From f32d49ccf9bcd823e08ae60dad95ffa044f4fc29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gon=C3=A7alo=20Ribeiro?= Date: Thu, 10 Oct 2019 03:49:50 +0100 Subject: [PATCH 1/5] Add 2s timeout when connecting directly to node --- testssl.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 6300d43..3118dfb 100755 --- a/testssl.sh +++ b/testssl.sh @@ -10172,7 +10172,8 @@ fd_socket() { break fi done - elif ! exec 5<>/dev/tcp/$nodeip/$PORT; then # 2>/dev/null would remove an error message, but disables debugging + elif ! timeout 2 bash -c "exec 3<>/dev/tcp/$nodeip/$PORT" || \ + ! exec 5<>/dev/tcp/$nodeip/$PORT; then # 2>/dev/null would remove an error message, but disables debugging ((NR_SOCKET_FAIL++)) connectivity_problem $NR_SOCKET_FAIL $MAX_SOCKET_FAIL "TCP connect problem" "repeated TCP connect problems, giving up" outln From 83b212f581bba5ab9b69355c2d6a8074224c5e90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gon=C3=A7alo=20Ribeiro?= Date: Thu, 10 Oct 2019 04:10:57 +0100 Subject: [PATCH 2/5] Add argument --connect-timeout. Defaults to 3 min This default value should not affect users not currently using the timeout (Linux's default seems to be currently around 2 min). --- testssl.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 3118dfb..94b6003 100755 --- a/testssl.sh +++ b/testssl.sh @@ -393,6 +393,7 @@ SERVER_COUNTER=0 # Counter for multiple servers TLS_LOW_BYTE="" # For "secret" development stuff, see -q below HEX_CIPHER="" # " +CONNECT_TIMEOUT=180 ########### Global variables for parallel mass testing 
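Review bot: The new `elif` in fd_socket calls `timeout` unconditionally, so on a host without a timeout binary the probe fails with "command not found", the leading `!` turns that into true, and every target is then reported as a "TCP connect problem" and counted in NR_SOCKET_FAIL. Guard the probe on availability so the previous unbounded behaviour is kept when the binary is missing, e.g. `elif { command -v timeout >/dev/null && ! timeout 2 bash -c "exec 3<>/dev/tcp/$nodeip/$PORT"; } || ! exec 5<>/dev/tcp/$nodeip/$PORT; then` (the script presumably already probes for a timeout binary for --openssl-timeout, and reusing that result would be cleaner than a second check). Note also that the probe is a full TCP connect in a child shell that is closed immediately, after which the real `exec 5<>` connects again without any bound, so the target sees two connections per socket setup and only the first is time-limited; a one-line comment on the `elif` saying so would save the next reader some puzzling. fd_socket's body begins and ends outside this hunk.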
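Review bot: `CONNECT_TIMEOUT=180` is an unconditional assignment, so unlike the tuning options that the help text says can be preset via environment variables, an exported CONNECT_TIMEOUT is silently overwritten at startup; `CONNECT_TIMEOUT=${CONNECT_TIMEOUT:-180}` keeps the default while honouring the environment (I can't see how OPENSSL_TIMEOUT is initialised, so match whatever that line does). The default also deserves a comment: 180 s is longer than the ~2 min kernel connect timeout this series cites, so with the default the probe presumably never fires before the kernel gives up and the option is effectively off until a user lowers it, e.g. `CONNECT_TIMEOUT=180   # seconds for the TCP-connect probe in fd_socket(); above the kernel default (~2 min), so a no-op unless lowered`.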
@@ -10172,7 +10173,7 @@ fd_socket() { break fi done - elif ! timeout 2 bash -c "exec 3<>/dev/tcp/$nodeip/$PORT" || \ + elif ! timeout $CONNECT_TIMEOUT bash -c "exec 3<>/dev/tcp/$nodeip/$PORT" || \ ! exec 5<>/dev/tcp/$nodeip/$PORT; then # 2>/dev/null would remove an error message, but disables debugging ((NR_SOCKET_FAIL++)) connectivity_problem $NR_SOCKET_FAIL $MAX_SOCKET_FAIL "TCP connect problem" "repeated TCP connect problems, giving up" @@ -19461,6 +19462,10 @@ parse_cmd_line() { OPENSSL_TIMEOUT="$(parse_opt_equal_sign "$1" "$2")" [[ $? -eq 0 ]] && shift ;; + --connect-timeout|--connect-timeout=*) + CONNECT_TIMEOUT="$(parse_opt_equal_sign "$1" "$2")" + [[ $? -eq 0 ]] && shift + ;; --mapping|--mapping=*) cipher_mapping="$(parse_opt_equal_sign "$1" "$2")" [[ $? -eq 0 ]] && shift From ae84d16a9154b736a4a40f47b506d7808d5c2529 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gon=C3=A7alo=20Ribeiro?= Date: Thu, 10 Oct 2019 04:18:16 +0100 Subject: [PATCH 3/5] Add reference to --connect-timeout to help() --- testssl.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/testssl.sh b/testssl.sh index 94b6003..df2bf97 100755 --- a/testssl.sh +++ b/testssl.sh @@ -16919,6 +16919,7 @@ tuning / connect options (most also can be preset via environment variables): output options (can also be preset via environment variables): --warnings "batch" doesn't ask for a confirmation, "off" or "false" skips connection warnings + --connect-timeout useful to avoid hangers. Max to wait for the TCP handshake to complete --openssl-timeout useful to avoid hangers. to wait before openssl connect will be terminated --quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner --wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name From 5485ebe4395061ba2f87124e61dbd9c043fb57c2 Mon Sep 17 00:00:00 2001 
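Review bot: After a successful probe the real `exec 5<>/dev/tcp/$nodeip/$PORT` on the next line still runs without any bound, so --connect-timeout only limits the throw-away child connection: a target that accepts the probe but then stalls or rate-limits the immediate second connect (the probe is a full handshake that is closed at once) can still hang this shell for the kernel's connect timeout. That limitation, and the fact that every socket setup now costs the target two TCP connections, should be stated at the `elif`, e.g. `# probe first in a bounded child: a redirection in *this* shell cannot be wrapped in timeout, so only the probe is time-limited and the target sees two connects`. As a smaller point, the child is spawned as `bash` from PATH rather than `"$BASH"`, so on a host with several bash versions the probe may run under a different interpreter than the one executing testssl.sh. fd_socket's body begins and ends outside this hunk.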
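Review bot: The new `--connect-timeout` arm stores the value without checking it, and fd_socket passes it straight to `timeout`, so a typo such as `--connect-timeout=3s0` makes `timeout` exit with a usage error on every host, which the `!` in fd_socket reports as a "TCP connect problem" and counts towards NR_SOCKET_FAIL. Validate at parse time, e.g. `[[ "$CONNECT_TIMEOUT" =~ ^[0-9]+$ ]] || { echo "--connect-timeout needs a non-negative integer (seconds)" >&2; exit 1; }` (or the script's own fatal-error helper, which isn't visible in this hunk), and be aware that with GNU timeout a value of 0 disables the limit rather than failing fast. The `--openssl-timeout` arm above has the same gap, but this series is the place to close it for the new option at least. parse_cmd_line begins and ends outside this hunk.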
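Review bot: The new help line for `--connect-timeout` gives neither the unit nor the default, and unlike the man page text in this series it doesn't say that it needs a `timeout` binary. Something like `--connect-timeout <seconds>  max seconds to wait for the TCP handshake (default 180); needs a timeout binary` tells the user what to type. Judging by the surrounding context lines, the new entry and the existing `--openssl-timeout` entry both appear under the "output options" heading although they are connect options; if the help block is ever reorganised, both belong under "tuning / connect options". help() begins and ends outside this hunk.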
From: =?UTF-8?q?Gon=C3=A7alo=20Ribeiro?= Date: Thu, 10 Oct 2019 04:41:10 +0100 Subject: [PATCH 4/5] Update man page to include --connect-timeout --- doc/testssl.1 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/testssl.1 b/doc/testssl.1 index 89d925d..34a32c1 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 
@@ -377,6 +377,9 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, Expect\-CT,\.\.\. , CSP \fB\-\-warnings \fR The warnings parameter determines how testssl\.sh will deal with situations where user input normally will be necessary\. There are a couple of options here\. \fBbatch\fR doesn\'t wait for a confirming keypress\. This is automatically being chosen for mass testing (\fB\-\-file\fR)\. \fB\-false\fR just skips the warning AND the confirmation\. Please note that there are conflicts where testssl\.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results\. Almost any other decision will be made as a best guess by testssl\.sh\. The same can be achieved by setting the environment variable \fBWARNINGS\fR\. . .P +\fB\-\-connect\-timeout \fR This is useful for direct TCP connections to a node\. If the node does not complete a TCP handshake (e\.g\. because it is down or behind a firewall) testssl\.sh may hang for ~2 minutes\. This parameter instructs testssl\.sh to wait at most \fBseconds\fR for the handshake to complete. This option only works if your OS has a \fBtimeout\fR binary installed\. +. +.P \fB\-\-openssl\-timeout \fR This is especially useful for all connects using openssl and practically useful for mass testing\. It avoids the openssl connect to hang for ~2 minutes\. The expected parameter \fBseconds\fR instructs testssl\.sh to wait before the openssl connect will be terminated\. The option is only available if your OS has a timeout binary installed\. As there are different implementations of \fBtimeout\fR: It automatically calls the binary with the right parameters\. OPENSSL_TIMEOUT is the equivalent environment variable\. . .P From e60cce9e1eed4c13bfddceb7cc23644f4cfcb7ac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gon=C3=A7alo=20Ribeiro?= Date: Thu, 10 Oct 2019 04:54:47 +0100 Subject: [PATCH 5/5] Add quotes around CONNECT_TIMEOUT I don't want to add any unnecessary vulnerabilities... --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index df2bf97..d8075d0 100755 --- a/testssl.sh +++ b/testssl.sh @@ -10173,7 +10173,7 @@ fd_socket() { break fi done - elif ! timeout $CONNECT_TIMEOUT bash -c "exec 3<>/dev/tcp/$nodeip/$PORT" || \ + elif ! timeout "$CONNECT_TIMEOUT" bash -c "exec 3<>/dev/tcp/$nodeip/$PORT" || \ ! exec 5<>/dev/tcp/$nodeip/$PORT; then # 2>/dev/null would remove an error message, but disables debugging ((NR_SOCKET_FAIL++)) connectivity_problem $NR_SOCKET_FAIL $MAX_SOCKET_FAIL "TCP connect problem" "repeated TCP connect problems, giving up"
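Review bot: Quoting `$CONNECT_TIMEOUT` fixes word-splitting of that one value, but the injection risk in this line is the `bash -c "exec 3<>/dev/tcp/$nodeip/$PORT"` string: `$nodeip` and `$PORT` are expanded by this shell into source text that the child bash re-parses, so any shell metacharacter in a host/port value is executed by the child. Pass them as arguments instead of interpolating, `elif ! timeout "$CONNECT_TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$nodeip" "$PORT" || \`, which keeps the values data in the child. The plain `exec 5<>/dev/tcp/$nodeip/$PORT` on the following line is a redirection in this shell and is not re-parsed, so it is not affected. I can't see where nodeip originates from here; if it is always a resolved address the practical exposure may be small, but the pattern is exactly the one the commit message worries about, and the fix is free. fd_socket's body begins and ends outside this hunk.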