Merge pull request #2360 from mum-viadee/run_renego_sni_patch

Secure renegotiations tests need servername for servers that use SNI
This commit is contained in:
Dirk Wetter 2023-05-15 15:26:37 +02:00 committed by GitHub
commit be987d17a0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -16896,7 +16896,7 @@ run_renego() {
local hint=""
local jsonID=""
local ssl_reneg_attempts=$SSL_RENEG_ATTEMPTS
# No SNI needed here as there won't be two different SSL stacks for one IP
# In cases where there's no default host configured we need SNI here as openssl then would return otherwise an error and the test will fail
"$HAS_TLS13" && [[ -z "$proto" ]] && proto="-no_tls1_3"
@ -16913,7 +16913,7 @@ run_renego() {
fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe"
else
# first fingerprint for the Line "Secure Renegotiation IS NOT" or "Secure Renegotiation IS "
$OPENSSL s_client $(s_client_options "$proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") 2>&1 </dev/null >$TMPFILE 2>$ERRFILE
$OPENSSL s_client $(s_client_options "$proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") 2>&1 </dev/null >$TMPFILE 2>$ERRFILE
if sclient_connect_successful $? $TMPFILE; then
grep -iaq "Secure Renegotiation IS NOT" $TMPFILE
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
@ -16982,7 +16982,7 @@ run_renego() {
else
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
# msg enables us to look deeper into it while debugging
echo R | $OPENSSL s_client $(s_client_options "$proto $BUGS $legacycmd $STARTTLS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE &
echo R | $OPENSSL s_client $(s_client_options "$proto $BUGS $legacycmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP
if [[ $? -eq 3 ]]; then
pr_svrty_good "likely not vulnerable (OK)"; outln ", timed out" # it hung
@ -16990,7 +16990,7 @@ run_renego() {
sec_client_renego=1
else
# second try in the foreground as we are sure now it won't hang
echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE
echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE
sec_client_renego=$?
# 0 means client is renegotiating & doesn't return an error --> vuln!
# 1 means client tried to renegotiating but the server side errored then. You still see RENEGOTIATING in the output
@ -17011,7 +17011,7 @@ run_renego() {
fileout "$jsonID" "MEDIUM" "VULNERABLE, potential DoS threat" "$cve" "$cwe" "$hint"
else
(for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep 1; done) | \
$OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE
$OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE
case $? in
0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat ($ssl_reneg_attempts attempts)"
fileout "$jsonID" "HIGH" "VULNERABLE, DoS threat" "$cve" "$cwe" "$hint"