run_ssl_poodle() when OpenSSL doesn't support SSLv3

If the version of OpenSSL being used doesn't support `s_client -ssl3` (e.g., OpenSSL 1.1.0), `run_ssl_poodle()` displays `not vulnerable (OK)` even though it can't test whether the server is vulnerable.

This PR fixes it so that a "Local problem" warning is displayed is `s_client -ssl3` isn't supported.

The PR also removes the `$SNI` from the call to `$OPENSSL s_client` since OpenSSL ignores the `-servername` directive for `-ssl3` anyways.
This commit is contained in:
David Cooper 2016-08-23 11:31:04 -04:00 committed by GitHub
parent 424cf233d1
commit 7dd1d15e9a
1 changed files with 2 additions and 1 deletions

View File

@ -6447,10 +6447,11 @@ run_ssl_poodle() {
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln
pr_bold " POODLE, SSL"; out " (CVE-2014-3566) "
locally_supported "-ssl3" || return 1
cbc_ciphers=$(actually_supported_ciphers $cbc_ciphers)
debugme echo $cbc_ciphers
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
sclient_success=$?
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"