From 03b0f483dcede0eb0455db11b265db4aa04c5f9d Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 22 Jan 2026 18:32:44 +0100 Subject: [PATCH 1/3] Finalize the renaming MAX_WAITSOCK --> ROBOT_TIMEOUT (3.2) The commit 6753a95c939359f9e06fb9f3dd199a0 changed some variables however for consistency MAX_WAITSOCK should have been completely changed to ROBOT_TIMEOUT . This PR suggests that. Moreover it changes the local variable robottimeout to robot_timeout. This fixes #2983 for 3.2 . --- testssl.sh | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/testssl.sh b/testssl.sh index 5ecc90b..87a90e0 100755 --- a/testssl.sh +++ b/testssl.sh @@ -20401,7 +20401,7 @@ run_robot() { local -i i subret len iteration testnum pubkeybytes local pubkeybits local vulnerable=false send_ccs_finished=true - local -i start_time end_time robottimeout=$ROBOT_TIMEOUT + local -i start_time end_time robot_timeout=$ROBOT_TIMEOUT local cve="CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168" local cwe="CWE-203" local jsonID="ROBOT" @@ -20566,7 +20566,7 @@ run_robot() { fi debugme echo "reading server error response..." start_time=$(LC_ALL=C date "+%s") - sockread 32768 $robottimeout + sockread 32768 $robot_timeout subret=$? if [[ $subret -eq 0 ]]; then end_time=$(LC_ALL=C date "+%s") @@ -20581,9 +20581,9 @@ run_robot() { # exchange message, measure the amount of time it took to # receive a response and set the timeout value for future # tests to 2 seconds longer than it took to receive a response. - [[ $iteration -ne 2 ]] && [[ $robottimeout -eq $MAX_WAITSOCK ]] && \ - [[ $((end_time-start_time)) -lt $((MAX_WAITSOCK-2)) ]] && \ - robottimeout=$((end_time-start_time+2)) + [[ $iteration -ne 2 ]] && [[ $robot_timeout -eq $ROBOT_TIMEOUT ]] && \ + [[ $((end_time-start_time)) -lt $((ROBOT_TIMEOUT-2)) ]] && \ + robot_timeout=$((end_time-start_time+2)) else response[testnum]="Timeout waiting for alert" fi @@ -20622,14 +20622,15 @@ run_robot() { # If the test was run with a short timeout and was found to be # potentially vulnerable due to some tests timing out, then # verify the results by rerunning with a longer timeout. - if [[ $robottimeout -eq $MAX_WAITSOCK ]]; then + if [[ $robot_timeout -eq $ROBOT_TIMEOUT ]]; then break elif [[ "${response[0]}" == "Timeout waiting for alert" ]] || \ [[ "${response[1]}" == "Timeout waiting for alert" ]] || \ [[ "${response[2]}" == "Timeout waiting for alert" ]] || \ [[ "${response[3]}" == "Timeout waiting for alert" ]] || \ [[ "${response[4]}" == "Timeout waiting for alert" ]]; then - robottimeout=10 + [[ "$DEBUG" -ge 3 ]] && echo "5x Timeout waiting for alert, $robot_timeout increasing to 10" + robot_timeout=10 else break fi @@ -21486,6 +21487,7 @@ HEADER_MAXSLEEP: $HEADER_MAXSLEEP MAX_WAITSOCK: $MAX_WAITSOCK HEARTBLEED_MAX_WAITSOCK: $HEARTBLEED_MAX_WAITSOCK CCS_MAX_WAITSOCK: $CCS_MAX_WAITSOCK +ROBOT_TIMEOUT: $ROBOT_TIMEOUT USLEEP_SND $USLEEP_SND USLEEP_REC $USLEEP_REC From dd83792c58017fec282e77117c149e128f0b7402 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 11 Feb 2026 19:38:00 +0100 Subject: [PATCH 2/3] Fix typo which fixes potential false positives --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 87a90e0..b0c364e 100755 --- a/testssl.sh +++ b/testssl.sh @@ -207,7 +207,7 @@ MAX_HEADER_FAIL=${MAX_HEADER_FAIL:-2} # If this many failures for HTTP GET are MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this. CCS_MAX_WAITSOCK=${CCS_MAX_WAITSOCK:-5} # for the two CCS payload (each). There shouldn't be any reason to change this. HEARTBLEED_MAX_WAITSOCK=${HEARTBLEED_MAX_WAITSOCK:-8} # for the heartbleed payload. There shouldn't be any reason to change this. -ROBOT_TIMEOUT=${ROBOT_TIMEOUT:10} # Initial timeout for ROBOT check +ROBOT_TIMEOUT=${ROBOT_TIMEOUT:-10} # Initial timeout for ROBOT check STARTTLS_SLEEP=${STARTTLS_SLEEP:-10} # max time wait on a socket for STARTTLS. MySQL has a fixed value of 1 which can't be overwritten (#914) FAST_STARTTLS=${FAST_STARTTLS:-true} # at the cost of reliability decrease the handshakes for STARTTLS USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send From 0c92842024325de2d85651252bd47ecab0b38f63 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 11 Feb 2026 20:12:41 +0100 Subject: [PATCH 3/3] Google has KEMs wjhich openssl doesn't have yet --- t/12_diff_opensslversions.t | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/t/12_diff_opensslversions.t b/t/12_diff_opensslversions.t index e866df1..8799100 100755 --- a/t/12_diff_opensslversions.t +++ b/t/12_diff_opensslversions.t @@ -79,6 +79,10 @@ $cat_csvfile2 =~ s/HTTP_headerTime.*\n//g; $cat_csvfile =~ s/"engine_problem.*\n//g; $cat_csvfile2 =~ s/"engine_problem.*\n//g; +# Google has KEMs for TLS 1.3 which the local openssl has not - yet +$cat_csvfile =~ s/MLKEM1024 AESGCM/ECDH 253 AESGCM/g; +$cat_csvfile =~ s/MLKEM1024 ChaCha20/ECDH 253 ChaCha20/g; + # PR #2628. TL:DR; make the kx between tls_sockets() and openssl the same for this CI run $cat_csvfile =~ s/ECDH 256/ECDH 253/g; $cat_csvfile =~ s/ECDH\/MLKEM/ECDH 253 /g;