From b9271ba5ec96c5157534bd581dd956085a87cd24 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Tue, 1 Nov 2022 14:16:43 -0700 Subject: [PATCH] Fix infinite loop in run_pfs() This commit fixes an infinite loop in run_pfs() that occurs in cases in which $OPENSSL supports TLS 1.3 and the server supports all of the non-TLS 1.3 FS ciphers that $OPENSSL supports but not all of the TLS 1.3 ciphers that $OPENSSL supports. The problem is that testing for supported ciphers using $OPENSSL, testing should stop if there are no more ciphers to test (because all of the ciphers supported by $OPENSSL have been determined to be supported by the server). However, currently testing only stops if both the list of TLS 1.3 ciphers and non-TLS 1.3 ciphers is empty. In the problematic case, only the list of non-TLS 1.3 ciphers is empty. Instead of stopping, s_client_options() is called with a -cipher option with an empty list, and s_client_options() simply removes the -cipher option from the command, resulting in a call to $OPENSSL s_client with a full list of non-TLS 1.3 ciphers. Since this call succeeds, the loop continues. This commit fixes the problem by stopping TLS 1.3 ClientHello testing when the list of TLS 1.3 ciphers is empty and stopping non-TLS 1.3 ClientHello testing when the list of non-TLS 1.3 ciphers is empty. --- testssl.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 0c329d9..ab0f676 100755 --- a/testssl.sh +++ b/testssl.sh @@ -9711,7 +9711,12 @@ run_pfs() { fi fi done - [[ -z "$ciphers_to_test" ]] && [[ -z "$tls13_ciphers_to_test" ]] && break + if "$HAS_TLS13"; then + [[ "$proto" == -no_ssl2 ]] && [[ -z "$tls13_ciphers_to_test" ]] && break + [[ "$proto" == -no_tls1_3 ]] && [[ -z "$ciphers_to_test" ]] && break + else + [[ -z "$ciphers_to_test" ]] && break + fi $OPENSSL s_client $(s_client_options "$proto -cipher "\'${ciphers_to_test:1}\'" -ciphersuites "\'${tls13_ciphers_to_test:1}\'" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE