Fix #1159

This PR fixes #1159. If tls_sockets() connects to a server using TLSv1.3, it cannot be assumed that the server's certificate is available, as testssl.sh may not have been able to decrypt the server's response. This can happen, for example, if X25519 was used for the key exchange and `$OPENSSL` does not support X25519. If the connection was successful, but the certificate could not be obtained, then this PR tries again using `$OPENSSL`. However, since `$OPENSSL` does not support TLSv1.3, this will only work if the server supports TLSv1.2 or earlier.
2025-01-20 23:49:30 +01:00 · 2018-11-28 12:10:30 -05:00 · 2018-11-28 12:10:30 -05:00 · a3f5dac46c
commit a3f5dac46c
parent d2fe7567d3
1 changed files with 11 additions and 1 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -8397,7 +8397,17 @@ run_server_defaults() {
                            "all"
               success[0]=$?
               if [[ ${success[0]} -eq 0 ]] || [[ ${success[0]} -eq 2 ]]; then
-                    mv $HOSTCERT $HOSTCERT.nosni
+                    if [[ -s $HOSTCERT ]]; then
+                         mv $HOSTCERT $HOSTCERT.nosni
+                    else
+                         # The connection was successful, but the certificate could
+                         # not be obtained (probably because the connection was TLS 1.3
+                         # and $OPENSSL does not support the key exchange group that was
+                         # selected). So, try again using OpenSSL (which will not use a TLS 1.3
+                         # ClientHello).
+                         $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | \
+                              awk '/-----BEGIN/,/-----END/ { print $0 }'  >$HOSTCERT.nosni
+                    fi
               else
                    >$HOSTCERT.nosni
               fi