Added HAS_ZLIB in run_crime(), declaration of CERT_COMPRESSION fixed

CERT_COMPRESSION was declared always with fast in ... so that the variable
was always false. This PR fixes that. In addition a informational line
that the new TLS extension has been added (if $DEBUG >3).

Also determine_optimal_proto() is not being run if devel mode
($do_tls_sockets) is enabled.

Furthermore as David added HAS_ZLIB as a global run_crime() now makes
use of it too.
This commit is contained in:
Dirk 2019-06-12 21:05:43 +02:00
parent 53ecacfcbb
commit 7a1fb0b3b9

View File

@ -299,7 +299,7 @@ ERRFILE=""
CLIENT_AUTH=false CLIENT_AUTH=false
TLS_TICKETS=false TLS_TICKETS=false
NO_SSL_SESSIONID=false NO_SSL_SESSIONID=false
CERT_COMPRESSION=false # secret flag to set in addition to --devel for certificate compression CERT_COMPRESSION=${CERT_COMPRESSION:-false} # secret flag to set in addition to --devel for certificate compression
HOSTCERT="" # File with host certificate, without intermediate certificate HOSTCERT="" # File with host certificate, without intermediate certificate
HEADERFILE="" HEADERFILE=""
HEADERVALUE="" HEADERVALUE=""
@ -14163,9 +14163,7 @@ run_crime() {
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln
pr_bold " CRIME, TLS " ; out "($cve) " pr_bold " CRIME, TLS " ; out "($cve) "
# first we need to test whether OpenSSL binary has zlib support if ! "$HAS_ZLIB"; then
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
if [[ $? -eq 0 ]]; then
if "$SSL_NATIVE"; then if "$SSL_NATIVE"; then
prln_local_problem "$OPENSSL lacks zlib support" prln_local_problem "$OPENSSL lacks zlib support"
fileout "CRIME_TLS" "WARN" "CRIME, TLS: Not tested. $OPENSSL lacks zlib support" "$cve" "$cwe" fileout "CRIME_TLS" "WARN" "CRIME, TLS: Not tested. $OPENSSL lacks zlib support" "$cve" "$cwe"
@ -17730,6 +17728,8 @@ determine_optimal_proto() {
local tmp="" local tmp=""
local using_sockets=true local using_sockets=true
"$do_tls_sockets" && return 0
>$ERRFILE >$ERRFILE
"$SSL_NATIVE" && using_sockets=false "$SSL_NATIVE" && using_sockets=false
@ -18999,6 +18999,7 @@ parse_cmd_line() {
# arg2: list of cipher suites / hostname/ip # arg2: list of cipher suites / hostname/ip
# arg3: hostname/ip # arg3: hostname/ip
HEX_CIPHER="$TLS12_CIPHER" HEX_CIPHER="$TLS12_CIPHER"
# DEBUG=3 ./testssl.sh --devel 04 "13,02, 13,01" google.com --> TLS 1.3
# DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY # DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY
# DEBUG=3 ./testssl.sh --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com --> new CHACHA/POLY # DEBUG=3 ./testssl.sh --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com --> new CHACHA/POLY
# DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0 # DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0
@ -19011,7 +19012,7 @@ parse_cmd_line() {
fi fi
shift shift
do_tls_sockets=true do_tls_sockets=true
outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}" outln "\nTLS_LOW_BYTE, HEX_CIPHER: \"${TLS_LOW_BYTE}\", \"${HEX_CIPHER}\""
;; ;;
--wide) --wide)
WIDE=true WIDE=true
@ -19355,6 +19356,7 @@ lets_roll() {
if [[ "$TLS_LOW_BYTE" == 04 ]]; then if [[ "$TLS_LOW_BYTE" == 04 ]]; then
if "$CERT_COMPRESSION"; then if "$CERT_COMPRESSION"; then
# See PR #1279 # See PR #1279
[[ $DEBUG -eq 3 ]] && tmln_out "including TLS extension certificate compression"
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01" tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01"
else else
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey" tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"