From 7a1fb0b3b9d69bae9f6d6afb3693423ba747f4e1 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 12 Jun 2019 21:05:43 +0200 Subject: [PATCH] Added HAS_ZLIB in run_crime(), declaration of CERT_COMPRESSION fixed CERT_COMPRESSION was declared always with fast in ... so that the variable was always false. This PR fixes that. In addition a informational line that the new TLS extension has been added (if $DEBUG >3). Also determine_optimal_proto() is not being run if devel mode ($do_tls_sockets) is enabled. Furthermore as David added HAS_ZLIB as a global run_crime() now makes use of it too. --- testssl.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/testssl.sh b/testssl.sh index 25488be..5345620 100755 --- a/testssl.sh +++ b/testssl.sh @@ -299,8 +299,8 @@ ERRFILE="" CLIENT_AUTH=false TLS_TICKETS=false NO_SSL_SESSIONID=false -CERT_COMPRESSION=false # secret flag to set in addition to --devel for certificate compression -HOSTCERT="" # File with host certificate, without intermediate certificate +CERT_COMPRESSION=${CERT_COMPRESSION:-false} # secret flag to set in addition to --devel for certificate compression +HOSTCERT="" # File with host certificate, without intermediate certificate HEADERFILE="" HEADERVALUE="" HTTP_STATUS_CODE="" @@ -14163,9 +14163,7 @@ run_crime() { [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln pr_bold " CRIME, TLS " ; out "($cve) " - # first we need to test whether OpenSSL binary has zlib support - $OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout $ERRFILE "$SSL_NATIVE" && using_sockets=false @@ -18999,6 +18999,7 @@ parse_cmd_line() { # arg2: list of cipher suites / hostname/ip # arg3: hostname/ip HEX_CIPHER="$TLS12_CIPHER" + # DEBUG=3 ./testssl.sh --devel 04 "13,02, 13,01" google.com --> TLS 1.3 # DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY # DEBUG=3 ./testssl.sh --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com --> new CHACHA/POLY # DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0 @@ -19011,7 +19012,7 @@ parse_cmd_line() { fi shift do_tls_sockets=true - outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}" + outln "\nTLS_LOW_BYTE, HEX_CIPHER: \"${TLS_LOW_BYTE}\", \"${HEX_CIPHER}\"" ;; --wide) WIDE=true @@ -19355,6 +19356,7 @@ lets_roll() { if [[ "$TLS_LOW_BYTE" == 04 ]]; then if "$CERT_COMPRESSION"; then # See PR #1279 + [[ $DEBUG -eq 3 ]] && tmln_out "including TLS extension certificate compression" tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01" else tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"