From 7fb688a9d619c31b03f8194e04b3b2f594daf281 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Mon, 3 Jan 2022 15:02:27 -0500
Subject: [PATCH] Improve check for client authentication

Based on initial testing, this commit improves the check for client authentication in the case that the server only requests client authentication for specific URLs. However, it does not work correctly if the server supports TLS 1.3 and $OPENSSL is a version of LibreSSL that supports TLS 1.3 in s_client. The problem is that LibreSSL does not support post-handshake authentication with TLS 1.3
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index facf0af..bf5dc5f 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -21086,7 +21086,7 @@ determine_optimal_proto() {
 if [[ -z "$URL_PATH" ]] || [[ "$URL_PATH" == "/" ]]; then
 $OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI") $TMPFILE 2>>$ERRFILE
 else
- safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -prexit -enable_pha") $TMPFILE 2>>$ERRFILE
+ safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -ign_eof -enable_pha") >$TMPFILE 2>>$ERRFILE
 fi
 if sclient_auth $? $TMPFILE; then