Merge pull request #827 from dcooper16/OpenSSL_111_fix

Another fix for OpenSSL 1.1.1
This commit is contained in:
Dirk Wetter 2017-10-22 23:27:50 +02:00 committed by GitHub
commit b16a86cf46
1 changed files with 15 additions and 6 deletions


@ -1393,6 +1393,7 @@ string_to_asciihex() {
# Adjust options to $OPENSSL s_client based on OpenSSL version and protocol version # Adjust options to $OPENSSL s_client based on OpenSSL version and protocol version
s_client_options() { s_client_options() {
local options="$1" local options="$1"
local ciphers
# Don't include the -servername option for an SSLv2 or SSLv3 ClientHello. # Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
[[ -n "$SNI" ]] && [[ " $options " =~ \ -ssl[2|3]\ ]] && options="${options//$SNI/}" [[ -n "$SNI" ]] && [[ " $options " =~ \ -ssl[2|3]\ ]] && options="${options//$SNI/}"
@ -1410,6 +1411,19 @@ s_client_options() {
# isn't needed for these versions of OpenSSL.) # isn't needed for these versions of OpenSSL.)
! "$HAS_NO_SSL2" && options="${options//-no_ssl2/}" ! "$HAS_NO_SSL2" && options="${options//-no_ssl2/}"
# If $OPENSSL is compiled with TLSv1.3 support and s_client is called without
# specifying a protocol, but specifying a list of ciphers that doesn't include
# any TLSv1.3 ciphers, then the command will always fail. So, if $OPENSSL supports
# TLSv1.3 and a cipher list is provided, but no protocol is specified, then add
# -no_tls1_3 if the list of ciphers doesn't include any TLSv1.3 ciphers.
if "$HAS_TLS13" && [[ " $options " =~ " -cipher " ]] && \
[[ ! " $options " =~ \ -ssl[2|3]\ ]] && \
[[ ! " $options " =~ \ -tls1\ ]] && [[ ! " $options " =~ \ -tls1_[1|2|3]\ ]]; then
ciphers="${options#* -cipher }"
ciphers="${ciphers%% *}"
[[ ! "$($OPENSSL ciphers "$ciphers")" =~ TLS13 ]] && options+=" -no_tls1_3"
fi
tm_out "$options" tm_out "$options"
} }
@ -2457,12 +2471,7 @@ std_cipherlists() {
"$FAST" && continue "$FAST" && continue
[[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
fi fi
# FIXME: This check won't be needed once PR #827 is approved. At that point just the "else" statement will be needed. $OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $proto") 2>$ERRFILE >$TMPFILE </dev/null
if "$HAS_TLS13" && [[ "$proto" == "-no_ssl2" ]] && [[ ! "$($OPENSSL ciphers "$1")" =~ TLS13 ]]; then
$OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $proto -no_tls1_3") 2>$ERRFILE >$TMPFILE </dev/null
else
$OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $proto") 2>$ERRFILE >$TMPFILE </dev/null
fi
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? sclient_success=$?
debugme cat $ERRFILE debugme cat $ERRFILE
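Review bot: The cipher-list extraction in s_client_options is not aligned with the guard above it: `[[ " $options " =~ " -cipher " ]]` is padded and so accepts `-cipher` as the first word of `$options`, but `ciphers="${options#* -cipher }"` requires a space before `-cipher`, leaves `$options` unchanged in that case, and `${ciphers%% *}` then yields the literal string `-cipher`; `$OPENSSL ciphers "-cipher"` presumably fails with no stdout, so the `TLS13` match never succeeds and `-no_tls1_3` is appended regardless of the list content. The rewritten std_cipherlists call in this same commit passes exactly that shape (`"-cipher "$1" $BUGS ..."`), so the new generic path is taken with a mis-parsed list where the removed special case used `"$1"` directly. Pad before stripping, `ciphers=" $options"`, `ciphers="${ciphers#* -cipher }"`, `ciphers="${ciphers%% *}"`, and consider `2>/dev/null` on the `$OPENSSL ciphers` call so a malformed list does not print OpenSSL errors outside `$ERRFILE`. The bracket expressions `\ -ssl[2|3]\ ` and `\ -tls1_[1|2|3]\ ` also match a literal `|`; `[23]` and `[123]` express the intent. std_cipherlists begins and ends outside this hunk.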