Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 22:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update PROTOS_OFFERED

Browse Source 
In some rare cases, a connection to the server will fail with tls_sockets() but not with $OPENSSL. This can cause determine_optimal_sockets_params() to call add_proto_offered() to indicate that the protocol is not supported, and then determine_optimal_proto() to later call add_proto_offered() to indicate that it is supported. However, PROTOS_OFFERED does not get changed, since add_proto_offered() only modifies PROTOS_OFFERED if the protocol is not already listed.

This commit fixes the problem by allowing add_proto_offered() to change an entry for a protocol from "no" to "yes".

If determine_optimal_proto() happens to connect to the server using TLS 1.2, then this commit will set TLS12_CIPHER_OFFERED to the cipher from that connection, if TLS12_CIPHER_OFFERED was not set in determine_optimal_sockets_params(). This will allow run_protocols()'s test of a TLS 1.3 ClientHello to work better, if the problem is that no cipher supported by the server is included in TLS12_CIPHER or TLS12_CIPHER_2ND_TRY.
This commit is contained in:
David Cooper
2022-04-15 08:10:05 -04:00
parent 54e5469411
commit b90db257a1
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
testssl.sh
View File

@@ -5174,10 +5174,11 @@ run_prototest_openssl() {
# arg2: available (yes) or not (no)
add_proto_offered() {
# the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
# we got that protocol already
:
else
if [[ "$2" == yes ]] && [[ "$PROTOS_OFFERED" =~ $1:no ]]; then
# In rare cases, a protocol may be marked as not available even though it is
# (e.g., the connection fails with tls_sockets() but succeeds with $OPENSSL.
PROTOS_OFFERED="${PROTOS_OFFERED/$1:no/$1:$2}"
elif [[ ! "$PROTOS_OFFERED" =~ $1: ]]; then
PROTOS_OFFERED+="${1}:$2 "
fi
}
@@ -21341,6 +21342,10 @@ determine_optimal_proto() {
[[ "$(has_server_protocol "tls1_1")" -ne 0 ]] && [[ "$(has_server_protocol "tls1")" -ne 0 ]] &&
[[ "$(has_server_protocol "ssl3")" -ne 0 ]]; then
TLS13_ONLY=true
elif [[ -z "$TLS12_CIPHER_OFFERED" ]] && [[ "$(has_server_protocol "tls1_2")" -eq 0 ]] && [[ "$(get_protocol $TMPFILE)" == TLSv1.2 ]]; then
TLS12_CIPHER_OFFERED="$(get_cipher $TMPFILE)"
TLS12_CIPHER_OFFERED="$(openssl2hexcode "$TLS12_CIPHER_OFFERED")"
[[ ${#TLS12_CIPHER_OFFERED} -eq 9 ]] && TLS12_CIPHER_OFFERED="${TLS12_CIPHER_OFFERED:2:2},${TLS12_CIPHER_OFFERED:7:2}" || TLS12_CIPHER_OFFERED=""
fi
if [[ "$optimal_proto" == -ssl2 ]]; then