Fix run_server_preference() in --ssl-native mode

This PR fixes two problems that occur when testing a server that supports TLSv1.3 using OpenSSL 1.1.1 in --ssl-native mode.

First, when testing whether the server has a cipher order, the value of $sclient_success is checked after each call to tls_sockets(), but tls_sockets() does not set $sclient_success, so that check does not reflect the result of the call. As the goal is just to verify that the connection was successful (and didn't downgrade), $? can be checked rather than $sclient_success. [When not in --ssl-native mode, this problem is masked since $sclient_success is set to 0 earlier in the function.]

The second problem is that line 6646 tries to copy "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt", but this file is currently only created (on line 6287) if tls_sockets() is used to determine the negotiated protocol. This PR fixes the problem by also populating "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt" when OpenSSL is used to determine the negotiated protocol.
David Cooper 2020-01-13 10:51:34 -05:00 committed by GitHub
parent b8e2b35165
commit 855758b3af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -6293,6 +6293,7 @@ run_server_preference() {
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
cipher0=$(get_cipher $TMPFILE) cipher0=$(get_cipher $TMPFILE)
debugme tm_out "0 --> $cipher0\n" debugme tm_out "0 --> $cipher0\n"
cp $TMPFILE "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt"
else else
# 2 second try with $OPTIMAL_PROTO especially for intolerant IIS6 servers: # 2 second try with $OPTIMAL_PROTO especially for intolerant IIS6 servers:
$OPENSSL s_client $(s_client_options "$STARTTLS $OPTIMAL_PROTO $BUGS -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS $OPTIMAL_PROTO $BUGS -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE
@ -6309,12 +6310,12 @@ run_server_preference() {
# Some servers don't have a TLS 1.3 cipher order, see #1163 # Some servers don't have a TLS 1.3 cipher order, see #1163
if [[ "$default_proto" == TLSv1.3 ]]; then if [[ "$default_proto" == TLSv1.3 ]]; then
tls_sockets "04" "13,05, 13,04, 13,03, 13,02, 13,01, 00,ff" tls_sockets "04" "13,05, 13,04, 13,03, 13,02, 13,01, 00,ff"
[[ $sclient_success -ne 0 ]] && ret=1 && prln_fixme "something weird happened around line $((LINENO - 1))" [[ $? -ne 0 ]] && ret=1 && prln_fixme "something weird happened around line $((LINENO - 1))"
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
tls13_cipher1=$(get_cipher $TMPFILE) tls13_cipher1=$(get_cipher $TMPFILE)
debugme tm_out "TLS 1.3: --> $tls13_cipher1\n" debugme tm_out "TLS 1.3: --> $tls13_cipher1\n"
tls_sockets "04" "13,01, 13,02, 13,03, 13,04, 13,05, 00,ff" tls_sockets "04" "13,01, 13,02, 13,03, 13,04, 13,05, 00,ff"
[[ $sclient_success -ne 0 ]] && ret=1 && prln_fixme "something weird happened around line $((LINENO - 1))" [[ $? -ne 0 ]] && ret=1 && prln_fixme "something weird happened around line $((LINENO - 1))"
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
tls13_cipher2=$(get_cipher $TMPFILE) tls13_cipher2=$(get_cipher $TMPFILE)
debugme tm_out "TLS 1.3: --> $tls13_cipher2\n" debugme tm_out "TLS 1.3: --> $tls13_cipher2\n"
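Review bot: When tls_sockets() fails, the new `[[ $? -ne 0 ]]` guards after each call (lines 6313 and 6318) only set ret=1 and print a FIXME, and the unconditional `cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE` that follows still copies whatever that file held from the previous call, so tls13_cipher1 or tls13_cipher2 can be read from a stale ServerHello and then compared as if both handshakes had succeeded. Gating the copy and the get_cipher on the return status of tls_sockets() keeps the variable empty on failure instead of silently reusing the earlier result; the same pattern applies to the second call. Whether the comparison of tls13_cipher1 and tls13_cipher2 later in the function tolerates an empty value is not visible here, and run_server_preference() starts and ends outside both hunks.
```shell
# … unchanged: default_proto == TLSv1.3 check …
if tls_sockets "04" "13,05, 13,04, 13,03, 13,02, 13,01, 00,ff"; then
     cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
     tls13_cipher1=$(get_cipher $TMPFILE)
     debugme tm_out "TLS 1.3: --> $tls13_cipher1\n"
else
     ret=1
     prln_fixme "something weird happened around line $LINENO"
fi
# … same pattern for the second tls_sockets call ("13,01, 13,02, 13,03, 13,04, 13,05, 00,ff") filling tls13_cipher2 …
```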