This PR fixes #1159. If tls_sockets() connects to a server using TLSv1.3, it cannot be assumed that the server's certificate is available, as testssl.sh may not have been able to decrypt the server's response. This can happen, for example, if X25519 was used for the key exchange and `$OPENSSL` does not support X25519.

If the connection was successful, but the certificate could not be obtained, then this PR tries again using `$OPENSSL`. However, since `$OPENSSL` does not support TLSv1.3, this will only work if the server supports TLSv1.2 or earlier.
David Cooper 2018-11-28 12:10:30 -05:00 committed by GitHub
parent d2fe7567d3
commit a3f5dac46c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -8397,7 +8397,17 @@ run_server_defaults() {
"all" "all"
success[0]=$? success[0]=$?
if [[ ${success[0]} -eq 0 ]] || [[ ${success[0]} -eq 2 ]]; then if [[ ${success[0]} -eq 0 ]] || [[ ${success[0]} -eq 2 ]]; then
mv $HOSTCERT $HOSTCERT.nosni if [[ -s $HOSTCERT ]]; then
mv $HOSTCERT $HOSTCERT.nosni
else
# The connection was successful, but the certificate could
# not be obtained (probably because the connection was TLS 1.3
# and $OPENSSL does not support the key exchange group that was
# selected). So, try again using OpenSSL (which will not use a TLS 1.3
# ClientHello).
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | \
awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
fi
else else
>$HOSTCERT.nosni >$HOSTCERT.nosni
fi fi
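Review bot: If the `$OPENSSL s_client` retry in the new inner `else` also fails, `$HOSTCERT.nosni` is left empty, which is the same state the outer `else` creates with `>$HOSTCERT.nosni` for a failed connection; the description already notes this happens with a TLS 1.3-only server. Whatever reads the file later presumably cannot tell "handshake succeeded but the certificate could not be decrypted" from "no certificate was offered without SNI", which could skew the SNI comparison; that consumer is outside this hunk, so this needs confirming. At minimum I would extend the comment with `# If this retry also fails, $HOSTCERT.nosni is left empty, same as a failed connection.`. I would also narrow the awk range to `/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/` so that only certificate blocks from the s_client output end up in the file. run_server_defaults() starts and ends outside the hunk.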