From 23d311b1fc49970f0e0798b6154ee9cebd82556d Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 26 Jul 2016 11:10:20 -0400
Subject: [PATCH 1/3] SSLv2 fixes for determine_optimal_proto()

This PR makes three changes to `determine_optimal_proto()`:

* It no longer tries an empty string for `$OPTIMAL_PROTO` twice.
* It does not include `-servername` for `-ssl2` or `-ssl3`, since some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options.
* It displays a warning if `$OPTIMAL_PROTO` is `-ssl2`, since some tests in testssl.sh will not work correctly for SSLv2-only servers.
---
 testssl.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 5245616..0336251 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7811,7 +7811,7 @@ sclient_auth() {
 #
 determine_optimal_proto() {
 local all_failed
- local addcmd=""
+ local sni=""
 #TODO: maybe query known openssl version before this workaround. 1.0.1 doesn't need this
@@ -7829,8 +7829,9 @@ determine_optimal_proto() {
 done
 debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
 else
- for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2 ''; do
- $OPENSSL s_client $OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI $TMPFILE 2>>$ERRFILE
+ for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
+ [[ "$OPTIMAL_PROTO" =~ ssl ]] && sni="" || sni=$SNI
+ $OPENSSL s_client $OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $sni $TMPFILE 2>>$ERRFILE
 if sclient_auth $? $TMPFILE; then
 all_failed=1
 break
@@ -7838,6 +7839,9 @@ determine_optimal_proto() {
 all_failed=0
 done
 debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
+ pr_warningln "$NODEIP:$PORT appears to only support SSLv2."
+ ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
+ [[ $? -ne 0 ]] && exit -2
 fi
 grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190
From b43562aabf2d0e63e891b80e677f5db4560e09cd Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 26 Jul 2016 11:13:45 -0400
Subject: [PATCH 2/3] Update testssl.sh

---
 testssl.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 0336251..436b70e 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7839,9 +7839,11 @@ determine_optimal_proto() {
 all_failed=0
 done
 debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
- pr_warningln "$NODEIP:$PORT appears to only support SSLv2."
- ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
- [[ $? -ne 0 ]] && exit -2
+ if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
+ pr_warningln "$NODEIP:$PORT appears to only support SSLv2."
+ ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
+ [[ $? -ne 0 ]] && exit -2
+ fi
 fi
 grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190

From bc6367d3ad8a7104f046b77a58f35a4d0ecf1b52 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 26 Jul 2016 11:21:23 -0400
Subject: [PATCH 3/3] Update testssl.sh

---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index 436b70e..cb22fd7 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7840,7 +7840,7 @@ determine_optimal_proto() {
 done
 debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
 if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
- pr_warningln "$NODEIP:$PORT appears to only support SSLv2."
+ pr_magentaln "$NODEIP:$PORT appears to only support SSLv2."
 ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
 [[ $? -ne 0 ]] && exit -2
 fi
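Review bot: The `if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]` guard in the final hunk also fires when no protocol connected at all, because the loop introduced in patch 1 now ends with `-ssl2` (the trailing `''` was removed), so after a complete failure `$OPTIMAL_PROTO` is still `-ssl2` and the user is told the host "appears to only support SSLv2" and prompted to accept false results before the no-protocol case is handled further down, outside this hunk. Since the loop sets `all_failed=1` only on the successful `break` (and `0` otherwise — the flag name reads inverted relative to its meaning, which is worth a comment), the prompt should also require that flag: `if [[ "$OPTIMAL_PROTO" == "-ssl2" && $all_failed -eq 1 ]]; then`. The same block is introduced in the last hunk of patch 1 and rewrapped in patch 2, so the fix belongs wherever this lands. As a point of style, `ignore_no_or_lame "…"` followed by `[[ $? -ne 0 ]] && exit -2` reads more directly as `ignore_no_or_lame "…" || exit -2`. The body of determine_optimal_proto() begins and ends outside this hunk.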