Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix check_tls12_pref()

Browse Source 
This is a minor bug when performing run_server_preference() if the server cannot handle ClientHello messages with more than 128 ciphers (i.e., $SERVER_SIZE_LIMIT_BUG is true) and the server supports at least one cipher in 'CAMELLIA:IDEA:KRB5:PSK:SRP:aNULL:eNULL'.

The problem is that `$OPENSSL s_client` is called with a cipher list such as
   ECDHE-RSA-AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256
then
   ECDHE-RSA-AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256:-CAMELLIA256-SHA
then
   ECDHE-RSA-AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256:-CAMELLIA256-SHA:-AES256-SHA256
and finally
   ECDHE-RSA-AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256:-CAMELLIA256-SHA:-AES256-SHA256:-ECDHE-RSA-AES256-GCM-SHA384

The last call to $OPENSSL s_client produces an error since the list of ciphers to send is empty, and this results in connectivity_problem() being called to print a "openssl s_client connect problem" warning. 

This PR fixes the problem by constructing a list of ciphers to test for and by not calling $OPENSSL s_client if the list is empty.
This commit is contained in:
David Cooper 2019-02-15 14:28:56 -05:00 committed by GitHub
parent e27b03dff8
commit e0ce496a45
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
testssl.sh
View File

@ -6270,7 +6270,7 @@ run_server_preference() {
check_tls12_pref() {
local batchremoved="-CAMELLIA:-IDEA:-KRB5:-PSK:-SRP:-aNULL:-eNULL"
local batchremoved_success=false
local tested_cipher=""
local tested_cipher="" cipher ciphers_to_test
local order=""
local -i nr_ciphers_found_r1=0 nr_ciphers_found_r2=0
@ -6309,11 +6309,15 @@ check_tls12_pref() {
if "$batchremoved_success"; then
# now we combine the two cipher sets from both while loops
[[ "${order:0:1}" == " " ]] && order="${order:1}"
combined_ciphers="${order// /:}"
combined_ciphers="$order"
order="" ; tested_cipher=""
while true; do
$OPENSSL s_client $(s_client_options "$STARTTLS -tls1_2 $BUGS -cipher "$combined_ciphers$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE
ciphers_to_test=""
for cipher in $combined_ciphers; do
[[ ! "$tested_cipher:" =~ :-$cipher: ]] && ciphers_to_test+=":$cipher"
done
[[ -z "$ciphers_to_test" ]] && break
$OPENSSL s_client $(s_client_options "$STARTTLS -tls1_2 $BUGS -cipher "${ciphers_to_test:1}" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE ; then
cipher=$(get_cipher $TMPFILE)
order+=" $cipher"
@ -6321,7 +6325,7 @@ check_tls12_pref() {
nr_ciphers_found_r2+=1
"$FAST" && break
else
# nothing left, we're done
# This shouldn't happen.
break
fi
done