Merge branch 'master' into server_preference_sslv2_fixes

David Cooper 2016-07-26 13:36:15 -04:00
commit f9a4ab51b2


@ -714,7 +714,7 @@ run_http_header() {
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $HEADER_MAXSLEEP
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
# we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it # we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it
# again in the foreground ito get an ccurate header time! # again in the foreground to get an accurate header time!
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE
NOW_TIME=$(date "+%s") NOW_TIME=$(date "+%s")
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE) HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
@ -3842,7 +3842,7 @@ tls_time() {
debugme out "$TLS_TIME" debugme out "$TLS_TIME"
outln outln
else else
pr_warning "SSLv3 through TLS 1.2 didn't return a timestamp" pr_warningln "SSLv3 through TLS 1.2 didn't return a timestamp"
fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2" fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
fi fi
return 0 return 0
@ -7121,6 +7121,7 @@ check4openssl_oldfarts() {
*) outln " Update openssl binaries or compile from github.com/PeterMosmans/openssl" ;; *) outln " Update openssl binaries or compile from github.com/PeterMosmans/openssl" ;;
esac esac
ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives " ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
[[ $? -ne 0 ]] && exit -2
fi fi
outln outln
} }
@ -7816,7 +7817,7 @@ sclient_auth() {
# #
determine_optimal_proto() { determine_optimal_proto() {
local all_failed local all_failed
local addcmd="" local sni=""
#TODO: maybe query known openssl version before this workaround. 1.0.1 doesn't need this #TODO: maybe query known openssl version before this workaround. 1.0.1 doesn't need this
@ -7834,8 +7835,9 @@ determine_optimal_proto() {
done done
debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO" debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
else else
for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2 ''; do for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
$OPENSSL s_client $OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI </dev/null >$TMPFILE 2>>$ERRFILE [[ "$OPTIMAL_PROTO" =~ ssl ]] && sni="" || sni=$SNI
$OPENSSL s_client $OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $sni </dev/null >$TMPFILE 2>>$ERRFILE
if sclient_auth $? $TMPFILE; then if sclient_auth $? $TMPFILE; then
all_failed=1 all_failed=1
break break
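Review bot: Removing the trailing `''` from the `for OPTIMAL_PROTO in …` list leaves OPTIMAL_PROTO at `-ssl2` when every probe fails, so the new check in the following hunk (`if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]`) reports "appears to only support SSLv2" and prompts even though no handshake succeeded, presumably before whatever handles the all-failed case further down (outside these hunks) runs. Since `all_failed=1` is set only after sclient_auth succeeded, that branch should require it as well: `if [[ $all_failed -eq 1 && "$OPTIMAL_PROTO" == "-ssl2" ]]; then`. The `[[ "$OPTIMAL_PROTO" =~ ssl ]] && sni="" || sni=$SNI` line is correct only because an assignment cannot fail; an `if`/`else` would state the intent (no SNI on SSLv2/SSLv3 probes, which lack extensions) more plainly, e.g. `if [[ "$OPTIMAL_PROTO" =~ ssl ]]; then sni=""; else sni=$SNI; fi`. determine_optimal_proto starts and ends outside this hunk.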
@ -7843,6 +7845,11 @@ determine_optimal_proto() {
all_failed=0 all_failed=0
done done
debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO" debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
pr_magentaln "$NODEIP:$PORT appears to only support SSLv2."
ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
[[ $? -ne 0 ]] && exit -2
fi
fi fi
grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190 grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190