OpenSSL will buffer only the first command till the establishment of the
session.
In case of slow session establishment, we could:
* loose some renego trys missing proper mitigation implementation
* loose some renego trys missing a real vulnerable host if 2/3 of the
tries are lost during session establishment (very slow startup).
Wait for the session to be fully establised before starting the renego
loop.
Reduce wait between reneg test to 0.25s. Still robust and accelerates
the test as now we do up to 10 renego tests.
With the global loop timeout, the backoff identification seem unneeded.
But if we switch to 0.25s, we no longuer trigger the global timeout so
it is still valuable.
Adjust write out messages as bash do not support floating point number
arithmetic.
Some site hang/block the connection after some renego reties
Example: https://feedback.amadeus.com
Hand written timeout logic because:
- we want to get the result of the command in case of normal exit
- we want to have working log fd redirection
- we want to known the timeout condition
If a user chose a broken umask testssl.sh will start but emits
subsequent errors.
This patch adds two sanity checks whether it is allowed to create
and read files in the temp directory.
Fixes#2449
As suggested in #1844, this commit changes testssl.sh so that the parent process quits immediately if there is an error in the command line for one of the child processes.
Currently, a signal is sent to the parent process to quit if the child process encounters an error and calls help(), but sometimes parse_cmd_line() just prints an error message and calls fatal() rather than help(), in which case the parent process does not stop. This commit addresses the issue by creating a new function, fatal_cmd_line(), which is almost the same as fatal(), but additionally sends a signal to the parent indicating that the parent should stop. This commit also changes calls to fatal() to calls to fatal_cmd_line() if json_header(), csv_header(), html_header(), or prepare_logging() encounter a problem. The same is done if prettyprint_local() with the command-line option provided for it.
There may be other places in which it would be appropriate to call fatal_cmd_line() rather than fatal() (e.g., in parse_hn_port() or check_proxy()), but those changes are not made in this commit.
What was problematic was the error message when the certificate
stores were missing. This fixes it by redirecting the error
message to /dev/null so that if the sub function detects the missing
file it returns with an error by the program and not by executing
"basename"
Emmanuel Fusté
Dirk Wetter
Odinmylord
Jan Brasna
dependabot[bot]
David Cooper