Merge pull request #678 from dcooper16/get_server_certificates_extensions

Remove extra call to s_client
2025-10-30 05:15:25 +01:00 · 2019-02-22 17:43:21 +01:00
parent 56e8520b79 64ac831a8d
commit 8fb0b70124
1 changed files with 12 additions and 9 deletions
--- a/testssl.sh
+++ b/testssl.sh
@@ -7122,7 +7122,12 @@ get_server_certificate() {
               fi
          fi
          cp $TEMPDIR/$NODEIP.parse_tls_serverhello.txt $TMPFILE
-          extract_new_tls_extensions $TMPFILE
+
+          # When "$2" is empty, get_server_certificate() is being called with SNI="".
+          # In case the extensions returned by the server differ depending on wheter
+          # SNI is provided or not, don't collect extensions when SNI="" (unless
+          # no DNS name was provided at the command line).
+          [[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
     else
          ciphers_to_test="$1"
          if [[ "$1" =~ aRSA ]] && [[ "$1" =~ eRSA ]]; then
@@ -7142,11 +7147,6 @@ get_server_certificate() {
          [[ "${ciphers_to_test:0:1}" == : ]] &&  ciphers_to_test="${ciphers_to_test:1}"
          [[ $(count_ciphers $(actually_supported_ciphers "$ciphers_to_test")) -ge 1 ]] || return 1

-          # this all needs to be moved into determine_tls_extensions()
-          >$TEMPDIR/tlsext.txt
-          # first shot w/o any protocol, then in turn we collect all extensions
-          $OPENSSL s_client $STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tlsextdebug -status </dev/null 2>$ERRFILE >$TMPFILE
-          sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
          for proto in $protocols_to_try; do
               [[ 1 -eq $(has_server_protocol $proto) ]] && continue
               [[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && continue
@@ -7154,7 +7154,6 @@ get_server_certificate() {
               $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status -msg") </dev/null 2>$ERRFILE >$TMPFILE
               if sclient_connect_successful $? $TMPFILE; then
                    success=0
-                    grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
                    break               # now we have the certificate
               fi
          done                          # this loop is needed for IIS6 and others which have a handshake size limitations
@@ -7169,7 +7168,6 @@ get_server_certificate() {
                    tmpfile_handle ${FUNCNAME[0]}.txt
                    return 7  # this is ugly, I know
               else
-                    grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
                    GOST_STATUS_PROBLEM=true
               fi
          fi
@@ -7179,7 +7177,12 @@ get_server_certificate() {
               "tls1") DETECTED_TLS_VERSION="0301" ;;
               "ssl3") DETECTED_TLS_VERSION="0300" ;;
          esac
-          extract_new_tls_extensions $TMPFILE
+          # When "$2" is empty, get_server_certificate() is being called with SNI="".
+          # In case the extensions returned by the server differ depending on wheter
+          # SNI is provided or not, don't collect extensions when SNI="" (unless
+          # no DNS name was provided at the command line).
+          [[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
+
          extract_certificates "$proto"
          extract_stapled_ocsp
          success=$?