Improve check for $low_proto in run_tls_fallback_scsv()

If $high_proto is set to something other than SSLv3, support for SSLv3 will not have been determined by determine_optimal_sockets_params(), but it may have been determined later (e.g., by run_protocols()). So, this commit changes the loop to always check for SSLv3 support (without calling "$OPENSSL s_client" if $HAS_SSL3 is false). The check for whether the fallback test can be performed is moved until after the loop
2025-01-01 06:19:44 +01:00 · 2019-11-15 10:03:04 -05:00 · 2019-11-15 10:03:04 -05:00 · e457ff8cc1
commit e457ff8cc1
parent 00f613f62d
1 changed files with 17 additions and 5 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -14840,16 +14840,12 @@ run_tls_fallback_scsv() {

     # Next find a second protocol that the server supports.
     for p in $protos_to_try; do
-          if [[ "$p" == ssl3 ]] && ! "$HAS_SSL3"; then
-               prln_local_problem "Can't test: $OPENSSL does not support SSLv3"
-               fileout "$jsonID" "WARN" "Can't test: $OPENSSL does not support SSLv3"
-               return 1
-          fi
          [[ $(has_server_protocol "$p") -eq 1 ]] && continue
          if [[ $(has_server_protocol "$p") -eq 0 ]]; then
               low_proto="$p"
               break
          fi
+          [[ "$p" == ssl3 ]] && ! "$HAS_SSL3" && continue
          $OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
          if sclient_connect_successful $? $TMPFILE; then
               low_proto="$p"
@ -14857,6 +14853,22 @@ run_tls_fallback_scsv() {
          fi
     done

+     if ! "$HAS_SSL3" && \
+         ( [[ "$low_proto" == ssl3 ]] || \
+           ( [[ "$high_proto" == tls1 ]] && [[ $(has_server_protocol "$p") -eq 2 ]] ) ); then
+          # If the protocol that the server would fall back to is SSLv3, but $OPENSSL does
+          # not support SSLv3, then the test cannot be performed. So, if $OPENSSL does not
+          # support SSLv3 and it is known that SSLv3 is the fallback protocol ($low_proto), then
+          # the test cannot be performed. Similarly, if SSLv3 could be the fallback protocol, but
+          # support for SSLv3 is unknown, then the test cannot be performed.
+          # NOTE: This check assumes that any server that suppports SSLv3 and either TLS 1.2 or
+          # TLS 1.1 would also support TLS 1. So, if $high_proto is not TLS 1, then it is assumed
+          # that either (1) $low_proto has already been set (to TLS1.1 or TLS 1) or (2) no protocol
+          # lower than $high_proto is offered.
+          prln_local_problem "Can't test: $OPENSSL does not support SSLv3"
+          fileout "$jsonID" "WARN" "Can't test: $OPENSSL does not support SSLv3"
+          return 1
+     fi
     if [[ -z "$low_proto" ]]; then
          case "$high_proto" in
               "tls1_2")