Fix handling of empty argument to "-nextprotoneg" parameter
s_client's manpage states for -nextprotoneg: "Empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after reciving ServerHello with a list of server supported protocols." Consequently, the previous workaround of just quoting an empty variable is insufficient: the "-nextprotoneg" parameter has to be removed entirely from the command line when its argument is empty. In the other locations where "-nextprotoneg" is used, either its argument cannot be empty ($NPN_PROTOs is initialized to a non-empty value and set read-only), or its argument is intended to be empty (line 3724), or the command will not be invoked at all (for-loop parameter, line 3725). This fixes #467 - again. Additionally this patch prefers -alpn over -nextprotoneg if the openssl binary in use supports it.
This commit is contained in:
parent
05fe064763
commit
4f04820c76
10
testssl.sh
10
testssl.sh
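--- a/testssl.sh
+++ b/testssl.sh
@@ -3933,11 +3933,15 @@ sclient_connect_successful() {
 determine_tls_extensions() {
 local proto addcmd
 local success
-local alpn=""
+local alpnOrNpnParam=""
 local savedir
 local nrsaved
 
-"$HAS_ALPN" && alpn="h2-14,h2-15,h2"
+if "$HAS_ALPN"; then
+alpnOrNpnParam="-alpn \"http/1.1,spdy/1,spdy/2,spdy/3,stun.turn,stun.nat-discovery,h2,h2c,webrtc,c-webrtc,ftp\""
+elif "$HAS_SPDY"; then
+alpnOrNpnParam="-nextprotoneg \"h2-14,h2-15,h2\""
+fi
 
 if [[ -n "$2" ]]; then
 protocols_to_try="$2"
@@ -3983,7 +3987,7 @@ determine_tls_extensions() {
 # alpn: echo | openssl s_client -connect google.com:443 -tlsextdebug -alpn h2-14 -servername google.com <-- suport needs to be checked b4 -- see also: ssl/t1_trce.c
 addcmd=""
 [[ ! "$proto" =~ ssl ]] && addcmd="$SNI"
-$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug -nextprotoneg "$alpn" -status </dev/null 2>$ERRFILE >$TMPFILE
+$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $alpnOrNpnParam -status </dev/null 2>$ERRFILE >$TMPFILE
 sclient_connect_successful $? $TMPFILE && success=0 && break
 done # this loop is needed for IIS6 and others which have a handshake size limitations
 if [[ $success -eq 7 ]]; then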
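Review bot: The escaped double quotes in the two `alpnOrNpnParam` assignments end up inside the argument rather than grouping it: when `$alpnOrNpnParam` is expanded unquoted in the `$OPENSSL s_client` call, the shell word-splits the value but does not re-parse quote characters, so openssl receives `"http/1.1` and `ftp"` (and `"h2-14` / `h2"` in the NPN branch) as protocol names with a literal `"` attached. Neither list contains whitespace, so the inner quotes are unnecessary; `alpnOrNpnParam="-alpn http/1.1,spdy/1,spdy/2,spdy/3,stun.turn,stun.nat-discovery,h2,h2c,webrtc,c-webrtc,ftp"` and `alpnOrNpnParam="-nextprotoneg h2-14,h2-15,h2"` pass the intended lists, and a bash array expanded as `"${alpn_opt[@]}"` would be the robust form should a value with whitespace ever be needed. Whether the malformed entries are silently accepted or rejected by the openssl build in use I cannot tell from here, so comparing the advertised list (`-tlsextdebug`/`-msg`) against a known h2 server would confirm the effect. The body of determine_tls_extensions continues outside the hunk.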