mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Fix setting NO_SESSION_ID
With a TLS 1.3 connection using $OPENSSL, a session ID will only appears as part of a post-handshake session ticket. However, when $OPENSSL s_client is called as in determine_optimal_proto() (i.e., with "< /dev/null"), a post-handshake session ticket will not always be received, even if the server supports it. This can result in NO_SESSION_ID incorrectly being set to true. This commit fixes the issue by setting NO_SESSION_ID to true by default, and then setting it to false if a session ID is returned by any connection to the server.
This commit is contained in:
parent
6054be6dff
commit
cc74256091
20
testssl.sh
20
testssl.sh
@ -284,7 +284,7 @@ ERRFILE=""
|
|||||||
CLIENT_AUTH="none"
|
CLIENT_AUTH="none"
|
||||||
CLIENT_AUTH_CA_LIST=""
|
CLIENT_AUTH_CA_LIST=""
|
||||||
TLS_TICKETS=false
|
TLS_TICKETS=false
|
||||||
NO_SSL_SESSIONID=false
|
NO_SSL_SESSIONID=true
|
||||||
CERT_COMPRESSION=${CERT_COMPRESSION:-false} # secret flag to set in addition to --devel for certificate compression
|
CERT_COMPRESSION=${CERT_COMPRESSION:-false} # secret flag to set in addition to --devel for certificate compression
|
||||||
HOSTCERT="" # File with host certificate, without intermediate certificate
|
HOSTCERT="" # File with host certificate, without intermediate certificate
|
||||||
HEADERFILE=""
|
HEADERFILE=""
|
||||||
@ -7563,14 +7563,19 @@ tls_time() {
|
|||||||
#
|
#
|
||||||
sclient_connect_successful() {
|
sclient_connect_successful() {
|
||||||
local server_hello="$(cat -v "$2")"
|
local server_hello="$(cat -v "$2")"
|
||||||
|
local connect_success=false
|
||||||
local re='Master-Key: ([^\
|
local re='Master-Key: ([^\
|
||||||
]*)'
|
]*)'
|
||||||
|
|
||||||
[[ $1 -eq 0 ]] && return 0
|
[[ $1 -eq 0 ]] && connect_success=true
|
||||||
if [[ "$server_hello" =~ $re ]]; then
|
if ! "$connect_success" && [[ "$server_hello" =~ $re ]]; then
|
||||||
[[ -n "${BASH_REMATCH[1]}" ]] && return 0
|
[[ -n "${BASH_REMATCH[1]}" ]] && connect_success=true
|
||||||
|
fi
|
||||||
|
! "$connect_success" && [[ "$server_hello" =~ (New|Reused)", "(SSLv[23]|TLSv1(\.[0-3])?(\/SSLv3)?)", Cipher is "([A-Z0-9]+-[A-Za-z0-9\-]+|TLS_[A-Za-z0-9_]+) ]] && connect_success=true
|
||||||
|
if "$connect_success"; then
|
||||||
|
"$NO_SSL_SESSIONID" && [[ "$server_hello" =~ Session-ID:\ [a-fA-F0-9]{2,64} ]] && NO_SSL_SESSIONID=false
|
||||||
|
return 0
|
||||||
fi
|
fi
|
||||||
[[ "$server_hello" =~ (New|Reused)", "(SSLv[23]|TLSv1(\.[0-3])?(\/SSLv3)?)", Cipher is "([A-Z0-9]+-[A-Za-z0-9\-]+|TLS_[A-Za-z0-9_]+) ]] && return 0
|
|
||||||
# what's left now is: master key empty and Session-ID not empty
|
# what's left now is: master key empty and Session-ID not empty
|
||||||
# ==> probably client-based auth with x509 certificate. We handle that at other places
|
# ==> probably client-based auth with x509 certificate. We handle that at other places
|
||||||
#
|
#
|
||||||
@ -14194,6 +14199,7 @@ parse_tls_serverhello() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
[[ "0x${DETECTED_TLS_VERSION:2:2}" -le "0x03" ]] && [[ $tls_sid_len -gt 0 ]] && NO_SSL_SESSIONID=false
|
||||||
|
|
||||||
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
|
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
|
||||||
echo "Protocol : SSLv3" >> $TMPFILE
|
echo "Protocol : SSLv3" >> $TMPFILE
|
||||||
@ -21050,7 +21056,7 @@ sclient_auth() {
|
|||||||
connect_success=true
|
connect_success=true
|
||||||
|
|
||||||
if "$connect_success"; then
|
if "$connect_success"; then
|
||||||
[[ ! "$server_hello" =~ Session-ID:\ [a-fA-F0-9]{2,64} ]] && NO_SSL_SESSIONID=true
|
[[ "$server_hello" =~ Session-ID:\ [a-fA-F0-9]{2,64} ]] && NO_SSL_SESSIONID=false
|
||||||
# we needed to set this for later
|
# we needed to set this for later
|
||||||
|
|
||||||
if [[ "$server_hello" =~ \<\<\<\ (SSL\ [23]|TLS\ 1)(\.[0-3])?[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]]; then
|
if [[ "$server_hello" =~ \<\<\<\ (SSL\ [23]|TLS\ 1)(\.[0-3])?[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]]; then
|
||||||
@ -23285,7 +23291,7 @@ reset_hostdepended_vars() {
|
|||||||
KNOWN_OSSL_PROB=false
|
KNOWN_OSSL_PROB=false
|
||||||
TLS13_ONLY=false
|
TLS13_ONLY=false
|
||||||
CLIENT_AUTH="none"
|
CLIENT_AUTH="none"
|
||||||
NO_SSL_SESSIONID=false
|
NO_SSL_SESSIONID=true
|
||||||
DH_GROUP_OFFERED=""
|
DH_GROUP_OFFERED=""
|
||||||
DH_GROUP_LEN_P=0
|
DH_GROUP_LEN_P=0
|
||||||
KEY_SHARE_EXTN_NR="33"
|
KEY_SHARE_EXTN_NR="33"
|
||||||
|
Loading…
Reference in New Issue
Block a user