Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix #990

Browse Source 
There is at least one extension that will fail on a TLSv1.3 ClientHello if the psk_key_exchange_modes extension is not present (see #990). The PR adds the extension to TLSv1.3 ClientHello messages. OpenSSL, Firefox, and Chrome all include this extension in their ClientHello messages, so including it is unlikely to cause problems for any servers.
This commit is contained in:
David Cooper 2018-12-04 12:51:46 -05:00 committed by GitHub
parent e9c5435c0a
commit 93da0919a9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
testssl.sh
View File

@ -11905,7 +11905,7 @@ prepare_tls_clienthello() {
local extension_signature_algorithms extension_heartbeat session_id
local extension_session_ticket extension_next_protocol extension_padding
local extension_supported_groups="" extension_supported_point_formats=""
local extensions_key_share="" extn_type supported_groups_c2n=""
local extensions_key_share="" extn_type supported_groups_c2n="" extn_psk_mode=""
local extra_extensions extra_extensions_list="" extension_supported_versions=""
local offer_compression=false compression_methods
@ -12003,6 +12003,9 @@ prepare_tls_clienthello() {
extension_next_protocol="
33, 74, 00, 00"
extn_psk_mode="
00, 2d, 00, 02, 01, 01"
if "$ecc_cipher_suite_found"; then
# Supported Groups Extension
extension_supported_groups="
@ -12124,6 +12127,15 @@ prepare_tls_clienthello() {
fi
fi
# There does not seem to be any reason to include this extension. However, it appears that
# OpenSSL, Firefox, and Chrome include it in TLS 1.3 ClientHello messages, and there is at
# least one server that will fail the connection if it is absent
# (see https://github.com/drwetter/testssl.sh/issues/990).
if [[ "0x$tls_low_byte" -ge "0x04" ]] && [[ ! "$extra_extensions_list" =~ " 002d " ]]; then
[[ -n "$all_extensions" ]] && all_extensions+=","
all_extensions+="$extn_psk_mode"
fi
if [[ ! "$extra_extensions_list" =~ " 0023 " ]]; then
[[ -n "$all_extensions" ]] && all_extensions+=","
all_extensions+="$extension_session_ticket"
@ -15213,6 +15225,9 @@ run_grease() {
# values in the supported_versions extension.
# see https://www.ietf.org/mail-archive/web/tls/current/msg22319.html
# TODO: For servers that support TLSv1.3, check that servers don't require the
# psk_key_exchange_modes extension to be present in the ClientHello.
if ! "$bug_found"; then
outln " No bugs found."
fileout "$jsonID" "OK" "No bugs found."