run_ssl_poodle() when OpenSSL doesn't support SSLv3
If the version of OpenSSL being used doesn't support `s_client -ssl3` (e.g., OpenSSL 1.1.0), `run_ssl_poodle()` displays `not vulnerable (OK)` even though it can't test whether the server is vulnerable. This PR fixes it so that a "Local problem" warning is displayed if `s_client -ssl3` isn't supported. The PR also removes the `$SNI` from the call to `$OPENSSL s_client`, since OpenSSL ignores the `-servername` directive for `-ssl3` anyway.
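The failure mode the commit describes, separating "the local OpenSSL cannot speak SSLv3" from "the server refused SSLv3", as an added bash example. This is not testssl.sh code; the function names, the return code 7 for a local problem and the verdict wording are assumptions made here, and the probe outputs used in the comments are constructed samples of what OpenSSL 1.0.x and 1.1.x print when they reject an option.

```bash
#!/usr/bin/env bash
# Added example, not part of testssl.sh. Shows why a protocol test must check
# that the local binary accepts the flag before it reports on the server.
# Assumption: OPENSSL names the binary to probe (defaults to "openssl").

: "${OPENSSL:=openssl}"

# Run s_client with the flag under test against a port that is closed locally.
# We do not care whether the connection succeeds; only whether the option
# parser rejects the flag. No -servername is passed: it is irrelevant for -ssl3.
probe_s_client_flag() {
    "$OPENSSL" s_client "$1" -connect 127.0.0.1:1 </dev/null 2>&1
}

# Classify captured probe output. Returns 0 if the flag is accepted locally,
# 1 if the binary rejected it. Both wordings are recognised:
#   OpenSSL 1.0.x:  "unknown option -ssl3"              (constructed sample)
#   OpenSSL 1.1.x:  "s_client: Unknown option: -ssl3"   (constructed sample)
# A connection failure such as "connect:errno=111" means the flag was accepted.
flag_locally_supported() {
    local output="$1"
    if printf '%s\n' "$output" | grep -aiq "unknown option"; then
        return 1
    fi
    return 0
}

# Turn (local support, handshake result) into a verdict. The point of the fix:
# a test that could not run must never print "not vulnerable".
# Return codes (assumed here): 0 not vulnerable, 1 vulnerable, 7 local problem.
poodle_verdict() {
    local locally_ok="$1" handshake_ok="$2"
    if [ "$locally_ok" -ne 0 ]; then
        printf 'Local problem: %s does not support s_client -ssl3\n' "$OPENSSL"
        return 7
    fi
    if [ "$handshake_ok" -eq 0 ]; then
        printf 'VULNERABLE (NOT ok), server accepts SSLv3 with CBC ciphers\n'
        return 1
    fi
    printf 'not vulnerable (OK)\n'
    return 0
}

# Live use when a binary is present: probe first, then decide whether the
# real POODLE handshake against the target may be attempted at all.
if command -v "$OPENSSL" >/dev/null 2>&1; then
    probe_output=$(probe_s_client_flag -ssl3 || true)
    local_rc=0
    flag_locally_supported "$probe_output" || local_rc=$?
    # handshake_ok=1 stands in for "no SSLv3 handshake was attempted yet".
    poodle_verdict "$local_rc" 1 || true
fi
```

With the unpatched logic, a rejected `-ssl3` flag produced a failed s_client run that the caller read as "the server refused SSLv3", which is exactly the `not vulnerable (OK)` misreport the commit fixes.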
This commit is contained in:
parent
424cf233d1
commit
7dd1d15e9a
@ -6447,10 +6447,11 @@ run_ssl_poodle() {
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln
pr_bold " POODLE, SSL"; out " (CVE-2014-3566) "
locally_supported "-ssl3" || return 1
cbc_ciphers=$(actually_supported_ciphers $cbc_ciphers)
debugme echo $cbc_ciphers
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
sclient_success=$?
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
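Review bot: `locally_supported "-ssl3" || return 1` hands the caller the same code as any other failure path of `run_ssl_poodle()`, so "test skipped because the local OpenSSL lacks SSLv3" is indistinguishable from a real error; a distinct return code, or at least a comment saying that 1 here means "not tested", would keep that information for callers that aggregate results. The label just above it is emitted with `out " (CVE-2014-3566) "` (no newline, unlike the `outln` used for the headline), so `locally_supported` has to print a newline-terminated "Local problem" message or the next section's header continues on the same line; its body is not in this hunk, so that is worth confirming. Pre-existing nit on the last context line: `egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"` can never show anything, because `-q` suppresses the first egrep's output and the second one receives an empty stream; drop `-q` if the filtered errors are meant to be displayed at `DEBUG=2`.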