From d1782284f80c684592911ad5d1dcef9f92770eb1 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Mon, 9 Apr 2018 15:43:26 -0400
Subject: [PATCH] Fix false connectivity problem error
If OpenSSL reports an error, sclient_connect_successful() may incorrectly interpret it as a connectivity problem, leading testssl.sh to stop testing before it has completed. When not using "--ssl-native" mode, this happens if $OPENSSL does not support SSLv3, as both get_server_certificate() and run_beast() will attempt to connect using SSLv3 even if $OPENSSL does not support it. When using "--ssl-native" mode, this happens in multiple places if $OPENSSL does not support the protocol being used or if $OPENSSL does not support any of the ciphers that are specified in the command line. This PR fixes the above problems by adding checks for protocol support or for support for at least one cipher before calling $OPENSSL. run_client_simulation() also has a problem in "--ssl-native" mode of calling $OPENSSL with parameters that cause $OPENSSL to report an error, but this is already addressed by temporarily setting MAX_OSSL_FAIL to 100 during client simulation tests and then, after client simulation testing is complete, returning $MAX_OSSL_FAIL and $NR_OSSL_FAIL to the values they had before client simulation testing began.
---
 testssl.sh | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 2f80243..3b693ef 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4363,19 +4363,17 @@ locally_supported() {
 run_prototest_openssl() {
 local -i ret=0
+ ! locally_supported "$1" "$2" && return 7
 $OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TEMPDIR/tlsext.txt
 for proto in $protocols_to_try; do
 [[ 1 -eq $(has_server_protocol $proto) ]] && continue
+ [[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && continue
 addcmd=""
 $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") $ERRFILE >$TMPFILE
 if sclient_connect_successful $? $TMPFILE; then
@@ -6398,6 +6397,7 @@ get_server_certificate() {
 done # this loop is needed for IIS6 and others which have a handshake size limitations
 if [[ $success -eq 7 ]]; then
 # "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
+ [[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && return 7
 $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") >$ERRFILE >$TMPFILE
 if ! sclient_connect_successful $? $TMPFILE; then
 if [ -z "$1" ]; then
@@ -12719,6 +12719,7 @@ run_sweet32() {
 nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
 nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers))
 for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
+ [[ $nr_supported_ciphers -eq 0 ]] && break
 ! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue
 if [[ "$proto" != "-no_ssl2" ]]; then
 "$FAST" && break
@@ -13116,7 +13117,7 @@ run_logjam() {
 tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
 sclient_success=$?
 [[ $sclient_success -eq 2 ]] && sclient_success=0
- else
+ elif [[ $nr_supported_ciphers -ne 0 ]]; then
 $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE
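Review bot: The new `return 7` guard in the get_server_certificate hunk (@@ -6398) sits directly under the comment that explains the GOST `-status` retry, so a reader takes it as part of that explanation; it deserves its own comment, e.g. `# $proto may still be ssl3 if the loop above skipped it; don't retry with an $OPENSSL that lacks SSLv3`. The value of `$proto` at this point is whatever the loop left behind when it fell through, which is only "ssl3" when ssl3 is the last entry of `$protocols_to_try` and was skipped — that seems to be the case the guard exists for, so it is worth stating. The same condition is written here as `[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3"` but in the run_sweet32 hunk as `! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]]`; one ordering across the file would make these checks easier to find and compare. get_server_certificate begins and continues outside the hunk.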
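Review bot: The added `[[ $nr_supported_ciphers -eq 0 ]] && break` in the run_sweet32 hunk (@@ -12719) does not depend on `$proto`, so it can only ever fire on the first iteration and reads as a loop-invariant guard that happens to live inside the loop. Hoisting it would mean wrapping the whole loop, so the lighter fix is a comment stating the intent, e.g. `# $OPENSSL offers none of the SWEET32 ciphers, so there is nothing to test; keep the pre-loop result`. Whatever follows the loop then runs with the state set before it, which presumably reports the ciphers as not offered; if that differs from "tested and not vulnerable", the output should make the distinction visible. run_sweet32 begins and continues outside the hunk.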