Merge branch '2.9dev' into yaSSL_client_simulation

testssl.sh

@@ -262,6 +262,7 @@ SOCK_REPLY_FILE=""
 NW_STR=""
 LEN_STR=""
 SNI=""
+POODLE=""                               # keep vulnerability status for TLS_FALLBACK_SCSV
 OSSL_VER=""                             # openssl version, will be auto-determined
 OSSL_VER_MAJOR=0
 OSSL_VER_MINOR=0
@@ -1923,7 +1924,7 @@ emphasize_stuff_in_headers(){
                     -e "s/Win64/${html_yellow}Win64${html_off}/g" \
                     -e "s/Ubuntu/${html_yellow}Ubuntu${html_off}/g" \
                     -e "s/ubuntu/${html_yellow}ubuntu${html_off}/g" \
-                    -e "s/stretch//${html_yellow}stretch${html_off}/g" \
+                    -e "s/stretch/${html_yellow}stretch${html_off}/g" \
                     -e "s/jessie/${html_yellow}jessie${html_off}/g" \
                     -e "s/squeeze/${html_yellow}squeeze${html_off}/g" \
                     -e "s/wheezy/${html_yellow}wheezy${html_off}/g" \
@@ -9875,9 +9876,11 @@ run_ssl_poodle() {
           [[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
      fi
      if [[ $sclient_success -eq 0 ]]; then
+          POODLE=0
           pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
           fileout "poodle_ssl" "HIGH" "POODLE, SSL: VULNERABLE, uses SSLv3+CBC" "$cve" "$cwe" "$hint"
      else
+          POODLE=1
           pr_done_best "not vulnerable (OK)";
           if "$using_sockets"; then
                fileout "poodle_ssl" "OK" "POODLE, SSL: not vulnerable" "$cve" "$cwe"
@@ -9941,9 +9944,20 @@ run_tls_fallback_scsv() {
           $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE </dev/null
           if grep -q "CONNECTED(00" "$TMPFILE"; then
                if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
-                    pr_svrty_medium "Downgrade attack prevention NOT supported"
-                    fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
-                    ret=1
+                    if [[ -z "$POODLE" ]]; then
+                         pr_warning "Rerun including POODLE SSL check. "
+                         pr_svrty_medium "Downgrade attack prevention NOT supported"
+                         fileout "fallback_scsv" "WARNING" "TLS_FALLBACK_SCSV (RFC 7507): Downgrade attack prevention NOT supported. Pls rerun wity POODLE SSL check"
+                         ret=1
+                    elif [[ "$POODLE" -eq 0 ]]; then
+                         pr_svrty_high "Downgrade attack prevention NOT supported and vulnerable to POODLE SSL"
+                         fileout "fallback_scsv" "HIGH" "TLS_FALLBACK_SCSV (RFC 7507): Downgrade attack prevention NOT supported and vulnerable to POODLE SSL"
+                         ret=0
+                    else
+                         pr_svrty_medium "Downgrade attack prevention NOT supported"
+                         fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507): Downgrade attack prevention NOT supported"
+                         ret=1
+                    fi
                elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
                     pr_done_good "Downgrade attack prevention supported (OK)"
                     fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported"