From a3f5dac46c8de2f2be74960ce332d6003b04e639 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Wed, 28 Nov 2018 12:10:30 -0500 Subject: [PATCH] Fix #1159 This PR fixes #1159. If tls_sockets() connects to a server using TLSv1.3, it cannot be assumed that the server's certificate is available, as testssl.sh may not have been able to decrypt the server's response. This can happen, for example, if X25519 was used for the key exchange and `$OPENSSL` does not support X25519. If the connection was successful, but the certificate could not be obtained, then this PR tries again using `$OPENSSL`. However, since `$OPENSSL` does not support TLSv1.3, this will only work if the server supports TLSv1.2 or earlier. --- testssl.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index ee6f1a3..ff9fe2c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -8397,7 +8397,17 @@ run_server_defaults() { "all" success[0]=$? if [[ ${success[0]} -eq 0 ]] || [[ ${success[0]} -eq 2 ]]; then - mv $HOSTCERT $HOSTCERT.nosni + if [[ -s $HOSTCERT ]]; then + mv $HOSTCERT $HOSTCERT.nosni + else + # The connection was successful, but the certificate could + # not be obtained (probably because the connection was TLS 1.3 + # and $OPENSSL does not support the key exchange group that was + # selected). So, try again using OpenSSL (which will not use a TLS 1.3 + # ClientHello). + $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE $HOSTCERT.nosni + fi else >$HOSTCERT.nosni fi
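Review bot: The new `else` branch never verifies that the fallback `$OPENSSL s_client` call actually produced a certificate, so on a TLS 1.3-only server (the case the description says will not work) `$HOSTCERT.nosni` can be left empty while `success[0]` still reports a successful handshake. The code that later consumes `$HOSTCERT.nosni` lies outside this hunk, as do the start and end of `run_server_defaults()`, but it presumably cannot tell "certificate could not be read" from "no certificate offered without SNI", which risks a misleading SNI finding in the report. A check directly after the call, for example `[[ -s "$HOSTCERT.nosni" ]] || echo "non-SNI certificate unavailable" >>$ERRFILE`, together with a flag the later comparison can test, would make that state explicit. The redirection on the s_client line appears to have been lost in this rendering, so what is written to `$HOSTCERT.nosni` cannot be confirmed from the page. As a style point, the `mv` expands `$HOSTCERT` unquoted; `mv -- "$HOSTCERT" "$HOSTCERT.nosni"` is more robust if the temp path ever contains whitespace.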