Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-01 06:19:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2360 from mum-viadee/run_renego_sni_patch

Browse Source 
Secure renegotiations tests need servername for servers that use SNI
This commit is contained in:
Dirk Wetter 2023-05-15 15:26:37 +02:00 committed by GitHub
commit be987d17a0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
testssl.sh
View File

@ -16896,7 +16896,7 @@ run_renego() {
local hint="" local hint=""
local jsonID="" local jsonID=""
local ssl_reneg_attempts=$SSL_RENEG_ATTEMPTS local ssl_reneg_attempts=$SSL_RENEG_ATTEMPTS
# No SNI needed here as there won't be two different SSL stacks for one IP # In cases where there's no default host configured we need SNI here as openssl then would return otherwise an error and the test will fail
"$HAS_TLS13" && [[ -z "$proto" ]] && proto="-no_tls1_3" "$HAS_TLS13" && [[ -z "$proto" ]] && proto="-no_tls1_3"
@ -16913,7 +16913,7 @@ run_renego() {
fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe" fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe"
else else
# first fingerprint for the Line "Secure Renegotiation IS NOT" or "Secure Renegotiation IS " # first fingerprint for the Line "Secure Renegotiation IS NOT" or "Secure Renegotiation IS "
$OPENSSL s_client $(s_client_options "$proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") 2>&1 </dev/null >$TMPFILE 2>$ERRFILE $OPENSSL s_client $(s_client_options "$proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") 2>&1 </dev/null >$TMPFILE 2>$ERRFILE
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
grep -iaq "Secure Renegotiation IS NOT" $TMPFILE grep -iaq "Secure Renegotiation IS NOT" $TMPFILE
sec_renego=$? # 0= Secure Renegotiation IS NOT supported sec_renego=$? # 0= Secure Renegotiation IS NOT supported
@ -16982,7 +16982,7 @@ run_renego() {
else else
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background # We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
# msg enables us to look deeper into it while debugging # msg enables us to look deeper into it while debugging
echo R | $OPENSSL s_client $(s_client_options "$proto $BUGS $legacycmd $STARTTLS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE & echo R | $OPENSSL s_client $(s_client_options "$proto $BUGS $legacycmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $HEADER_MAXSLEEP
if [[ $? -eq 3 ]]; then if [[ $? -eq 3 ]]; then
pr_svrty_good "likely not vulnerable (OK)"; outln ", timed out" # it hung pr_svrty_good "likely not vulnerable (OK)"; outln ", timed out" # it hung
@ -16990,7 +16990,7 @@ run_renego() {
sec_client_renego=1 sec_client_renego=1
else else
# second try in the foreground as we are sure now it won't hang # second try in the foreground as we are sure now it won't hang
echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE
sec_client_renego=$? sec_client_renego=$?
# 0 means client is renegotiating & doesn't return an error --> vuln! # 0 means client is renegotiating & doesn't return an error --> vuln!
# 1 means client tried to renegotiating but the server side errored then. You still see RENEGOTIATING in the output # 1 means client tried to renegotiating but the server side errored then. You still see RENEGOTIATING in the output
@ -17011,7 +17011,7 @@ run_renego() {
fileout "$jsonID" "MEDIUM" "VULNERABLE, potential DoS threat" "$cve" "$cwe" "$hint" fileout "$jsonID" "MEDIUM" "VULNERABLE, potential DoS threat" "$cve" "$cwe" "$hint"
else else
(for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep 1; done) | \ (for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep 1; done) | \
$OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE
case $? in case $? in
0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat ($ssl_reneg_attempts attempts)" 0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat ($ssl_reneg_attempts attempts)"
fileout "$jsonID" "HIGH" "VULNERABLE, DoS threat" "$cve" "$cwe" "$hint" fileout "$jsonID" "HIGH" "VULNERABLE, DoS threat" "$cve" "$cwe" "$hint"