From ac662f8699c7541a60d15ebfda76248245639370 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Fri, 8 Apr 2022 09:08:06 -0400
Subject: [PATCH] Improve compatibility with LibreSSL

Older versions of LibreSSL that do not support TLS 1.3 only include a small list of curves in the supported_groups extension by default, so need to retry with curves explicitly defined even with versions of $OPENSSL that do not support TLS 1.3.
---
 testssl.sh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index acb6c05..5985c6a 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -10328,18 +10328,17 @@ run_fs() {
 sclient_success=$?
 [[ $sclient_success -eq 0 ]] && [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]] && sclient_success=1
 # Sometimes a TLS 1.3 ClientHello will fail, but a TLS 1.2 ClientHello will succeed. See #2131.
- if [[ $sclient_success -ne 0 ]] && "$HAS_TLS13"; then
+ if [[ $sclient_success -ne 0 ]]; then
 # By default, OpenSSL 1.1.1 and above only include a few curves in the ClientHello, so in order
 # to test all curves, the -curves option must be added. In addition, OpenSSL limits the number of
 # curves that can be specified to 28. So, if more than 28 curves are supported, then the curves must
 # be tested in batches.
+ curves_list1="$(strip_trailing_space "$(strip_leading_space "$OSSL_SUPPORTED_CURVES")")"
+ curves_list1="${curves_list1// / }"
 if [[ "$(count_words "$OSSL_SUPPORTED_CURVES")" -le 28 ]]; then
- curves_list1="$(strip_trailing_space "$(strip_leading_space "$OSSL_SUPPORTED_CURVES")")"
 curves_list1="${curves_list1// /:}"
 else
 # Place the first 28 supported curves in curves_list1 and the remainder in curves_list2.
- curves_list1="$(strip_trailing_space "$(strip_leading_space "$OSSL_SUPPORTED_CURVES")")"
- curves_list1="${curves_list1// / }"
 curves_list2="${curves_list1#* * * * * * * * * * * * * * * * * * * * * * * * * * * * }"
 curves_list1="${curves_list1%$curves_list2}"
 curves_list1="$(strip_trailing_space "$curves_list1")"
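Review bot: The comment block kept as context directly under the new `if [[ $sclient_success -ne 0 ]]; then` still attributes the short default curve list only to "OpenSSL 1.1.1 and above", yet the commit removes the `"$HAS_TLS13"` guard precisely because older LibreSSL builds without TLS 1.3 behave the same way, so the comment now understates why the retry runs for every $OPENSSL. Suggested first line: `# By default, OpenSSL 1.1.1 and above (and older LibreSSL builds without TLS 1.3) only include a few curves in the ClientHello, so in order`. Because the retry now also reaches builds that never took this path before, it is worth confirming that `OSSL_SUPPORTED_CURVES` cannot be empty for them: an empty list passes the `-le 28` check and leaves `curves_list1` empty, and if that is possible a guard such as `if [[ $sclient_success -ne 0 ]] && [[ -n "$OSSL_SUPPORTED_CURVES" ]]; then` keeps the retry from being attempted with no curves at all. The enclosing run_fs() body, including the retry command that consumes these lists, starts and ends outside this hunk, so that part is inferred rather than visible here.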