mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
Fix false connectivity problem error
If OpenSSL reports an error, sclient_connect_successful() may incorrectly interpret it as a connectivity problem, leading testssl.sh to stop testing before it has completed. When not using "--ssl-native" mode, this happens if $OPENSSL does not support SSLv3, as both get_server_certificate() and run_beast() will attempt to connect using SSLv3 even if $OPENSSL does not support it. When using "--ssl-native" mode, this happens in multiple places if $OPENSSL does not support the protocol being used or if $OPENSSL does not support any of the ciphers that are specified in the command line. This PR fixes the above problems by adding checks for protocol support or for support for at least one cipher before calling $OPENSSL. run_client_simulation() also has a problem in "--ssl-native" mode of calling $OPENSSL with parameters that cause $OPENSSL to report an error, but this is already addressed by temporarily setting MAX_OSSL_FAIL to 100 during client simulation tests and then, after client simulation testing is complete, returning $MAX_OSSL_FAIL and $NR_OSSL_FAIL to the values they had before client simulation testing began.
This commit is contained in:
parent
eb3b3a1988
commit
d1782284f8
22
testssl.sh
22
testssl.sh
@ -4363,19 +4363,17 @@ locally_supported() {
|
|||||||
run_prototest_openssl() {
|
run_prototest_openssl() {
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
|
|
||||||
|
! locally_supported "$1" "$2" && return 7
|
||||||
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
ret=$?
|
ret=$?
|
||||||
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
if ! locally_supported "$1" "$2" ; then
|
# try again without $PROXY
|
||||||
ret=7
|
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
else # try again without $PROXY
|
sclient_connect_successful $? $TMPFILE
|
||||||
$OPENSSL s_client $(s_client_options "-state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
ret=$?
|
||||||
sclient_connect_successful $? $TMPFILE
|
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
ret=$?
|
grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
|
||||||
debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
|
||||||
grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
|
|
||||||
fi
|
|
||||||
tmpfile_handle $FUNCNAME$1.txt
|
tmpfile_handle $FUNCNAME$1.txt
|
||||||
return $ret
|
return $ret
|
||||||
|
|
||||||
@ -6388,6 +6386,7 @@ get_server_certificate() {
|
|||||||
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
|
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
|
||||||
for proto in $protocols_to_try; do
|
for proto in $protocols_to_try; do
|
||||||
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
|
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
|
||||||
|
[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && continue
|
||||||
addcmd=""
|
addcmd=""
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
@ -6398,6 +6397,7 @@ get_server_certificate() {
|
|||||||
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
||||||
if [[ $success -eq 7 ]]; then
|
if [[ $success -eq 7 ]]; then
|
||||||
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
||||||
|
[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && return 7
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
if [ -z "$1" ]; then
|
if [ -z "$1" ]; then
|
||||||
@ -12719,6 +12719,7 @@ run_sweet32() {
|
|||||||
nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
|
nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
|
||||||
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers))
|
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers))
|
||||||
for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
|
for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
|
||||||
|
[[ $nr_supported_ciphers -eq 0 ]] && break
|
||||||
! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue
|
! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue
|
||||||
if [[ "$proto" != "-no_ssl2" ]]; then
|
if [[ "$proto" != "-no_ssl2" ]]; then
|
||||||
"$FAST" && break
|
"$FAST" && break
|
||||||
@ -13116,7 +13117,7 @@ run_logjam() {
|
|||||||
tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
|
tls_sockets "03" "$exportdh_cipher_list_hex, 00,ff"
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
||||||
else
|
elif [[ $nr_supported_ciphers -ne 0 ]]; then
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportdh_cipher_list -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
@ -13496,6 +13497,7 @@ run_beast(){
|
|||||||
sigalg[nr_ciphers]=""
|
sigalg[nr_ciphers]=""
|
||||||
done
|
done
|
||||||
while true; do
|
while true; do
|
||||||
|
[[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && break
|
||||||
ciphers_to_test=""
|
ciphers_to_test=""
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
! "${ciphers_found[i]}" && "${ossl_supported[i]}" && ciphers_to_test+=":${ciph[i]}"
|
! "${ciphers_found[i]}" && "${ossl_supported[i]}" && ciphers_to_test+=":${ciph[i]}"
|
||||||
|
Loading…
Reference in New Issue
Block a user