Merge pull request #1049 from dcooper16/dont_offer_compression
Don't offer TLS compression by default
This commit is contained in:
commit
b6c527598b
27
testssl.sh
27
testssl.sh
@ -316,6 +316,8 @@ HAS_PKEY=false
|
|||||||
HAS_NO_SSL2=false
|
HAS_NO_SSL2=false
|
||||||
HAS_NOSERVERNAME=false
|
HAS_NOSERVERNAME=false
|
||||||
HAS_CIPHERSUITES=false
|
HAS_CIPHERSUITES=false
|
||||||
|
HAS_COMP=false
|
||||||
|
HAS_NO_COMP=false
|
||||||
HAS_ALPN=false
|
HAS_ALPN=false
|
||||||
HAS_NPN=false
|
HAS_NPN=false
|
||||||
HAS_FALLBACK_SCSV=false
|
HAS_FALLBACK_SCSV=false
|
||||||
@ -1620,6 +1622,20 @@ s_client_options() {
|
|||||||
# isn't needed for these versions of OpenSSL.)
|
# isn't needed for these versions of OpenSSL.)
|
||||||
! "$HAS_NO_SSL2" && options="${options//-no_ssl2/}"
|
! "$HAS_NO_SSL2" && options="${options//-no_ssl2/}"
|
||||||
|
|
||||||
|
# At least one server will fail under some circumstances if compression methods are offered.
|
||||||
|
# So, only offer compression methds if necessary for the test. In OpenSSL 1.1.0 and
|
||||||
|
# 1.1.1 compression is only offered if the "-comp" option is provided.
|
||||||
|
# OpenSSL 1.0.0, 1.0.1, and 1.0.2 offer compression unless the "-no_comp" option is provided.
|
||||||
|
# OpenSSL 0.9.8 does not support either the "-comp" or the "-no_comp" option.
|
||||||
|
if [[ " $options " =~ " -comp " ]]; then
|
||||||
|
# Compression is needed for the test. So, remove "-comp" if it isn't supported, but
|
||||||
|
# otherwise make no changes.
|
||||||
|
! "$HAS_COMP" && options="${options//-comp/}"
|
||||||
|
else
|
||||||
|
# Compression is not needed. So, specify "-no_comp" if that option is supported.
|
||||||
|
"$HAS_NO_COMP" && options+=" -no_comp"
|
||||||
|
fi
|
||||||
|
|
||||||
# If $OPENSSL is compiled with TLSv1.3 support and s_client is called without
|
# If $OPENSSL is compiled with TLSv1.3 support and s_client is called without
|
||||||
# specifying a protocol, but specifying a list of ciphers that doesn't include
|
# specifying a protocol, but specifying a list of ciphers that doesn't include
|
||||||
# any TLSv1.3 ciphers, then the command will always fail. So, if $OPENSSL supports
|
# any TLSv1.3 ciphers, then the command will always fail. So, if $OPENSSL supports
|
||||||
@ -12723,11 +12739,8 @@ run_crime() {
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
[[ "$OSSL_VER" == "0.9.8"* ]] && addcmd="-no_ssl2"
|
[[ "$OSSL_VER" == "0.9.8"* ]] && addcmd="-no_ssl2"
|
||||||
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then
|
|
||||||
addcmd="-comp"
|
|
||||||
fi
|
|
||||||
"$HAS_TLS13" && [[ -z "$OPTIMAL_PROTO" ]] && addcmd+=" -no_tls1_3"
|
"$HAS_TLS13" && [[ -z "$OPTIMAL_PROTO" ]] && addcmd+=" -no_tls1_3"
|
||||||
$OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI") </dev/null &>$TMPFILE
|
$OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -comp $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI") </dev/null &>$TMPFILE
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
fi
|
fi
|
||||||
@ -14942,6 +14955,12 @@ find_openssl_binary() {
|
|||||||
$OPENSSL s_client -ciphersuites -connect x 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL s_client -ciphersuites -connect x 2>&1 | grep -aq "unknown option" || \
|
||||||
HAS_CIPHERSUITES=true
|
HAS_CIPHERSUITES=true
|
||||||
|
|
||||||
|
$OPENSSL s_client -comp -connect x 2>&1 | grep -aq "unknown option" || \
|
||||||
|
HAS_COMP=true
|
||||||
|
|
||||||
|
$OPENSSL s_client -no_comp -connect x 2>&1 | grep -aq "unknown option" || \
|
||||||
|
HAS_NO_COMP=true
|
||||||
|
|
||||||
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
|
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
|
||||||
|
|
||||||
for curve in "${curves_ossl[@]}"; do
|
for curve in "${curves_ossl[@]}"; do
|
||||||
|
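Review bot: With this change a CRIME false negative can go unreported on OpenSSL 1.1.x: run_crime now always passes `-comp` through s_client_options, and that function silently strips `-comp` when `$HAS_COMP` is false, so on a 1.1.0/1.1.1 build that rejects the option (the hunk's own comment says those versions offer compression only with `-comp`) the handshake succeeds without compression and the test reports the server as not vulnerable. Before the patch the unconditional `addcmd="-comp"` at least made the connection fail visibly on such a binary. I would guard the call in run_crime, e.g. `if [[ "$OSSL_VER" == "1.1."* ]] && ! "$HAS_COMP"; then` ... report a local problem ("$OPENSSL has no -comp support, can't test for CRIME") and skip the test ... `fi`, using the file's usual local-problem reporting helper; the body of run_crime starts and ends outside the hunk. A smaller nit in the s_client_options comment block: `methds` should read `methods`.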