mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 17:20:57 +01:00
run_renego() and OpenSSL 1.1.1
run_renego() appears to produce a false positive if OpenSSL 1.1.1 is used and the server being tested supports TLSv1.3 (i.e., the server supports the same draft version of TLSv1.3 as the version of OpenSSL 1.1.1 being used does). This PR fixes the problem by telling calls to $OPENSSL s_client in run_renego() to not use TLSv1.3.
This commit is contained in:
parent
5c005ac139
commit
b9e67fcf29
12
testssl.sh
12
testssl.sh
@ -11815,18 +11815,20 @@ run_ticketbleed() {
|
|||||||
|
|
||||||
run_renego() {
|
run_renego() {
|
||||||
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
|
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
|
||||||
local legacycmd=""
|
local legacycmd="" proto="$OPTIMAL_PROTO"
|
||||||
local insecure_renogo_str="Secure Renegotiation IS NOT"
|
local insecure_renogo_str="Secure Renegotiation IS NOT"
|
||||||
local sec_renego sec_client_renego
|
local sec_renego sec_client_renego
|
||||||
local cve="CVE-2009-3555"
|
local cve="CVE-2009-3555"
|
||||||
local cwe="CWE-310"
|
local cwe="CWE-310"
|
||||||
local hint=""
|
local hint=""
|
||||||
|
|
||||||
|
"$HAS_TLS13" && [[ -z "$proto" ]] && proto="-no_tls1_3"
|
||||||
|
|
||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Renegotiation vulnerabilities " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Renegotiation vulnerabilities " && outln
|
||||||
|
|
||||||
pr_bold " Secure Renegotiation "; out "($cve) " # and RFC 5746, OSVDB 59968-59974
|
pr_bold " Secure Renegotiation "; out "($cve) " # and RFC 5746, OSVDB 59968-59974
|
||||||
# community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
|
# community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
|
||||||
$OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI $PROXY") 2>&1 </dev/null >$TMPFILE 2>$ERRFILE
|
$OPENSSL s_client $(s_client_options "$proto $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI $PROXY") 2>&1 </dev/null >$TMPFILE 2>$ERRFILE
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
grep -iaq "$insecure_renogo_str" $TMPFILE
|
grep -iaq "$insecure_renogo_str" $TMPFILE
|
||||||
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
|
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
|
||||||
@ -11865,7 +11867,7 @@ run_renego() {
|
|||||||
1.0.1*|1.0.2*)
|
1.0.1*|1.0.2*)
|
||||||
legacycmd="-legacy_renegotiation"
|
legacycmd="-legacy_renegotiation"
|
||||||
;;
|
;;
|
||||||
0.9.9*|1.0*)
|
0.9.9*|1.0*|1.1*)
|
||||||
;; # all ok
|
;; # all ok
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -11876,7 +11878,7 @@ run_renego() {
|
|||||||
else
|
else
|
||||||
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
|
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
|
||||||
# msg enables us to look deeper into it while debugging
|
# msg enables us to look deeper into it while debugging
|
||||||
echo R | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY") >$TMPFILE 2>>$ERRFILE &
|
echo R | $OPENSSL s_client $(s_client_options "$proto $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY") >$TMPFILE 2>>$ERRFILE &
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
if [[ $? -eq 3 ]]; then
|
if [[ $? -eq 3 ]]; then
|
||||||
pr_done_good "likely not vulnerable (OK)"; outln ", timed out" # it hung
|
pr_done_good "likely not vulnerable (OK)"; outln ", timed out" # it hung
|
||||||
@ -11884,7 +11886,7 @@ run_renego() {
|
|||||||
sec_client_renego=1
|
sec_client_renego=1
|
||||||
else
|
else
|
||||||
# second try in the foreground as we are sure now it won't hang
|
# second try in the foreground as we are sure now it won't hang
|
||||||
echo R | $OPENSSL s_client $(s_client_options "$legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $SNI $PROXY") >$TMPFILE 2>>$ERRFILE
|
echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $SNI $PROXY") >$TMPFILE 2>>$ERRFILE
|
||||||
sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln!
|
sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln!
|
||||||
case "$sec_client_renego" in
|
case "$sec_client_renego" in
|
||||||
0) if [[ $SERVICE == "HTTP" ]]; then
|
0) if [[ $SERVICE == "HTTP" ]]; then
|
||||||
|
Loading…
Reference in New Issue
Block a user