From ca818c4dded199e027995d382c25ca690a32fb82 Mon Sep 17 00:00:00 2001 From: Steven Danneman Date: Wed, 12 Jul 2017 16:54:24 -0700 Subject: [PATCH] Fix CCS Injection detection for MySQL (yaSSL) Another yaSSL server incompatiblity. MySQL protects against CCS Injection by erroring if it sees to CCS requests before the handshake completes. But instead of returning a TLS alert, it seems to error up the stack to MySQL which returns it's own error message. Debug output looks like: --- sending client hello, reading server hello 1st reply: sending payload #2 with TLS version x03, x02: tls_content_type: 16 | tls_protocol: 0000 | byte6: 04 2nd reply: 00000000 16 00 00 02 ff 13 04 23 30 38 53 30 31 42 61 64 |.......#08S01Bad| 00000010 20 68 61 6e 64 73 68 61 6b 65 | handshake| 0000001a test failed, probably read buffer too small (16000002FF1304) --- This patch adds a custom check for this MySQL specific error, as far down in the error check path as I can. --- testssl.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index 9e5d2fc..b55a5a6 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -9162,7 +9162,7 @@ run_ccs_injection(){
 fi
 ret=0
 elif [[ "$byte6" == "15" ]] && [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
- # decyption failed received
+ # decryption failed received
 pr_svrty_critical "VULNERABLE (NOT ok)"
 fileout "ccs" "CRITICAL" "CCS: VULNERABLE" "$cve" "$cwe" "$hint"
 ret=1
@@ -9174,6 +9174,11 @@ run_ccs_injection(){
 out " - alert description type: $byte6"
 fileout "ccs" "WARN" "CCS: probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
 fi
+ elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then
+ # MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
+ # Error: #08S01 Bad handshake
+ pr_done_best "not vulnerable (OK)"
+ fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe"
 elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
 pr_warning "test failed"
 out ", probably read buffer too small (${tls_hello_ascii:0:14})"
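Review bot: The new `elif` reports "not vulnerable (OK)" on the SQLSTATE alone: `233038533031` is `#08S01`, the generic communication-link-failure class, so any MySQL error of that class read as the second reply would be recorded as an OK verdict. A scanner's OK should be as narrow as its evidence, so consider also matching the error-packet marker and code from the commit's debug output (`ff 13 04`, i.e. error 1043 "Bad handshake"), e.g. `[[ "${tls_hello_ascii:8:6}" == "FF1304" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]`, assuming the hex in `tls_hello_ascii` is upper-case as the logged `16000002FF1304` suggests. The branch also assigns no `ret`, while the other verdict branches visible in this patch set `ret=0` or `ret=1`; unless `ret` is initialised outside the hunk, add `ret=0` after the `fileout` call. The rest of `run_ccs_injection` lies outside the hunk, so both points should be checked against the full function.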