
Merge pull request #1282 from drwetter/1279_related

Added HAS_ZLIB in run_crime(), declaration of CERT_COMPRESSION fixed
drwetter committed Jun 12, 2019
2 parents 53ecacf + 7a1fb0b commit 6e4abbf33a2a8ccea6b05d9eaf798239b8186939
Showing with 8 additions and 6 deletions.
  1. +8 −6 testssl.sh
@@ -299,8 +299,8 @@ ERRFILE=""
CLIENT_AUTH=false
TLS_TICKETS=false
NO_SSL_SESSIONID=false
CERT_COMPRESSION=false # secret flag to set in addition to --devel for certificate compression
HOSTCERT="" # File with host certificate, without intermediate certificate
CERT_COMPRESSION=${CERT_COMPRESSION:-false} # secret flag to set in addition to --devel for certificate compression
HOSTCERT="" # File with host certificate, without intermediate certificate
HEADERFILE=""
HEADERVALUE=""
HTTP_STATUS_CODE=""
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln
pr_bold " CRIME, TLS " ; out "($cve) "

# first we need to test whether OpenSSL binary has zlib support
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
if [[ $? -eq 0 ]]; then
if ! "$HAS_ZLIB"; then
if "$SSL_NATIVE"; then
prln_local_problem "$OPENSSL lacks zlib support"
fileout "CRIME_TLS" "WARN" "CRIME, TLS: Not tested. $OPENSSL lacks zlib support" "$cve" "$cwe"
local tmp=""
local using_sockets=true

"$do_tls_sockets" && return 0

>$ERRFILE
"$SSL_NATIVE" && using_sockets=false

# arg2: list of cipher suites / hostname/ip
# arg3: hostname/ip
HEX_CIPHER="$TLS12_CIPHER"
# DEBUG=3 ./testssl.sh --devel 04 "13,02, 13,01" google.com --> TLS 1.3
# DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY
# DEBUG=3 ./testssl.sh --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com --> new CHACHA/POLY
# DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0
fi
shift
do_tls_sockets=true
outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}"
outln "\nTLS_LOW_BYTE, HEX_CIPHER: \"${TLS_LOW_BYTE}\", \"${HEX_CIPHER}\""
;;
--wide)
WIDE=true
if [[ "$TLS_LOW_BYTE" == 04 ]]; then
if "$CERT_COMPRESSION"; then
# See PR #1279
[[ $DEBUG -eq 3 ]] && tmln_out "including TLS extension certificate compression"
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01"
else
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"
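Review bot: The `if "$CERT_COMPRESSION"; then` test near the end of this section runs the variable's value as a command, and with the declaration now reading `CERT_COMPRESSION=${CERT_COMPRESSION:-false}` that value comes from the caller's environment. Any value other than `true` or `false` is therefore executed as a command name instead of being rejected, which matters when the script is started by a wrapper or CI job that forwards environment variables. Comparing the string, `if [[ "$CERT_COMPRESSION" == true ]]; then`, keeps the flag working and treats every other value as off. `"$HAS_ZLIB"` and `"$SSL_NATIVE"` are tested the same way, but whether they can be set from the environment is not visible here. The block containing this test starts and ends outside the lines shown.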
