Merge pull request #1337 from dcooper16/fix_session_resumption

Fix sub_session_resumption()
2025-01-01 06:19:44 +01:00 · 2019-10-02 08:52:23 +02:00 · 2019-10-02 08:52:23 +02:00 · cf00c8e8ac
commit cf00c8e8ac
parent e492b5761d 644d7c839e
1 changed files with 29 additions and 7 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -6055,8 +6055,9 @@ sub_session_resumption() {
     local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
     local -a rw_line
     local not_new_reused=false
+     local protocol="$1"

-     if [[ "$1" == ID ]]; then
+     if [[ "$2" == ID ]]; then
          local byID=true
          local addcmd="-no_ticket"
     else
@ -6067,7 +6068,21 @@ sub_session_resumption() {
          fi
     fi
     "$CLIENT_AUTH" && return 3
-     "$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO"
+     if "$HAS_NO_SSL2"; then
+          addcmd+=" -no_ssl2"
+     else
+          protocol=${protocol/\./_}
+          protocol=${protocol/v/}
+          protocol="-$(tolower $protocol)"
+          # In some cases a server will not support session tickets, but will support session resumption
+          # by ID. In such a case, it may be more likely to support session resumption with TLSv1.2 than
+          # with TLSv1.3. So, if testing a server that does not support session tickets and that supports
+          # both TLSv1.3 and TLSv1.2 for session resumption by ID, then use a TLSv1.2 ClientHello. (Note that
+          # the line below assumes that if $protocol is -tls1_3, then the server either supports TLSv1.2 or
+          # is TLSv1.3-only.
+          ! "$TLS_TICKETS" && "$byID" && [[ $(has_server_protocol "tls1_2") -eq 0 ]] && protocol="-tls1_2" 
+          addcmd+=" $protocol"
+     fi

     $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
     ret1=$?
@ -8823,7 +8838,7 @@ certificate_info() {
 run_server_defaults() {
     local ciph newhostcert sni
     local match_found
-     local sessticket_lifetime_hint="" lifetime unit
+     local sessticket_lifetime_hint="" sessticket_proto="" lifetime unit
     local -i i n
     local -i certs_found=0
     local -i ret=0
@ -8890,6 +8905,7 @@ run_server_defaults() {
                    >$ERRFILE
                    if [[ -z "$sessticket_lifetime_hint" ]]; then
                         sessticket_lifetime_hint=$(awk '/session ticket life/ { if (!found) print; found=1 }' $TMPFILE)
+                         sessticket_proto="$(get_protocol "$TMPFILE")"
                    fi

                    if [[ $n -le 7 ]]; then
@ -9042,7 +9058,10 @@ run_server_defaults() {
     if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
          cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
          >$ERRFILE
-          [[ -z "$sessticket_lifetime_hint" ]] && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
+          if [[ -z "$sessticket_lifetime_hint" ]]; then
+               sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
+               sessticket_proto="$(get_protocol "$TMPFILE")"
+          fi
     fi
     if "$using_sockets" && ! "$TLS13_ONLY" && [[ -z "$sessticket_lifetime_hint" ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
          if "$HAS_TLS13" && ( [[ -z "$OPTIMAL_PROTO" ]] || [[ "$OPTIMAL_PROTO" == -tls1_3 ]] ) ; then
@ -9052,7 +9071,10 @@ run_server_defaults() {
          else
               $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS "$OPTIMAL_PROTO" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>$ERRFILE >$TMPFILE
          fi
-          sclient_connect_successful $? $TMPFILE && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
+          if sclient_connect_successful $? $TMPFILE; then
+               sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
+               sessticket_proto="$(get_protocol "$TMPFILE")"
+          fi
     fi
     [[ -z "$sessticket_lifetime_hint" ]] && TLS_TICKETS=false || TLS_TICKETS=true

@ -9122,7 +9144,7 @@ run_server_defaults() {

     pr_bold " Session Resumption           "
     jsonID="sessionresumption_ticket"
-     sub_session_resumption
+     sub_session_resumption "$sessticket_proto"
     case $? in
          0) SESS_RESUMPTION[2]="ticket=yes"
             out "Tickets: yes, "
@ -9154,7 +9176,7 @@ run_server_defaults() {
          outln "ID: no"
          fileout "$jsonID" "INFO" "No Session ID, no resumption"
     else
-          sub_session_resumption ID
+          sub_session_resumption "$sessticket_proto" ID
          case $? in
               0) SESS_RESUMPTION[1]="ID=yes"
                  outln "ID: yes"