- In case of multiple IP testing, clear ERRFILE bettween runs
- Zero return value with server connection close should be taken into
account in the looping logic case too. Add it.
- Break the wait loop in case of connection close for faster result.
- Ignore "notAfter" in the wait loop for expired certificates.
- Indentation and tab cleanup.
Tested on 57 url with previously suspicious results with success. No
regressions on 50 others.
There is a race condition if openssl exit during a renego but after
the RENEGOTIATING printing.
In this case we could issue a R before the process exit and be blocked
in the waiting loop.
With the safety guards in place (loop count + timeout) this is harmless
but not optimal.
Fix this by:
- reordering the sleep vs echo to let the process exit and catch the
pipe error more frequently.
- exit the while loop if RENEGOTIATING is not the last log line. We
will catch the pipe error on the next for loop echo.
- correct the k variable initialisation
- correct the for (( ; ; )) variable $ convention usage
- reduce the while loop count limit to 120 to align with the global
timeout
The heuristic is too fragile and timing dependant.
- As for the initial TLS negociation, wait for the result of the
renegociation request before sending the next one.
- Remove the result ratio calculation and message as we now reach the
timeout in case of exponential backoff or connection hang.
This commit depend on the fix of the timeout, broken by the zombi fix.
The zombi fix did too much modifications breaking the global time-out
function.
As the wait $pid failed, we no longer create the watchdog file.
Fix by reverting unnecessary changes.
The actual code grep for "MongoDB" keyword in the head of the HTTP
session.
In case of "compressed" HTML, a big page is on one line.
On a IT page, we could encounter the "MongoDB" keyword and
miss-identify the application protocol.
Fixed by matching on a longuer string taken from a live MogoDB
server.
OpenSSL will buffer only the first command till the establishment of the
session.
In case of slow session establishment, we could:
* loose some renego trys missing proper mitigation implementation
* loose some renego trys missing a real vulnerable host if 2/3 of the
tries are lost during session establishment (very slow startup).
Wait for the session to be fully establised before starting the renego
loop.
Reduce wait between reneg test to 0.25s. Still robust and accelerates
the test as now we do up to 10 renego tests.
With the global loop timeout, the backoff identification seem unneeded.
But if we switch to 0.25s, we no longuer trigger the global timeout so
it is still valuable.
Adjust write out messages as bash do not support floating point number
arithmetic.
Dirk Wetter
Jim
Emmanuel Fusté
dependabot[bot]
Maurizio S
Emmanuel Fusté
Odinmylord
Jan Brasna