From 5b26b9931b41d03bfc8516275eec101b6749c4b7 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Thu, 7 Apr 2022 14:09:16 -0400 Subject: [PATCH] Fix #2138 in 3.0 branch This commit fixes #2138 in the 3.0 branch. --- testssl.sh | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 6c5d622..c18165d 100755 --- a/testssl.sh +++ b/testssl.sh @@ -912,14 +912,19 @@ fileout_insert_warning() { [[ "$CMDLINE=" =~ -iL ]] && return 0 # Note we still have the message on screen + in HTML which is not as optimal as it could be - if "$do_pretty_json"; then + if "$do_pretty_json" && "$JSONHEADER"; then echo -e " \"clientProblem${CLIENT_PROB_NO}\" : [" >>"$JSONFILE" CLIENT_PROB_NO=$((CLIENT_PROB_NO + 1)) FIRST_FINDING=true # make sure we don't have a comma here fi fileout "$1" "$2" "$3" if "$do_pretty_json"; then - echo -e "\n ]," >>"$JSONFILE" + if "$JSONHEADER"; then + echo -e "\n ]," >>"$JSONFILE" + else + echo -e ", " >>"$JSONFILE" + fi + FIRST_FINDING=true fi } @@ -18535,6 +18540,7 @@ determine_optimal_proto() { local all_failed=true local tmp="" local proto optimal_proto + local jsonID="optimal_proto" "$do_tls_sockets" && return 0 @@ -18601,6 +18607,7 @@ determine_optimal_proto() { if [[ "$optimal_proto" == -ssl2 ]]; then prln_magenta "$NODEIP:$PORT appears to only support SSLv2." + fileout "$jsonID" "WARN" "$NODEIP:$PORT appears to only support SSLv2." ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes" [[ $? -ne 0 ]] && exit $ERR_CLUELESS elif "$all_failed" && ! "$ALL_FAILED_SOCKETS"; then 
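Review bot: In `fileout_insert_warning`, the new `else` branch always appends `", "` after the finding and then sets `FIRST_FINDING=true`, so the output stays valid only if another finding is always written into the same JSON array afterwards. If a warning can ever be the last entry before that array is closed, the report ends in a trailing comma and strict parsers that ingest these files will reject it; the callers that decide this are outside the hunk. Either leave the separator to the next `fileout` call (assuming `fileout` maintains `FIRST_FINDING` itself, which is not visible here), or state the assumption next to the branch, e.g. `# JSONHEADER=false: we are inside an already opened section; a further finding must follow because we emit the separator here`. The function starts above the hunk.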
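Review bot: The sentence passed to `fileout` in the `-ssl2` branch repeats the literal already given to `prln_magenta` on the line above, so the screen and file output can drift apart when only one of them is edited. Holding the text once, e.g. `local msg="$NODEIP:$PORT appears to only support SSLv2."` followed by `prln_magenta "$msg"` and `fileout "$jsonID" "WARN" "$msg"`, keeps them in step; the same applies to the "cannot connect" and "only worked using $OPENSSL" additions in the later hunks. All the new findings also share the id `optimal_proto` and severity `WARN`, so a report consumer can tell an SSLv2-only target from an unreachable one only by parsing free text; a one-line comment at the `jsonID` declaration saying this is intended would help. The body of `determine_optimal_proto` extends beyond the hunk.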
@@ -18608,6 +18615,7 @@ determine_optimal_proto() { pr_magenta " $NODE:$PORT appears to support TLS 1.3 ONLY. You better use --openssl=" if ! "$OSSL_SHORTCUT" || [[ ! -x /usr/bin/openssl ]] || /usr/bin/openssl s_client -tls1_3 2>&1 | grep -aiq "unknown option"; then outln + fileout "$jsonID" "WARN" "$NODE:$PORT appears to support TLS 1.3 ONLY, but $OPENSSL does not support TLS 1.3" ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes" [[ $? -ne 0 ]] && exit $ERR_CLUELESS MAX_OSSL_FAIL=10 @@ -18624,11 +18632,13 @@ determine_optimal_proto() { [[ "$(has_server_protocol "tls1_2")" -ne 0 ]] && [[ "$(has_server_protocol "tls1_1")" -ne 0 ]] && [[ "$(has_server_protocol "tls1")" -ne 0 ]]; then prln_magenta " $NODE:$PORT appears to support SSLv3 ONLY. You better use --openssl=" + fileout "$jsonID" "WARN" "$NODE:$PORT appears to support SSLv3 ONLY, but $OPENSSL does not support SSLv3." ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes" [[ $? -ne 0 ]] && exit $ERR_CLUELESS MAX_OSSL_FAIL=10 else prln_bold " Your OpenSSL cannot connect to $NODEIP:$PORT" + fileout "$jsonID" "WARN" "Your OpenSSL cannot connect to $NODEIP:$PORT." ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes" [[ $? -ne 0 ]] && exit $ERR_CLUELESS fi @@ -18636,8 +18646,10 @@ determine_optimal_proto() { outln if "$HAS_IPv6"; then pr_bold " Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT " + fileout "$jsonID" "WARN" "Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server." else pr_bold " $NODEIP:$PORT " + fileout "$jsonID" "WARN" "$NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server." fi tmpfile_handle ${FUNCNAME[0]}.txt prln_bold "doesn't seem to be a TLS/SSL enabled server"; 
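Review bot: The `fileout` call added in the TLS 1.3 branch interpolates `$NODE` and `$OPENSSL` into text that is written to the JSON/CSV report, and `fileout` is defined outside this diff, so its escaping cannot be checked here. `$OPENSSL` is the path of the binary in use (the screen text itself points the user to `--openssl=`), and `$NODE` presumably comes from the command line, so a value containing a double quote or backslash would reach the report writer. Please confirm that `fileout` neutralises such characters, and consider recording the expectation at the call site, e.g. `# $NODE/$OPENSSL are user-influenced; fileout() must escape them for JSON and CSV`. The same holds for the `$OPENSSL` messages added in the SSLv3-only, IPv6 and "only worked using" hunks. The enclosing function starts and ends outside the hunk.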
@@ -18649,6 +18661,7 @@ determine_optimal_proto() { # FIXME: Should we include some sort of "please report" note here? prln_magenta " Testing with $NODE:$PORT only worked using $OPENSSL." prln_magenta " Test results may be somewhat better if the --ssl-native option is used." + fileout "$jsonID" "WARN" "Testing with $NODE:$PORT only worked using $OPENSSL." ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes" [[ $? -ne 0 ]] && exit $ERR_CLUELESS fi