- improved resilience in cipher order check

- improved also there compatibility with intolerant IIS6 servers
This commit is contained in:
Dirk 2015-09-14 12:54:54 +02:00
parent 09c06e0ffa
commit 467988fb0a

View File

@ -1547,7 +1547,12 @@ run_server_preference() {
pr_bold " Has server cipher order? " pr_bold " Has server cipher order? "
$OPENSSL s_client $STARTTLS -cipher $list_fwd -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS -cipher $list_fwd -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]] && [[ -z "$STARTTLS_PROTOCOL" ]]; then
pr_litemagenta "no matching cipher in this list found (pls report this): "
outln "$list_fwd . "
has_cipher_order=false
ret=6
elif [[ -n "$STARTTLS_PROTOCOL" ]]; then
# now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188 # now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188
# workaround is to connect with a protocol # workaround is to connect with a protocol
debugme out "(workaround #188) " debugme out "(workaround #188) "
@ -1564,6 +1569,7 @@ run_server_preference() {
if $has_cipher_order; then if $has_cipher_order; then
cipher1=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g') cipher1=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
$OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_reverse -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_reverse -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
# that worked above so no error handling here
cipher2=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g') cipher2=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
if [[ "$cipher1" != "$cipher2" ]]; then if [[ "$cipher1" != "$cipher2" ]]; then
@ -1576,9 +1582,13 @@ run_server_preference() {
[[ $DEBUG -ge 2 ]] && out " $cipher1 | $cipher2" [[ $DEBUG -ge 2 ]] && out " $cipher1 | $cipher2"
outln outln
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
pr_bold " Negotiated protocol " pr_bold " Negotiated protocol "
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
if [[ $? -ne 0 ]]; then
# 2 second try with $OPTIMAL_PROTO especially for intolerant IIS6 servers:
$OPENSSL s_client $STARTTLS $OPTIMAL_PROTO -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
[[ $? -ne 0 ]] && pr_litemagenta "Handshake error!"
fi
default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
case "$default_proto" in case "$default_proto" in
*TLSv1.2) pr_greenln $default_proto ;; *TLSv1.2) pr_greenln $default_proto ;;
@ -1587,7 +1597,7 @@ run_server_preference() {
*SSLv2) pr_redln $default_proto ;; *SSLv2) pr_redln $default_proto ;;
*SSLv3) pr_redln $default_proto ;; *SSLv3) pr_redln $default_proto ;;
"") pr_litemagenta "default proto empty"; [[ $OSSL_VER == 1.0.2* ]] && outln " (Hint: if IIS6 give OpenSSL 1.01 a try)" ;; "") pr_litemagenta "default proto empty"; [[ $OSSL_VER == 1.0.2* ]] && outln " (Hint: if IIS6 give OpenSSL 1.01 a try)" ;;
*) outln "$default_proto" ;; *) pr_litemagenta "FIXME line $LINENO: $default_proto" ;;
esac esac
pr_bold " Negotiated cipher " pr_bold " Negotiated cipher "
@ -1663,7 +1673,7 @@ run_server_preference() {
if [[ -z "$remark4default_cipher" ]]; then if [[ -z "$remark4default_cipher" ]]; then
cipher_pref_check cipher_pref_check
else else
outln "\n No further cipher order check as order is determined by the client" outln "\n No further cipher order check has been done as order is determined by the client"
fi fi
return 0 return 0
} }
@ -4877,4 +4887,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.377 2015/09/14 09:12:36 dirkw Exp $ # $Id: testssl.sh,v 1.378 2015/09/14 10:54:53 dirkw Exp $