Merge branch '2.9dev' into yaSSL_client_simulation

2025-11-03 23:35:26 +01:00 · 2017-07-25 08:48:05 -04:00
parent c370f2359b 3adb5ac71f
commit 6be478da0b
1 changed files with 18 additions and 4 deletions
--- a/testssl.sh
+++ b/testssl.sh
@@ -262,6 +262,7 @@ SOCK_REPLY_FILE=""
 NW_STR=""
 LEN_STR=""
 SNI=""
+POODLE=""                               # keep vulnerability status for TLS_FALLBACK_SCSV
 OSSL_VER=""                             # openssl version, will be auto-determined
 OSSL_VER_MAJOR=0
 OSSL_VER_MINOR=0
@@ -1923,7 +1924,7 @@ emphasize_stuff_in_headers(){
                    -e "s/Win64/${html_yellow}Win64${html_off}/g" \
                    -e "s/Ubuntu/${html_yellow}Ubuntu${html_off}/g" \
                    -e "s/ubuntu/${html_yellow}ubuntu${html_off}/g" \
-                    -e "s/stretch//${html_yellow}stretch${html_off}/g" \
+                    -e "s/stretch/${html_yellow}stretch${html_off}/g" \
                    -e "s/jessie/${html_yellow}jessie${html_off}/g" \
                    -e "s/squeeze/${html_yellow}squeeze${html_off}/g" \
                    -e "s/wheezy/${html_yellow}wheezy${html_off}/g" \
@@ -9875,9 +9876,11 @@ run_ssl_poodle() {
          [[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
     fi
     if [[ $sclient_success -eq 0 ]]; then
+          POODLE=0
          pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
          fileout "poodle_ssl" "HIGH" "POODLE, SSL: VULNERABLE, uses SSLv3+CBC" "$cve" "$cwe" "$hint"
     else
+          POODLE=1
          pr_done_best "not vulnerable (OK)";
          if "$using_sockets"; then
               fileout "poodle_ssl" "OK" "POODLE, SSL: not vulnerable" "$cve" "$cwe"
@@ -9941,9 +9944,20 @@ run_tls_fallback_scsv() {
          $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE </dev/null
          if grep -q "CONNECTED(00" "$TMPFILE"; then
               if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
+                    if [[ -z "$POODLE" ]]; then
+                         pr_warning "Rerun including POODLE SSL check. "
                         pr_svrty_medium "Downgrade attack prevention NOT supported"
-                    fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
+                         fileout "fallback_scsv" "WARNING" "TLS_FALLBACK_SCSV (RFC 7507): Downgrade attack prevention NOT supported. Pls rerun wity POODLE SSL check"
                         ret=1
+                    elif [[ "$POODLE" -eq 0 ]]; then
+                         pr_svrty_high "Downgrade attack prevention NOT supported and vulnerable to POODLE SSL"
+                         fileout "fallback_scsv" "HIGH" "TLS_FALLBACK_SCSV (RFC 7507): Downgrade attack prevention NOT supported and vulnerable to POODLE SSL"
+                         ret=0
+                    else
+                         pr_svrty_medium "Downgrade attack prevention NOT supported"
+                         fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507): Downgrade attack prevention NOT supported"
+                         ret=1
+                    fi
               elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
                    pr_done_good "Downgrade attack prevention supported (OK)"
                    fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported"