diff --git a/testssl.sh b/testssl.sh
index 3375b8b..70beb27 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -214,7 +214,8 @@ ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulati
 # tuning vars which cannot be set by a cmd line switch
 EXPERIMENTAL=${EXPERIMENTAL:-false}
 HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
-MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket conencts are reached we terminate
+MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
+MAX_OSSL_FAIL=${MAX_OSSL_FAIL:-2} # If this many failures for s_client connects are reached we terminate
 MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this.
 CCS_MAX_WAITSOCK=${CCS_MAX_WAITSOCK:-5} # for the two CCS payload (each). There shouldn't be any reason to change this.
 HEARTBLEED_MAX_WAITSOCK=${HEARTBLEED_MAX_WAITSOCK:-8} # for the heartbleed payload. There shouldn't be any reason to change this.
@@ -255,7 +256,8 @@ GIVE_HINTS=false # give an addtional info to findings
 SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
 CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false}
 HAD_SLEPT=0
-NR_SOCKET_FAIL=0
+NR_SOCKET_FAIL=0 # Counter for socket failures
+NR_OSSL_FAIL=0 # .. for OpenSSL connects
 readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
 # alpn_protos needs to be space-separated, not comma-seperated, including odd ones observerd @ facebook and others, old ones like h2-17 omitted as they could not be found
 readonly ALPN_PROTOs="h2 spdy/3.1 http/1.1 h2-fb spdy/1 spdy/2 spdy/3 stun.turn stun.nat-discovery webrtc c-webrtc ftp"
@@ -6109,12 +6111,30 @@ tls_time() {
 }
 # core function determining whether handshake succeded or not
+# arg1: return value of "openssl s_client connect"
+# arg2: temporary file with the server hello
+# arg3: error file
+# returns 0 if connect was successful, 1 if not
+#
 sclient_connect_successful() {
 [[ $1 -eq 0 ]] && return 0
 [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0
- # second check saved like
- # fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1
- # what's left now is: master key empty and Session-ID not empty ==> probably client-based auth with x509 certificate
+ # further check like ~ fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1' not done.
+ # what's left now is: master key empty and Session-ID not empty
+ # ==> probably client-based auth with x509 certificate. We handle that at other places
+ #
+ # But for rebustness we need to detected failures due to network / server problems
+ # Detection is as follows (stderr):
+ # ECONNREFUSED --> "socket: Bad file descriptor" or "connect: Connection refused" or (openssl 1.1.1):
+ # lines with "system library:connect:Connection refused" and "BIO_connect:connect error"
+ # EHOSTUNREACH --> "Bad file descriptor" or "connect: No route to host" or or (openssl 1.1.1):
+ # "connect:No route to host" and "BIO_connect:connect error"
+# LANG=C egrep -q "Bad file descriptor|Connection refused|No route to host" "$3"
+# [[ $? -ne 0 ]] || ((NR_OSSL_FAIL++))
+# if [[ $NR_OSSL_FAIL -ge $MAX_OSSL_FAIL ]]; then
+# [[ $MAX_SOCKET_FAIL -eq 1 ]] && fatal "TCP connect problem" -2
+# fatal "repeated TCP connect problems, doesn't make sense to continue" -2
+# fi
 return 1
 }
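Review bot: The commented-out abort path compares `$MAX_SOCKET_FAIL` where `$MAX_OSSL_FAIL` is clearly meant, so once this block is enabled the single-failure special case would key off the wrong tunable; it should read `[[ $MAX_OSSL_FAIL -eq 1 ]] && fatal "TCP connect problem" -2`. Because the whole detection block is still commented out, `MAX_OSSL_FAIL` and `NR_OSSL_FAIL` introduced in the @@ -214 and @@ -255 hunks are never read or incremented by live code, and the new `# arg3: error file` header line documents an argument the function does not yet touch, which is better marked with a `# TODO` than stated as a contract. When enabling it, prefer `if LANG=C grep -Eq "Bad file descriptor|Connection refused|No route to host" "$3"; then NR_OSSL_FAIL=$((NR_OSSL_FAIL + 1)); fi` over the `$?`/`egrep`/`(( ))` form, since `egrep` is deprecated in current GNU grep and `((NR_OSSL_FAIL++))` yields a non-zero status on the first increment. The counter is also never reset after a successful connect, so two unrelated transient refusals anywhere in a long scan would abort it; if that mirrors the NR_SOCKET_FAIL behaviour it is worth saying so in the comment. Typos in the added comments: "rebustness" → "robustness", "we need to detected" → "we need to detect", "or or" → "or".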