Correct client_renego timing bug.

OpenSSL will buffer only the first command till the establishment of the
session.
In case of slow session establishment, we could:
  * loose some renego trys missing proper mitigation implementation
  * loose some renego trys missing a real vulnerable host if 2/3 of the
    tries are lost during session establishment (very slow startup).

Wait for the session to be fully establised before starting the renego
loop.
This commit is contained in:
Emmanuel Fusté 2024-02-13 14:40:53 +01:00
parent 62b5859d52
commit faae91edbc

View File

@ -17080,7 +17080,13 @@ run_renego() {
pr_svrty_medium "VULNERABLE (NOT ok)"; outln ", potential DoS threat"
fileout "$jsonID" "MEDIUM" "VULNERABLE, potential DoS threat" "$cve" "$cwe" "$hint"
else
(for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep $ssl_reneg_wait; done) | \
# Clear the log to not get the content of previous run before the execution of the new one.
echo -n > $TMPFILE
# If we dont wait for the session to be established on slow server, we will try to re-negotiate
# too early loosing all the attemps before the session establishment as OpenSSL will not buffer them
# (only the first will be till the establishement of the session).
(while [[ $(grep -ac '^SSL-Session:' $TMPFILE) -ne 1 ]]; do sleep 1; done; \
for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep $ssl_reneg_wait; done) | \
$OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
pid=$!
( sleep $(($ssl_reneg_attempts*3)) && kill $pid && touch $TEMPDIR/was_killed ) >&2 2>/dev/null &