Merge pull request #2150 from dcooper16/no_session_id

Fix setting NO_SESSION_ID
This commit is contained in:
Dirk Wetter 2022-04-14 13:19:24 +02:00 committed by GitHub
commit 54e5469411
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 7 deletions

View File

@ -284,7 +284,7 @@ ERRFILE=""
CLIENT_AUTH="none" CLIENT_AUTH="none"
CLIENT_AUTH_CA_LIST="" CLIENT_AUTH_CA_LIST=""
TLS_TICKETS=false TLS_TICKETS=false
NO_SSL_SESSIONID=false NO_SSL_SESSIONID=true
CERT_COMPRESSION=${CERT_COMPRESSION:-false} # secret flag to set in addition to --devel for certificate compression CERT_COMPRESSION=${CERT_COMPRESSION:-false} # secret flag to set in addition to --devel for certificate compression
HOSTCERT="" # File with host certificate, without intermediate certificate HOSTCERT="" # File with host certificate, without intermediate certificate
HEADERFILE="" HEADERFILE=""
@ -7563,14 +7563,19 @@ tls_time() {
# #
sclient_connect_successful() { sclient_connect_successful() {
local server_hello="$(cat -v "$2")" local server_hello="$(cat -v "$2")"
local connect_success=false
local re='Master-Key: ([^\ local re='Master-Key: ([^\
]*)' ]*)'
[[ $1 -eq 0 ]] && return 0 [[ $1 -eq 0 ]] && connect_success=true
if [[ "$server_hello" =~ $re ]]; then if ! "$connect_success" && [[ "$server_hello" =~ $re ]]; then
[[ -n "${BASH_REMATCH[1]}" ]] && return 0 [[ -n "${BASH_REMATCH[1]}" ]] && connect_success=true
fi
! "$connect_success" && [[ "$server_hello" =~ (New|Reused)", "(SSLv[23]|TLSv1(\.[0-3])?(\/SSLv3)?)", Cipher is "([A-Z0-9]+-[A-Za-z0-9\-]+|TLS_[A-Za-z0-9_]+) ]] && connect_success=true
if "$connect_success"; then
"$NO_SSL_SESSIONID" && [[ "$server_hello" =~ Session-ID:\ [a-fA-F0-9]{2,64} ]] && NO_SSL_SESSIONID=false
return 0
fi fi
[[ "$server_hello" =~ (New|Reused)", "(SSLv[23]|TLSv1(\.[0-3])?(\/SSLv3)?)", Cipher is "([A-Z0-9]+-[A-Za-z0-9\-]+|TLS_[A-Za-z0-9_]+) ]] && return 0
# what's left now is: master key empty and Session-ID not empty # what's left now is: master key empty and Session-ID not empty
# ==> probably client-based auth with x509 certificate. We handle that at other places # ==> probably client-based auth with x509 certificate. We handle that at other places
# #
@ -14194,6 +14199,7 @@ parse_tls_serverhello() {
fi fi
done done
fi fi
[[ "0x${DETECTED_TLS_VERSION:2:2}" -le "0x03" ]] && [[ $tls_sid_len -gt 0 ]] && NO_SSL_SESSIONID=false
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
echo "Protocol : SSLv3" >> $TMPFILE echo "Protocol : SSLv3" >> $TMPFILE
@ -21050,7 +21056,7 @@ sclient_auth() {
connect_success=true connect_success=true
if "$connect_success"; then if "$connect_success"; then
[[ ! "$server_hello" =~ Session-ID:\ [a-fA-F0-9]{2,64} ]] && NO_SSL_SESSIONID=true [[ "$server_hello" =~ Session-ID:\ [a-fA-F0-9]{2,64} ]] && NO_SSL_SESSIONID=false
# we needed to set this for later # we needed to set this for later
if [[ "$server_hello" =~ \<\<\<\ (SSL\ [23]|TLS\ 1)(\.[0-3])?[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]]; then if [[ "$server_hello" =~ \<\<\<\ (SSL\ [23]|TLS\ 1)(\.[0-3])?[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]]; then
@ -23285,7 +23291,7 @@ reset_hostdepended_vars() {
KNOWN_OSSL_PROB=false KNOWN_OSSL_PROB=false
TLS13_ONLY=false TLS13_ONLY=false
CLIENT_AUTH="none" CLIENT_AUTH="none"
NO_SSL_SESSIONID=false NO_SSL_SESSIONID=true
DH_GROUP_OFFERED="" DH_GROUP_OFFERED=""
DH_GROUP_LEN_P=0 DH_GROUP_LEN_P=0
KEY_SHARE_EXTN_NR="33" KEY_SHARE_EXTN_NR="33"