
if [[ -z "$low_proto" ]]; then
|
if [[ -z "$low_proto" ]]; then
|
||||||
case "$high_proto" in
|
case "$high_proto" in
|
||||||
"tls1_2")
|
"tls1_2")
|
||||||
|
Loading…
Reference in New Issue
Block a user