Fix false connectivity problem error

If OpenSSL reports an error, sclient_connect_successful() may incorrectly interpret it as a connectivity problem, leading testssl.sh to stop testing before it has completed. When not using "--ssl-native" mode, this happens if $OPENSSL does not support SSLv3, as both get_server_certificate() and run_beast() will attempt to connect using SSLv3 even if $OPENSSL does not support it. When using "--ssl-native" mode, this happens in multiple places if $OPENSSL does not support the protocol being used or if $OPENSSL does not support any of the ciphers that are specified in the command line. This PR fixes the above problems by adding checks for protocol support or for support for at least one cipher before calling $OPENSSL. run_client_simulation() also has a problem in "--ssl-native" mode of calling $OPENSSL with parameters that cause $OPENSSL to report an error, but this is already addressed by temporarily setting MAX_OSSL_FAIL to 100 during client simulation tests and then, after client simulation testing is complete, returning $MAX_OSSL_FAIL and $NR_OSSL_FAIL to the values they had before client simulation testing began.
2025-01-03 23:39:45 +01:00 · 2018-04-09 15:43:26 -04:00 · 2018-04-09 15:43:26 -04:00 · d1782284f8
commit d1782284f8
parent eb3b3a1988
1 changed files with 12 additions and 10 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -4363,19 +4363,17 @@ locally_supported() {
 run_prototest_openssl() {
     local -i ret=0

+     ! locally_supported "$1" "$2" && return 7
     $OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
     sclient_connect_successful $? $TMPFILE
     ret=$?
     debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
-     if ! locally_supported "$1" "$2" ; then
-          ret=7
-     else                                    # try again without $PROXY
-          $OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>$ERRFILE </dev/null
-          sclient_connect_successful $? $TMPFILE
-          ret=$?
-          debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
-          grep -aq "no cipher list" $TMPFILE && ret=5       # <--- important indicator for SSL2 (maybe others, too)
-     fi
+     # try again without $PROXY
+     $OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>$ERRFILE </dev/null
+     sclient_connect_successful $? $TMPFILE
+     ret=$?
+     debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
+     grep -aq "no cipher list" $TMPFILE && ret=5       # <--- important indicator for SSL2 (maybe others, too)
     tmpfile_handle $FUNCNAME$1.txt
     return $ret

@ -6388,6 +6386,7 @@ get_server_certificate() {
     sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
     for proto in $protocols_to_try; do
          [[ 1 -eq $(has_server_protocol $proto) ]] && continue
+          [[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && continue
          addcmd=""
          $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") </dev/null 2>$ERRFILE >$TMPFILE
          if sclient_connect_successful $? $TMPFILE; then
@ -6398,6 +6397,7 @@ get_server_certificate() {
     done                          # this loop is needed for IIS6 and others which have a handshake size limitations
     if [[ $success -eq 7 ]]; then
          # "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
+          [[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && return 7
          $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
          if ! sclient_connect_successful $? $TMPFILE; then
               if [ -z "$1" ]; then
@ -12719,6 +12719,7 @@ run_sweet32() {
          nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
          nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers))
          for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
+               [[ $nr_supported_ciphers -eq 0 ]] && break
               ! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue
               if [[ "$proto" != "-no_ssl2" ]]; then
                    "$FAST" && break
@ -13116,7 +13117,7 @@ run_logjam() {
          tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
          sclient_success=$?
          [[ $sclient_success -eq 2 ]] && sclient_success=0
-     else
+     elif [[ $nr_supported_ciphers -ne 0 ]]; then
          $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
          sclient_connect_successful $? $TMPFILE
          sclient_success=$?
@ -13496,6 +13497,7 @@ run_beast(){
               sigalg[nr_ciphers]=""
          done
          while true; do
+               [[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && break
               ciphers_to_test=""
               for (( i=0; i < nr_ciphers; i++ )); do
                    ! "${ciphers_found[i]}" && "${ossl_supported[i]}" && ciphers_to_test+=":${ciph[i]}"