Dealing with OpenSSL connect problems (part1, framework)
In addition to 080840f655
and to
address #1005 eventually this is the first part of dealing
with connectivity problems. As opposed to the commit mentioned
above this is the counterpart for openssl which is useful for
just normal usage and for using --ssl-native.
It adds another global, MAX_OSSL_FAIL (preset to 2), representing
a threshold for how many unsuccessful openssl connections are needed to
quit the whole scan. It should again reduce scan time in those
cases.
This is the framework part in sclient_connect_successful() which
is mainly commented out. The hooks will follow soon.
This commit is contained in:
parent
4a24454880
commit
7c015c5a13
30
testssl.sh
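--- a/testssl.sh
+++ b/testssl.sh
@@ -214,7 +214,8 @@ ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulati
 # tuning vars which cannot be set by a cmd line switch
 EXPERIMENTAL=${EXPERIMENTAL:-false}
 HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
-MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket conencts are reached we terminate
+MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
+MAX_OSSL_FAIL=${MAX_OSSL_FAIL:-2} # If this many failures for s_client connects are reached we terminate
 MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this.
 CCS_MAX_WAITSOCK=${CCS_MAX_WAITSOCK:-5} # for the two CCS payload (each). There shouldn't be any reason to change this.
 HEARTBLEED_MAX_WAITSOCK=${HEARTBLEED_MAX_WAITSOCK:-8} # for the heartbleed payload. There shouldn't be any reason to change this.
@@ -255,7 +256,8 @@ GIVE_HINTS=false # give an addtional info to findings
 SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
 CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false}
 HAD_SLEPT=0
-NR_SOCKET_FAIL=0
+NR_SOCKET_FAIL=0 # Counter for socket failures
+NR_OSSL_FAIL=0 # .. for OpenSSL connects
 readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
 # alpn_protos needs to be space-separated, not comma-seperated, including odd ones observerd @ facebook and others, old ones like h2-17 omitted as they could not be found
 readonly ALPN_PROTOs="h2 spdy/3.1 http/1.1 h2-fb spdy/1 spdy/2 spdy/3 stun.turn stun.nat-discovery webrtc c-webrtc ftp"
@@ -6109,12 +6111,30 @@ tls_time() {
 }
 
 # core function determining whether handshake succeded or not
+# arg1: return value of "openssl s_client connect"
+# arg2: temporary file with the server hello
+# arg3: error file
+# returns 0 if connect was successful, 1 if not
+#
 sclient_connect_successful() {
 [[ $1 -eq 0 ]] && return 0
 [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0
-# second check saved like
-# fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1
-# what's left now is: master key empty and Session-ID not empty ==> probably client-based auth with x509 certificate
+# further check like ~ fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1' not done.
+# what's left now is: master key empty and Session-ID not empty
+# ==> probably client-based auth with x509 certificate. We handle that at other places
+#
+# But for rebustness we need to detected failures due to network / server problems
+# Detection is as follows (stderr):
+# ECONNREFUSED --> "socket: Bad file descriptor" or "connect: Connection refused" or (openssl 1.1.1):
+# lines with "system library:connect:Connection refused" and "BIO_connect:connect error"
+# EHOSTUNREACH --> "Bad file descriptor" or "connect: No route to host" or or (openssl 1.1.1):
+# "connect:No route to host" and "BIO_connect:connect error"
+# LANG=C egrep -q "Bad file descriptor|Connection refused|No route to host" "$3"
+# [[ $? -ne 0 ]] || ((NR_OSSL_FAIL++))
+# if [[ $NR_OSSL_FAIL -ge $MAX_OSSL_FAIL ]]; then
+# [[ $MAX_SOCKET_FAIL -eq 1 ]] && fatal "TCP connect problem" -2
+# fatal "repeated TCP connect problems, doesn't make sense to continue" -2
+# fi
 return 1
 }
 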
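Review bot: The threshold check sketched in the new comment block of sclient_connect_successful tests `$MAX_SOCKET_FAIL -eq 1` and reports "TCP connect problem", which looks copied from the socket counterpart and would tie the OpenSSL path to the wrong tuning variable once the hooks are uncommented; it should read `[[ $MAX_OSSL_FAIL -eq 1 ]] && fatal "OpenSSL connect problem" -2` followed by `fatal "repeated OpenSSL connect problems, doesn't make sense to continue" -2`. The `LANG=C` prefix on the egrep line only affects grep itself, while the strerror text in the error file "$3" was already written by s_client, so on a non-C locale those messages would be localized and never match the pattern — the locale has to be forced where s_client is invoked (not visible in this hunk) for the detection to be reliable. A short comment saying so next to the egrep line, e.g. `# NOTE: s_client must run with LC_ALL=C, otherwise these strings are localized`, would keep the hook from silently doing nothing later.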