mirror of
https://github.com/drwetter/testssl.sh.git
synced 2026-07-15 03:27:38 +02:00
Fix confusion when scanning TLS-1.3-only hosts
When scanning hosts which offer only TLS 1.3 under some circumstances (e.g. using MacOS) the scan stopped and prompted the user . It happened always when $OPENSSL supported TLS 1.3. It did not when this was not the case. This fixes that (see #3083) for 3.3dev by just skipping the rest in determine_optimal_proto() when TLS13_ONLY is true. Also it fixes missing line feeds for servoce detecttion and order in which DNS HTTPS RR are displayed.
This commit is contained in:
+10
-14
@@ -2623,13 +2623,13 @@ service_detection() {
|
||||
fi
|
||||
|
||||
jsonID="service"
|
||||
case $SERVICE in
|
||||
HTTP)
|
||||
if [[ $SERVICE == HTTP ]]; then
|
||||
if [[ $SERVICE == HTTP ]] || "$ASSUME_HTTP" || [[ -n "$MTLS" ]]; then
|
||||
dns_https_rr
|
||||
fi
|
||||
case $SERVICE in
|
||||
HTTP)
|
||||
pr_bold " Service detected"
|
||||
out ": $CORRECT_SPACES $SERVICE"
|
||||
outln ": $CORRECT_SPACES $SERVICE"
|
||||
fileout "${jsonID}" "INFO" "$SERVICE"
|
||||
;;
|
||||
IMAP|POP|SMTP|NNTP|MongoDB)
|
||||
@@ -2637,32 +2637,28 @@ service_detection() {
|
||||
out ": $CORRECT_SPACES $SERVICE, thus skipping HTTP specific checks"
|
||||
fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
|
||||
;;
|
||||
#FIXME: \/ \/ dns_https_rr
|
||||
*) pr_bold " Service detected:"; out " $CORRECT_SPACES"
|
||||
if [[ ! -z $MTLS ]]; then
|
||||
out " not identified, but mTLS authentication is set ==> trying HTTP checks"
|
||||
if [[ -n "$MTLS" ]]; then
|
||||
outln " not identified, but mTLS authentication is set ==> trying HTTP checks"
|
||||
SERVICE=HTTP
|
||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
||||
dns_https_rr
|
||||
elif [[ "$CLIENT_AUTH" == required ]] && [[ -z $MTLS ]]; then
|
||||
out " certificate-based authentication without providing client certificate and private key => skipping all HTTP checks" | tee $TMPFILE
|
||||
outln " certificate-based authentication without providing client certificate and private key => skipping all HTTP checks" | tee $TMPFILE
|
||||
fileout "${jsonID}" "INFO" "certificate-based authentication without providing client certificate and private key => skipping all HTTP checks"
|
||||
else
|
||||
out " Couldn't determine what's running on port $PORT"
|
||||
if "$ASSUME_HTTP"; then
|
||||
SERVICE=HTTP
|
||||
out " -- ASSUME_HTTP set though"
|
||||
outln " -- ASSUME_HTTP set though"
|
||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
||||
dns_https_rr
|
||||
else
|
||||
out ", assuming no HTTP service => skipping all HTTP checks"
|
||||
outln ", assuming no HTTP service => skipping all HTTP checks"
|
||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
outln
|
||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||
return 0
|
||||
}
|
||||
@@ -23891,7 +23887,6 @@ determine_optimal_proto() {
|
||||
TLS12_CIPHER_OFFERED="$(get_cipher $TMPFILE)"
|
||||
TLS12_CIPHER_OFFERED="$(openssl2hexcode "$TLS12_CIPHER_OFFERED")"
|
||||
[[ ${#TLS12_CIPHER_OFFERED} -eq 9 ]] && TLS12_CIPHER_OFFERED="${TLS12_CIPHER_OFFERED:2:2},${TLS12_CIPHER_OFFERED:7:2}" || TLS12_CIPHER_OFFERED=""
|
||||
fi
|
||||
|
||||
if [[ "$optimal_proto" == -ssl2 ]]; then
|
||||
prln_magenta "$NODEIP:$PORT appears to only support SSLv2."
|
||||
@@ -23966,6 +23961,7 @@ determine_optimal_proto() {
|
||||
ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
|
||||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||
fi
|
||||
fi
|
||||
|
||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||
return 0
|
||||
|
||||
Reference in New Issue
Block a user