From dca4da4736302402aa0679f99d0414c4115a72ba Mon Sep 17 00:00:00 2001
From: Dirk
Date: Mon, 30 Oct 2017 18:41:19 +0100
Subject: [PATCH] FIX #884, FIX #885
For servers with client authentication one would need to supply a x509 certificate to check session resumption by ID or ticket. This is not (yet?) supported in testssl.sh. This commit fixes the misleading error message so that it is clear what the problem is.
---
 testssl.sh | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 6ac1cd7..33cdc81 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4753,6 +4753,7 @@ read_dhbits_from_file() {
 # arg1: ID or empty. if empty resumption by ticket will be tested
 # return: 0: it has resumption, 1:nope, 2: can't tell
 sub_session_resumption() {
+ local ret ret1 ret2
 local tmpfile=$(mktemp $TEMPDIR/session_resumption.$NODEIP.XXXXXX)
 local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
 local -a rw_line
@@ -4764,10 +4765,14 @@ sub_session_resumption() {
 local byID=false
 local addcmd=""
 fi
+ "$CLIENT_AUTH" && return 2
 "$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO"
 $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") /dev/null
+ ret1=$?
 $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") $tmpfile 2>$ERRFILE
+ ret2=$?
+ debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]"
 # now get the line and compare the numbers read" and "writen" as a second criteria.
 rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )"
 rw_line=($rw_line)
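Review bot: The header comment `# return: 0: it has resumption, 1:nope, 2: can't tell` no longer describes what sub_session_resumption returns once this patch lands: the early return added in the next hunk uses 2 for "server requires client authentication, test skipped", and the later hunk in this function moves the unclear-status code from 2 to 7. Because the case arms in run_server_defaults now branch on exactly these values, the comment should be updated to `# return: 0: it has resumption, 1: nope, 2: can't test (server requires client authentication), 7: unclear status / test failed`. The function body continues beyond this hunk.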
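Review bot: The added debug line `debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]"` does not evaluate the `-s` test: the inner double quotes close and reopen the string, so what gets printed is the literal text `[[ -s /path/to/sess_data ]]` rather than whether the session file has content. If the intent is to log that session data was written, use a command substitution, e.g. `debugme echo "$ret1, $ret2, sess_data non-empty: $([[ -s "$sess_data" ]] && echo yes || echo no)"`. Separately, `"$CLIENT_AUTH" && return 2` runs after both mktemp calls from the previous hunk, so on that path two temp files are created and never used; if the function removes them at its end (outside this hunk), the early return also skips that cleanup, and placing the check before the mktemp lines avoids both problems. In the visible lines ret1 is only echoed, so a failed first handshake (no session written) still proceeds to the -sess_in attempt and is reported as "unclear" rather than as a failure of the first connection; the function continues past this hunk.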
@@ -4777,7 +4782,7 @@ sub_session_resumption() {
 new_sid2=false
 fi
 debugme echo "${rw_line[0]}, ${rw_line[1]}"
- #grep -aq "^New" "$tmpfile" && new_sid=true || new_sid=false
+ # grep -aq "^New" "$tmpfile" && new_sid=true || new_sid=false
 grep -aq "^Reused" "$tmpfile" && new_sid=false || new_sid=true
 if "$new_sid2" && "$new_sid"; then
 debugme echo -n "No session resumption "
@@ -4786,8 +4791,8 @@ sub_session_resumption() {
 debugme echo -n "Session resumption "
 ret=0
 else
- debugme echo -n "unclear status: "$new_sid, "$new_sid2 -- "
- ret=2
+ debugme echo -n "unclear status: $ret1, $ret2, $new_sid, $new_sid2 -- "
+ ret=7
 fi
 if [[ $DEBUG -ge 2 ]]; then
 "$byID" && echo "byID" || echo "by ticket"
@@ -6876,7 +6881,11 @@ run_server_defaults() {
 out "Tickets no, "
 fileout "session_resumption_ticket" "INFO" "Session resumption via Session Tickets is not supported"
 ;;
- 2) SESS_RESUMPTION[2]="ticket=noclue"
+ 2) SESS_RESUMPTION[2]="ticket=clientauth"
+ pr_warning "Client Auth: Ticket resumption test not supported / "
+ fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets couldn't be performed because client authentication is missing"
+ ;;
+ 7) SESS_RESUMPTION[2]="ticket=noclue"
 pr_warning "Ticket resumption test failed, pls report / "
 fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets failed, pls report"
 ;;
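Review bot: `ret=7` repurposes the return-code space of sub_session_resumption (2 now means "client authentication required", 7 "unclear status"), but nothing at the assignment says so; a reader of this function alone cannot tell the two apart. A short comment, `ret=7   # unclear status; run_server_defaults maps this to "noclue"`, or two named readonly constants for the codes, would make the contract explicit. The two call sites in this patch are updated to the new values, but any other caller of sub_session_resumption outside the diff that still treats 2 as "noclue" would now misreport the client-auth case as a failed test, so that is worth checking before merging. The enclosing if/else belongs to a function that starts before this hunk.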
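Review bot: The new WARN text `couldn't be performed because client authentication is missing` reads as if the server lacks client authentication, when the situation is the reverse: the server requires a client certificate and testssl.sh has none to present. Since the stated purpose of the commit is to replace a misleading message, suggest `"resumption test for TLS Session Tickets couldn't be performed because the server requires client authentication (no client certificate available)"`, and `pr_warning "Client Auth: Ticket resumption test not possible / "` rather than "not supported", which can be mistaken for the server not supporting tickets. The same wording applies to the Session ID arm in the next hunk. Whether a skipped test belongs at WARN or INFO in the machine-readable output is a maintainer choice; the "not supported" outcome in the same case statement uses INFO, and consumers filtering on WARN may otherwise treat a test limitation as a finding.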
@@ -6897,7 +6906,12 @@ run_server_defaults() {
 outln "ID: no"
 fileout "session_resumption_id" "INFO" "Session resumption via Session ID is not supported"
 ;;
- 2) SESS_RESUMPTION[1]="ID=noclue"
+ 2) SESS_RESUMPTION[1]="ID=clientauth"
+ [[ ${SESS_RESUMPTION[2]} =~ clientauth ]] || pr_warning "Client Auth: "
+ prln_warning "ID resumption resumption test not supported"
+ fileout "session_resumption_ID" "WARN" "resumption test via Session ID couldn't be performed because client authentication is missing"
+ ;;
+ 7) SESS_RESUMPTION[1]="ID=noclue"
 prln_warning "ID resumption test failed, pls report"
 fileout "session_resumption_ID" "WARN" "resumption test via Session ID failed, pls report"
 ;;
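Review bot: `prln_warning "ID resumption resumption test not supported"` repeats the word "resumption"; it should read `prln_warning "ID resumption test not possible"` (or "not supported", whichever the ticket arm settles on, so the two lines match). The new fileout line uses the id `session_resumption_ID` while the INFO arm above it uses `session_resumption_id`; the pre-existing noclue arm carries the same inconsistency, but since this patch adds another line, it is the moment to pick one spelling so JSON/CSV consumers can key on a single id. The `[[ ${SESS_RESUMPTION[2]} =~ clientauth ]]` guard is safe inside `[[ ]]` (no word splitting on the unquoted expansion), though the glob form `[[ ${SESS_RESUMPTION[2]} == *clientauth* ]]` expresses the same substring check without a regex.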