Merge pull request #678 from dcooper16/get_server_certificates_extensions

Remove extra call to s_client
Dirk Wetter 2019-02-22 17:43:21 +01:00 committed by GitHub
commit 8fb0b70124
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 9 deletions


@ -7122,7 +7122,12 @@ get_server_certificate() {
fi fi
fi fi
cp $TEMPDIR/$NODEIP.parse_tls_serverhello.txt $TMPFILE cp $TEMPDIR/$NODEIP.parse_tls_serverhello.txt $TMPFILE
extract_new_tls_extensions $TMPFILE
# When "$2" is empty, get_server_certificate() is being called with SNI="".
# In case the extensions returned by the server differ depending on wheter
# SNI is provided or not, don't collect extensions when SNI="" (unless
# no DNS name was provided at the command line).
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
else else
ciphers_to_test="$1" ciphers_to_test="$1"
if [[ "$1" =~ aRSA ]] && [[ "$1" =~ eRSA ]]; then if [[ "$1" =~ aRSA ]] && [[ "$1" =~ eRSA ]]; then
@ -7142,11 +7147,6 @@ get_server_certificate() {
[[ "${ciphers_to_test:0:1}" == : ]] && ciphers_to_test="${ciphers_to_test:1}" [[ "${ciphers_to_test:0:1}" == : ]] && ciphers_to_test="${ciphers_to_test:1}"
[[ $(count_ciphers $(actually_supported_ciphers "$ciphers_to_test")) -ge 1 ]] || return 1 [[ $(count_ciphers $(actually_supported_ciphers "$ciphers_to_test")) -ge 1 ]] || return 1
# this all needs to be moved into determine_tls_extensions()
>$TEMPDIR/tlsext.txt
# first shot w/o any protocol, then in turn we collect all extensions
$OPENSSL s_client $STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tlsextdebug -status </dev/null 2>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
for proto in $protocols_to_try; do for proto in $protocols_to_try; do
[[ 1 -eq $(has_server_protocol $proto) ]] && continue [[ 1 -eq $(has_server_protocol $proto) ]] && continue
[[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && continue [[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && continue
@ -7154,7 +7154,6 @@ get_server_certificate() {
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status -msg") </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status -msg") </dev/null 2>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
success=0 success=0
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
break # now we have the certificate break # now we have the certificate
fi fi
done # this loop is needed for IIS6 and others which have a handshake size limitations done # this loop is needed for IIS6 and others which have a handshake size limitations
@ -7169,7 +7168,6 @@ get_server_certificate() {
tmpfile_handle ${FUNCNAME[0]}.txt tmpfile_handle ${FUNCNAME[0]}.txt
return 7 # this is ugly, I know return 7 # this is ugly, I know
else else
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
GOST_STATUS_PROBLEM=true GOST_STATUS_PROBLEM=true
fi fi
fi fi
@ -7179,7 +7177,12 @@ get_server_certificate() {
"tls1") DETECTED_TLS_VERSION="0301" ;; "tls1") DETECTED_TLS_VERSION="0301" ;;
"ssl3") DETECTED_TLS_VERSION="0300" ;; "ssl3") DETECTED_TLS_VERSION="0300" ;;
esac esac
extract_new_tls_extensions $TMPFILE # When "$2" is empty, get_server_certificate() is being called with SNI="".
# In case the extensions returned by the server differ depending on wheter
# SNI is provided or not, don't collect extensions when SNI="" (unless
# no DNS name was provided at the command line).
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
extract_certificates "$proto" extract_certificates "$proto"
extract_stapled_ocsp extract_stapled_ocsp
success=$? success=$?
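Review bot: The new guard `[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE` contradicts the comment introduced with it, which states that an empty "$2" means the function was called with SNI="" and that extensions should then not be collected, while the condition collects them exactly when "$2" is empty. Either the test should be `[[ -n "$2" ]]` or the first comment line should read `# When "$2" is non-empty, get_server_certificate() is being called with SNI="".`; the call sites are not visible here, so whichever matches them should be kept, and the second copy of the same comment and guard in the @ -7179 hunk needs the same correction. The parenthetical exception (no DNS name given on the command line) is also not expressed by the condition, so if it is handled by the callers the comment should say so. Both copies also spell "wheter" for "whether". get_server_certificate() begins and ends outside the shown hunks.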