diff --git a/testssl.sh b/testssl.sh index 173943c..acb6c05 100755 --- a/testssl.sh +++ b/testssl.sh @@ -10239,6 +10239,7 @@ run_fs() { local -a supported_curve local -i nr_supported_ciphers=0 nr_curves=0 nr_ossl_curves=0 i j low high local fs_ciphers curves_offered="" curves_to_test temp + local curves_option="" curves_list1="" curves_list2="" local len1 len2 curve_found local key_bitstring quality_str local -i len_dh_p quality @@ -10307,6 +10308,12 @@ run_fs() { tls_sockets "04" "${fs_hex_cipher_list:2}, 00,ff" sclient_success=$? [[ $sclient_success -eq 2 ]] && sclient_success=0 + # Sometimes a TLS 1.3 ClientHello will fail, but a TLS 1.2 ClientHello will succeed. See #2131. + if [[ $sclient_success -ne 0 ]]; then + tls_sockets "03" "${fs_hex_cipher_list:2}, 00,ff" + sclient_success=$? + [[ $sclient_success -eq 2 ]] && sclient_success=0 + fi else debugme echo $nr_supported_ciphers debugme echo $(actually_supported_osslciphers $fs_cipher_list "ALL") @@ -10320,6 +10327,38 @@ run_fs() { sclient_connect_successful $? $TMPFILE sclient_success=$? [[ $sclient_success -eq 0 ]] && [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]] && sclient_success=1 + # Sometimes a TLS 1.3 ClientHello will fail, but a TLS 1.2 ClientHello will succeed. See #2131. + if [[ $sclient_success -ne 0 ]] && "$HAS_TLS13"; then + # By default, OpenSSL 1.1.1 and above only include a few curves in the ClientHello, so in order + # to test all curves, the -curves option must be added. In addition, OpenSSL limits the number of + # curves that can be specified to 28. So, if more than 28 curves are supported, then the curves must + # be tested in batches. + if [[ "$(count_words "$OSSL_SUPPORTED_CURVES")" -le 28 ]]; then + curves_list1="$(strip_trailing_space "$(strip_leading_space "$OSSL_SUPPORTED_CURVES")")" + curves_list1="${curves_list1// /:}" + else + # Place the first 28 supported curves in curves_list1 and the remainder in curves_list2. + curves_list1="$(strip_trailing_space "$(strip_leading_space "$OSSL_SUPPORTED_CURVES")")" + curves_list1="${curves_list1// / }" + curves_list2="${curves_list1#* * * * * * * * * * * * * * * * * * * * * * * * * * * * }" + curves_list1="${curves_list1%$curves_list2}" + curves_list1="$(strip_trailing_space "$curves_list1")" + curves_list1="${curves_list1// /:}" + curves_list2="${curves_list2// /:}" + fi + curves_option="-curves $curves_list1" + $OPENSSL s_client $(s_client_options "-cipher $fs_cipher_list $curves_option $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE $TMPFILE