Initial fix for #772

This commit provides a partial fix for #772.
This commit is contained in:
David Cooper 2017-07-03 16:24:02 -04:00
parent 8b076e9841
commit a264898f77
1 changed files with 51 additions and 34 deletions

View File

@ -270,6 +270,7 @@ HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables
HAS_SSL2=false HAS_SSL2=false
HAS_SSL3=false HAS_SSL3=false
HAS_NO_SSL2=false HAS_NO_SSL2=false
HAS_NOSERVERNAME=false
HAS_ALPN=false HAS_ALPN=false
HAS_SPDY=false HAS_SPDY=false
HAS_FALLBACK_SCSV=false HAS_FALLBACK_SCSV=false
@ -1293,6 +1294,29 @@ string_to_asciihex() {
} }
# Adjust options to $OPENSSL s_client based on OpenSSL version and protocol version
s_client_options() {
local options="$1"
# Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
[[ -n "$SNI" ]] && [[ " $options " =~ \ -ssl[2|3]\ ]] && options="$(sed "s/$SNI//" <<< "$options")"
# The server_name extension should not be included in the ClientHello unless
# the -servername option is provided. However, OpenSSL 1.1.1 will include the
# server_name extension unless the -noservername option is provided. So, if
# the command line doesn't include -servername and the -noservername option is
# supported, then add -noservername to the options.
"$HAS_NOSERVERNAME" && [[ ! " $options " =~ " -servername " ]] && options+=" -noservername"
# Newer versions of OpenSSL have dropped support for the -no_ssl2 option, so
# remove any -no_ssl2 option if the option isn't supported. (Since versions of
# OpenSSL that don't support -no_ssl2 also don't support SSLv2, the option
# isn't needed for these versions of OpenSSL.)
! "$HAS_NO_SSL2" && options="$(sed 's/-no_ssl2//' <<< "$options")"
tm_out "$options"
}
###### check code starts here ###### ###### check code starts here ######
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS) # determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
@ -1300,12 +1324,10 @@ string_to_asciihex() {
service_detection() { service_detection() {
local -i ret=0 local -i ret=0
local -i was_killed local -i was_killed
local addcmd=""
if ! "$CLIENT_AUTH"; then if ! "$CLIENT_AUTH"; then
# SNI is not standardardized for !HTTPS but fortunately for other protocols s_client doesn't seem to care # SNI is not standardardized for !HTTPS but fortunately for other protocols s_client doesn't seem to care
[[ ! "$1" =~ ssl ]] && addcmd="$SNI" printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$1 -quiet $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE &
printf "$GET_REQ11" | $OPENSSL s_client $1 -quiet $BUGS -connect $NODEIP:$PORT $PROXY $addcmd >$TMPFILE 2>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $HEADER_MAXSLEEP
was_killed=$? was_killed=$?
head $TMPFILE | grep -aq '^HTTP\/' && SERVICE=HTTP head $TMPFILE | grep -aq '^HTTP\/' && SERVICE=HTTP
@ -1358,7 +1380,7 @@ service_detection() {
#problems not handled: chunked #problems not handled: chunked
run_http_header() { run_http_header() {
local header addcmd="" local header
local -i ret local -i ret
local referer useragent local referer useragent
local url redirect local url redirect
@ -1368,13 +1390,12 @@ run_http_header() {
outln outln
[[ -z "$1" ]] && url="/" || url="$1" [[ -z "$1" ]] && url="/" || url="$1"
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI" printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $addcmd >$HEADERFILE 2>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $HEADER_MAXSLEEP
