LibreSSL does not support the -nextprotoneg option. This commit enhances run_npn() to use tls_sockets() when $HAS_NPN is false, rather than reporting that the check can not be performed.
This commit fixes three lines of code that use Bash substring matching. In each case, a list of strings to match was enclosed in brackets. This resulted in a match if the string to test contained any character from any of the strings to match. This commit fixes the issue by removing the brackets.
(The bugs were introduced in b8e9b09ca7 and 8149c2d5cf)
Some versions of OpenSSL/LibreSSL do not support TLS 1.1 and earlier, either because they do not support the protocol (e.g, `$OEPNSSL s_client -tls1` results in a "unknown option" error) or because the cryptography needed to support these protocol versions (e.g., MD5/SHA1) is not available.
Given the limitations of some versions of $OPENSSL, this commit enhances ticketbleed testing in two ways. First, it performs the testing using the newest (non-TLS 1.3) version supported by the server, so that TLS 1 and TLS 1.1 aren't used unless TLS 1.2 is not supported. Second, it adds tests for whether the protocol version to be used is supported by $OPENSSL and for whether connection attempts were successful, rather than assuming connection attempts succeed.
.... by forbidding spaces in supplied CA files/directories
Also now we're sanitizing the cmd line parameter better using `safe_echo()`
See also #2647 .
For this anotehr variable needed to be passed to starttls_full_read()
via starttls_smtp_dialog, where the variable is defined.
Handling of the connection problem will occur at the calling level, fd_socket(),
so that in the future this can be extended if another STARTTLS problem signals
that we're too fast.
Fixes#2098.
When testing a TLS 1.3 host s_client_options used TLS 1.3 ciphers to test
for NPN. As that is not implemented we nee dto make sure any other version
is used.
This PR ensures that --after testing whether it's a TLS 1.3-only host
where this test doesn't make any sense in the first place.
Fix for #2633
