From 43a0099fbc711453eebbdd0b939e6fcc7e5bbb8d Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 24 Jan 2025 18:46:07 +0100 Subject: [PATCH 1/2] Fix bug when legacy NPN is tested against a TLS 1.3 host When testing a TLS 1.3 host s_client_options used TLS 1.3 ciphers to test for NPN. As that is not implemented we nee dto make sure any other version is used. This PR ensures that --after testing whether it's a TLS 1.3-only host where this test doesn't make any sense in the first place. Fix for #2633 --- testssl.sh | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index d5115c4..441dc74 100755 --- a/testssl.sh +++ b/testssl.sh @@ -11258,6 +11258,12 @@ npn_pre(){ fileout "NPN" "WARN" "not tested $OPENSSL doesn't support NPN/SPDY" return 7 fi + if "$TLS13_ONLY"; then + # https://github.com/openssl/openssl/issues/3665 + pr_warning "There's no such thing as NPN on TLS 1.3-only hosts" + fileout "NPN" "WARN" "not possible for TLS 1.3-only hosts" + return 6 + fi return 0 } @@ -11281,16 +11287,24 @@ alpn_pre(){ run_npn() { local tmpstr local -i ret=0 + local proto="" local jsonID="NPN" [[ -n "$STARTTLS" ]] && return 0 "$FAST" && return 0 pr_bold " NPN/SPDY " + if ! npn_pre; then outln return 0 fi - $OPENSSL s_client $(s_client_options "-connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg "$NPN_PROTOs"") $ERRFILE >$TMPFILE + + # TLS 1.3 s_client doesn't support -nextprotoneg when connecting with TLS 1.3. So we need to make sure it wont be used + # TLS13_ONLY is tested here again, just to be sure, see npn_pre + if "$HAS_TLS13" && ! $TLS13_ONLY ]] ; then + proto="-no_tls1_3" + fi + $OPENSSL s_client $(s_client_options "$proto -connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg "$NPN_PROTOs"") $ERRFILE >$TMPFILE [[ $? -ne 0 ]] && ret=1 tmpstr="$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')" if [[ -z "$tmpstr" ]] || [[ "$tmpstr" == " " ]]; then From d9b293f6c79c8de285c587cdcafc43c36b03cefe Mon Sep 17 00:00:00 2001 
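Review bot: The new guard in run_npn, `if "$HAS_TLS13" && ! $TLS13_ONLY ]] ; then`, carries a stray `]]` with no opening `[[`, so the `]]` is passed as an extra argument to whatever `$TLS13_ONLY` expands to (presumably `true`/`false`, which ignore it) and the condition only works by accident; the follow-up patch touches this line's neighbour but leaves the bracket in place. Change it to `if "$HAS_TLS13" && ! "$TLS13_ONLY"; then`, quoting the variable the way the sibling check `if "$TLS13_ONLY"; then` in npn_pre already does. The redundant re-check is harmless, but the comment above it could say that `-no_tls1_3` is only a valid s_client option when HAS_TLS13 is set, which is why both flags are consulted. The body of run_npn continues past the end of the hunk.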
From: Dirk Date: Fri, 24 Jan 2025 18:51:11 +0100 Subject: [PATCH 2/2] fix typo --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 441dc74..6d99b1a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -11299,7 +11299,7 @@ run_npn() { return 0 fi - # TLS 1.3 s_client doesn't support -nextprotoneg when connecting with TLS 1.3. So we need to make sure it wont be used + # TLS 1.3 s_client doesn't support -nextprotoneg when connecting with TLS 1.3. So we need to make sure it won't be used # TLS13_ONLY is tested here again, just to be sure, see npn_pre if "$HAS_TLS13" && ! $TLS13_ONLY ]] ; then proto="-no_tls1_3"