mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 16:39:30 +01:00
Fix #990
There is at least one extension that will fail on a TLSv1.3 ClientHello if the psk_key_exchange_modes extension is not present (see #990). The PR adds the extension to TLSv1.3 ClientHello messages. OpenSSL, Firefox, and Chrome all include this extension in their ClientHello messages, so including it is unlikely to cause problems for any servers.
This commit is contained in:
parent
e9c5435c0a
commit
93da0919a9
17
testssl.sh
17
testssl.sh
@ -11905,7 +11905,7 @@ prepare_tls_clienthello() {
|
|||||||
local extension_signature_algorithms extension_heartbeat session_id
|
local extension_signature_algorithms extension_heartbeat session_id
|
||||||
local extension_session_ticket extension_next_protocol extension_padding
|
local extension_session_ticket extension_next_protocol extension_padding
|
||||||
local extension_supported_groups="" extension_supported_point_formats=""
|
local extension_supported_groups="" extension_supported_point_formats=""
|
||||||
local extensions_key_share="" extn_type supported_groups_c2n=""
|
local extensions_key_share="" extn_type supported_groups_c2n="" extn_psk_mode=""
|
||||||
local extra_extensions extra_extensions_list="" extension_supported_versions=""
|
local extra_extensions extra_extensions_list="" extension_supported_versions=""
|
||||||
local offer_compression=false compression_methods
|
local offer_compression=false compression_methods
|
||||||
|
|
||||||
@ -12003,6 +12003,9 @@ prepare_tls_clienthello() {
|
|||||||
extension_next_protocol="
|
extension_next_protocol="
|
||||||
33, 74, 00, 00"
|
33, 74, 00, 00"
|
||||||
|
|
||||||
|
extn_psk_mode="
|
||||||
|
00, 2d, 00, 02, 01, 01"
|
||||||
|
|
||||||
if "$ecc_cipher_suite_found"; then
|
if "$ecc_cipher_suite_found"; then
|
||||||
# Supported Groups Extension
|
# Supported Groups Extension
|
||||||
extension_supported_groups="
|
extension_supported_groups="
|
||||||
@ -12124,6 +12127,15 @@ prepare_tls_clienthello() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# There does not seem to be any reason to include this extension. However, it appears that
|
||||||
|
# OpenSSL, Firefox, and Chrome include it in TLS 1.3 ClientHello messages, and there is at
|
||||||
|
# least one server that will fail the connection if it is absent
|
||||||
|
# (see https://github.com/drwetter/testssl.sh/issues/990).
|
||||||
|
if [[ "0x$tls_low_byte" -ge "0x04" ]] && [[ ! "$extra_extensions_list" =~ " 002d " ]]; then
|
||||||
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
|
all_extensions+="$extn_psk_mode"
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ ! "$extra_extensions_list" =~ " 0023 " ]]; then
|
if [[ ! "$extra_extensions_list" =~ " 0023 " ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extension_session_ticket"
|
all_extensions+="$extension_session_ticket"
|
||||||
@ -15213,6 +15225,9 @@ run_grease() {
|
|||||||
# values in the supported_versions extension.
|
# values in the supported_versions extension.
|
||||||
# see https://www.ietf.org/mail-archive/web/tls/current/msg22319.html
|
# see https://www.ietf.org/mail-archive/web/tls/current/msg22319.html
|
||||||
|
|
||||||
|
# TODO: For servers that support TLSv1.3, check that servers don't require the
|
||||||
|
# psk_key_exchange_modes extension to be present in the ClientHello.
|
||||||
|
|
||||||
if ! "$bug_found"; then
|
if ! "$bug_found"; then
|
||||||
outln " No bugs found."
|
outln " No bugs found."
|
||||||
fileout "$jsonID" "OK" "No bugs found."
|
fileout "$jsonID" "OK" "No bugs found."
|
||||||
|
Loading…
Reference in New Issue
Block a user