Simplify determine_sizelimitbug()
This PR takes advantage of the testing done by determine_optimal_sockets_params() in order to simplify determine_sizelimitbug(). By the time that determine_sizelimitbug() is called, determine_optimal_sockets_params() has already determined whether TLSv1.2 ClientHello with 128 ciphers (including 00FF) sent by tls_sockets() works, and it has set TLS12_CIPHER to a list of exactly 128 ciphers (including 00FF) that works with the server. So, determine_sizelimitbug() doesn't have to check whether the server supports TLSv1.2 and no longer needs to send tests using 127 or 128 ciphers. determine_sizelimitbug() can just perform one test with 129 ciphers, if the server supports TLSv1.2, and use the results to set $SERVER_SIZE_LIMIT_BUG.
This commit is contained in:
parent
35c69bee27
commit
4f462eb718
59
testssl.sh
59
testssl.sh
|
@ -18193,68 +18193,39 @@ determine_service() {
|
||||||
# Return value is 0 unless we have a problem executing
|
# Return value is 0 unless we have a problem executing
|
||||||
#
|
#
|
||||||
determine_sizelimitbug() {
|
determine_sizelimitbug() {
|
||||||
local test_ciphers='CC,14, CC,13, CC,15, C0,30, C0,2C, C0,28, C0,24, 00,A5, 00,A3, 00,A1, 00,9F, CC,A9, CC,A8, CC,AA, C0,AF, C0,AD, C0,A3, C0,9F, 00,6B, 00,6A, 00,69, 00,68, C0,77, C0,73, 00,C4, 00,C3, 00,C2, 00,C1, C0,32, C0,2E, C0,2A, C0,26, C0,79, C0,75, 00,9D, C0,A1, C0,9D, 00,3D, 00,C0, C0,3D, C0,3F, C0,41, C0,43, C0,45, C0,49, C0,4B, C0,4D, C0,4F, C0,51, C0,53, C0,55, C0,57, C0,59, C0,5D, C0,5F, C0,61, C0,63, C0,7B, C0,7D, C0,7F, C0,81, C0,83, C0,87, C0,89, C0,8B, C0,8D, 16,B7, 16,B8, 16,B9, 16,BA, C0,2F, C0,2B, C0,27, C0,23, 00,A4, 00,A2, 00,A0, 00,9E, C0,AE, C0,AC, C0,A2, C0,9E, C0,A0, C0,9C, 00,67, 00,40, 00,3F, 00,3E, C0,76, C0,72, 00,BE, 00,BD, 00,BC, 00,BB, C0,31, C0,2D, C0,29, C0,25, C0,78, C0,74, 00,9C, 00,3C, 00,BA, C0,3C, C0,3E, C0,40, C0,42, C0,44, C0,48, C0,4A, C0,4C, C0,4E, C0,50, C0,52, C0,54, C0,56, C0,58, C0,5C, C0,5E, C0,60, C0,62, C0,7A, C0,7C, C0,7E, C0,80, C0,82'
|
# overflow_cipher must be some cipher that does not appear in TLS12_CIPHER.
|
||||||
local overflow_cipher1='C0,86'
|
local overflow_cipher='C0,86'
|
||||||
local overflow_cipher2='C0,88'
|
local -i nr_ciphers
|
||||||
|
|
||||||
# For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
# For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
||||||
# Fixme: find out whether we can't skip this in general for STARTTLS
|
# Fixme: find out whether we can't skip this in general for STARTTLS
|
||||||
[[ "$STARTTLS" =~ ldap ]] && return 0
|
[[ "$STARTTLS" =~ ldap ]] && return 0
|
||||||
[[ "$STARTTLS" =~ irc ]] && return 0
|
[[ "$STARTTLS" =~ irc ]] && return 0
|
||||||
|
|
||||||
debugme echo -n "${FUNCNAME[0]} starting at # of ciphers (excl. 00FF): "
|
|
||||||
debugme echo "$(tr ' ' '\n' <<< "$test_ciphers" | wc -l)"
