mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-20 23:49:30 +01:00
Improve check for $low_proto in run_tls_fallback_scsv()
If $high_proto is set to something other than SSLv3, support for SSLv3 will not have been determined by determine_optimal_sockets_params(), but it may have been determined later (e.g., by run_protocols()). So, this commit changes the loop to always check for SSLv3 support (without calling "$OPENSSL s_client" if $HAS_SSL3 is false). The check for whether the fallback test can be performed is moved until after the loop
This commit is contained in:
parent
00f613f62d
commit
e457ff8cc1
22
testssl.sh
22
testssl.sh
@ -14840,16 +14840,12 @@ run_tls_fallback_scsv() {
|
|||||||
|
|
||||||
# Next find a second protocol that the server supports.
|
# Next find a second protocol that the server supports.
|
||||||
for p in $protos_to_try; do
|
for p in $protos_to_try; do
|
||||||
if [[ "$p" == ssl3 ]] && ! "$HAS_SSL3"; then
|
|
||||||
prln_local_problem "Can't test: $OPENSSL does not support SSLv3"
|
|
||||||
fileout "$jsonID" "WARN" "Can't test: $OPENSSL does not support SSLv3"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
[[ $(has_server_protocol "$p") -eq 1 ]] && continue
|
[[ $(has_server_protocol "$p") -eq 1 ]] && continue
|
||||||
if [[ $(has_server_protocol "$p") -eq 0 ]]; then
|
if [[ $(has_server_protocol "$p") -eq 0 ]]; then
|
||||||
low_proto="$p"
|
low_proto="$p"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
[[ "$p" == ssl3 ]] && ! "$HAS_SSL3" && continue
|
||||||
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
low_proto="$p"
|
low_proto="$p"
|
||||||
@ -14857,6 +14853,22 @@ run_tls_fallback_scsv() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if ! "$HAS_SSL3" && \
|
||||||
|
( [[ "$low_proto" == ssl3 ]] || \
|
||||||
|
( [[ "$high_proto" == tls1 ]] && [[ $(has_server_protocol "$p") -eq 2 ]] ) ); then
|
||||||
|
# If the protocol that the server would fall back to is SSLv3, but $OPENSSL does
|
||||||
|
# not support SSLv3, then the test cannot be performed. So, if $OPENSSL does not
|
||||||
|
# support SSLv3 and it is known that SSLv3 is the fallback protocol ($low_proto), then
|
||||||
|
# the test cannot be performed. Similarly, if SSLv3 could be the fallback protocol, but
|
||||||
|
# support for SSLv3 is unknown, then the test cannot be performed.
|
||||||
|
# NOTE: This check assumes that any server that suppports SSLv3 and either TLS 1.2 or
|
||||||
|
# TLS 1.1 would also support TLS 1. So, if $high_proto is not TLS 1, then it is assumed
|
||||||
|
# that either (1) $low_proto has already been set (to TLS1.1 or TLS 1) or (2) no protocol
|
||||||
|
# lower than $high_proto is offered.
|
||||||
|
prln_local_problem "Can't test: $OPENSSL does not support SSLv3"
|
||||||
|
fileout "$jsonID" "WARN" "Can't test: $OPENSSL does not support SSLv3"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
if [[ -z "$low_proto" ]]; then
|
if [[ -z "$low_proto" ]]; then
|
||||||
case "$high_proto" in
|
case "$high_proto" in
|
||||||
"tls1_2")
|
"tls1_2")
|
||||||
|
Loading…
Reference in New Issue
Block a user