Fix "ID resumption test failed" under Darwin
Under Darwin using LibreSSL it was not possible to test for session resumption by session ID. This fixes #2096 by checking not only the return value of the s_client hello but also whether a certificate is probably being returned.
This commit is contained in:
parent
ccef30ae8b
commit
e1711a7ccb
19
testssl.sh
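--- a/testssl.sh
+++ b/testssl.sh
@@ -6521,17 +6521,22 @@ sub_session_resumption() {
 addcmd+=" $protocol"
 fi
 
-$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
+$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>$tmpfile
 ret1=$?
 if [[ $ret1 -ne 0 ]]; then
-debugme echo -n "Couldn't connect #1 "
-return 7
+# MacOS and LibreSSL return 1 here, that's why we need to check whether the handshake contains e.g. a certificate
+if [[ ! $(<$tmpfile) =~ -----.*\ CERTIFICATE----- ]]; then
+debugme echo -n "Couldn't connect #1 "
+return 7
+fi
 fi
 if "$byID" && [[ ! "$OSSL_NAME" =~ LibreSSL ]] && \
 ( [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || [[ $OSSL_VER_MAJOR == 3 ]] ) && \
 [[ ! -s "$sess_data" ]]; then
 # it seems OpenSSL indicates no Session ID resumption by just not generating output
 debugme echo -n "No session resumption byID (empty file)"
+# If we want to check the presence of session data:
+# [[ ! $(<$sess_data) =~ -----.*\ SSL\ SESSION\ PARAMETERS----- ]]
 ret=2
 else
 $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
@@ -6541,8 +6546,10 @@ sub_session_resumption() {
 [[ -s "$sess_data" ]] && echo "not empty" || echo "empty"
 fi
 if [[ $ret2 -ne 0 ]]; then
-debugme echo -n "Couldn't connect #2 "
-return 7
+if [[ ! $(<$tmpfile) =~ -----.*\ CERTIFICATE----- ]]; then
+debugme echo -n "Couldn't connect #2 "
+return 7
+fi
 fi
 # "Reused" indicates session material was reused, "New": not
 if grep -aq "^Reused" "$tmpfile"; then
@@ -6553,7 +6560,7 @@ sub_session_resumption() {
 debugme echo -n "Problem with 2nd ServerHello "
 fi
 # Now get the line and compare the numbers "read" and "written" as a second criteria.
-# If the "read" number is bigger: a new session ID was probably used
+# If the "read" number is bigger: a new session ID was probably used.
 rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )"
 rw_line=($rw_line)
 if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then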
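Review bot: The second `if [[ ! $(<$tmpfile) =~ -----.*\ CERTIFICATE----- ]]` guard, in the `ret2` branch of the second hunk, repeats the first hunk's check without the comment that explains it, so a reader there cannot tell why a non-zero `s_client` exit is being tolerated; a one-liner such as `# LibreSSL/macOS can exit 1 after a completed handshake, see check #1 above` would carry the rationale, or both sites could call one small helper like `handshake_printed_cert() { [[ $(<"$1") =~ -----.*\ CERTIFICATE----- ]]; }`. The two checks also inspect different captures, since the first call uses `&>$tmpfile` (stdout and stderr) while the second keeps `>$tmpfile 2>$ERRFILE`; if that difference is intentional it deserves a comment as well. A PEM block in the output is a proxy for a completed handshake rather than proof of it, and on a resumed (abbreviated) handshake the server sends no Certificate message, so it is worth confirming that s_client under LibreSSL still prints the cached peer certificate in that case — otherwise a successfully resumed session with a non-zero exit would be reported as `return 7`. `sub_session_resumption` starts and ends outside these hunks.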