From 7c015c5a13172f943e04fd91db5cf6f59796bf25 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 22 Mar 2018 16:59:57 +0100 Subject: [PATCH] Dealing with OpenSSL connect problems (part1, framework) In addition to 080840f655ae8f99c7ef66db08117678c2349a2c and to address #1005 eventually this is the first part of dealing with connectivity problems. As opposed to the commit mentioned above this is the counterpart for openssl which is useful for just normal usage and for using --ssl-native. It adds another global MAX_OSSL_FAIL (preset to 2) representing a threshold how many unsucessful openssl connections are needed to quit the whole scan. It should again reduce scan time in those cases. This is the framework part in sclient_connect_successful() which is mainly commented out. The hooks will follow soon.
---
 testssl.sh | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 3375b8b..70beb27 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -214,7 +214,8 @@ ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulati
 # tuning vars which cannot be set by a cmd line switch
 EXPERIMENTAL=${EXPERIMENTAL:-false}
 HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
-MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket conencts are reached we terminate
+MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
+MAX_OSSL_FAIL=${MAX_OSSL_FAIL:-2} # If this many failures for s_client connects are reached we terminate
 MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this.
 CCS_MAX_WAITSOCK=${CCS_MAX_WAITSOCK:-5} # for the two CCS payload (each). There shouldn't be any reason to change this.
 HEARTBLEED_MAX_WAITSOCK=${HEARTBLEED_MAX_WAITSOCK:-8} # for the heartbleed payload. There shouldn't be any reason to change this.
@@ -255,7 +256,8 @@ GIVE_HINTS=false # give an addtional info to findings
 SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
 CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false}
 HAD_SLEPT=0
-NR_SOCKET_FAIL=0
+NR_SOCKET_FAIL=0 # Counter for socket failures
+NR_OSSL_FAIL=0 # .. for OpenSSL connects
 readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
 # alpn_protos needs to be space-separated, not comma-seperated, including odd ones observerd @ facebook and others, old ones like h2-17 omitted as they could not be found
 readonly ALPN_PROTOs="h2 spdy/3.1 http/1.1 h2-fb spdy/1 spdy/2 spdy/3 stun.turn stun.nat-discovery webrtc c-webrtc ftp"
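Review bot: `MAX_OSSL_FAIL` is taken straight from the environment, exactly like `MAX_SOCKET_FAIL` above it, and nothing in this hunk checks that it is a positive integer; once the counting hook staged in sclient_connect_successful() is enabled, an empty or non-numeric value makes the `-ge` comparison error out on every handshake check, and `0` trips the abort on the very first call whether or not a failure was counted. Unless these tuning variables are already validated somewhere in the startup path (not visible here), a guard such as `[[ "$MAX_OSSL_FAIL" =~ ^[1-9][0-9]*$ ]] || fatal "MAX_OSSL_FAIL must be a positive integer" -2` where the other environment tunables are checked would turn that into a clear error instead of a bash arithmetic failure mid-scan. The same applies to `MAX_SOCKET_FAIL`, which this hunk only retouches.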
@@ -6109,12 +6111,30 @@ tls_time() {
 }
 # core function determining whether handshake succeded or not
+# arg1: return value of "openssl s_client connect"
+# arg2: temporary file with the server hello
+# arg3: error file
+# returns 0 if connect was successful, 1 if not
+#
 sclient_connect_successful() {
 [[ $1 -eq 0 ]] && return 0
 [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0
-# second check saved like
-# fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1
-# what's left now is: master key empty and Session-ID not empty ==> probably client-based auth with x509 certificate
+# further check like ~ fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1' not done.
+# what's left now is: master key empty and Session-ID not empty
+# ==> probably client-based auth with x509 certificate. We handle that at other places
+#
+# But for rebustness we need to detected failures due to network / server problems
+# Detection is as follows (stderr):
+# ECONNREFUSED --> "socket: Bad file descriptor" or "connect: Connection refused" or (openssl 1.1.1):
+# lines with "system library:connect:Connection refused" and "BIO_connect:connect error"
+# EHOSTUNREACH --> "Bad file descriptor" or "connect: No route to host" or or (openssl 1.1.1):
+# "connect:No route to host" and "BIO_connect:connect error"
+# LANG=C egrep -q "Bad file descriptor|Connection refused|No route to host" "$3"
+# [[ $? -ne 0 ]] || ((NR_OSSL_FAIL++))
+# if [[ $NR_OSSL_FAIL -ge $MAX_OSSL_FAIL ]]; then
+# [[ $MAX_SOCKET_FAIL -eq 1 ]] && fatal "TCP connect problem" -2
+# fatal "repeated TCP connect problems, doesn't make sense to continue" -2
+# fi
 return 1
 }
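Review bot: The staged (commented-out) hook tests the wrong threshold variable: `[[ $MAX_SOCKET_FAIL -eq 1 ]] && fatal "TCP connect problem" -2` should read `[[ $MAX_OSSL_FAIL -eq 1 ]] && fatal "TCP connect problem" -2`, otherwise the single-failure wording follows the socket setting rather than the OpenSSL one once the hook goes live. The egrep also assumes arg3 names a readable file; for any caller that does not yet pass the error file, grep on an empty path exits 2 and the connect failure is silently not counted, so guarding it as `[[ -s "$3" ]] && LANG=C grep -E -q "Bad file descriptor|Connection refused|No route to host" "$3" && ((NR_OSSL_FAIL++))` keeps the miss explicit and retires the deprecated `egrep` at the same time. Note that "Bad file descriptor" on its own is a broad pattern and may count stderr lines that are not connect errors, which is worth a comment next to the regex; the new header line `# returns 0 if connect was successful, 1 if not` could also say that 1 is returned for the client-certificate case the body describes, since callers cannot distinguish the two.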