Improved connection failure conditions

As a kind of pre-warning, this commit allows the n-1 connection problem to
give feedback on the screen (that wasn't working before).

Also, the message on the screen is now clearer and the manpage
gives better advice.

Related to #1172
Dirk 2018-12-05 16:09:36 +01:00
parent 11cf06d6e9
commit 6fe5adbbc3
4 changed files with 18 additions and 15 deletions


@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3 .\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3
. .
.TH "TESTSSL" "1" "November 2018" "" "" .TH "TESTSSL" "1" "December 2018" "" ""
. .
.SH "NAME" .SH "NAME"
\fBtestssl\fR \fBtestssl\fR
@ -521,13 +521,13 @@ MAX_WAIT_TEST is the maximum time (in seconds) to wait for a single test in para
CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl\.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl\.sh will use\. Please note that it overrides completely the builtin path of testssl\.sh which means that you will only test against the bundles you point to\. Also you might want to use ~/utils/create_ca_hashes\.sh to create the hashes for HPKP\. CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl\.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl\.sh will use\. Please note that it overrides completely the builtin path of testssl\.sh which means that you will only test against the bundles you point to\. Also you might want to use ~/utils/create_ca_hashes\.sh to create the hashes for HPKP\.
. .
.IP "\(bu" 4 .IP "\(bu" 4
MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connection may fail before the program gives up and terminates\. The default is 2\. MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connection may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fBFatal error: repeated openssl s_client connect problem, doesn\'t make sense to continue\fR\.
. .
.IP "\(bu" 4 .IP "\(bu" 4
MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fBFatal error: repeated TCP connect problems, giving up\fR\.
. .
.IP "\(bu" 4 .IP "\(bu" 4
MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can incerase the threshold when you spot messages lioke \fBFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR
. .
.IP "" 0 .IP "" 0
. .
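Review bot: the example messages in the MAX_SOCKET_FAIL and MAX_OSSL_FAIL entries look swapped: MAX_SOCKET_FAIL (TCP socket failures) cites `Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue`, while MAX_OSSL_FAIL (OpenSSL s_client failures) cites `Fatal error: repeated TCP connect problems, giving up`. The code hunk in this same commit maps it the other way round (the `repeated TCP connect` message advises raising MAX_SOCKET_FAIL, the `openssl s_client connect` message advises raising MAX_OSSL_FAIL), so the two examples should be exchanged. The MAX_HEADER_FAIL entry also carries typos (`incerase`, `lioke`) and lacks the trailing `\.` that the other entries have; since the header says this file is generated with Ronn, correct the Ronn source and regenerate rather than hand-editing the roff output.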


@ -462,9 +462,9 @@ after 3.0.</p>
<li>CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will <li>CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will
use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use ~/utils/create_ca_hashes.sh use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use ~/utils/create_ca_hashes.sh
to create the hashes for HPKP.</li> to create the hashes for HPKP.</li>
<li>MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2.</li> <li>MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like <code>Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue</code>.</li>
<li>MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2.</li> <li>MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like <code>Fatal error: repeated TCP connect problems, giving up</code>.</li>
<li>MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3.</li> <li>MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages lioke <code>Fatal error: repeated HTTP header connect problems, doesn't make sense to continue</code></li>
</ul> </ul>
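Review bot: the same swap as in the roff page is present here: the MAX_SOCKET_FAIL item quotes the `openssl s_client connect` message and the MAX_OSSL_FAIL item quotes the `repeated TCP connect` message, which is the reverse of what the code hunk in this commit advises. The MAX_HEADER_FAIL item repeats the `incerase` / `lioke` typos and is the only one of the three without a closing period after the `<code>` element. As this is generated output, fix it once in the source and regenerate both the roff and the HTML page so they stay consistent.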
@ -586,7 +586,7 @@ to create the hashes for HPKP.</li>
<ol class='man-decor man-foot man foot'> <ol class='man-decor man-foot man foot'>
<li class='tl'></li> <li class='tl'></li>
<li class='tc'>November 2018</li> <li class='tc'>December 2018</li>
<li class='tr'>testssl(1)</li> <li class='tr'>testssl(1)</li>
</ol> </ol>


@ -393,9 +393,9 @@ Except the environment variables mentioned above which replace command line opti
* CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will * CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will
use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use ~/utils/create_ca_hashes.sh use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use ~/utils/create_ca_hashes.sh
to create the hashes for HPKP. to create the hashes for HPKP.
* MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. * MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like `Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue`.
* MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. * MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like `Fatal error: repeated TCP connect problems, giving up`.
* MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. * MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages lioke `Fatal error: repeated HTTP header connect problems, doesn't make sense to continue`
[comment]: # CAPATH [comment]: # CAPATH
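Review bot: this hand-edited README carries the same inversion: the `Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue` example belongs to MAX_OSSL_FAIL and the `Fatal error: repeated TCP connect problems, giving up` example belongs to MAX_SOCKET_FAIL, matching the `Consider increasing MAX_SOCKET_FAIL` / `MAX_OSSL_FAIL` hints added in the code hunk. Also fix `incerase` to `increase` and `lioke` to `like` in the MAX_HEADER_FAIL line and end that sentence with a period like the two above it.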


@ -1930,12 +1930,15 @@ service_detection() {
# 4: string for repeated occurrence of problem # 4: string for repeated occurrence of problem
# #
connectivity_problem() { connectivity_problem() {
if [[ $1 -lt $2 ]]; then
prln_warning "Oops: $3"
return 0
fi
if [[ $1 -ge $2 ]]; then if [[ $1 -ge $2 ]]; then
if [[ $2 -eq 1 ]]; then
fatal "$3" $ERR_CONNECT
fi
if [[ "$4" =~ openssl\ s_client\ connect ]] ; then if [[ "$4" =~ openssl\ s_client\ connect ]] ; then
fatal "$4" $ERR_CONNECT "consider increasing MAX_OSSL_FAIL (currently: $2)" fatal "$4" $ERR_CONNECT "Consider increasing MAX_OSSL_FAIL (currently: $2)"
elif [[ "$4" =~ repeated\ TCP\ connect ]]; then
fatal "$4" $ERR_CONNECT "Consider increasing MAX_SOCKET_FAIL (currently: $2)"
fi fi
fatal "$4" $ERR_CONNECT fatal "$4" $ERR_CONNECT
fi fi
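Review bot: the new `elif` chain gives a "Consider increasing ..." hint for the `openssl s_client connect` and `repeated TCP connect` messages but not for the third documented case, `repeated HTTP header connect problems` (MAX_HEADER_FAIL), which falls through to the bare `fatal "$4" $ERR_CONNECT` with no hint; if that message is also routed through connectivity_problem(), add `elif [[ "$4" =~ repeated\ HTTP\ header ]]; then fatal "$4" $ERR_CONNECT "Consider increasing MAX_HEADER_FAIL (currently: $2)"` so the three thresholds are reported consistently with the documentation changed in this commit. With the new `if [[ $1 -lt $2 ]]; then ... return 0; fi` early exit, the surrounding `if [[ $1 -ge $2 ]]` guard is now always true and can be dropped to flatten the function. Note that the pre-warning `prln_warning "Oops: $3"` fires on every failure below the threshold, so a user who raises MAX_*_FAIL to a high value will see one "Oops" line per failed attempt; a short comment above the function documenting that behaviour, next to the existing parameter comments, would help.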