Fix run_logjam() in --ssl-native mode

This commit fixes a problem with run_logjam() when run in --ssl-native mode. If $OPENSSL does not support any DH export ciphers, then no test for such ciphers is performed. However, the result of the test was still checked, leading testssl.sh to incorrectly report that the server supports DH EXPORT ciphers.
David Cooper 2020-04-23 14:52:14 -04:00
parent a45e9f52d5
commit bb1c649513


@ -16413,15 +16413,13 @@ run_logjam() {
tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff" tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
sclient_success=$? sclient_success=$?
[[ $sclient_success -eq 2 ]] && sclient_success=0 [[ $sclient_success -eq 2 ]] && sclient_success=0
[[ $sclient_success -eq 0 ]] && vuln_exportdh_ciphers=true
elif [[ $nr_supported_ciphers -ne 0 ]]; then elif [[ $nr_supported_ciphers -ne 0 ]]; then
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? [[ $? -eq 0 ]] && vuln_exportdh_ciphers=true
debugme grep -Ea "error|failure" $ERRFILE | grep -Eav "unable to get local|verify error" debugme grep -Ea "error|failure" $ERRFILE | grep -Eav "unable to get local|verify error"
fi fi
[[ $sclient_success -eq 0 ]] && \
vuln_exportdh_ciphers=true || \
vuln_exportdh_ciphers=false
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
if "$using_sockets"; then if "$using_sockets"; then