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
# we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it # we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it
# again in the foreground to get an accurate header time! # again in the foreground to get an accurate header time!
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $addcmd >$HEADERFILE 2>$ERRFILE printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE
NOW_TIME=$(date "+%s") NOW_TIME=$(date "+%s")
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE) HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
HAD_SLEPT=0 HAD_SLEPT=0
@ -2281,15 +2302,14 @@ std_cipherlists() {
local -i i len sclient_success local -i i len sclient_success
local sslv2_cipherlist detected_ssl2_ciphers local sslv2_cipherlist detected_ssl2_ciphers
local singlespaces local singlespaces
local proto="" addcmd="" local proto=""
local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")" local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")"
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && proto="$OPTIMAL_PROTO" [[ "$OPTIMAL_PROTO" == "-ssl2" ]] && proto="$OPTIMAL_PROTO"
pr_bold "$2 " # to be indented equal to server preferences pr_bold "$2 " # to be indented equal to server preferences
if [[ -n "$5" ]] || listciphers "$1" $proto; then if [[ -n "$5" ]] || listciphers "$1" $proto; then
if [[ -z "$5" ]] || ( "$FAST" && listciphers "$1" -tls1 ); then if [[ -z "$5" ]] || ( "$FAST" && listciphers "$1" -tls1 ); then
"$HAS_NO_SSL2" && addcmd="-no_ssl2" $OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI -no_ssl2") 2>$ERRFILE >$TMPFILE </dev/null
$OPENSSL s_client -cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $addcmd 2>$ERRFILE >$TMPFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? sclient_success=$?
debugme cat $ERRFILE debugme cat $ERRFILE
@ -2551,7 +2571,7 @@ run_cipher_match(){
local -a -i index local -a -i index
local -i nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 local -i nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0
local -i num_bundles mod_check bundle_size bundle end_of_bundle local -i num_bundles mod_check bundle_size bundle end_of_bundle
local addcmd dhlen has_dh_bits="$HAS_DH_BITS" local dhlen has_dh_bits="$HAS_DH_BITS"
local available local available
local -i sclient_success local -i sclient_success
local re='^[0-9A-Fa-f]+$' local re='^[0-9A-Fa-f]+$'
@ -2704,7 +2724,6 @@ run_cipher_match(){
[[ $mod_check -ne 0 ]] && bundle_size+=1 [[ $mod_check -ne 0 ]] && bundle_size+=1
fi fi
"$HAS_NO_SSL2" && addcmd="-no_ssl2" || addcmd=""
for (( bundle=0; bundle < num_bundles; bundle++ )); do for (( bundle=0; bundle < num_bundles; bundle++ )); do
end_of_bundle=$bundle*$bundle_size+$bundle_size end_of_bundle=$bundle*$bundle_size+$bundle_size
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers [[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
@ -2714,7 +2733,7 @@ run_cipher_match(){
! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}" ! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}"
done done
[[ -z "$ciphers_to_test" ]] && break [[ -z "$ciphers_to_test" ]] && break
$OPENSSL s_client $addcmd -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "-no_ssl2 -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful "$?" "$TMPFILE" || break sclient_connect_successful "$?" "$TMPFILE" || break
cipher=$(get_cipher $TMPFILE) cipher=$(get_cipher $TMPFILE)
[[ -z "$cipher" ]] && break [[ -z "$cipher" ]] && break
@ -2836,7 +2855,7 @@ run_allciphers() {
local -i i end_of_bundle bundle bundle_size num_bundles mod_check local -i i end_of_bundle bundle bundle_size num_bundles mod_check
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2 local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
local -i -a index local -i -a index
local dhlen available ciphers_to_test supported_sslv2_ciphers addcmd="" local dhlen available ciphers_to_test supported_sslv2_ciphers
local has_dh_bits="$HAS_DH_BITS" local has_dh_bits="$HAS_DH_BITS"
local using_sockets=true local using_sockets=true
@ -2961,7 +2980,6 @@ run_allciphers() {
[[ $mod_check -ne 0 ]] && bundle_size+=1 [[ $mod_check -ne 0 ]] && bundle_size+=1
fi fi
"$HAS_NO_SSL2" && addcmd="-no_ssl2"
for (( bundle=0; bundle < num_bundles; bundle++ )); do for (( bundle=0; bundle < num_bundles; bundle++ )); do
end_of_bundle=$bundle*$bundle_size+$bundle_size end_of_bundle=$bundle*$bundle_size+$bundle_size
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers [[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
@ -2972,7 +2990,7 @@ run_allciphers() {
done done
success=1 success=1
if [[ -n "$ciphers_to_test" ]]; then if [[ -n "$ciphers_to_test" ]]; then
$OPENSSL s_client $addcmd -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "-no_ssl2 -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful "$?" "$TMPFILE" sclient_connect_successful "$?" "$TMPFILE"
if [[ "$?" -eq 0 ]]; then if [[ "$?" -eq 0 ]]; then
cipher=$(get_cipher $TMPFILE) cipher=$(get_cipher $TMPFILE)
@ -3089,7 +3107,7 @@ run_cipher_per_proto() {
local -a hexcode2 ciph2 rfc_ciph2 local -a hexcode2 ciph2 rfc_ciph2
local -i i bundle end_of_bundle bundle_size num_bundles mod_check local -i i bundle end_of_bundle bundle_size num_bundles mod_check
local -a ciphers_found ciphers_found2 sigalg ossl_supported index local -a ciphers_found ciphers_found2 sigalg ossl_supported index
local dhlen supported_sslv2_ciphers ciphers_to_test addcmd sni temp local dhlen supported_sslv2_ciphers ciphers_to_test addcmd temp
local available local available
local id local id
local has_dh_bits="$HAS_DH_BITS" local has_dh_bits="$HAS_DH_BITS"
@ -3248,8 +3266,6 @@ run_cipher_per_proto() {
[[ $mod_check -ne 0 ]] && bundle_size+=1 [[ $mod_check -ne 0 ]] && bundle_size+=1
fi fi
sni=""
[[ ! "$proto" =~ ssl ]] && sni="$SNI"
for (( bundle=0; bundle < num_bundles; bundle++ )); do for (( bundle=0; bundle < num_bundles; bundle++ )); do
end_of_bundle=$bundle*$bundle_size+$bundle_size end_of_bundle=$bundle*$bundle_size+$bundle_size
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers [[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
@ -3260,7 +3276,7 @@ run_cipher_per_proto() {
done done
success=1 success=1
if [[ -n "$ciphers_to_test" ]]; then if [[ -n "$ciphers_to_test" ]]; then
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "-cipher "${ciphers_to_test:1}" $proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful "$?" "$TMPFILE" sclient_connect_successful "$?" "$TMPFILE"
if [[ "$?" -eq 0 ]]; then if [[ "$?" -eq 0 ]]; then
cipher=$(get_cipher $TMPFILE) cipher=$(get_cipher $TMPFILE)
@ -3636,6 +3652,7 @@ run_client_simulation() {
local name tls proto cipher temp what_dh bits curve local name tls proto cipher temp what_dh bits curve
local has_dh_bits using_sockets=true local has_dh_bits using_sockets=true
local client_service local client_service
local options
# source the external file # source the external file
. "$TESTSSL_INSTALL_DIR/etc/client-simulation.txt" 2>/dev/null . "$TESTSSL_INSTALL_DIR/etc/client-simulation.txt" 2>/dev/null
@ -3701,9 +3718,9 @@ run_client_simulation() {
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE [[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE
fi fi
else else
"$HAS_NO_SSL2" || protos[i]="$(sed 's/-no_ssl2//' <<< "${protos[i]}")" options="$(s_client_options "-cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null" debugme echo "$OPENSSL s_client $options </dev/null"
$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE $OPENSSL s_client $options </dev/null >$TMPFILE 2>$ERRFILE
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? sclient_success=$?
