In the wait loop, I was relying on a 1s sleep to eliminate a possible
late zero return value server close on the last attempt.
- do globaly one more harmless "for" iteration
and remove the sleep 1 for faster and more robust result
- correct the non HTTP case iteration value
- adjust the timeout to the conservative 6s in the non HTTP case,
for HTTP case it become 33s
- improve comments
All cases could be handled by the single openssl s_client invocation
loop:
- dispatch and adjust comments to not loose them
- remove the first s_client invocation: stuck connections are allready
handled by the main loop
- remove the second s_client invocation: normal case and server closed
connections are allready handled by the main loop. The loop take care
of the race between server connection close and s_client terminating
too by doing another loop run, not closing STDIN.
- special non HTTP case equivalent to ssl_reneg_attempts=2
- specialcase only the HTTP result printing to not change the output
- openssl-timeout option clashe badly with the main loop logic:
Introduce $OPENSSL_NOTIMEOUT
This commit adds support for the two cipher suites in RFC 9150, TLS_SHA256_SHA256 and TLS_SHA384_SHA384. These are authentication and integrity-only cipher suites.
LibreSSL 4.0.0 was recently released. This commit modified the version check in determine_trust() so that there isn't an incorrect warning suggesting that LibreSSL 4.0.0 "<= 1.0.2 might be too unreliable to determine trust."
This commit modifies check_revocation_ocsp() to check the revocation status of a certificate in a stapled OCSP response whether the response uses SHA-1 or SHA-256 in CertID.
In rare cases testssl.sh writes in the terminal output "likely not offered" but
misses the "likely" in the json/csv output.
This fixes#2575 by adding that word and amending the return value 4 with
a comment.
While in 3.2 there was only a hint how to deal with TLS 1.3 only hosts, a restart
with --openssl=/usr/bin/openssl or setting of OSSL_SHORTCUT-true was required.
This PR changes the behavior: if an openssl version can be found in /usr/bin/openssl
(or SUPPLIED via OPENSSL2=/home/version/ofopenssl testssl <cmdline>) which
supports TLS 1.3 it switches automatically and informs the user that it has done so.
This message is asynchonous and is implemented with a new function check_msg()
and a global OPEN_MSG, so that we maintain the formatting. Otherwise it would have
appeared between rDNS and service detection. Now it's nicely after service detection.
... for readability and bugs to be filed (fixes#2506)
This PR defines a short string for the OpenSSL banner as some suppliers have made them (unnecessarily) long so that it won't fit nice in the banner anymore.
The banner also now omits the built line from openssl as for the user it is normally not important.
Local and ULA and more IPv6 adresses were incorrectly filtered by ``awk '/^[0-9]/ { print $1 }'``
which searches in the first term for only numeric values.
The PR adds a-f and fixes#2529 .
This commit fixes#2502 in the 3.2 branch by checking that the key_share extension is at least 4 bytes long (8 in ASCII-HEX). These 4 bytes encode the group value (2 bytes) and the length of the key (2 bytes).
When choosing --file or -iL warnings were set in any case to --batch which
needs e.g. crurrenly an interaction when do bacth scanning. This PR enables
to supply WARNINgs / --warnings =off before so that the intercation is mot
needed.
See also #2496.
- In case of multiple IP testing, clear ERRFILE bettween runs
- Zero return value with server connection close should be taken into
account in the looping logic case too. Add it.
- Break the wait loop in case of connection close for faster result.
- Ignore "notAfter" in the wait loop for expired certificates.
- Indentation and tab cleanup.
Tested on 57 url with previously suspicious results with success. No
regressions on 50 others.
There is a race condition if openssl exit during a renego but after
the RENEGOTIATING printing.
In this case we could issue a R before the process exit and be blocked
in the waiting loop.
With the safety guards in place (loop count + timeout) this is harmless
but not optimal.
Fix this by:
- reordering the sleep vs echo to let the process exit and catch the
pipe error more frequently.
- exit the while loop if RENEGOTIATING is not the last log line. We
will catch the pipe error on the next for loop echo.
- correct the k variable initialisation
- correct the for (( ; ; )) variable $ convention usage
- reduce the while loop count limit to 120 to align with the global
timeout
The heuristic is too fragile and timing dependant.
- As for the initial TLS negociation, wait for the result of the
renegociation request before sending the next one.
- Remove the result ratio calculation and message as we now reach the
timeout in case of exponential backoff or connection hang.
This commit depend on the fix of the timeout, broken by the zombi fix.
The zombi fix did too much modifications breaking the global time-out
function.
As the wait $pid failed, we no longer create the watchdog file.
Fix by reverting unnecessary changes.
