Fix issue with run_protocols() in --ssl-native mode

This PR fixes a minor problem with run_protocols() in "--ssl-native" mode if $OPENSSL does not support TLS 1.3. Currently, the warning message that $OPENSSL does not support a protocol is printed when run_prototest_openssl() is called. This causes a problem for the output if $OPENSSL does not support TLS 1.3, since run_prototest_openssl() for TLS 1.3 is called before the results for TLS 1.2 are printed. The result is something like this:

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
Local problem: /home/cooper/Desktop/testssl.sh/bin/openssl.Linux.x86_64 doesn't support "s_client -tls1_3"
 TLS 1.2    offered (OK)
 TLS 1.3     NPN/SPDY   not offered
 ALPN/HTTP2 http/1.1 (offered)
This commit is contained in:
David Cooper 2019-11-06 15:58:38 -05:00 committed by GitHub
parent cd647ba2d0
commit 54fad800c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -4796,7 +4796,8 @@ locally_supported() {
run_prototest_openssl() { run_prototest_openssl() {
local -i ret=0 local -i ret=0
! locally_supported "$1" && return 7 # check whether the protocol being tested is supported by $OPENSSL
$OPENSSL s_client "$1" -connect x 2>&1 | grep -aq "unknown option" && return 7
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
ret=$? ret=$?
@ -4967,7 +4968,8 @@ run_protocols() {
fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310" fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310"
add_tls_offered ssl2 yes add_tls_offered ssl2 yes
;; ;;
7) fileout "$jsonID" "INFO" "not tested due to lack of local support" 7) prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""
fileout "$jsonID" "INFO" "not tested due to lack of local support"
((ret++)) ((ret++))
;; ;;
esac esac
@ -5030,7 +5032,7 @@ run_protocols() {
# can only happen in debug mode # can only happen in debug mode
pr_warning "strange reply, maybe a client side problem with SSLv3"; outln "$debug_recomm" pr_warning "strange reply, maybe a client side problem with SSLv3"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() prln_local_problem "$OPENSSL doesn't support \"s_client -ssl3\""
fileout "$jsonID" "WARN" "not tested due to lack of local support" fileout "$jsonID" "WARN" "not tested due to lack of local support"
fi fi
;; ;;
@ -5107,7 +5109,7 @@ run_protocols() {
# can only happen in debug mode # can only happen in debug mode
pr_warning "strange reply, maybe a client side problem with TLS 1.0"; outln "$debug_recomm" pr_warning "strange reply, maybe a client side problem with TLS 1.0"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() prln_local_problem "$OPENSSL doesn't support \"s_client -tls1\""
fileout "$jsonID" "WARN" "not tested due to lack of local support" fileout "$jsonID" "WARN" "not tested due to lack of local support"
fi fi
((ret++)) ((ret++))
@ -5188,7 +5190,7 @@ run_protocols() {
# can only happen in debug mode # can only happen in debug mode
pr_warning "strange reply, maybe a client side problem with TLS 1.1"; outln "$debug_recomm" pr_warning "strange reply, maybe a client side problem with TLS 1.1"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_1\""
fileout "$jsonID" "WARN" "not tested due to lack of local support" fileout "$jsonID" "WARN" "not tested due to lack of local support"
fi fi
((ret++)) ((ret++))
@ -5309,7 +5311,7 @@ run_protocols() {
# can only happen in debug mode # can only happen in debug mode
pr_warning "strange reply, maybe a client side problem with TLS 1.2"; outln "$debug_recomm" pr_warning "strange reply, maybe a client side problem with TLS 1.2"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_2\""
fileout "$jsonID" "WARN" "not tested due to lack of local support" fileout "$jsonID" "WARN" "not tested due to lack of local support"
fi fi
((ret++)) ((ret++))
@ -5462,7 +5464,7 @@ run_protocols() {
# can only happen in debug mode # can only happen in debug mode
prln_warning "strange reply, maybe a client side problem with TLS 1.3"; outln "$debug_recomm" prln_warning "strange reply, maybe a client side problem with TLS 1.3"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_3\""
fileout "$jsonID" "WARN" "not tested due to lack of local support" fileout "$jsonID" "WARN" "not tested due to lack of local support"
fi fi
((ret++)) ((ret++))
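Review bot: The inlined support probe in run_prototest_openssl() (`$OPENSSL s_client "$1" -connect x 2>&1 | grep -aq "unknown option" && return 7`, first hunk) matches the unsupported-option message case-sensitively, so if a given OpenSSL/LibreSSL build capitalises that message differently the probe returns 0, the real s_client run below is attempted with an option the binary rejects, and the result lands in the "strange reply" branch instead of the new "doesn't support" branch; the same text that previously lived in locally_supported() presumably had this property, but now that the check is duplicated it is worth making it `grep -aqi "unknown option"`. Note also that whenever the option is accepted, the probe goes on to resolve and try to connect to the literal host `x` before failing, which on a resolver with a search domain may reach an unintended host; the probe only needs argument parsing, so a comment such as `# only the option-parsing result matters here; the connect to "x" is expected to fail` would at least make the intent clear to the next reader. run_prototest_openssl() continues past the hunk, and each run_protocols() hunk starts and ends outside its case arm, so the other five hunks were reviewed only for the moved prln_local_problem lines, which look consistent with the SSLv2 arm.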