mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
Merge pull request #1028 from dcooper16/fix_false_connectivity_problems
Fix false connectivity problem error
This commit is contained in:
commit
7ac63ec84b
12
testssl.sh
12
testssl.sh
@ -4363,19 +4363,17 @@ locally_supported() {
|
|||||||
run_prototest_openssl() {
|
run_prototest_openssl() {
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
|
|
||||||
|
! locally_supported "$1" "$2" && return 7
|
||||||
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
ret=$?
|
ret=$?
|
||||||
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
if ! locally_supported "$1" "$2" ; then
|
# try again without $PROXY
|
||||||
ret=7
|
|
||||||
else # try again without $PROXY
|
|
||||||
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
ret=$?
|
ret=$?
|
||||||
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
|
grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
|
||||||
fi
|
|
||||||
tmpfile_handle $FUNCNAME$1.txt
|
tmpfile_handle $FUNCNAME$1.txt
|
||||||
return $ret
|
return $ret
|
||||||
|
|
||||||
@ -6388,6 +6386,7 @@ get_server_certificate() {
|
|||||||
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
|
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
|
||||||
for proto in $protocols_to_try; do
|
for proto in $protocols_to_try; do
|
||||||
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
|
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
|
||||||
|
[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && continue
|
||||||
addcmd=""
|
addcmd=""
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
@ -6398,6 +6397,7 @@ get_server_certificate() {
|
|||||||
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
||||||
if [[ $success -eq 7 ]]; then
|
if [[ $success -eq 7 ]]; then
|
||||||
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
||||||
|
[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && return 7
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
if [ -z "$1" ]; then
|
if [ -z "$1" ]; then
|
||||||
@ -12719,6 +12719,7 @@ run_sweet32() {
|
|||||||
nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
|
nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
|
||||||
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers))
|
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers))
|
||||||
for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
|
for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
|
||||||
|
[[ $nr_supported_ciphers -eq 0 ]] && break
|
||||||
! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue
|
! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue
|
||||||
if [[ "$proto" != "-no_ssl2" ]]; then
|
if [[ "$proto" != "-no_ssl2" ]]; then
|
||||||
"$FAST" && break
|
"$FAST" && break
|
||||||
@ -13116,7 +13117,7 @@ run_logjam() {
|
|||||||
tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
|
tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
||||||
else
|
elif [[ $nr_supported_ciphers -ne 0 ]]; then
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
@ -13496,6 +13497,7 @@ run_beast(){
|
|||||||
sigalg[nr_ciphers]=""
|
sigalg[nr_ciphers]=""
|
||||||
done
|
done
|
||||||
while true; do
|
while true; do
|
||||||
|
[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && break
|
||||||
ciphers_to_test=""
|
ciphers_to_test=""
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
! "${ciphers_found[i]}" && "${ossl_supported[i]}" && ciphers_to_test+=":${ciph[i]}"
|
! "${ciphers_found[i]}" && "${ossl_supported[i]}" && ciphers_to_test+=":${ciph[i]}"
|
||||||
|
Loading…
Reference in New Issue
Block a user