mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-21 07:59:31 +01:00
Fix #1159
This PR fixes #1159. If tls_sockets() connects to a server using TLSv1.3, it cannot be assumed that the server's certificate is available, as testssl.sh may not have been able to decrypt the server's response. This can happen, for example, if X25519 was used for the key exchange and `$OPENSSL` does not support X25519. If the connection was successful, but the certificate could not be obtained, then this PR tries again using `$OPENSSL`. However, since `$OPENSSL` does not support TLSv1.3, this will only work if the server supports TLSv1.2 or earlier.
This commit is contained in:
parent
d2fe7567d3
commit
a3f5dac46c
12
testssl.sh
12
testssl.sh
@ -8397,7 +8397,17 @@ run_server_defaults() {
|
||||
"all"
|
||||
success[0]=$?
|
||||
if [[ ${success[0]} -eq 0 ]] || [[ ${success[0]} -eq 2 ]]; then
|
||||
mv $HOSTCERT $HOSTCERT.nosni
|
||||
if [[ -s $HOSTCERT ]]; then
|
||||
mv $HOSTCERT $HOSTCERT.nosni
|
||||
else
|
||||
# The connection was successful, but the certificate could
|
||||
# not be obtained (probably because the connection was TLS 1.3
|
||||
# and $OPENSSL does not support the key exchange group that was
|
||||
# selected). So, try again using OpenSSL (which will not use a TLS 1.3
|
||||
# ClientHello).
|
||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | \
|
||||
awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
||||
fi
|
||||
else
|
||||
>$HOSTCERT.nosni
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user