fi fi
@ -5335,7 +5352,7 @@ determine_tls_extensions() {
# arg1 is "-cipher <OpenSSL cipher>" or empty # arg1 is "-cipher <OpenSSL cipher>" or empty
# arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried) # arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried)
get_server_certificate() { get_server_certificate() {
local protocols_to_try proto addcmd local protocols_to_try proto
local success local success
local npn_params="" line local npn_params="" line
local savedir local savedir
@ -5391,8 +5408,7 @@ get_server_certificate() {
for proto in $protocols_to_try; do for proto in $protocols_to_try; do
# we could know here which protcols are supported # we could know here which protcols are supported
addcmd="" addcmd=""
[[ ! "$proto" =~ ssl ]] && addcmd="$SNI" $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") </dev/null 2>$ERRFILE >$TMPFILE
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $npn_params -status </dev/null 2>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
success=0 success=0
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
@ -5401,7 +5417,7 @@ get_server_certificate() {
done # this loop is needed for IIS6 and others which have a handshake size limitations done # this loop is needed for IIS6 and others which have a handshake size limitations
if [[ $success -eq 7 ]]; then if [[ $success -eq 7 ]]; then
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then: # "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
if ! sclient_connect_successful $? $TMPFILE; then if ! sclient_connect_successful $? $TMPFILE; then
if [ -z "$1" ]; then if [ -z "$1" ]; then
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))" prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
@ -5951,7 +5967,7 @@ certificate_info() {
if [[ -n "$sni_used" ]]; then if [[ -n "$sni_used" ]]; then
# no cipher suites specified here. We just want the default vhost subject # no cipher suites specified here. We just want the default vhost subject
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")" cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject" [[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
@ -10209,7 +10225,7 @@ run_freak() {
local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03" local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03"
local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80" local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80"
local detected_ssl2_ciphers local detected_ssl2_ciphers
local addcmd="" addtl_warning="" hexc local addtl_warning="" hexc
local cve="CVE-2015-0204" local cve="CVE-2015-0204"
local cwe="CWE-310" local cwe="CWE-310"
local hint="" local hint=""
@ -10254,8 +10270,7 @@ run_freak() {
fi fi
fi fi
else else
"$HAS_NO_SSL2" && addcmd="-no_ssl2" || addcmd="" $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $SNI -no_ssl2") >$TMPFILE 2>$ERRFILE </dev/null
$OPENSSL s_client $STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $SNI $addcmd >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? sclient_success=$?
debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
@ -10918,7 +10933,7 @@ run_rc4() {
local -i i local -i i
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2 local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
local -i -a index local -i -a index
local dhlen available="" ciphers_to_test supported_sslv2_ciphers addcmd="" local dhlen available="" ciphers_to_test supported_sslv2_ciphers
local has_dh_bits="$HAS_DH_BITS" rc4_detected="" local has_dh_bits="$HAS_DH_BITS" rc4_detected=""
local using_sockets=true local using_sockets=true
local cve="CVE-2013-2566, CVE-2015-2808" local cve="CVE-2013-2566, CVE-2015-2808"
@ -11032,7 +11047,6 @@ run_rc4() {
fi fi
done done
"$HAS_NO_SSL2" && addcmd="-no_ssl2"
for (( success=0; success==0 ; 1 )); do for (( success=0; success==0 ; 1 )); do
ciphers_to_test="" ciphers_to_test=""
for (( i=0; i < nr_ossl_ciphers; i++ )); do for (( i=0; i < nr_ossl_ciphers; i++ )); do
@ -11040,7 +11054,7 @@ run_rc4() {
done done
success=1 success=1
if [[ -n "$ciphers_to_test" ]]; then if [[ -n "$ciphers_to_test" ]]; then
$OPENSSL s_client $addcmd -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "-no_ssl2 -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful "$?" "$TMPFILE" sclient_connect_successful "$?" "$TMPFILE"
if [[ "$?" -eq 0 ]]; then if [[ "$?" -eq 0 ]]; then
cipher=$(get_cipher $TMPFILE) cipher=$(get_cipher $TMPFILE)
@ -11347,6 +11361,9 @@ find_openssl_binary() {
$OPENSSL s_client -no_ssl2 -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -no_ssl2 -connect x 2>&1 | grep -aq "unknown option" || \
HAS_NO_SSL2=true HAS_NO_SSL2=true
$OPENSSL s_client -noservername -connect x 2>&1 | grep -aq "unknown option" || \
HAS_NOSERVERNAME=true
$OPENSSL s_client -help 2>$s_client_has $OPENSSL s_client -help 2>$s_client_has
$OPENSSL s_client -starttls foo 2>$s_client_starttls_has $OPENSSL s_client -starttls foo 2>$s_client_starttls_has