diff --git a/testssl.sh b/testssl.sh
index c8efdbf..2456b24 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -262,6 +262,7 @@ SOCK_REPLY_FILE=""
 NW_STR=""
 LEN_STR=""
 SNI=""
+POODLE="" # keep vulnerability status for TLS_FALLBACK_SCSV
 OSSL_VER="" # openssl version, will be auto-determined
 OSSL_VER_MAJOR=0
 OSSL_VER_MINOR=0
@@ -1923,7 +1924,7 @@ emphasize_stuff_in_headers(){
 -e "s/Win64/${html_yellow}Win64${html_off}/g" \
 -e "s/Ubuntu/${html_yellow}Ubuntu${html_off}/g" \
 -e "s/ubuntu/${html_yellow}ubuntu${html_off}/g" \
- -e "s/stretch//${html_yellow}stretch${html_off}/g" \
+ -e "s/stretch/${html_yellow}stretch${html_off}/g" \
 -e "s/jessie/${html_yellow}jessie${html_off}/g" \
 -e "s/squeeze/${html_yellow}squeeze${html_off}/g" \
 -e "s/wheezy/${html_yellow}wheezy${html_off}/g" \
@@ -9859,9 +9860,11 @@ run_ssl_poodle() {
 [[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
 fi
 if [[ $sclient_success -eq 0 ]]; then
+ POODLE=0
 pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
 fileout "poodle_ssl" "HIGH" "POODLE, SSL: VULNERABLE, uses SSLv3+CBC" "$cve" "$cwe" "$hint"
 else
+ POODLE=1
 pr_done_best "not vulnerable (OK)";
 if "$using_sockets"; then
 fileout "poodle_ssl" "OK" "POODLE, SSL: not vulnerable" "$cve" "$cwe"
@@ -9925,9 +9928,20 @@ run_tls_fallback_scsv() {
 $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE
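Review bot: The comment on the new `POODLE=""` global does not state the encoding the variable carries: in run_ssl_poodle (the third hunk) it is set to 0 when the host is vulnerable and to 1 when it is not, which follows the exit-status convention of `sclient_success` rather than the usual boolean reading of a flag, and it stays empty when that check has not run. I would extend the comment to `# SSLv3 POODLE result consumed by run_tls_fallback_scsv: 0=vulnerable, 1=not vulnerable, ""=not tested`. The consumer in run_tls_fallback_scsv is cut off at the end of this diff, so whether it distinguishes the empty value from 1 cannot be seen here.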
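Review bot: The corrected `s/stretch/${html_yellow}stretch${html_off}/g` expression is right, but since every `-e` here belongs to one sed invocation, the old malformed expression made sed reject the whole expression list, so all header highlighting was lost rather than just the stretch case; the sed call's start and end lie outside this hunk. Because `${html_yellow}` and `${html_off}` are spliced into the replacement side, a `/` or `&` in either would reproduce the same silent failure, so a comment above the call such as `# one invalid -e rejects the entire expression list; html_yellow/html_off must not contain / or &` would help the next editor, or the delimiter could be switched to `|` across the list.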
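Review bot: `POODLE=0` and `POODLE=1` are assigned only on the two branches of the `sclient_success` test, so any other way out of run_ssl_poodle (its start is outside this hunk, so earlier returns such as an SSLv3-not-offered path are not visible) leaves the global at its initial `""`. The reader in run_tls_fallback_scsv, which this diff cuts off, then needs to treat `""` as "not tested" rather than folding it into the not-vulnerable case; if it only compares against 0 that is already safe, otherwise a `[[ -z "$POODLE" ]]` guard is needed there. A one-line comment at the first assignment, `# 0 = SSLv3+CBC handshake succeeded (vulnerable), 1 = not vulnerable; read by run_tls_fallback_scsv`, would make the inverted-looking values self-explanatory at the point they are set.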