mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Merge pull request #1369 from dcooper16/run_protocols_ssl_native1
Fix issues with run_protocols() in --ssl-native mode
This commit is contained in:
Dirk Wetter
GitHub
commit
5c39ceafe1
42
testssl.sh
42
testssl.sh
@ -4784,8 +4784,8 @@ locally_supported() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# The protocol check in run_protocols needs to be redone. The using_socket part there kind of sucks.
|
# The protocol check in run_protocols needs to be redone. The using_sockets part there kind of sucks.
|
||||||
# 1) we need to have a variable where the results are being stored so that every other test doesn't have to do this agai
|
# 1) we need to have a variable where the results are being stored so that every other test doesn't have to do this again
|
||||||
# --> we have that but certain information like "downgraded" are not being passed. That's not ok for run_protocols()/
|
# --> we have that but certain information like "downgraded" are not being passed. That's not ok for run_protocols()/
|
||||||
# for all other functions we can use it
|
# for all other functions we can use it
|
||||||
# 2) the code is old and one can do that way better
|
# 2) the code is old and one can do that way better
|
||||||
@ -4796,17 +4796,24 @@ locally_supported() {
|
|||||||
run_prototest_openssl() {
|
run_prototest_openssl() {
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
|
|
||||||
! locally_supported "$1" && return 7
|
# check whether the protocol being tested is supported by $OPENSSL
|
||||||
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client "$1" -connect x 2>&1 | grep -aq "unknown option" && return 7
|
||||||
|
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>&1 </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
ret=$?
|
ret=$?
|
||||||
debugme grep -E "error|failure" $ERRFILE | grep -Eav "unable to get local|verify error"
|
debugme grep -E "error|failure" $ERRFILE | grep -Eav "unable to get local|verify error"
|
||||||
# try again without $PROXY
|
if [[ $ret -ne 0 ]]; then
|
||||||
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
if grep -aq "no cipher list" $TMPFILE; then
|
||||||
sclient_connect_successful $? $TMPFILE
|
ret=5 # <--- important indicator for SSL2 (maybe others, too)
|
||||||
ret=$?
|
else
|
||||||
debugme grep -E "error|failure" $ERRFILE | grep -Eav "unable to get local|verify error"
|
# try again without $PROXY
|
||||||
grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
|
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>&1 </dev/null
|
||||||
|
sclient_connect_successful $? $TMPFILE
|
||||||
|
ret=$?
|
||||||
|
debugme grep -E "error|failure" $ERRFILE | grep -Eav "unable to get local|verify error"
|
||||||
|
grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
|
||||||
|
fi
|
||||||
|
fi
|
||||||
tmpfile_handle ${FUNCNAME[0]}$1.txt
|
tmpfile_handle ${FUNCNAME[0]}$1.txt
|
||||||
return $ret
|
return $ret
|
||||||
|
|
||||||
@ -4963,11 +4970,12 @@ run_protocols() {
|
|||||||
fileout "$jsonID" "OK" "not offered"
|
fileout "$jsonID" "OK" "not offered"
|
||||||
add_tls_offered ssl2 no
|
add_tls_offered ssl2 no
|
||||||
;;
|
;;
|
||||||
5) pr_svrty_high "CVE-2015-3197: $supported_no_ciph2";
|
5) prln_svrty_high "CVE-2015-3197: $supported_no_ciph2";
|
||||||
fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310"
|
fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310"
|
||||||
add_tls_offered ssl2 yes
|
add_tls_offered ssl2 yes
|
||||||
;;
|
;;
|
||||||
7) fileout "$jsonID" "INFO" "not tested due to lack of local support"
|
7) prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""
|
||||||
|
fileout "$jsonID" "INFO" "not tested due to lack of local support"
|
||||||
((ret++))
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -5030,7 +5038,7 @@ run_protocols() {
|
|||||||
# can only happen in debug mode
|
# can only happen in debug mode
|
||||||
pr_warning "strange reply, maybe a client side problem with SSLv3"; outln "$debug_recomm"
|
pr_warning "strange reply, maybe a client side problem with SSLv3"; outln "$debug_recomm"
|
||||||
else
|
else
|
||||||
# warning on screen came already from locally_supported()
|
prln_local_problem "$OPENSSL doesn't support \"s_client -ssl3\""
|
||||||
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -5107,7 +5115,7 @@ run_protocols() {
|
|||||||
# can only happen in debug mode
|
# can only happen in debug mode
|
||||||
pr_warning "strange reply, maybe a client side problem with TLS 1.0"; outln "$debug_recomm"
|
pr_warning "strange reply, maybe a client side problem with TLS 1.0"; outln "$debug_recomm"
|
||||||
else
|
else
|
||||||
# warning on screen came already from locally_supported()
|
prln_local_problem "$OPENSSL doesn't support \"s_client -tls1\""
|
||||||
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
||||||
fi
|
fi
|
||||||
((ret++))
|
((ret++))
|
||||||
@ -5188,7 +5196,7 @@ run_protocols() {
|
|||||||
# can only happen in debug mode
|
# can only happen in debug mode
|
||||||
pr_warning "strange reply, maybe a client side problem with TLS 1.1"; outln "$debug_recomm"
|
pr_warning "strange reply, maybe a client side problem with TLS 1.1"; outln "$debug_recomm"
|
||||||
else
|
else
|
||||||
# warning on screen came already from locally_supported()
|
prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_1\""
|
||||||
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
||||||
fi
|
fi
|
||||||
((ret++))
|
((ret++))
|
||||||
@ -5309,7 +5317,7 @@ run_protocols() {
|
|||||||
# can only happen in debug mode
|
# can only happen in debug mode
|
||||||
pr_warning "strange reply, maybe a client side problem with TLS 1.2"; outln "$debug_recomm"
|
pr_warning "strange reply, maybe a client side problem with TLS 1.2"; outln "$debug_recomm"
|
||||||
else
|
else
|
||||||
# warning on screen came already from locally_supported()
|
prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_2\""
|
||||||
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
||||||
fi
|
fi
|
||||||
((ret++))
|
((ret++))
|
||||||
@ -5462,7 +5470,7 @@ run_protocols() {
|
|||||||
# can only happen in debug mode
|
# can only happen in debug mode
|
||||||
prln_warning "strange reply, maybe a client side problem with TLS 1.3"; outln "$debug_recomm"
|
prln_warning "strange reply, maybe a client side problem with TLS 1.3"; outln "$debug_recomm"
|
||||||
else
|
else
|
||||||
# warning on screen came already from locally_supported()
|
prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_3\""
|
||||||
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
||||||
fi
|
fi
|
||||||
((ret++))
|
((ret++))
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user