mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 04:49:44 +01:00
Small important fixes:
- In case of multiple IP testing, clear ERRFILE bettween runs - Zero return value with server connection close should be taken into account in the looping logic case too. Add it. - Break the wait loop in case of connection close for faster result. - Ignore "notAfter" in the wait loop for expired certificates. - Indentation and tab cleanup. Tested on 57 url with previously suspicious results with success. No regressions on 50 others.
This commit is contained in:
parent
979a22c126
commit
6d80ec189f
14
testssl.sh
14
testssl.sh
@ -17060,6 +17060,8 @@ run_renego() {
|
||||
# We will need $ERRFILE for mitigation detection
|
||||
if [[ $ERRFILE =~ dev.null ]]; then
|
||||
ERRFILE=$TEMPDIR/errorfile.txt || exit $ERR_FCREATE
|
||||
# cleanup previous run if any (multiple IP)
|
||||
rm -f $ERRFILE
|
||||
restore_errfile=1
|
||||
else
|
||||
restore_errfile=0
|
||||
@ -17105,14 +17107,16 @@ run_renego() {
|
||||
(j=0; while [[ $(grep -ac '^SSL-Session:' $TMPFILE) -ne 1 ]] && [[ $j -lt 30 ]]; do sleep $ssl_reneg_wait; ((j++)); done; \
|
||||
for ((i=0; i < ssl_reneg_attempts; i++ )); do sleep $ssl_reneg_wait; echo R; k=0; \
|
||||
while [[ $(grep -ac '^RENEGOTIATING' $ERRFILE) -ne $((i+3)) ]] && [[ -f $TEMPDIR/allowed_to_loop ]] \
|
||||
&& [[ $(tail -n1 $ERRFILE |grep -acE '^(RENEGOTIATING|depth|verify)') -eq 1 ]] && [[ $k -lt 120 ]]; \
|
||||
do sleep $ssl_reneg_wait; ((k++)); done; \
|
||||
&& [[ $(tail -n1 $ERRFILE |grep -acE '^(RENEGOTIATING|depth|verify|notAfter)') -eq 1 ]] \
|
||||
&& [[ $k -lt 120 ]]; \
|
||||
do sleep $ssl_reneg_wait; ((k++)); if (tail -5 $TMPFILE| grep -qa '^closed'); then sleep 1; break; fi; done; \
|
||||
done) | \
|
||||
$OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
|
||||
pid=$!
|
||||
( sleep $((ssl_reneg_attempts*3)) && kill $pid && touch $TEMPDIR/was_killed ) >&2 2>/dev/null &
|
||||
watcher=$!
|
||||
# Trick to get the return value of the openssl command, output redirection and a timeout. Yes, some target hang/block after some tries.
|
||||
# Trick to get the return value of the openssl command, output redirection and a timeout.
|
||||
# Yes, some target hang/block after some tries.
|
||||
wait $pid
|
||||
tmp_result=$?
|
||||
pkill -HUP -P $watcher
|
||||
@ -17120,6 +17124,10 @@ run_renego() {
|
||||
rm -f $TEMPDIR/allowed_to_loop
|
||||
# If we are here, we have done two successful renegotiation (-2) and do the loop
|
||||
loop_reneg=$(($(grep -ac '^RENEGOTIATING' $ERRFILE)-2))
|
||||
# As above, some servers close the connection and return value is zero
|
||||
if (tail -5 $TMPFILE| grep -qa '^closed'); then
|
||||
tmp_result=1
|
||||
fi
|
||||
if [[ -f $TEMPDIR/was_killed ]]; then
|
||||
tmp_result=2
|
||||
rm -f $TEMPDIR/was_killed
|
||||
|
Loading…
Reference in New Issue
Block a user