While in 3.2 there was only a hint how to deal with TLS 1.3 only hosts, a restart
with --openssl=/usr/bin/openssl or setting of OSSL_SHORTCUT-true was required.
This PR changes the behavior: if an openssl version can be found in /usr/bin/openssl
(or SUPPLIED via OPENSSL2=/home/version/ofopenssl testssl <cmdline>) which
supports TLS 1.3 it switches automatically and informs the user that it has done so.
This message is asynchonous and is implemented with a new function check_msg()
and a global OPEN_MSG, so that we maintain the formatting. Otherwise it would have
appeared between rDNS and service detection. Now it's nicely after service detection.
... for readability and bugs to be filed (fixes#2506)
This PR defines a short string for the OpenSSL banner as some suppliers have made them (unnecessarily) long so that it won't fit nice in the banner anymore.
The banner also now omits the built line from openssl as for the user it is normally not important.
Local and ULA and more IPv6 adresses were incorrectly filtered by ``awk '/^[0-9]/ { print $1 }'``
which searches in the first term for only numeric values.
The PR adds a-f and fixes#2529 .
This commit fixes#2502 in the 3.2 branch by checking that the key_share extension is at least 4 bytes long (8 in ASCII-HEX). These 4 bytes encode the group value (2 bytes) and the length of the key (2 bytes).
When choosing --file or -iL warnings were set in any case to --batch which
needs e.g. crurrenly an interaction when do bacth scanning. This PR enables
to supply WARNINgs / --warnings =off before so that the intercation is mot
needed.
See also #2496.
- In case of multiple IP testing, clear ERRFILE bettween runs
- Zero return value with server connection close should be taken into
account in the looping logic case too. Add it.
- Break the wait loop in case of connection close for faster result.
- Ignore "notAfter" in the wait loop for expired certificates.
- Indentation and tab cleanup.
Tested on 57 url with previously suspicious results with success. No
regressions on 50 others.
There is a race condition if openssl exit during a renego but after
the RENEGOTIATING printing.
In this case we could issue a R before the process exit and be blocked
in the waiting loop.
With the safety guards in place (loop count + timeout) this is harmless
but not optimal.
Fix this by:
- reordering the sleep vs echo to let the process exit and catch the
pipe error more frequently.
- exit the while loop if RENEGOTIATING is not the last log line. We
will catch the pipe error on the next for loop echo.
- correct the k variable initialisation
- correct the for (( ; ; )) variable $ convention usage
- reduce the while loop count limit to 120 to align with the global
timeout
The heuristic is too fragile and timing dependant.
- As for the initial TLS negociation, wait for the result of the
renegociation request before sending the next one.
- Remove the result ratio calculation and message as we now reach the
timeout in case of exponential backoff or connection hang.
This commit depend on the fix of the timeout, broken by the zombi fix.
The zombi fix did too much modifications breaking the global time-out
function.
As the wait $pid failed, we no longer create the watchdog file.
Fix by reverting unnecessary changes.
The actual code grep for "MongoDB" keyword in the head of the HTTP
session.
In case of "compressed" HTML, a big page is on one line.
On a IT page, we could encounter the "MongoDB" keyword and
miss-identify the application protocol.
Fixed by matching on a longuer string taken from a live MogoDB
server.
OpenSSL will buffer only the first command till the establishment of the
session.
In case of slow session establishment, we could:
* loose some renego trys missing proper mitigation implementation
* loose some renego trys missing a real vulnerable host if 2/3 of the
tries are lost during session establishment (very slow startup).
Wait for the session to be fully establised before starting the renego
loop.
Reduce wait between reneg test to 0.25s. Still robust and accelerates
the test as now we do up to 10 renego tests.
With the global loop timeout, the backoff identification seem unneeded.
But if we switch to 0.25s, we no longuer trigger the global timeout so
it is still valuable.
Adjust write out messages as bash do not support floating point number
arithmetic.
Some site hang/block the connection after some renego reties
Example: https://feedback.amadeus.com
Hand written timeout logic because:
- we want to get the result of the command in case of normal exit
- we want to have working log fd redirection
- we want to known the timeout condition
