Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1028 from dcooper16/fix_false_connectivity_problems

Browse Source 
Fix false connectivity problem error
This commit is contained in:
Dirk Wetter 2018-04-10 17:18:12 +02:00 committed by GitHub
commit 7ac63ec84b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
testssl.sh
View File

@ -4363,19 +4363,17 @@ locally_supported() {
run_prototest_openssl() { run_prototest_openssl() {
local -i ret=0 local -i ret=0
! locally_supported "$1" "$2" && return 7
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
ret=$? ret=$?
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
if ! locally_supported "$1" "$2" ; then # try again without $PROXY
ret=7 $OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>$ERRFILE </dev/null
else # try again without $PROXY sclient_connect_successful $? $TMPFILE
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>$ERRFILE </dev/null ret=$?
sclient_connect_successful $? $TMPFILE debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
ret=$? grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
fi
tmpfile_handle $FUNCNAME$1.txt tmpfile_handle $FUNCNAME$1.txt
return $ret return $ret
@ -6388,6 +6386,7 @@ get_server_certificate() {
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
for proto in $protocols_to_try; do for proto in $protocols_to_try; do
[[ 1 -eq $(has_server_protocol $proto) ]] && continue [[ 1 -eq $(has_server_protocol $proto) ]] && continue
[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && continue
addcmd="" addcmd=""
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") </dev/null 2>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
@ -6398,6 +6397,7 @@ get_server_certificate() {
done # this loop is needed for IIS6 and others which have a handshake size limitations done # this loop is needed for IIS6 and others which have a handshake size limitations
if [[ $success -eq 7 ]]; then if [[ $success -eq 7 ]]; then
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then: # "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && return 7
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
if ! sclient_connect_successful $? $TMPFILE; then if ! sclient_connect_successful $? $TMPFILE; then
if [ -z "$1" ]; then if [ -z "$1" ]; then
@ -12719,6 +12719,7 @@ run_sweet32() {
nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers) nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers)) nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers))
for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
[[ $nr_supported_ciphers -eq 0 ]] && break
! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue ! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue
if [[ "$proto" != "-no_ssl2" ]]; then if [[ "$proto" != "-no_ssl2" ]]; then
"$FAST" && break "$FAST" && break
@ -13116,7 +13117,7 @@ run_logjam() {
tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff" tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
sclient_success=$? sclient_success=$?
[[ $sclient_success -eq 2 ]] && sclient_success=0 [[ $sclient_success -eq 2 ]] && sclient_success=0
else elif [[ $nr_supported_ciphers -ne 0 ]]; then
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? sclient_success=$?
@ -13496,6 +13497,7 @@ run_beast(){
sigalg[nr_ciphers]="" sigalg[nr_ciphers]=""
done done
while true; do while true; do
[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && break
ciphers_to_test="" ciphers_to_test=""
for (( i=0; i < nr_ciphers; i++ )); do for (( i=0; i < nr_ciphers; i++ )); do
! "${ciphers_found[i]}" && "${ossl_supported[i]}" && ciphers_to_test+=":${ciph[i]}" ! "${ciphers_found[i]}" && "${ossl_supported[i]}" && ciphers_to_test+=":${ciph[i]}"