Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Enable run_npn() to use tls_sockets()

Browse Source 
LibreSSL does not support the -nextprotoneg option. This commit enhances run_npn() to use tls_sockets() when $HAS_NPN is false, rather than reporting that the check can not be performed.
This commit is contained in:
David Cooper
2025-02-14 12:25:39 -08:00
committed by GitHub
parent 4b4260831e
commit 96bd3072de
1 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
testssl.sh
View File

@@ -11253,7 +11253,7 @@ npn_pre(){
fileout "NPN" "WARN" "not tested as proxies do not support proxying it" fileout "NPN" "WARN" "not tested as proxies do not support proxying it"
return 1 return 1
fi fi
if ! "$HAS_NPN"; then if "$SSL_NATIVE" && ! "$HAS_NPN"; then
pr_local_problem "$OPENSSL doesn't support NPN/SPDY"; pr_local_problem "$OPENSSL doesn't support NPN/SPDY";
fileout "NPN" "WARN" "not tested $OPENSSL doesn't support NPN/SPDY" fileout "NPN" "WARN" "not tested $OPENSSL doesn't support NPN/SPDY"
return 7 return 7
@@ -11299,13 +11299,24 @@ run_npn() {
return 0 return 0
fi fi
# TLS 1.3 s_client doesn't support -nextprotoneg when connecting with TLS 1.3. So we need to make sure it won't be used if "$HAS_NPN"; then
# TLS13_ONLY is tested here again, just to be sure, see npn_pre # TLS 1.3 s_client doesn't support -nextprotoneg when connecting with TLS 1.3. So we need to make sure it won't be used
if "$HAS_TLS13" && ! $TLS13_ONLY ]] ; then # TLS13_ONLY is tested here again, just to be sure, see npn_pre
proto="-no_tls1_3" if "$HAS_TLS13" && ! $TLS13_ONLY ]] ; then
proto="-no_tls1_3"
fi
$OPENSSL s_client $(s_client_options "$proto -connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg "$NPN_PROTOs"") </dev/null 2>$ERRFILE >$TMPFILE
[[ $? -ne 0 ]] && ret=1
else
tls_sockets "03" "$TLS12_CIPHER" "all"
ret=$?
if [[ $ret -eq 0 ]] || [[ $ret -eq 2 ]]; then
ret=0
else
ret=1
fi
mv "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" "$TMPFILE"
fi fi
$OPENSSL s_client $(s_client_options "$proto -connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg "$NPN_PROTOs"") </dev/null 2>$ERRFILE >$TMPFILE
[[ $? -ne 0 ]] && ret=1
tmpstr="$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')" tmpstr="$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')"
if [[ -z "$tmpstr" ]] || [[ "$tmpstr" == " " ]]; then if [[ -z "$tmpstr" ]] || [[ "$tmpstr" == " " ]]; then
outln "not offered" outln "not offered"