From 4e01f86c99435a632e2ca018c8513b4d9fbc58e8 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 7 Aug 2021 15:20:09 +0200
Subject: [PATCH 1/2] Redirect debugme() outputs to stderr (3.1dev)

... to address #1956 and other places. Similar to #1957, only for the 3.1dev rolling release branch. Also it changes debugme1() back? to output debug statements only when $DEBUG >= 1. Per default here also stderr is used.
---
 testssl.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index f925eef..7e3a604 100755
--- testssl.sh
+++ testssl.sh
@@ -780,11 +780,11 @@ get_last_char() {
 }
 # Checking for last char. If already a separator supplied, we don't need an additional one
 debugme() {
- [[ "$DEBUG" -ge 2 ]] && "$@"
+ [[ "$DEBUG" -ge 2 ]] && "$@" >&2
 return 0
 }
-debugme1() { [[ "$DEBUG" -ge 2 ]] && "$@"; }
+debugme1() { [[ "$DEBUG" -ge 1 ]] && "$@" >&2; }
 hex2dec() {
 echo $((16#$1))
@@ -9124,7 +9124,7 @@ certificate_info() {
 out "no "
 fileout "${jsonID}${json_postfix}" "INFO" "no"
 fi
- debugme1 echo -n "($(newline_to_spaces "$policy_oid"))"
+ debugme echo -n "($(newline_to_spaces "$policy_oid"))"
 outln
 #TODO: check browser OIDs:
 # https://dxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp
@@ -9224,7 +9224,7 @@ certificate_info() {
 else
 # All is fine with validity period
 # We ignore for now certificates < 2018/03/01. On the screen we only show debug info
- debugme1 echo "${spaces}DEBUG: all is fine with total certificate life time"
+ debugme echo "${spaces}DEBUG: all is fine with total certificate life time"
 fileout "cert_extlifeSpan${json_postfix}" "OK" "certificate has no extended life time according to browser forum"
 fi
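Review bot: In the first hunk, `debugme1` still ends on the `[[ ... ]] && ...` list without a `return 0`, so unlike `debugme` it returns non-zero whenever DEBUG is below 1 (presumably the default run); `debugme1() { [[ "$DEBUG" -ge 1 ]] && "$@" >&2; return 0; }` would make the two helpers consistent. The `>&2` now inside both helpers also changes every call site that redirects or captures their stdout, and nothing at the definitions says so. A short header comment such as `# debugme / debugme1: run "$@" with its stdout sent to stderr when DEBUG >= 2 / >= 1; callers wanting the output elsewhere must redirect fd 2` would document that contract, including the threshold change for debugme1.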
@@ -17800,7 +17800,7 @@ run_winshock() {
 if [[ "$(has_server_protocol "tls1_3")" -eq 0 ]] ; then
 # There's no MS server supporting TLS 1.3. Winshock was way back in time
 pr_svrty_best "not vulnerable (OK)"
- debugme1 echo " - TLS 1.3 found"
+ debugme echo " - TLS 1.3 found"
 fileout "$jsonID" "OK" "not vulnerable " "$cve" "$cwe"
 outln
 return 0
From 3f8c62dc41cbed0d50e1857c50ef71b2c9c59aff Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 7 Aug 2021 15:26:51 +0200
Subject: [PATCH 2/2] Change debugme1 calls to include redirection from stderr back to stdout

The fact that debugme1() redirects to stderr and the calls to this functions redo that is deliberately as in the future we might want to use debugme1 without redirection.
---
 testssl.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 7e3a604..34c9f20 100755
--- testssl.sh
+++ testssl.sh
@@ -7505,7 +7505,7 @@ determine_tls_extensions() {
 fi
 # Keep it "on file" for debugging purposes
- debugme1 safe_echo "$TLS_EXTENSIONS" >"$TEMPDIR/$NODE.$NODEIP.tls_extensions.txt"
+ debugme1 safe_echo "$TLS_EXTENSIONS" 2>&1 >"$TEMPDIR/$NODE.$NODEIP.tls_extensions.txt"
 return $success
 }
@@ -10382,7 +10382,7 @@ run_fs() {
 CURVES_OFFERED="$curves_offered"
 CURVES_OFFERED=$(strip_trailing_space "$CURVES_OFFERED")
 # Keep it "on file" for debugging purposes
- debugme1 safe_echo "$CURVES_OFFERED" >"$TEMPDIR/$NODE.$NODEIP.curves_offered.txt"
+ debugme1 safe_echo "$CURVES_OFFERED" 2>&1 >"$TEMPDIR/$NODE.$NODEIP.curves_offered.txt"
 # find out what groups are supported.
 if "$using_sockets" && ( "$fs_tls13_offered" || "$ffdhe_offered" ); then
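Review bot: The redirection order on the new `debugme1 safe_echo "$TLS_EXTENSIONS" 2>&1 >"$TEMPDIR/..."` line in the determine_tls_extensions hunk does not put the data in the file. Redirections apply left to right, so fd 2 is pointed at the original stdout before fd 1 is pointed at the file, and the `>&2` inside debugme1 (from patch 1/2) then sends the output to that original stdout. With DEBUG >= 1 the extension list is therefore printed into the normal scan output, and the "on file" copy is created empty. Swapping the order fixes it: `debugme1 safe_echo "$TLS_EXTENSIONS" >"$TEMPDIR/$NODE.$NODEIP.tls_extensions.txt" 2>&1`. The same applies to the `curves_offered.txt` line in the run_fs hunk; both functions begin outside their hunks.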