From 4ba52f3a991672542b8975893b9a7c48730c36d5 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 13 Feb 2018 11:55:24 -0500
Subject: [PATCH] Fix #990

Some servers will respond with an alert to a ClientHello that does not indicate support for secure renegotiation, which may be signaled through either an extension or the 0x00,0xff "cipher suite." In some cases testssl.sh calls tls_sockets() without including "00,ff" in the list of cipher suites, which results in some servers rejecting a ClientHello that would otherwise result in a successful connection. This PR fixes the problem by adding "00,ff" to any ClientHello where it was previously missing, with one exception. If a TLSv1.3 ClientHello is being sent and only TLSv1.3 ciphers are listed, then the "00,ff" cipher suite is not added.
---
 testssl.sh | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index a653e5b..e23148f 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4632,7 +4632,7 @@ run_protocols() {
 fi
 fi
 if [[ ${#tls13_ciphers_to_test} -eq 9 ]]; then
- tls13_ciphers_to_test="$TLS13_CIPHER, ${tls13_ciphers_to_test:2:2},${tls13_ciphers_to_test:7:2}"
+ tls13_ciphers_to_test="$TLS13_CIPHER, ${tls13_ciphers_to_test:2:2},${tls13_ciphers_to_test:7:2}, 00,ff"
 else
 tls13_ciphers_to_test="$TLS13_CIPHER,$TLS_CIPHER"
 fi
@@ -6414,6 +6414,7 @@ certificate_transparency() {
 ciphers+=", ${hexc:2:2},${hexc:7:2}"
 fi
 done < <($OPENSSL ciphers -V $cipher 2>>$ERRFILE)
+ ciphers+=", 00,ff"
 fi
 [[ -z "$sni_used" ]] && sni="$SNI" && SNI=""
 tls_sockets "${tls_version:2:2}" "${ciphers:2}" "all" "00,12,00,00$extra_extns"
@@ -7593,7 +7594,7 @@ run_pfs() {
 # All TLSv1.3 cipher suites offer robust PFS.
 sclient_success=0
 elif "$using_sockets"; then
- tls_sockets "04" "${pfs_hex_cipher_list:2}"
+ tls_sockets "04" "${pfs_hex_cipher_list:2}, 00,ff"
 sclient_success=$?
 [[ $sclient_success -eq 2 ]] && sclient_success=0
 else
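Review bot: Duplicating the literal `, 00,ff` at each tls_sockets() call site (this hunk and eleven more in the hunks shown) keeps alive the hazard the patch is fixing: the next caller that forgets the suffix reproduces the false negative, where a server that insists on RFC 5746 §3.3 signalling rejects the ClientHello and testssl.sh reports the protocol or cipher as unsupported. A single definition is easier to keep right, either a named constant next to the other cipher lists, `readonly TLS_EMPTY_RENEGOTIATION_INFO_SCSV="00,ff"` used as `…, $TLS_EMPTY_RENEGOTIATION_INFO_SCSV"`, or, better, having tls_sockets() itself append `00,ff` when the list does not already carry it and is not purely TLSv1.3 suites, so the exception described in the commit message lives in one place instead of being re-decided per caller. Whichever is chosen, a comment at that single spot should say why the SCSV is there, e.g. `# RFC 5746: offer TLS_EMPTY_RENEGOTIATION_INFO_SCSV, some servers alert on ClientHellos without it`. run_protocols() starts and ends outside this hunk.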
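Review bot: In certificate_transparency() the new `ciphers+=", 00,ff"` is appended unconditionally, so when the `$OPENSSL ciphers -V $cipher` loop above it matched nothing, `${ciphers:2}` becomes the bare `00,ff` and the ClientHello offers only the signalling value, which is not a negotiable suite; before the patch that path handed tls_sockets() an empty list, and whatever tls_sockets() does with an empty list it presumably no longer does. A guard such as `[[ -n "$ciphers" ]] && ciphers+=", 00,ff"` keeps the empty-list behaviour unchanged, or the check could skip the tls_sockets() call when no suite was collected. The `if` closed by the following `fi` opens above the hunk; if it has another arm that fills `ciphers` by a different route, that arm still sends a ClientHello without the SCSV and needs the same suffix. certificate_transparency() starts and ends outside this hunk.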
@@ -7819,7 +7820,7 @@ run_pfs() {
 [[ -z "$curves_to_test" ]] && break
 len1=$(printf "%02x" "$((2*${#curves_to_test}/7))")
 len2=$(printf "%02x" "$((2*${#curves_to_test}/7+2))")
- tls_sockets "$proto" "${ecdhe_cipher_list_hex:2}" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
+ tls_sockets "$proto" "${ecdhe_cipher_list_hex:2}, 00,ff" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
 sclient_success=$?
 [[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
 temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
@@ -7859,7 +7860,7 @@ run_pfs() {
 "$pfs_tls13_offered" && protos_to_try="04"
 if "$ffdhe_offered" && "$EXPERIMENTAL"; then
 # Check to see whether RFC 7919 is supported (see Section 4 of RFC 7919)
- tls_sockets "03" "${ffdhe_cipher_list_hex:2}" "ephemeralkey" "00, 0a, 00, 04, 00, 02, 01, fb"
+ tls_sockets "03" "${ffdhe_cipher_list_hex:2}, 00,ff" "ephemeralkey" "00, 0a, 00, 04, 00, 02, 01, fb"
 sclient_success=$?
 if [[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]]; then
 if "$pfs_tls13_offered"; then
@@ -7878,7 +7879,7 @@ run_pfs() {
 [[ -z "$curves_to_test" ]] && break
 len1=$(printf "%02x" "$((2*${#curves_to_test}/7))")
 len2=$(printf "%02x" "$((2*${#curves_to_test}/7+2))")
- tls_sockets "$proto" "${ffdhe_cipher_list_hex:2}" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
+ tls_sockets "$proto" "${ffdhe_cipher_list_hex:2}, 00,ff" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
 sclient_success=$?
 [[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
 temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
@@ -12415,7 +12416,7 @@ run_sweet32() {
 for proto in 03 02 01 00; do
 "$FAST" && [[ "$proto" != "03" ]] && break
 ! "$FAST" && [[ $(has_server_protocol "$proto") -eq 1 ]] && continue
- tls_sockets "$proto" "${sweet32_ciphers_hex}"
+ tls_sockets "$proto" "${sweet32_ciphers_hex}, 00,ff"
 sclient_success=$?
 [[ $sclient_success -eq 2 ]] && sclient_success=0
 [[ $sclient_success -eq 0 ]] && break
@@ -12478,7 +12479,7 @@ run_ssl_poodle() {
 # The openssl binary distributed has almost everything we need (PSK and KRB5 ciphers are typically missing).
 # Measurements show that there's little impact whether we use sockets or TLS here, so the default is sockets here
 if "$using_sockets"; then
- tls_sockets "00" "$cbc_ciphers_hex"
+ tls_sockets "00" "$cbc_ciphers_hex, 00,ff"
 sclient_success=$?
 else
 if ! "$HAS_SSL3"; then
@@ -12714,7 +12715,7 @@ run_freak() {
 addtl_warning="" ;;
 esac
 if "$using_sockets"; then
- tls_sockets "03" "$exportrsa_tls_cipher_list_hex"
+ tls_sockets "03" "$exportrsa_tls_cipher_list_hex, 00,ff"
 sclient_success=$?
 [[ $sclient_success -eq 2 ]] && sclient_success=0
 if [[ $sclient_success -ne 0 ]]; then
@@ -12817,7 +12818,7 @@ run_logjam() {
 
 # test for DH export ciphers first
 if "$using_sockets"; then
- tls_sockets "03" "$exportdh_cipher_list_hex"
+ tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
 sclient_success=$?
 [[ $sclient_success -eq 2 ]] && sclient_success=0
 else
@@ -12847,7 +12848,7 @@ run_logjam() {
 
 # Try all ciphers that use an ephemeral DH key. If successful, check whether the key uses a weak prime.
 if "$using_sockets"; then
- tls_sockets "03" "$all_dh_ciphers" "ephemeralkey"
+ tls_sockets "03" "$all_dh_ciphers, 00,ff" "ephemeralkey"
 sclient_success=$?
 if [[ $sclient_success -eq 0 ]] || [[ $sclient_success -eq 2 ]]; then
 cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
@@ -13189,7 +13190,7 @@ run_beast(){
 "ssl3") proto_hex="00" ;;
 "tls1") proto_hex="01" ;;
 esac
- tls_sockets "$proto_hex" "$cbc_ciphers_hex"
+ tls_sockets "$proto_hex" "$cbc_ciphers_hex, 00,ff"
 [[ $? -eq 0 ]] || continue
 else
 $OPENSSL s_client $(s_client_options "-"$proto" -cipher "$cbc_cipher_list" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE 00 ."