From 6fe5adbbc3e377dc6e88833c4896bf9749219f1d Mon Sep 17 00:00:00 2001
From: Dirk
Date: Wed, 5 Dec 2018 16:09:36 +0100
Subject: [PATCH] Improved connection failure conditions
As a kind of a pre-warning this commit allows the n-1 connection problem to give feedback on the screen (that wasn't working before). Also the message on the screen is now more clear and the manpage gives better advice. Related to #1172
---
 doc/testssl.1 | 8 ++++----
 doc/testssl.1.html | 8 ++++----
 doc/testssl.1.md | 6 +++---
 testssl.sh | 11 +++++++----
 4 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/doc/testssl.1 b/doc/testssl.1
index e3e12da..9652392 100644
--- a/doc/testssl.1
+++ b/doc/testssl.1
@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "TESTSSL" "1" "November 2018" "" ""
+.TH "TESTSSL" "1" "December 2018" "" ""
 .
 .SH "NAME"
 \fBtestssl\fR 
@@ -521,13 +521,13 @@ MAX_WAIT_TEST is the maximum time (in seconds) to wait for a single test in para
 CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl\.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl\.sh will use\. Please note that it overrides completely the builtin path of testssl\.sh which means that you will only test against the bundles you point to\. Also you might want to use ~/utils/create_ca_hashes\.sh to create the hashes for HPKP\.
 .
 .IP "\(bu" 4
-MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connection may fail before the program gives up and terminates\. The default is 2\.
+MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connection may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fBFatal error: repeated openssl s_client connect problem, doesn\'t make sense to continue\fR\.
 .
 .IP "\(bu" 4
-MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\.
+MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fBFatal error: repeated TCP connect problems, giving up\fR\.
 .
 .IP "\(bu" 4
-MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\.
+MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. 
Also here you can incerase the threshold when you spot messages lioke \fBFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR
 .
 .IP "" 0
 .
diff --git a/doc/testssl.1.html b/doc/testssl.1.html
index 7c0dab2..fa6171b 100644
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@@ -462,9 +462,9 @@ after 3.0.

  • CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use ~/utils/create_ca_hashes.sh to create the hashes for HPKP.
  • -
  • MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2.
  • -
  • MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2.
  • -
  • MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3.
  • +
  • MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue.
  • +
  • MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like Fatal error: repeated TCP connect problems, giving up.
  • +
  • MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages lioke Fatal error: repeated HTTP header connect problems, doesn't make sense to continue
  • @@ -586,7 +586,7 @@ to create the hashes for HPKP.
    1. -
    2. November 2018
    3. +
    4. December 2018
    5. testssl(1)
    diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index 6210647..dc884e4 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -393,9 +393,9 @@ Except the environment variables mentioned above which replace command line opti
 * CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use ~/utils/create_ca_hashes.sh to create the hashes for HPKP.
-* MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2.
-* MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2.
-* MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3.
+* MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like `Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue`.
+* MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like `Fatal error: repeated TCP connect problems, giving up`.
+* MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages lioke `Fatal error: repeated HTTP header connect problems, doesn't make sense to continue`
 [comment]: # CAPATH 
diff --git a/testssl.sh b/testssl.sh
index 2837a98..2fad61d 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1930,12 +1930,15 @@ service_detection() {
 # 4: string for repeated occurrence of problem
 #
 connectivity_problem() {
+ if [[ $1 -lt $2 ]]; then
+ prln_warning "Oops: $3"
+ return 0
+ fi
 if [[ $1 -ge $2 ]]; then
- if [[ $2 -eq 1 ]]; then
- fatal "$3" $ERR_CONNECT
- fi
 if [[ "$4" =~ openssl\ s_client\ connect ]] ; then
- fatal "$4" $ERR_CONNECT "consider increasing MAX_OSSL_FAIL (currently: $2)"
+ fatal "$4" $ERR_CONNECT "Consider increasing MAX_OSSL_FAIL (currently: $2)"
+ elif [[ "$4" =~ repeated\ TCP\ connect ]]; then
+ fatal "$4" $ERR_CONNECT "Consider increasing MAX_SOCKET_FAIL (currently: $2)"
 fi
 fatal "$4" $ERR_CONNECT
 fi
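Review bot: The fall-through `fatal "$4" $ERR_CONNECT` after the new `elif` still gives no hint for the HTTP-header case, even though the manpage text in this same commit tells users to raise MAX_HEADER_FAIL when they see `Fatal error: repeated HTTP header connect problems`; if that caller passes the same wording in `$4`, a further branch `elif [[ "$4" =~ repeated\ HTTP\ header ]]; then fatal "$4" $ERR_CONNECT "Consider increasing MAX_HEADER_FAIL (currently: $2)"` would make the code match the documentation. The hints here pair `repeated TCP connect` with MAX_SOCKET_FAIL and `openssl s_client connect` with MAX_OSSL_FAIL, whereas the doc/testssl.1, .html and .md hunks of this commit quote the two messages the other way round (and misspell "increase" and "like"), so one side needs correcting. Once the new `return 0` on `$1 -lt $2` is in place, the enclosing `if [[ $1 -ge $2 ]]` is always true for numeric arguments and could be dropped to flatten the function. Removing the old `$2 -eq 1` branch also means that with a threshold of 1 the very first failure is now reported with the "repeated" wording of `$4` instead of `$3`, which may be intended but is not mentioned in the description. The closing brace of connectivity_problem lies outside the hunk.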