From 2ed317441f3320e1e3150dc579f9f97060591159 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Wed, 15 Jan 2020 12:11:57 +0100
Subject: [PATCH] Reimplement mitigation check (renegotiation->node.js)

See #1070, kudos @poupas. In addition it checks whether the first result was positive (in terms of a finding). If so it does 4 rounds and checks the result. So that other servers won't be penalized with 4 seconds.
---
 testssl.sh | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index c2f9584..d902f60 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -14407,12 +14407,28 @@ run_renego() {
 echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE
 sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln!
 case "$sec_client_renego" in
- 0) if [[ $SERVICE == HTTP ]]; then
- pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat"
- fileout "$jsonID" "HIGH" "VULNERABLE, DoS threat" "$cve" "$cwe" "$hint"
- else
+ 0) # We try again if server is HTTP. This could be either a node.js server or something else.
+ # node.js has a mitigation which allows 3x R and then blocks. So we test 4x
+ # This way we save a couple seconds as we weeded out the ones which are more robust
+ if [[ $SERVICE != HTTP ]]; then
 pr_svrty_medium "VULNERABLE (NOT ok)"; outln ", potential DoS threat"
 fileout "$jsonID" "MEDIUM" "VULNERABLE, potential DoS threat" "$cve" "$cwe" "$hint"
+ else
+ (for i in {1..4}; do echo R; sleep 1; done) | \
+ $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE
+ case $? in
+ 0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat"
+ fileout "$jsonID" "HIGH" "VULNERABLE, DoS threat" "$cve" "$cwe" "$hint"
+ ;;
+ 1) pr_svrty_good "not vulnerable (OK)"
+ outln " -- mitigated"
+ fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
+ ;;
+ *) prln_warning "FIXME (bug): $sec_client_renego (4 tries)"
+ fileout "$jsonID" "DEBUG" "FIXME (bug 4 tries) $sec_client_renego" "$cve" "$cwe"
+ ret=1
+ ;;
+ esac
 fi
 ;;
 1)
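Review bot: The `*)` arm of the inner case prints and logs `$sec_client_renego`, but that variable still holds the exit status of the first single-R probe (necessarily 0 on this path), so the FIXME warning and the DEBUG fileout can never show the status of the 4-try run that actually fell through. Capture the status before switching on it — `sec_client_renego=$?` directly after the `$OPENSSL s_client` pipeline, then `case "$sec_client_renego" in` — and the existing messages report the right value; note `$?` is the status of the last pipeline stage, which is s_client, so the `sleep`/`echo` subshell does not mask it. The `1)` arm treats any exit status 1 from s_client as proof of the node.js-style limit, so a connection that drops for an unrelated reason during the four-second loop would also be recorded as "mitigated"; a comment such as `# 1 = server closed the connection after repeated R; taken as mitigation (heuristic)` would make that assumption visible to the next reader. run_renego's body begins before and continues after this hunk, so the outer `1)` arm is not visible here.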