Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix infinite loop in run_pfs()

Browse Source 
This commit fixes an infinite loop in run_pfs() that occurs in cases in which $OPENSSL supports TLS 1.3 and the server supports all of the non-TLS 1.3 FS ciphers that $OPENSSL supports but not all of the TLS 1.3 ciphers that $OPENSSL supports.

The problem is that testing for supported ciphers using $OPENSSL, testing should stop if there are no more ciphers to test (because all of the ciphers supported by $OPENSSL have been determined to be supported by the server). However, currently testing only stops if both the list of TLS 1.3 ciphers and non-TLS 1.3 ciphers is empty. In the problematic case, only the list of non-TLS 1.3 ciphers is empty. Instead of stopping, s_client_options() is called with a -cipher option with an empty list, and s_client_options() simply removes the -cipher option from the command, resulting in a call to $OPENSSL s_client with a full list of non-TLS 1.3 ciphers. Since this call succeeds, the loop continues.

This commit fixes the problem by stopping TLS 1.3 ClientHello testing when the list of TLS 1.3 ciphers is empty and stopping non-TLS 1.3 ClientHello testing when the list of non-TLS 1.3 ciphers is empty.
This commit is contained in:
David Cooper 2022-11-01 14:16:43 -07:00 committed by GitHub
parent abdd51d815
commit b9271ba5ec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
testssl.sh
View File

@ -9711,7 +9711,12 @@ run_pfs() {
fi
fi
done
[[ -z "$ciphers_to_test" ]] && [[ -z "$tls13_ciphers_to_test" ]] && break
if "$HAS_TLS13"; then
[[ "$proto" == -no_ssl2 ]] && [[ -z "$tls13_ciphers_to_test" ]] && break
[[ "$proto" == -no_tls1_3 ]] && [[ -z "$ciphers_to_test" ]] && break
else
[[ -z "$ciphers_to_test" ]] && break
fi
$OPENSSL s_client $(s_client_options "$proto -cipher "\'${ciphers_to_test:1}\'" -ciphersuites "\'${tls13_ciphers_to_test:1}\'" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE </dev/null
sclient_connect_successful $? $TMPFILE || break
pfs_cipher=$(get_cipher $TMPFILE)