Merge pull request #1337 from dcooper16/fix_session_resumption

Fix sub_session_resumption()
Dirk Wetter 2019-10-02 08:52:23 +02:00 committed by GitHub
commit cf00c8e8ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -6055,8 +6055,9 @@ sub_session_resumption() {
local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX) local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
local -a rw_line local -a rw_line
local not_new_reused=false local not_new_reused=false
local protocol="$1"
if [[ "$1" == ID ]]; then if [[ "$2" == ID ]]; then
local byID=true local byID=true
local addcmd="-no_ticket" local addcmd="-no_ticket"
else else
@ -6067,7 +6068,21 @@ sub_session_resumption() {
fi fi
fi fi
"$CLIENT_AUTH" && return 3 "$CLIENT_AUTH" && return 3
"$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO" if "$HAS_NO_SSL2"; then
addcmd+=" -no_ssl2"
else
protocol=${protocol/\./_}
protocol=${protocol/v/}
protocol="-$(tolower $protocol)"
# In some cases a server will not support session tickets, but will support session resumption
# by ID. In such a case, it may be more likely to support session resumption with TLSv1.2 than
# with TLSv1.3. So, if testing a server that does not support session tickets and that supports
# both TLSv1.3 and TLSv1.2 for session resumption by ID, then use a TLSv1.2 ClientHello. (Note that
# the line below assumes that if $protocol is -tls1_3, then the server either supports TLSv1.2 or
# is TLSv1.3-only.
! "$TLS_TICKETS" && "$byID" && [[ $(has_server_protocol "tls1_2") -eq 0 ]] && protocol="-tls1_2"
addcmd+=" $protocol"
fi
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
ret1=$? ret1=$?
@ -8823,7 +8838,7 @@ certificate_info() {
run_server_defaults() { run_server_defaults() {
local ciph newhostcert sni local ciph newhostcert sni
local match_found local match_found
local sessticket_lifetime_hint="" lifetime unit local sessticket_lifetime_hint="" sessticket_proto="" lifetime unit
local -i i n local -i i n
local -i certs_found=0 local -i certs_found=0
local -i ret=0 local -i ret=0
@ -8890,6 +8905,7 @@ run_server_defaults() {
>$ERRFILE >$ERRFILE
if [[ -z "$sessticket_lifetime_hint" ]]; then if [[ -z "$sessticket_lifetime_hint" ]]; then
sessticket_lifetime_hint=$(awk '/session ticket life/ { if (!found) print; found=1 }' $TMPFILE) sessticket_lifetime_hint=$(awk '/session ticket life/ { if (!found) print; found=1 }' $TMPFILE)
sessticket_proto="$(get_protocol "$TMPFILE")"
fi fi
if [[ $n -le 7 ]]; then if [[ $n -le 7 ]]; then
@ -9042,7 +9058,10 @@ run_server_defaults() {
if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
>$ERRFILE >$ERRFILE
[[ -z "$sessticket_lifetime_hint" ]] && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE) if [[ -z "$sessticket_lifetime_hint" ]]; then
sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
sessticket_proto="$(get_protocol "$TMPFILE")"
fi
fi fi
if "$using_sockets" && ! "$TLS13_ONLY" && [[ -z "$sessticket_lifetime_hint" ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then if "$using_sockets" && ! "$TLS13_ONLY" && [[ -z "$sessticket_lifetime_hint" ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
if "$HAS_TLS13" && ( [[ -z "$OPTIMAL_PROTO" ]] || [[ "$OPTIMAL_PROTO" == -tls1_3 ]] ) ; then if "$HAS_TLS13" && ( [[ -z "$OPTIMAL_PROTO" ]] || [[ "$OPTIMAL_PROTO" == -tls1_3 ]] ) ; then
@ -9052,7 +9071,10 @@ run_server_defaults() {
else else
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS "$OPTIMAL_PROTO" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS "$OPTIMAL_PROTO" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>$ERRFILE >$TMPFILE
fi fi
sclient_connect_successful $? $TMPFILE && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE) if sclient_connect_successful $? $TMPFILE; then
sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
sessticket_proto="$(get_protocol "$TMPFILE")"
fi
fi fi
[[ -z "$sessticket_lifetime_hint" ]] && TLS_TICKETS=false || TLS_TICKETS=true [[ -z "$sessticket_lifetime_hint" ]] && TLS_TICKETS=false || TLS_TICKETS=true
@ -9122,7 +9144,7 @@ run_server_defaults() {
pr_bold " Session Resumption " pr_bold " Session Resumption "
jsonID="sessionresumption_ticket" jsonID="sessionresumption_ticket"
sub_session_resumption sub_session_resumption "$sessticket_proto"
case $? in case $? in
0) SESS_RESUMPTION[2]="ticket=yes" 0) SESS_RESUMPTION[2]="ticket=yes"
out "Tickets: yes, " out "Tickets: yes, "
@ -9154,7 +9176,7 @@ run_server_defaults() {
outln "ID: no" outln "ID: no"
fileout "$jsonID" "INFO" "No Session ID, no resumption" fileout "$jsonID" "INFO" "No Session ID, no resumption"
else else
sub_session_resumption ID sub_session_resumption "$sessticket_proto" ID
case $? in case $? in
0) SESS_RESUMPTION[1]="ID=yes" 0) SESS_RESUMPTION[1]="ID=yes"
outln "ID: yes" outln "ID: yes"
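Review bot: In the sub_session_resumption hunk, `protocol="-$(tolower $protocol)"` is applied without checking that `$1` is non-empty, yet the caller's `sessticket_proto` starts as `""` and is only set when a session-ticket lifetime hint was found, so the `ID` call on a ticket-less server can arrive here with an empty protocol. If the `! "$TLS_TICKETS" && "$byID" && has_server_protocol tls1_2` rescue does not fire (the server offers no TLSv1.2), `addcmd` ends up with a bare `-`, which s_client does not accept as a protocol option, and the resumption-by-ID test fails for a tooling reason rather than a server one; the removed line used `$OPTIMAL_PROTO` in exactly this situation. I would keep that fallback and only derive the flag when a protocol name was passed, as below; quoting the argument to `tolower` would also be tidier. The function body begins before this hunk, so the early return for the non-ID, no-ticket case is not visible here and I have assumed it stays as before.
```shell
     else
          if [[ -n "$protocol" ]]; then
               protocol=${protocol/\./_}
               protocol=${protocol/v/}
               protocol="-$(tolower "$protocol")"
          else
               # no ticket-derived protocol known (e.g. server sent no ticket): keep the old fallback
               protocol="$OPTIMAL_PROTO"
          fi
          # … unchanged: prefer -tls1_2 for resumption by ID when tickets are unsupported …
```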