Fix tls_sockets() when SNI empty
`socksend_tls_clienthello()` always includes a server name extension in the ClientHello (for TLS 1.0 and above), even if `$SNI` is empty. If `$NODE` is an IP address, then the IP address is placed in the extension, even though RFC 6066 says that only DNS names are supported in the extension. This PR changes `socksend_tls_clienthello()` so that the server name extension is only included in the ClientHello if `$SNI` is not empty.
This commit is contained in:
parent
2313aee22d
commit
a9002ba6e6
48
testssl.sh
48
testssl.sh
@ -5747,20 +5747,22 @@ socksend_tls_clienthello() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
#formatted example for SNI
|
if [[ -n "$SNI" ]]; then
|
||||||
#00 00 # extension server_name
|
#formatted example for SNI
|
||||||
#00 1a # length = the following +2 = server_name length + 5
|
#00 00 # extension server_name
|
||||||
#00 18 # server_name list_length = server_name length +3
|
#00 1a # length = the following +2 = server_name length + 5
|
||||||
#00 # server_name type (hostname)
|
#00 18 # server_name list_length = server_name length +3
|
||||||
#00 15 # server_name length
|
#00 # server_name type (hostname)
|
||||||
#66 66 66 66 66 66 2e 66 66 66 66 66 66 66 66 66 66 2e 66 66 66 target.mydomain1.tld # server_name target
|
#00 15 # server_name length
|
||||||
len_servername=${#NODE}
|
#66 66 66 66 66 66 2e 66 66 66 66 66 66 66 66 66 66 2e 66 66 66 target.mydomain1.tld # server_name target
|
||||||
hexdump_format_str="$len_servername/1 \"%02x,\""
|
len_servername=${#NODE}
|
||||||
servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}" | sed 's/,$//')
|
hexdump_format_str="$len_servername/1 \"%02x,\""
|
||||||
# convert lengths we need to fill in from dec to hex:
|
servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}" | sed 's/,$//')
|
||||||
len_servername_hex=$(printf "%02x\n" $len_servername)
|
# convert lengths we need to fill in from dec to hex:
|
||||||
len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
|
len_servername_hex=$(printf "%02x\n" $len_servername)
|
||||||
len_sni_ext=$(printf "%02x\n" $((len_servername+5)))
|
len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
|
||||||
|
len_sni_ext=$(printf "%02x\n" $((len_servername+5)))
|
||||||
|
fi
|
||||||
|
|
||||||
extension_signature_algorithms="
|
extension_signature_algorithms="
|
||||||
00, 0d, # Type: signature_algorithms , see RFC 5246
|
00, 0d, # Type: signature_algorithms , see RFC 5246
|
||||||
@ -5790,16 +5792,20 @@ socksend_tls_clienthello() {
|
|||||||
01, 00"
|
01, 00"
|
||||||
|
|
||||||
all_extensions="
|
all_extensions="
|
||||||
00, 00 # extension server_name
|
$extension_heartbeat
|
||||||
,00, $len_sni_ext # length SNI EXT
|
|
||||||
,00, $len_sni_listlen # server_name list_length
|
|
||||||
,00 # server_name type (hostname)
|
|
||||||
,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
|
|
||||||
,$servername_hexstr # server_name target
|
|
||||||
,$extension_heartbeat
|
|
||||||
,$extension_session_ticket
|
,$extension_session_ticket
|
||||||
,$extension_next_protocol"
|
,$extension_next_protocol"
|
||||||
|
|
||||||
|
if [[ -n "$SNI" ]]; then
|
||||||
|
all_extensions="$all_extensions
|
||||||
|
,00, 00 # extension server_name
|
||||||
|
,00, $len_sni_ext # length SNI EXT
|
||||||
|
,00, $len_sni_listlen # server_name list_length
|
||||||
|
,00 # server_name type (hostname)
|
||||||
|
,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
|
||||||
|
,$servername_hexstr" # server_name target
|
||||||
|
fi
|
||||||
|
|
||||||
# RFC 5246 says that clients MUST NOT offer the signature algorithms
|
# RFC 5246 says that clients MUST NOT offer the signature algorithms
|
||||||
# extension if they are offering TLS versions prior to 1.2.
|
# extension if they are offering TLS versions prior to 1.2.
|
||||||
if [[ "0x$tls_low_byte" -ge "0x03" ]]; then
|
if [[ "0x$tls_low_byte" -ge "0x03" ]]; then
|
||||||
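Review bot: The new guard in the first hunk keys on `$SNI` being non-empty, but the bytes it encodes still come from `$NODE` (`len_servername=${#NODE}` and `printf $NODE | hexdump …`), so skipping the extension for IP targets relies on an invariant — that `$SNI` is only set when `$NODE` is a DNS name — which the hunk does not state; a comment above the `if`, such as `# $SNI is only non-empty when $NODE is a DNS name, so the server_name bytes below may use $NODE (RFC 6066 allows no IP literals here)`, would make that explicit. While touching this block, `printf $NODE` passes the hostname unquoted and as the format string, so a name containing `%` or a backslash would not be encoded byte-for-byte; `printf '%s' "$NODE"` avoids that. In the second hunk `all_extensions` now opens with `$extension_heartbeat` followed by `,$extension_session_ticket`, whereas the old string always began with the server_name bytes; if `extension_heartbeat` can ever be empty the list would start with a bare separating comma, which is worth confirming the hex sender tolerates. `socksend_tls_clienthello()` starts before the first hunk and continues after the second.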
|