Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 13:25:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix run_server_preference() for SSLv2 only server

Browse Source 
When run_server_preference() is run on a server that only supports SSLv2 it incorrectly reports that the server has a cipher order. The reason for this is that $list_fwd and $list_reverse only include one SSLv2 cipher.

In SSLv2 the server sends a list of all ciphers it supports in common with the client and the client chooses which cipher to use. As a result, the server cannot enforce a cipher order for SSLv2.

So, this PR fixes the problem in run_server_preference() by skipping the test for whether the server enforces a cipher order if $OPTIMAL_PROTO is -ssl2 and simply declares that the server does not enforce a cipher order.

Note that this PR is somewhat dependent on #1194, as #1194 needs to be applied in order for $OPTIMAL_PROTO to be set to -ssl2 when testing an SSLv2-only server.
This commit is contained in:
David Cooper
2019-02-12 13:44:55 -05:00
committed by GitHub
parent 5d1109a582
commit 90d36262ea
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
testssl.sh
View File

@@ -5941,7 +5941,7 @@ run_server_preference() {
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
tls13_cipher2=$(get_cipher $TMPFILE) tls13_cipher2=$(get_cipher $TMPFILE)
debugme tm_out "TLS 1.3: --> $tls13_cipher2\n" debugme tm_out "TLS 1.3: --> $tls13_cipher2\n"
else elif [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
[[ $DEBUG -ge 4 ]] && echo -e "\n Forward: ${list_fwd}\n ${tls13_list_fwd}" [[ $DEBUG -ge 4 ]] && echo -e "\n Forward: ${list_fwd}\n ${tls13_list_fwd}"
$OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd -ciphersuites $tls13_list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd") </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd -ciphersuites $tls13_list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd") </dev/null 2>$ERRFILE >$TMPFILE
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
@@ -5995,7 +5995,7 @@ run_server_preference() {
fileout "$jsonID" "OK" "server -- TLS 1.3 client determined" fileout "$jsonID" "OK" "server -- TLS 1.3 client determined"
cipher1="$tls13_cipher1" cipher1="$tls13_cipher1"
cipher2="$tls13_cipher2" cipher2="$tls13_cipher2"
elif [[ "$cipher1" != $cipher2 ]]; then elif [[ "$OPTIMAL_PROTO" == -ssl2 ]] || [[ "$cipher1" != $cipher2 ]]; then
# server used the different ends (ciphers) from the client hello # server used the different ends (ciphers) from the client hello
pr_svrty_high "nope (NOT ok)" pr_svrty_high "nope (NOT ok)"
limitedsense=" (limited sense as client will pick)" limitedsense=" (limited sense as client will pick)"