From 7dd1d15e9a2779a0c687ebcb719193b382fc8cda Mon Sep 17 00:00:00 2001 From: David Cooper Date: Tue, 23 Aug 2016 11:31:04 -0400 Subject: [PATCH 1/2] run_ssl_poodle() when OpenSSL doesn't support SSLv3 If the version of OpenSSL being used doesn't support `s_client -ssl3` (e.g., OpenSSL 1.1.0), `run_ssl_poodle()` displays `not vulnerable (OK)` even though it can't test whether the server is vulnerable. This PR fixes it so that a "Local problem" warning is displayed is `s_client -ssl3` isn't supported. The PR also removes the `$SNI` from the call to `$OPENSSL s_client` since OpenSSL ignores the `-servername` directive for `-ssl3` anyways. --- testssl.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 1d91590..fb6cd1d 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6447,10 +6447,11 @@ run_ssl_poodle() { [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln pr_bold " POODLE, SSL"; out " (CVE-2014-3566) " + locally_supported "-ssl3" || return 1 cbc_ciphers=$(actually_supported_ciphers $cbc_ciphers) debugme echo $cbc_ciphers - $OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE Date: Tue, 23 Aug 2016 11:35:03 -0400 Subject: [PATCH 2/2] Return 0 even if test couldn't be performed --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index fb6cd1d..f8ba8c5 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6447,7 +6447,7 @@ run_ssl_poodle() { [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln pr_bold " POODLE, SSL"; out " (CVE-2014-3566) " - locally_supported "-ssl3" || return 1 + locally_supported "-ssl3" || return 0 cbc_ciphers=$(actually_supported_ciphers $cbc_ciphers) debugme echo $cbc_ciphers