Introduce SSL_REGEG_WAIT and reduce wait to 0.25s

Reduce wait between reneg test to 0.25s. Still robust and accelerates the test as now we do up to 10 renego tests. With the global loop timeout, the backoff identification seem unneeded. But if we switch to 0.25s, we no longuer trigger the global timeout so it is still valuable. Adjust write out messages as bash do not support floating point number arithmetic.
2024-12-29 04:49:44 +01:00 · 2024-01-12 11:30:35 +01:00 · 2024-01-12 11:30:35 +01:00 · de364b0c84
commit de364b0c84
parent 9b79e3917a
1 changed files with 7 additions and 3 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -233,6 +233,7 @@ DISPLAY_CIPHERNAMES="openssl"           # display OpenSSL ciphername (but both O
 declare UA_STD="TLS tester from $SWURL"
 declare -r UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0"
 SSL_RENEG_ATTEMPTS=${SSL_RENEG_ATTEMPTS:-10}       # number of times to check SSL Renegotiation
+SSL_RENEG_WAIT=${SSL_RENEG_WAIT:-0.25}   # time between SSL Renegotiation checks

 ########### Initialization part, further global vars just being declared here
 #
@ -16952,6 +16953,7 @@ run_renego() {
     local hint=""
     local jsonID=""
     local ssl_reneg_attempts=$SSL_RENEG_ATTEMPTS
+     local ssl_reneg_wait=$SSL_RENEG_WAIT
     # In cases where there's no default host configured we need SNI here as openssl then would return otherwise an error and the test will fail

     "$HAS_TLS13" && [[ -z "$proto" ]] && proto="-no_tls1_3"
@ -17074,7 +17076,7 @@ run_renego() {
                              pr_svrty_medium "VULNERABLE (NOT ok)"; outln ", potential DoS threat"
                              fileout "$jsonID" "MEDIUM" "VULNERABLE, potential DoS threat" "$cve" "$cwe" "$hint"
                         else
-                              (for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep 1; done) | \
+                              (for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep $ssl_reneg_wait; done) | \
                                   $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
                              pid=$!
                              ( sleep $(($ssl_reneg_attempts*3)) && kill $pid && touch $TEMPDIR/was_killed ) >&2 2>/dev/null &
@ -17100,10 +17102,12 @@ run_renego() {
                                   1) pr_svrty_good "not vulnerable (OK)"; outln " -- mitigated (disconnect within $ssl_reneg_attempts)"
                                      fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
                                      ;;
-                                   2) pr_svrty_good "not vulnerable (OK)"; outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in ${ssl_reneg_attempts}s)"
+                                   2) pr_svrty_good "not vulnerable (OK)"; \
+                                           outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in ${ssl_reneg_attempts}x${ssl_reneg_wait}s)"
                                      fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
                                      ;;
-                                   3) pr_svrty_good "not vulnerable (OK)"; outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in $((${ssl_reneg_attempts}*3))s(timeout))"
+                                   3) pr_svrty_good "not vulnerable (OK)"; \
+                                           outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in $((${ssl_reneg_attempts}*3))s(timeout))"
                                      fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
                                      ;;
                                   *) prln_warning "FIXME (bug): $sec_client_renego ($ssl_reneg_attempts tries)"