mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
Merge pull request #678 from dcooper16/get_server_certificates_extensions
Remove extra call to s_client
This commit is contained in:
commit
8fb0b70124
21
testssl.sh
21
testssl.sh
@ -7122,7 +7122,12 @@ get_server_certificate() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
cp $TEMPDIR/$NODEIP.parse_tls_serverhello.txt $TMPFILE
|
cp $TEMPDIR/$NODEIP.parse_tls_serverhello.txt $TMPFILE
|
||||||
extract_new_tls_extensions $TMPFILE
|
|
||||||
|
# When "$2" is empty, get_server_certificate() is being called with SNI="".
|
||||||
|
# In case the extensions returned by the server differ depending on wheter
|
||||||
|
# SNI is provided or not, don't collect extensions when SNI="" (unless
|
||||||
|
# no DNS name was provided at the command line).
|
||||||
|
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
|
||||||
else
|
else
|
||||||
ciphers_to_test="$1"
|
ciphers_to_test="$1"
|
||||||
if [[ "$1" =~ aRSA ]] && [[ "$1" =~ eRSA ]]; then
|
if [[ "$1" =~ aRSA ]] && [[ "$1" =~ eRSA ]]; then
|
||||||
@ -7142,11 +7147,6 @@ get_server_certificate() {
|
|||||||
[[ "${ciphers_to_test:0:1}" == : ]] && ciphers_to_test="${ciphers_to_test:1}"
|
[[ "${ciphers_to_test:0:1}" == : ]] && ciphers_to_test="${ciphers_to_test:1}"
|
||||||
[[ $(count_ciphers $(actually_supported_ciphers "$ciphers_to_test")) -ge 1 ]] || return 1
|
[[ $(count_ciphers $(actually_supported_ciphers "$ciphers_to_test")) -ge 1 ]] || return 1
|
||||||
|
|
||||||
# this all needs to be moved into determine_tls_extensions()
|
|
||||||
>$TEMPDIR/tlsext.txt
|
|
||||||
# first shot w/o any protocol, then in turn we collect all extensions
|
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tlsextdebug -status </dev/null 2>$ERRFILE >$TMPFILE
|
|
||||||
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
|
|
||||||
for proto in $protocols_to_try; do
|
for proto in $protocols_to_try; do
|
||||||
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
|
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
|
||||||
[[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && continue
|
[[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && continue
|
||||||
@ -7154,7 +7154,6 @@ get_server_certificate() {
|
|||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status -msg") </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status -msg") </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
success=0
|
success=0
|
||||||
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
|
|
||||||
break # now we have the certificate
|
break # now we have the certificate
|
||||||
fi
|
fi
|
||||||
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
||||||
@ -7169,7 +7168,6 @@ get_server_certificate() {
|
|||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 7 # this is ugly, I know
|
return 7 # this is ugly, I know
|
||||||
else
|
else
|
||||||
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
|
|
||||||
GOST_STATUS_PROBLEM=true
|
GOST_STATUS_PROBLEM=true
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -7179,7 +7177,12 @@ get_server_certificate() {
|
|||||||
"tls1") DETECTED_TLS_VERSION="0301" ;;
|
"tls1") DETECTED_TLS_VERSION="0301" ;;
|
||||||
"ssl3") DETECTED_TLS_VERSION="0300" ;;
|
"ssl3") DETECTED_TLS_VERSION="0300" ;;
|
||||||
esac
|
esac
|
||||||
extract_new_tls_extensions $TMPFILE
|
# When "$2" is empty, get_server_certificate() is being called with SNI="".
|
||||||
|
# In case the extensions returned by the server differ depending on wheter
|
||||||
|
# SNI is provided or not, don't collect extensions when SNI="" (unless
|
||||||
|
# no DNS name was provided at the command line).
|
||||||
|
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
|
||||||
|
|
||||||
extract_certificates "$proto"
|
extract_certificates "$proto"
|
||||||
extract_stapled_ocsp
|
extract_stapled_ocsp
|
||||||
success=$?
|
success=$?
|
||||||
|
Loading…
Reference in New Issue
Block a user