Merge pull request #827 from dcooper16/OpenSSL_111_fix
Another fix for OpenSSL 1.1.1
This commit is contained in:
commit
b16a86cf46
21
testssl.sh
21
testssl.sh
|
@ -1393,6 +1393,7 @@ string_to_asciihex() {
|
||||||
# Adjust options to $OPENSSL s_client based on OpenSSL version and protocol version
|
# Adjust options to $OPENSSL s_client based on OpenSSL version and protocol version
|
||||||
s_client_options() {
|
s_client_options() {
|
||||||
local options="$1"
|
local options="$1"
|
||||||
|
local ciphers
|
||||||
|
|
||||||
# Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
|
# Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
|
||||||
[[ -n "$SNI" ]] && [[ " $options " =~ \ -ssl[2|3]\ ]] && options="${options//$SNI/}"
|
[[ -n "$SNI" ]] && [[ " $options " =~ \ -ssl[2|3]\ ]] && options="${options//$SNI/}"
|
||||||
|
@ -1410,6 +1411,19 @@ s_client_options() {
|
||||||
# isn't needed for these versions of OpenSSL.)
|
# isn't needed for these versions of OpenSSL.)
|
||||||
! "$HAS_NO_SSL2" && options="${options//-no_ssl2/}"
|
! "$HAS_NO_SSL2" && options="${options//-no_ssl2/}"
|
||||||
|
|
||||||
|
# If $OPENSSL is compiled with TLSv1.3 support and s_client is called without
|
||||||
|
# specifying a protocol, but specifying a list of ciphers that doesn't include
|
||||||
|
# any TLSv1.3 ciphers, then the command will always fail. So, if $OPENSSL supports
|
||||||
|
# TLSv1.3 and a cipher list is provided, but no protocol is specified, then add
|
||||||
|
# -no_tls1_3 if the list of ciphers doesn't include any TLSv1.3 ciphers.
|
||||||
|
if "$HAS_TLS13" && [[ " $options " =~ " -cipher " ]] && \
|
||||||
|
[[ ! " $options " =~ \ -ssl[2|3]\ ]] && \
|
||||||
|
[[ ! " $options " =~ \ -tls1\ ]] && [[ ! " $options " =~ \ -tls1_[1|2|3]\ ]]; then
|
||||||
|
ciphers="${options#* -cipher }"
|
||||||
|
ciphers="${ciphers%% *}"
|
||||||
|
[[ ! "$($OPENSSL ciphers "$ciphers")" =~ TLS13 ]] && options+=" -no_tls1_3"
|
||||||
|
fi
|
||||||
|
|
||||||
tm_out "$options"
|
tm_out "$options"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2457,12 +2471,7 @@ std_cipherlists() {
|
||||||
"$FAST" && continue
|
"$FAST" && continue
|
||||||
[[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
|
[[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
|
||||||
fi
|
fi
|
||||||
# FIXME: This check won't be needed once PR #827 is approved. At that point just the "else" statement will be needed.
|
$OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $proto") 2>$ERRFILE >$TMPFILE </dev/null
|
||||||
if "$HAS_TLS13" && [[ "$proto" == "-no_ssl2" ]] && [[ ! "$($OPENSSL ciphers "$1")" =~ TLS13 ]]; then
|
|
||||||
$OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $proto -no_tls1_3") 2>$ERRFILE >$TMPFILE </dev/null
|
|
||||||
else
|
|
||||||
$OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $proto") 2>$ERRFILE >$TMPFILE </dev/null
|
|
||||||
fi
|
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
debugme cat $ERRFILE
|
debugme cat $ERRFILE
|
||||||
|
|
Loading…
Reference in New Issue