diff --git a/testssl.sh b/testssl.sh index 30cda19..6300d43 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6055,8 +6055,9 @@ sub_session_resumption() { local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX) local -a rw_line local not_new_reused=false + local protocol="$1" - if [[ "$1" == ID ]]; then + if [[ "$2" == ID ]]; then local byID=true local addcmd="-no_ticket" else @@ -6067,7 +6068,21 @@ sub_session_resumption() { fi fi "$CLIENT_AUTH" && return 3 - "$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO" + if "$HAS_NO_SSL2"; then + addcmd+=" -no_ssl2" + else + protocol=${protocol/\./_} + protocol=${protocol/v/} + protocol="-$(tolower $protocol)" + # In some cases a server will not support session tickets, but will support session resumption + # by ID. In such a case, it may be more likely to support session resumption with TLSv1.2 than + # with TLSv1.3. So, if testing a server that does not support session tickets and that supports + # both TLSv1.3 and TLSv1.2 for session resumption by ID, then use a TLSv1.2 ClientHello. (Note that + # the line below assumes that if $protocol is -tls1_3, then the server either supports TLSv1.2 or + # is TLSv1.3-only. + ! "$TLS_TICKETS" && "$byID" && [[ $(has_server_protocol "tls1_2") -eq 0 ]] && protocol="-tls1_2" + addcmd+=" $protocol" + fi $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") /dev/null ret1=$? @@ -8823,7 +8838,7 @@ certificate_info() { run_server_defaults() { local ciph newhostcert sni local match_found - local sessticket_lifetime_hint="" lifetime unit + local sessticket_lifetime_hint="" sessticket_proto="" lifetime unit local -i i n local -i certs_found=0 local -i ret=0 @@ -8890,6 +8905,7 @@ run_server_defaults() { >$ERRFILE if [[ -z "$sessticket_lifetime_hint" ]]; then sessticket_lifetime_hint=$(awk '/session ticket life/ { if (!found) print; found=1 }' $TMPFILE) + sessticket_proto="$(get_protocol "$TMPFILE")" fi if [[ $n -le 7 ]]; then @@ -9042,7 +9058,10 @@ run_server_defaults() { if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE >$ERRFILE - [[ -z "$sessticket_lifetime_hint" ]] && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE) + if [[ -z "$sessticket_lifetime_hint" ]]; then + sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE) + sessticket_proto="$(get_protocol "$TMPFILE")" + fi fi if "$using_sockets" && ! "$TLS13_ONLY" && [[ -z "$sessticket_lifetime_hint" ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then if "$HAS_TLS13" && ( [[ -z "$OPTIMAL_PROTO" ]] || [[ "$OPTIMAL_PROTO" == -tls1_3 ]] ) ; then @@ -9052,7 +9071,10 @@ run_server_defaults() { else $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS "$OPTIMAL_PROTO" -connect $NODEIP:$PORT $PROXY $SNI") $ERRFILE >$TMPFILE fi - sclient_connect_successful $? $TMPFILE && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE) + if sclient_connect_successful $? $TMPFILE; then + sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE) + sessticket_proto="$(get_protocol "$TMPFILE")" + fi fi [[ -z "$sessticket_lifetime_hint" ]] && TLS_TICKETS=false || TLS_TICKETS=true @@ -9122,7 +9144,7 @@ run_server_defaults() { pr_bold " Session Resumption " jsonID="sessionresumption_ticket" - sub_session_resumption + sub_session_resumption "$sessticket_proto" case $? in 0) SESS_RESUMPTION[2]="ticket=yes" out "Tickets: yes, " @@ -9154,7 +9176,7 @@ run_server_defaults() { outln "ID: no" fileout "$jsonID" "INFO" "No Session ID, no resumption" else - sub_session_resumption ID + sub_session_resumption "$sessticket_proto" ID case $? in 0) SESS_RESUMPTION[1]="ID=yes" outln "ID: yes"