|
|
||||||
# Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practise. Thus
|
# Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practise. Thus
|
||||||
# we assume if TLS 1.2 is not supported, the server has no cipher size limit bug. It still may,
|
# we assume if TLS 1.2 is not supported, the server has no cipher size limit bug. It still may,
|
||||||
# theoretically, but in a regular check with testssl.sh we won't hit this limit with lower protocols.
|
# theoretically, but in a regular check with testssl.sh we won't hit this limit with lower protocols.
|
||||||
# Upon calling this function we may know already whether TLS 1.2 is supported. If not we just
|
# Upon calling this function we already know whether TLS 1.2 is supported. If TLS 1.2 is supported, we
|
||||||
# check for it (and add it to the known protocols to be supported).
|
# send 129 ciphers (including 00FF) and check whether it works.
|
||||||
# Then we send 127 ciphers, check whether they work, and increase it by one and check again. The
|
|
||||||
# limit bug should occur @ 128 ciphers. To be sure we test until 129 ciphers.
|
|
||||||
|
|
||||||
if [[ 1 -eq $(has_server_protocol 03) ]]; then
|
if [[ 1 -eq $(has_server_protocol 03) ]]; then
|
||||||
SERVER_SIZE_LIMIT_BUG=false
|
SERVER_SIZE_LIMIT_BUG=false
|
||||||
elif [[ 0 -eq $(has_server_protocol 03) ]]; then
|
else
|
||||||
debugme echo "Sending 127 ciphers"
|
if [[ "$DEBUG" -ge 1 ]]; then
|
||||||
tls_sockets 03 "${test_ciphers}, 00,FF"
|
nr_ciphers="$(tr ' ' '\n' <<< "${overflow_cipher}, $TLS12_CIPHER" | sed -e '/^$/d' | wc -l)"
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $nr_ciphers -ne 129 ]]; then
|
||||||
debugme echo "Sending 128 ciphers"
|
prln_warning "FIXME line $LINENO, ${FUNCNAME[0]} sending $nr_ciphers ciphers rather than 129."
|
||||||
tls_sockets 03 "${test_ciphers}, ${overflow_cipher1}, 00,FF"
|
|
||||||
if [[ $? -ne 0 ]]; then
|
|
||||||
SERVER_SIZE_LIMIT_BUG=true
|
|
||||||
else
|
else
|
||||||
debugme echo "Sending 129 ciphers"
|
debugme echo "${FUNCNAME[0]} sending $nr_ciphers ciphers"
|
||||||
tls_sockets 03 "${test_ciphers}, ${overflow_cipher1}, ${overflow_cipher2}, 00,FF"
|
|
||||||
if [[ $? -ne 0 ]]; then
|
|
||||||
SERVER_SIZE_LIMIT_BUG=true
|
|
||||||
else
|
|
||||||
SERVER_SIZE_LIMIT_BUG=false
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
debugme echo -e "\nSERVER_SIZE_LIMIT_BUG: $SERVER_SIZE_LIMIT_BUG"
|
|
||||||
else
|
|
||||||
pr_warning "FIXME line $LINENO, TLS 1.2 handshake in ${FUNCNAME[0]} failed"
|
|
||||||
return 1
|
|
||||||
fi
|
fi
|
||||||
elif [[ 2 -eq $(has_server_protocol 03) ]]; then
|
tls_sockets 03 "${overflow_cipher}, ${TLS12_CIPHER}"
|
||||||
tls_sockets 03 "${test_ciphers}, 00,FF"
|
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
add_tls_offered tls1_2 yes
|
SERVER_SIZE_LIMIT_BUG=false
|
||||||
tls_sockets 03 "${test_ciphers}, ${overflow_cipher1}, 00,FF"
|
|
||||||
if [[ $? -ne 0 ]]; then
|
|
||||||
SERVER_SIZE_LIMIT_BUG=true
|
|
||||||
else
|
|
||||||
tls_sockets 03 "${test_ciphers}, ${overflow_cipher1}, ${overflow_cipher2}, 00,FF"
|
|
||||||
if [[ $? -ne 0 ]]; then
|
|
||||||
SERVER_SIZE_LIMIT_BUG=true
|
|
||||||
else
|
|
||||||
SERVER_SIZE_LIMIT_BUG=false
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
debugme echo -e "\nSERVER_SIZE_LIMIT_BUG: $SERVER_SIZE_LIMIT_BUG"
|
|
||||||
else
|
else
|
||||||
debugme echo -e "\nNo TLS 1.2 in ${FUNCNAME[0]} found"
|
SERVER_SIZE_LIMIT_BUG=true
|
||||||
fi
|
fi
|
||||||
|
debugme echo -e "\nSERVER_SIZE_LIMIT_BUG: $SERVER_SIZE_LIMIT_BUG"
|
||||||
fi
|
fi
|
||||||
if "$SERVER_SIZE_LIMIT_BUG"; then
|
if "$SERVER_SIZE_LIMIT_BUG"; then
|
||||||
out " Pre-test: "
|
out " Pre-test: "
|
||||||
|
|
Loading…
Reference in New Issue