For servers with client authentication one would need to supply an X.509
certificate to check session resumption by ID or ticket. This is not (yet?)
supported in testssl.sh.

This commit fixes the misleading error message so that it is clear what the
problem is.
This commit is contained in:
Dirk 2017-10-30 18:41:19 +01:00
parent bec17e1ad6
commit dca4da4736


@ -4753,6 +4753,7 @@ read_dhbits_from_file() {
# arg1: ID or empty. if empty resumption by ticket will be tested # arg1: ID or empty. if empty resumption by ticket will be tested
# return: 0: it has resumption, 1:nope, 2: can't tell # return: 0: it has resumption, 1:nope, 2: can't tell
sub_session_resumption() { sub_session_resumption() {
local ret ret1 ret2
local tmpfile=$(mktemp $TEMPDIR/session_resumption.$NODEIP.XXXXXX) local tmpfile=$(mktemp $TEMPDIR/session_resumption.$NODEIP.XXXXXX)
local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX) local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
local -a rw_line local -a rw_line
@ -4764,10 +4765,14 @@ sub_session_resumption() {
local byID=false local byID=false
local addcmd="" local addcmd=""
fi fi
"$CLIENT_AUTH" && return 2
"$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO" "$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO"
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
ret1=$?
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
ret2=$?
debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]"
# now get the line and compare the numbers read" and "writen" as a second criteria. # now get the line and compare the numbers read" and "writen" as a second criteria.
rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )" rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )"
rw_line=($rw_line) rw_line=($rw_line)
@ -4777,7 +4782,7 @@ sub_session_resumption() {
new_sid2=false new_sid2=false
fi fi
debugme echo "${rw_line[0]}, ${rw_line[1]}" debugme echo "${rw_line[0]}, ${rw_line[1]}"
#grep -aq "^New" "$tmpfile" && new_sid=true || new_sid=false # grep -aq "^New" "$tmpfile" && new_sid=true || new_sid=false
grep -aq "^Reused" "$tmpfile" && new_sid=false || new_sid=true grep -aq "^Reused" "$tmpfile" && new_sid=false || new_sid=true
if "$new_sid2" && "$new_sid"; then if "$new_sid2" && "$new_sid"; then
debugme echo -n "No session resumption " debugme echo -n "No session resumption "
@ -4786,8 +4791,8 @@ sub_session_resumption() {
debugme echo -n "Session resumption " debugme echo -n "Session resumption "
ret=0 ret=0
else else
debugme echo -n "unclear status: "$new_sid, "$new_sid2 -- " debugme echo -n "unclear status: $ret1, $ret2, $new_sid, $new_sid2 -- "
ret=2 ret=7
fi fi
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
"$byID" && echo "byID" || echo "by ticket" "$byID" && echo "byID" || echo "by ticket"
@ -6876,7 +6881,11 @@ run_server_defaults() {
out "Tickets no, " out "Tickets no, "
fileout "session_resumption_ticket" "INFO" "Session resumption via Session Tickets is not supported" fileout "session_resumption_ticket" "INFO" "Session resumption via Session Tickets is not supported"
;; ;;
2) SESS_RESUMPTION[2]="ticket=noclue" 2) SESS_RESUMPTION[2]="ticket=clientauth"
pr_warning "Client Auth: Ticket resumption test not supported / "
fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets couldn't be performed because client authentication is missing"
;;
7) SESS_RESUMPTION[2]="ticket=noclue"
pr_warning "Ticket resumption test failed, pls report / " pr_warning "Ticket resumption test failed, pls report / "
fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets failed, pls report" fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets failed, pls report"
;; ;;
@ -6897,7 +6906,12 @@ run_server_defaults() {
outln "ID: no" outln "ID: no"
fileout "session_resumption_id" "INFO" "Session resumption via Session ID is not supported" fileout "session_resumption_id" "INFO" "Session resumption via Session ID is not supported"
;; ;;
2) SESS_RESUMPTION[1]="ID=noclue" 2) SESS_RESUMPTION[1]="ID=clientauth"
[[ ${SESS_RESUMPTION[2]} =~ clientauth ]] || pr_warning "Client Auth: "
prln_warning "ID resumption resumption test not supported"
fileout "session_resumption_ID" "WARN" "resumption test via Session ID couldn't be performed because client authentication is missing"
;;
7) SESS_RESUMPTION[1]="ID=noclue"
prln_warning "ID resumption test failed, pls report" prln_warning "ID resumption test failed, pls report"
fileout "session_resumption_ID" "WARN" "resumption test via Session ID failed, pls report" fileout "session_resumption_ID" "WARN" "resumption test via Session ID failed, pls report"
;; ;;
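Review bot: The header comment `# return: 0: it has resumption, 1:nope, 2: can't tell` at the top of sub_session_resumption is now stale: the new `"$CLIENT_AUTH" && return 2` makes 2 mean "not testable because of client authentication" while the unclear branch now returns 7, which is exactly how the two case statements in run_server_defaults read them. Change it to `# return: 0: it has resumption, 1:nope, 2: can't test (client auth), 7: can't tell`. The new client-auth check also sits after the two mktemp calls, so both temp files are created and, as far as the hunks show, never removed when the function returns early there (the function body and any cleanup continue outside the hunks). Either make the check the first statement of the function or return via `"$CLIENT_AUTH" && { rm -f -- "$tmpfile" "$sess_data"; return 2; }`. The added `debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]"` prints the test expression as literal text rather than its result because the inner quotes close and reopen the string; if the intent is to log whether the session file is non-empty, evaluate it first, e.g. `[[ -s "$sess_data" ]] && sess_state="non-empty" || sess_state="empty"` and then `debugme echo "$ret1, $ret2, sess_data $sess_state"`.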