Address 4xx after STARTTLS handshake seems to have succeeded
In certain cases (see e.g. #939) the server side "kind of" falls back from a TLS channel to the underlying plaintext STARTTLS with a 5xx or 4xx. This PR adds the detection of 4xx for all protocols (if STARTTLS has been used) and labels the detection as "likely not av" (and keeps the warning). This leads to two JSON/CSV objects in those cases. The detection isn't quite perfect as the issue #939 shows the first TLS message fragment resembles a TLS alert. As noticed it also removes the recommendation to increase the debug level if the level is already sufficient.
This commit is contained in:
parent
50f7c93046
commit
ffd89f8dea
57
testssl.sh
57
testssl.sh
@ -1036,7 +1036,9 @@ hex2dec() {
|
|||||||
# convert 414243 into ABC
|
# convert 414243 into ABC
|
||||||
hex2ascii() {
|
hex2ascii() {
|
||||||
for (( i=0; i<${#1}; i+=2 )); do
|
for (( i=0; i<${#1}; i+=2 )); do
|
||||||
printf "\x${1:$i:2}"
|
# 2>/dev/null added because 'warning: command substitution: ignored null byte in input'
|
||||||
|
# --> didn't help though
|
||||||
|
printf "\x${1:$i:2}" 2>/dev/null
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4394,8 +4396,7 @@ run_protocols() {
|
|||||||
local key_share_extn_nr="$KEY_SHARE_EXTN_NR"
|
local key_share_extn_nr="$KEY_SHARE_EXTN_NR"
|
||||||
local lines nr_ciphers_detected
|
local lines nr_ciphers_detected
|
||||||
local tls13_ciphers_to_test=""
|
local tls13_ciphers_to_test=""
|
||||||
local drafts_offered=""
|
local drafts_offered="" debug_recomm=""
|
||||||
local debug_recomm=", rerun with DEBUG>=2"
|
|
||||||
local -i ret=0 subret=0
|
local -i ret=0 subret=0
|
||||||
local jsonID="SSLv2"
|
local jsonID="SSLv2"
|
||||||
|
|
||||||
@ -4413,6 +4414,7 @@ run_protocols() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
|
[[ "$DEBUG" -le 1 ]] && debug_recomm=", rerun w DEBUG>=2 or --ssl-native"
|
||||||
|
|
||||||
pr_bold " SSLv2 ";
|
pr_bold " SSLv2 ";
|
||||||
if ! "$SSL_NATIVE"; then
|
if ! "$SSL_NATIVE"; then
|
||||||
@ -4439,9 +4441,11 @@ run_protocols() {
|
|||||||
fileout "$jsonID" "OK" "not offered"
|
fileout "$jsonID" "OK" "not offered"
|
||||||
add_tls_offered ssl2 no
|
add_tls_offered ssl2 no
|
||||||
;;
|
;;
|
||||||
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
|
4) out "likely "; pr_svrty_best "not offered (OK), "
|
||||||
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
|
fileout "$jsonID" "OK" "likely not offered"
|
||||||
((ret++))
|
add_tls_offered ssl2 no
|
||||||
|
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
|
||||||
|
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
|
||||||
;;
|
;;
|
||||||
3) lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
3) lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
||||||
[[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) "
|
[[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) "
|
||||||
@ -4517,8 +4521,11 @@ run_protocols() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
|
4) out "likely "; pr_svrty_best "not offered (OK), "
|
||||||
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
|
fileout "$jsonID" "OK" "not offered"
|
||||||
|
add_tls_offered ssl3 no
|
||||||
|
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
|
||||||
|
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
|
||||||
;;
|
;;
|
||||||
5) pr_svrty_high "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
|
5) pr_svrty_high "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
|
||||||
fileout "$jsonID" "HIGH" "$supported_no_ciph1"
|
fileout "$jsonID" "HIGH" "$supported_no_ciph1"
|
||||||
@ -4581,8 +4588,11 @@ run_protocols() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
|
4) out "likely not offered, "
|
||||||
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
|
fileout "$jsonID" "INFO" "likely not offered"
|
||||||
|
add_tls_offered tls1 no
|
||||||
|
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
|
||||||
|
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
|
||||||
;;
|
;;
|
||||||
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
|
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
|
||||||
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
||||||
@ -4649,8 +4659,11 @@ run_protocols() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
|
4) out "likely not offered, "
|
||||||
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
|
fileout "$jsonID" "INFO" "is not offered"
|
||||||
|
add_tls_offered tls1_1 no
|
||||||
|
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
|
||||||
|
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
|
||||||
;;
|
;;
|
||||||
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
|
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
|
||||||
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
||||||
@ -4728,8 +4741,11 @@ run_protocols() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
|
4) out "likely "; pr_svrty_medium "not offered, "
|
||||||
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
|
fileout "$jsonID" "MEDIUM" "not offered"
|
||||||
|
add_tls_offered tls1_2 no
|
||||||
|
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
|
||||||
|
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
|
||||||
;;
|
;;
|
||||||
5) outln "$supported_no_ciph1" # protocol detected, but no cipher --> comes from run_prototest_openssl
|
5) outln "$supported_no_ciph1" # protocol detected, but no cipher --> comes from run_prototest_openssl
|
||||||
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
||||||
@ -4873,8 +4889,11 @@ run_protocols() {
|
|||||||
fi
|
fi
|
||||||
add_tls_offered tls1_3 no
|
add_tls_offered tls1_3 no
|
||||||
;;
|
;;
|
||||||
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
|
4) out "likely not offered, "
|
||||||
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
|
fileout "$jsonID" "INFO" "not offered"
|
||||||
|
add_tls_offered tls1_3 no
|
||||||
|
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
|
||||||
|
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
|
||||||
;;
|
;;
|
||||||
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
|
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
|
||||||
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
||||||
@ -9840,9 +9859,9 @@ parse_tls_serverhello() {
|
|||||||
tmln_out
|
tmln_out
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $tls_content_type == "35" ]] && "$do_starttls"; then
|
if "$do_starttls" && ( [[ $tls_content_type == 35 ]] || [[ $tls_content_type == 34 ]] ); then
|
||||||
# this could be a 500/5xx for some weird reason where the STARTTLS handshake failed
|
# STARTTLS handshake failed and server replied plaintext with a 5xx or 4xx
|
||||||
debugme echo "$(hex2ascii "$tls_hello_ascii")"
|
[[ $DEBUG -ge 2 ]] && printf "%s\n" "$(hex2ascii "$tls_hello_ascii" 2>/dev/null)"
|
||||||
[[ $DEBUG -ge 1 ]] && tmpfile_handle $FUNCNAME.txt
|
[[ $DEBUG -ge 1 ]] && tmpfile_handle $FUNCNAME.txt
|
||||||
return 4
|
return 4
|
||||||
elif [[ $tls_content_type != "14" ]] && [[ $tls_content_type != "15" ]] && \
|
elif [[ $tls_content_type != "14" ]] && [[ $tls_content_type != "15" ]] && \
|
||||||
|
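Review bot: The new `4)` branches write different JSON/CSV findings for the same heuristic condition: SSLv2 and TLS 1.0 record `"likely not offered"`, but SSLv3, TLS 1.2 and TLS 1.3 record an unqualified `"not offered"` and TLS 1.1 records `"is not offered"`, while the terminal output says "likely" in every case and the description itself calls the detection imperfect. Consumers of the machine-readable output would read the unqualified variants as a definitive result, so the four outliers should become `fileout "$jsonID" "OK" "likely not offered"` (SSLv3), `fileout "$jsonID" "INFO" "likely not offered"` (TLS 1.1, TLS 1.3) and `fileout "$jsonID" "MEDIUM" "likely not offered"` (TLS 1.2). In the parse_tls_serverhello hunk the new test `( [[ $tls_content_type == 35 ]] || [[ $tls_content_type == 34 ]] )` forks a subshell only for grouping; `[[ $tls_content_type == 35 || $tls_content_type == 34 ]]` is equivalent, and a comment such as `# 0x34/0x35 are ASCII '4'/'5', the first byte of a plaintext 4xx/5xx status line rather than a TLS content type` would explain why exactly those two values are singled out. Both run_protocols and parse_tls_serverhello start and end outside the shown hunks.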