From 615a93e69e881d526c063ce4b85247dcd56404ed Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 22 Jul 2017 20:57:32 +0200
Subject: [PATCH 1/2] in html mode the sed statement for the server banner had and error resulting in sed messages like "unknown option to s"

---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index 6a42a73..1e71df6 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1923,7 +1923,7 @@ emphasize_stuff_in_headers(){
 -e "s/Win64/${html_yellow}Win64${html_off}/g" \
 -e "s/Ubuntu/${html_yellow}Ubuntu${html_off}/g" \
 -e "s/ubuntu/${html_yellow}ubuntu${html_off}/g" \
- -e "s/stretch//${html_yellow}stretch${html_off}/g" \
+ -e "s/stretch/${html_yellow}stretch${html_off}/g" \
 -e "s/jessie/${html_yellow}jessie${html_off}/g" \
 -e "s/squeeze/${html_yellow}squeeze${html_off}/g" \
 -e "s/wheezy/${html_yellow}wheezy${html_off}/g" \

From 3adb5ac71f70f618d5640119e95fea7d8fe6676e Mon Sep 17 00:00:00 2001
From: Dirk
Date: Tue, 25 Jul 2017 10:54:01 +0200
Subject: [PATCH 2/2] Logic for POODLE && TLS_FALLBACK_SCSV

If vulnernable to POODLE and has no TLS_FALLBACK_SCSV ==> HIGH. If only run the fallback check and it has none, still label it as MEDIUM but issue a clear warning that test under this circumstances is incomplete.
---
 testssl.sh | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 1e71df6..e4179c7 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -262,6 +262,7 @@ SOCK_REPLY_FILE=""
 NW_STR=""
 LEN_STR=""
 SNI=""
+POODLE="" # keep vulnerability status for TLS_FALLBACK_SCSV
 OSSL_VER="" # openssl version, will be auto-determined
 OSSL_VER_MAJOR=0
 OSSL_VER_MINOR=0
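Review bot: The corrected `s/stretch/${html_yellow}stretch${html_off}/g` still uses `/` as the sed delimiter while both halves of the substitution are shell-interpolated, so any `/` inside `html_yellow` or `html_off` (an HTML closing tag would contain one) reproduces the very "unknown option to s" failure this commit fixes, unless those values are pre-escaped where they are defined — that definition is outside the hunk, so I cannot confirm it here. Switching every `-e` expression in this sed call to a delimiter that cannot appear in the markup, e.g. `-e "s|stretch|${html_yellow}stretch${html_off}|g"`, removes the dependency on escaping and is a one-character change per line. The sed invocation and the enclosing function `emphasize_stuff_in_headers` both start and end outside the hunk.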
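Review bot: The comment on the new `POODLE=""` global names its consumer but not the value encoding, which is what a later reader of run_tls_fallback_scsv needs: according to the next hunk of this commit, `0` means the SSLv3+CBC handshake succeeded (vulnerable), `1` means not vulnerable, and the initial empty string means run_ssl_poodle has not reported a result. I would replace the trailing comment with `# set by run_ssl_poodle: 0 = vulnerable, 1 = not vulnerable, "" = not tested; read by run_tls_fallback_scsv`. The neighbouring globals in this hunk (`SNI`, `OSSL_VER`) follow the same "empty until determined" convention, so the sentinel is consistent with the file; only its meaning is undocumented.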
@@ -9859,9 +9860,11 @@ run_ssl_poodle() {
 [[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
 fi
 if [[ $sclient_success -eq 0 ]]; then
+ POODLE=0
 pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
 fileout "poodle_ssl" "HIGH" "POODLE, SSL: VULNERABLE, uses SSLv3+CBC" "$cve" "$cwe" "$hint"
 else
+ POODLE=1
 pr_done_best "not vulnerable (OK)";
 if "$using_sockets"; then
 fileout "poodle_ssl" "OK" "POODLE, SSL: not vulnerable" "$cve" "$cwe"
@@ -9925,9 +9928,20 @@ run_tls_fallback_scsv() {
 $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE
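Review bot: The added `POODLE=0` / `POODLE=1` assignments encode the result in the exit-status sense of `sclient_success` (0 = handshake succeeded = vulnerable), which reads as the opposite of a boolean and is easy to invert in the consumer; a short comment on each assignment, `POODLE=0   # vulnerable: SSLv3+CBC handshake succeeded` and `POODLE=1   # not vulnerable`, fixes the meaning at the point where it is decided. Both assignments are inside the `if [[ $sclient_success -eq 0 ]]` branches, so any path that leaves run_ssl_poodle before reaching this `if` (the function starts well before the hunk, so I cannot see whether such early returns exist) leaves POODLE at its initial `""`; run_tls_fallback_scsv must therefore treat `""` as "not tested" and never as "not vulnerable", which the commit message describes but the visible part of the second hunk does not show. run_ssl_poodle continues past the end of this hunk.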