Some servers will respond with an alert to a ClientHello that does not indicate support for secure renegotiation, which may be signaled through either an extension or the 0x00,0xff "cipher suite." In some cases testssl.sh calls tls_sockets() without including "00,ff" in the list of cipher suites, which results in some servers rejecting a ClientHello that would otherwise result in a successful connection.

This PR fixes the problem by adding "00,ff" to any ClientHello where it was previously missing, with one exception. If a TLSv1.3 ClientHello is being sent and only TLSv1.3 ciphers are listed, then the "00,ff" cipher suite is not added.
David Cooper 2018-02-13 11:55:24 -05:00 committed by GitHub
parent 3633704fa5
commit 4ba52f3a99


@ -4632,7 +4632,7 @@ run_protocols() {
fi
fi
if [[ ${#tls13_ciphers_to_test} -eq 9 ]]; then
tls13_ciphers_to_test="$TLS13_CIPHER, ${tls13_ciphers_to_test:2:2},${tls13_ciphers_to_test:7:2}"
tls13_ciphers_to_test="$TLS13_CIPHER, ${tls13_ciphers_to_test:2:2},${tls13_ciphers_to_test:7:2}, 00,ff"
else
tls13_ciphers_to_test="$TLS13_CIPHER,$TLS_CIPHER"
fi
@ -6414,6 +6414,7 @@ certificate_transparency() {
ciphers+=", ${hexc:2:2},${hexc:7:2}"
fi
done < <($OPENSSL ciphers -V $cipher 2>>$ERRFILE)
ciphers+=", 00,ff"
fi
[[ -z "$sni_used" ]] && sni="$SNI" && SNI=""
tls_sockets "${tls_version:2:2}" "${ciphers:2}" "all" "00,12,00,00$extra_extns"
@ -7593,7 +7594,7 @@ run_pfs() {
# All TLSv1.3 cipher suites offer robust PFS.
sclient_success=0
elif "$using_sockets"; then
tls_sockets "04" "${pfs_hex_cipher_list:2}"
tls_sockets "04" "${pfs_hex_cipher_list:2}, 00,ff"
sclient_success=$?
[[ $sclient_success -eq 2 ]] && sclient_success=0
else
@ -7819,7 +7820,7 @@ run_pfs() {
[[ -z "$curves_to_test" ]] && break
len1=$(printf "%02x" "$((2*${#curves_to_test}/7))")
len2=$(printf "%02x" "$((2*${#curves_to_test}/7+2))")
tls_sockets "$proto" "${ecdhe_cipher_list_hex:2}" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
tls_sockets "$proto" "${ecdhe_cipher_list_hex:2}, 00,ff" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
sclient_success=$?
[[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
@ -7859,7 +7860,7 @@ run_pfs() {
"$pfs_tls13_offered" && protos_to_try="04"
if "$ffdhe_offered" && "$EXPERIMENTAL"; then
# Check to see whether RFC 7919 is supported (see Section 4 of RFC 7919)
tls_sockets "03" "${ffdhe_cipher_list_hex:2}" "ephemeralkey" "00, 0a, 00, 04, 00, 02, 01, fb"
tls_sockets "03" "${ffdhe_cipher_list_hex:2}, 00,ff" "ephemeralkey" "00, 0a, 00, 04, 00, 02, 01, fb"
sclient_success=$?
if [[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]]; then
if "$pfs_tls13_offered"; then
@ -7878,7 +7879,7 @@ run_pfs() {
[[ -z "$curves_to_test" ]] && break
len1=$(printf "%02x" "$((2*${#curves_to_test}/7))")
len2=$(printf "%02x" "$((2*${#curves_to_test}/7+2))")
tls_sockets "$proto" "${ffdhe_cipher_list_hex:2}" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
tls_sockets "$proto" "${ffdhe_cipher_list_hex:2}, 00,ff" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
sclient_success=$?
[[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
@ -12415,7 +12416,7 @@ run_sweet32() {
for proto in 03 02 01 00; do
"$FAST" && [[ "$proto" != "03" ]] && break
! "$FAST" && [[ $(has_server_protocol "$proto") -eq 1 ]] && continue
tls_sockets "$proto" "${sweet32_ciphers_hex}"
tls_sockets "$proto" "${sweet32_ciphers_hex}, 00,ff"
sclient_success=$?
[[ $sclient_success -eq 2 ]] && sclient_success=0
[[ $sclient_success -eq 0 ]] && break
@ -12478,7 +12479,7 @@ run_ssl_poodle() {
# The openssl binary distributed has almost everything we need (PSK and KRB5 ciphers are typically missing).
# Measurements show that there's little impact whether we use sockets or TLS here, so the default is sockets here
if "$using_sockets"; then
tls_sockets "00" "$cbc_ciphers_hex"
tls_sockets "00" "$cbc_ciphers_hex, 00,ff"
sclient_success=$?
else
if ! "$HAS_SSL3"; then
@ -12714,7 +12715,7 @@ run_freak() {
addtl_warning="" ;;
esac
if "$using_sockets"; then
tls_sockets "03" "$exportrsa_tls_cipher_list_hex"
tls_sockets "03" "$exportrsa_tls_cipher_list_hex, 00,ff"
sclient_success=$?
[[ $sclient_success -eq 2 ]] && sclient_success=0
if [[ $sclient_success -ne 0 ]]; then
@ -12817,7 +12818,7 @@ run_logjam() {
# test for DH export ciphers first
if "$using_sockets"; then
tls_sockets "03" "$exportdh_cipher_list_hex"
tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
sclient_success=$?
[[ $sclient_success -eq 2 ]] && sclient_success=0
else
@ -12847,7 +12848,7 @@ run_logjam() {
# Try all ciphers that use an ephemeral DH key. If successful, check whether the key uses a weak prime.
if "$using_sockets"; then
tls_sockets "03" "$all_dh_ciphers" "ephemeralkey"
tls_sockets "03" "$all_dh_ciphers, 00,ff" "ephemeralkey"
sclient_success=$?
if [[ $sclient_success -eq 0 ]] || [[ $sclient_success -eq 2 ]]; then
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
@ -13189,7 +13190,7 @@ run_beast(){
"ssl3") proto_hex="00" ;;
"tls1") proto_hex="01" ;;
esac
tls_sockets "$proto_hex" "$cbc_ciphers_hex"
tls_sockets "$proto_hex" "$cbc_ciphers_hex, 00,ff"
[[ $? -eq 0 ]] || continue
else
$OPENSSL s_client $(s_client_options "-"$proto" -cipher "$cbc_cipher_list" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE </dev/null
@ -13369,7 +13370,7 @@ run_lucky13() {
# Measurements show that there's little impact whether we use sockets or TLS here, so the default is sockets here
if "$using_sockets"; then
tls_sockets "03" "${cbc_ciphers_hex}"
tls_sockets "03" "${cbc_ciphers_hex}, 00,ff"
sclient_success=$?
[[ "$sclient_success" -eq 2 ]] && sclient_success=0
else
@ -13907,7 +13908,7 @@ run_grease() {
# see https://datatracker.ietf.org/doc/draft-ietf-tls-grease
if [[ "$proto" != "00" ]]; then
# Send a ClientHello that lists all of the ECDHE cipher suites
tls_sockets "$proto" "$ecdhe_ciphers" "ephemeralkey"
tls_sockets "$proto" "$ecdhe_ciphers, 00,ff" "ephemeralkey"
success=$?
if [[ $success -eq 0 ]] || [[ $success -eq 2 ]]; then
# Send the same ClientHello as before but with an unrecognized
@ -13939,7 +13940,7 @@ run_grease() {
00, 01, 00, 02, 00, 03, 00, 0f, 00, 10, 00, 11"
fi
debugme echo -e "\nSending ClientHello with unrecognized named group value in supported_groups extension."
tls_sockets "$proto" "$ecdhe_ciphers" "" "$extn"
tls_sockets "$proto" "$ecdhe_ciphers, 00,ff" "" "$extn"
success=$?
if [[ $success -ne 0 ]] && [[ $success -ne 2 ]]; then
prln_svrty_medium " Server fails if ClientHello contains a supported_groups extension with an unrecognized named group value (${grease_supported_groups[rnd]})."
@ -14068,7 +14069,7 @@ run_robot() {
# ciphers that use AES in GCM or CBC mode, with the GCM ciphers
# listed first, and then try all ciphers that use RSA key transport
# if there is no connection on the first try.
tls_sockets "$tls_hexcode" "$aes_gcm_cbc_cipherlist"
tls_sockets "$tls_hexcode" "$aes_gcm_cbc_cipherlist, 00,ff"
ret=$?
if [[ $ret -eq 0 ]] || [[ $ret -eq 2 ]]; then
cipherlist="$aes_gcm_cbc_cipherlist"
@ -14078,7 +14079,7 @@ run_robot() {
cipherlist="$(strip_inconsistent_ciphers "$tls_hexcode" ", $cipherlist")"
cipherlist="${cipherlist:2}"
fi
tls_sockets "$tls_hexcode" "$cipherlist"
tls_sockets "$tls_hexcode" "$cipherlist, 00,ff"
ret=$?
if [[ $ret -eq 2 ]]; then
tls_hexcode="${DETECTED_TLS_VERSION:2:2}"
@ -14116,7 +14117,7 @@ run_robot() {
response[testnum]="untested"
done
for (( testnum=0; testnum < 5; testnum++ )); do
tls_sockets "$tls_hexcode" "$cipherlist" "all" "" "" "false"
tls_sockets "$tls_hexcode" "$cipherlist, 00,ff" "all" "" "" "false"
# Create the padded premaster secret to encrypt. The padding should be
# of the form "00 02 <random> 00 <TLS version> <premaster secret>."