From 95a7b7076533837df42eb8cc26c4734c99b5286c Mon Sep 17 00:00:00 2001
From: Dirk Wetter <dirk@testssl.sh>
Date: Fri, 9 Aug 2019 19:35:11 +0200
Subject: [PATCH] Fix misleading CVE in Secure Renegotiation

For some reason CVE-2009-3555 ended up in Secure Renegotiation,
whereas CVE-2009-3555 is in fact the Insecure Client-Side Renegotiation
vulnerability with the MiTM problem <= OpenSSl 0.9.8k.

This fixes that (see also #1086 and #933, #907) by removing the CVE #
from the output. Also tyhe output was changed for Secure Renegotiation
into supported/not vulnerable vs. Not supported / VULNERABLE

Some comments were added.
---
 testssl.sh | 53 ++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 34 insertions(+), 19 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 4f8c3d8..a03aecb 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -14050,35 +14050,37 @@ run_ticketbleed() {
      return $ret
 }
 
-
+# Overview @ http://www.exploresecurity.com/wp-content/uploads/custom/SSL_manual_cheatsheet.html
+#
 run_renego() {
-# no SNI here. Not needed as there won't be two different SSL stacks for one IP
      local legacycmd="" proto="$OPTIMAL_PROTO"
-     local insecure_renogo_str="Secure Renegotiation IS NOT"
      local sec_renego sec_client_renego
      local -i ret=0
-     local cve="CVE-2009-3555"
+     local cve=""
      local cwe="CWE-310"
      local hint=""
      local jsonID=""
+     # No SNI needed here as there won't be two different SSL stacks for one IP
 
      "$HAS_TLS13" && [[ -z "$proto" ]] && proto="-no_tls1_3"
 
      [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Renegotiation vulnerabilities " && outln
 
-     pr_bold " Secure Renegotiation "; out "($cve)      "    # and RFC 5746, OSVDB 59968-59974
-     jsonID="secure_renego"                                  # community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
-     $OPENSSL s_client $(s_client_options "$proto $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI $PROXY") 2>&1 </dev/null >$TMPFILE 2>$ERRFILE
+     pr_bold " Secure Renegotiation (RFC 5746)           "
+     jsonID="secure_renego"
+     # first fingerprint for the Line "Secure Renegotiation IS NOT" or "Secure Renegotiation IS "
+     $OPENSSL s_client $(s_client_options "$proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") 2>&1 </dev/null >$TMPFILE 2>$ERRFILE
      if sclient_connect_successful $? $TMPFILE; then
-          grep -iaq "$insecure_renogo_str" $TMPFILE
+          grep -iaq "Secure Renegotiation IS NOT" $TMPFILE
           sec_renego=$?                                                    # 0= Secure Renegotiation IS NOT supported
-#FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported"
+          # grep -iaq "Secure Renegotiation IS supported"
+          #FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported"
           case $sec_renego in
-               0)   prln_svrty_critical "VULNERABLE (NOT ok)"
+               0)   prln_svrty_critical "Not supported / VULNERABLE (NOT ok)"
                     fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
                     ;;
-               1)   prln_svrty_best "not vulnerable (OK)"
-                    fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
+               1)   prln_svrty_best "supported (OK)"
+                    fileout "$jsonID" "OK" "supported" "$cve" "$cwe"
                     ;;
                *)   prln_warning "FIXME (bug): $sec_renego"
                     fileout "$jsonID" "WARN" "FIXME (bug) $sec_renego" "$cve" "$cwe"
@@ -14089,10 +14091,18 @@ run_renego() {
           fileout "$jsonID" "WARN" "OpenSSL handshake didn't succeed" "$cve" "$cwe"
      fi
 
-     # see: https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
-     #      http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html -- head/get doesn't seem to be needed though
-     pr_bold " Secure Client-Initiated Renegotiation     "  # RFC 5746
+     # FIXME: Basically this can be done with sockets and we might have that information already
+     # see https://tools.ietf.org/html/rfc5746#section-3.4: 'The client MUST include either an empty "renegotiation_info"
+     # extension, or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the ClientHello. [..]
+     # When a ServerHello is received, the client MUST check if it includes the "renegotiation_info" extension:
+     # If the extension is not present, the server does not support secure renegotiation'
+
+
+     pr_bold " Secure Client-Initiated Renegotiation     "
      jsonID="secure_client_renego"
+     # see: https://blog.qualys.com/ssllabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
+     #      http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html -- head/get doesn't seem to be needed though
+     #      https://archive.fo/20130415224936/http://www.thc.org/thc-ssl-dos/, https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation
      case "$OSSL_VER" in
           0.9.8*)             # we need this for Mac OSX unfortunately
                case "$OSSL_VER_APPENDIX" in
@@ -14112,6 +14122,7 @@ run_renego() {
                ;;   # all ok
      esac
 
+
      if "$CLIENT_AUTH"; then
           prln_warning "client x509-based authentication prevents this from being tested"
           fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested"
@@ -14119,7 +14130,7 @@ run_renego() {
      else
           # We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
           # msg enables us to look deeper into it while debugging
-          echo R | $OPENSSL s_client $(s_client_options "$proto $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY") >$TMPFILE 2>>$ERRFILE &
+          echo R | $OPENSSL s_client $(s_client_options "$proto $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE &
           wait_kill $! $HEADER_MAXSLEEP
           if [[ $? -eq 3 ]]; then
                pr_svrty_good "likely not vulnerable (OK)"; outln ", timed out"        # it hung
@@ -14127,10 +14138,10 @@ run_renego() {
                sec_client_renego=1
           else
                # second try in the foreground as we are sure now it won't hang
-               echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $SNI $PROXY") >$TMPFILE 2>>$ERRFILE
+               echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE
                sec_client_renego=$?                                                  # 0=client is renegotiating & doesn't return an error --> vuln!
                case "$sec_client_renego" in
-                    0)   if [[ $SERVICE == "HTTP" ]]; then
+                    0)   if [[ $SERVICE == HTTP ]]; then
                               pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat"
                               fileout "$jsonID" "HIGH" "VULNERABLE, DoS threat" "$cve" "$cwe" "$hint"
                          else
@@ -14151,7 +14162,11 @@ run_renego() {
           fi
      fi
 
-     #FIXME Insecure Client-Initiated Renegotiation is missing ==> sockets
+     #pr_bold " Insecure Client-Initiated Renegotiation  "  # pre-RFC 5746, CVE-2009-3555
+     #jsonID="insecure_client_renego"
+     #
+     # https://www.openssl.org/news/vulnerabilities.html#y2009. It can only be tested with OpenSSL <=0.9.8k
+     # Insecure Client-Initiated Renegotiation is missing ==> sockets. When we complete the handshake ;-)
 
      tmpfile_handle ${FUNCNAME[0]}.txt
      return $ret