From 12e3a3314adbe4aaac387697d879129b5994dea3 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Wed, 24 Aug 2016 10:14:12 -0400 Subject: [PATCH] OpenSSL 1.1.0 doesn't have "-no_ssl2" option With OpenSSL 1.1.0, `s_client -no_ssl2` fails with an "unknown option" error. At the moment the `-no_ssl2` option is only used in two functions, `run_client_simulation()` and `run_crime()`. In `run_crime()`, the `-no_ssl2` option is only included if the OpenSSL version is 0.9.8. This PR checks whether the OpenSSL version in use supports the `-no_ssl2` option, and if it doesn't, it removes it from the calls to `s_client` in `run_client_simulation()`. --- testssl.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/testssl.sh b/testssl.sh index 1d91590..54086ff 100755 --- a/testssl.sh +++ b/testssl.sh @@ -212,6 +212,7 @@ OSSL_VER_APPENDIX="none" HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables HAS_SSL2=false HAS_SSL3=false +HAS_NO_SSL2=false HAS_ALPN=false HAS_SPDY=false ADD_RFC_STR="rfc" # display RFC ciphernames @@ -2798,6 +2799,7 @@ run_client_simulation() { [[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE fi else + ! "$HAS_NO_SSL2" && protos[i]="$(sed 's/-no_ssl2//' <<< "${protos[i]}")" $OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} &1 | grep -aq "unknown option" || \ HAS_SSL3=true + $OPENSSL s_client -no_ssl2 2>&1 | grep -aq "unknown option" || \ + HAS_NO_SSL2=true + $OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \ HAS_ALPN=true @@ -7270,6 +7275,7 @@ OPENSSL_CONF: $OPENSSL_CONF HAS_IPv6: $HAS_IPv6 HAS_SSL2: $HAS_SSL2 HAS_SSL3: $HAS_SSL3 +HAS_NO_SSL2: $HAS_NO_SSL2 HAS_SPDY: $HAS_SPDY HAS_ALPN: $HAS_ALPN