From a66e3cd3ada7112bb628d74ea4a9ed916381283f Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Mon, 3 Jan 2022 15:02:27 -0500
Subject: [PATCH] Improve check for client authentication

Based on initial testing, this commit improves the check for client authentication in the case that the server only requests client authentication for specific URLs. However, it does not work correctly if the server supports TLS 1.3 and $OPENSSL is a version of LibreSSL that supports TLS 1.3 in s_client. The problem is that LibreSSL does not support post-handshake authentication with TLS 1.3
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index facf0af..bf5dc5f 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -21086,7 +21086,7 @@ determine_optimal_proto() {
 if [[ -z "$URL_PATH" ]] || [[ "$URL_PATH" == "/" ]]; then
 $OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI") $TMPFILE 2>>$ERRFILE
 else
- safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -prexit -enable_pha") $TMPFILE 2>>$ERRFILE
+ safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -ign_eof -enable_pha") >$TMPFILE 2>>$ERRFILE
 fi
 if sclient_auth $? $TMPFILE; then