"GOST" problem when running script? #134

Closed
teward opened this issue Jul 13, 2015 · 20 comments

@teward
Contributor

teward commented Jul 13, 2015

Not sure if my testssl.sh is broken, but when I try and run against any site I get output such as this:

% ./testssl.sh www.google.com 443

###########################################################
    testssl.sh       2.5dev from https://testssl.sh/dev/
    (2157342 2015-07-10 10:23:10 -- 1.307)

      This program is free software. Distribution and 
             modification under GPLv2 permitted. 
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.1f 6 Jan 2014" [~115 ciphers] on
 darksource:/usr/bin/openssl
 (built: "Jun 11 15:28:12 2015", platform: "debian-amd64")

Testing now all IP addresses (on port 443): GOST engine already loaded
--------------------------------------------------------------------------------
./testssl.sh: line 2064: GOST: Name or service not known
./testssl.sh: line 2064: /dev/tcp/GOST/443: Invalid argument

Unable to open a socket to GOST:443. 
Ignore? 

Ignoring the "Using OpenSSL 1.0.1f" since I defaulted to the original script and didn't change the $OPENSSL variable to use one of the static-built OpenSSLs included here or my KRB5-enabled build, is this something unique to my system, or are others getting this?

Using the master branch, from an Ubuntu 14.04 (x64) system.

@teward teward changed the title GOST problem? "GOST" problem when running script? Jul 13, 2015
@daveewart

I get the same error when specifying one of the static OPENSSL's too.

Problem started for me with commit 2157342

$ OPENSSL=openssl-bins/openssl-1.0.2-chacha.pm/openssl64-1.0.2pm-static ./testssl.sh MY-FQDN-HOST

###########################################################
    testssl.sh       2.5dev from https://testssl.sh/dev/
    (768cc55 2015-07-12 18:46:27 -- 1.308)

      This program is free software. Distribution and 
             modification under GPLv2 permitted. 
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
 athena:openssl-bins/openssl-1.0.2-chacha.pm/openssl64-1.0.2pm-static
 (built: "Jul  6 18:05:33 2015", platform: "linux-x86_64")

Testing now all IP addresses (on port 443): GOST engine already loaded
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
./testssl.sh: line 2065: GOST: No address associated with hostname
./testssl.sh: line 2065: /dev/tcp/GOST/443: Invalid argument

Unable to open a socket to GOST:443. 
Ignore?  y

Testing now (2015-07-13 16:50) ---> GOST:443 (MY-FQDN-HOST) <---

 further IP addresses:   engine already loaded
 rDNS (GOST):            --

 GOST:443 doesn't seem a TLS/SSL enabled server or it requires a certificate
 Note that the results might look ok but they are nonsense. Proceed ?  y
 Service detected:       Couldn't determine what's running on port 443, assuming no HTTP service, skipping HTTP checks

--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)

 SSLv2      ./testssl.sh: line 2065: GOST: No address associated with hostname
./testssl.sh: line 2065: /dev/tcp/GOST/443: Invalid argument

Unable to open a socket to GOST:443.
 SSLv3      ./testssl.sh: line 2065: GOST: No address associated with hostname
./testssl.sh: line 2065: /dev/tcp/GOST/443: Invalid argument

Unable to open a socket to GOST:443.
rm: missing operand
Try `rm --help' for more information.
 TLS 1      ./testssl.sh: line 2065: GOST: No address associated with hostname
./testssl.sh: line 2065: /dev/tcp/GOST/443: Invalid argument

Unable to open a socket to GOST:443.
rm: missing operand
Try `rm --help' for more information.
 TLS 1.1    ./testssl.sh: line 2065: GOST: No address associated with hostname
./testssl.sh: line 2065: /dev/tcp/GOST/443: Invalid argument

Unable to open a socket to GOST:443.
rm: missing operand
Try `rm --help' for more information.
 TLS 1.2    ./testssl.sh: line 1237: $TMPFILE: ambiguous redirect
./testssl.sh: line 1247: $TMPFILE: ambiguous redirect

@drwetter
Owner

Hi Thomas,

On 07/13/2015 at 05:21 PM, Thomas Ward wrote:

> Ignoring the "Using OpenSSL 1.0.1f" since I defaulted to the original script and didn't change
> the $OPENSSL variable to use one of the static-built OpenSSLs included here or my
> KRB5-enabled build, is this something unique to my system, or are others getting this?

./testssl.sh www.google.com 443
###########################################################
testssl.sh 2.5dev from https://testssl.sh/dev/
(768cc55 2015-07-12 18:46:27 -- 1.308)

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
AAAA:BBBB/openssl64-1.0.2pm-static
(built: "Jul 6 18:05:33 2015", platform: "linux-x86_64")

Testing now all IP addresses (on port 443): 173.194.113.176 173.194.113.178 173.194.113.179

173.194.113.177 173.194.113.180

Testing now (2015-07-13 17:43) ---> 173.194.113.176:443 (www.google.com) <---

further IP addresses: 173.194.113.178 173.194.113.179 173.194.113.177 173.194.113.180
2a00:1450:4007:80d::2004
rDNS (173.194.113.176): ham02s12-in-f16.1e100.net
Service detected: HTTP

--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)

SSLv2 not offered (OK)
SSLv3 offered (NOT ok)
[..]

Note that my release is one ahead of yours but there were only minor changes and
probably not in the function in question...

Could you do a "env | grep -a OPENSSL_CONF" for me on the cmd line?

Cheers, Dirk

@teward
Contributor Author

teward commented Jul 13, 2015

Same issue, @drwetter, even when using the static builds. This happens with www. too, and a declaration of which OpenSSL to use:

% OPENSSL=/home/teward/tools/testssl.sh/openssl-bins/openssl-1.0.2-chacha.pm/openssl64-1.0.2pm-static ./testssl.sh google.com 443

###########################################################
    testssl.sh       2.5dev from https://testssl.sh/dev/
    (2157342 2015-07-10 10:23:10 -- 1.307)

      This program is free software. Distribution and 
             modification under GPLv2 permitted. 
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
 darksource:/home/teward/tools/testssl.sh/openssl-bins/openssl-1.0.2-chacha.pm/openssl64-1.0.2pm-static
 (built: "Jul  6 18:05:33 2015", platform: "linux-x86_64")

Testing now all IP addresses (on port 443): GOST engine already loaded
----------------------------------------------------------------------------------------------------------
./testssl.sh: line 2064: GOST: Name or service not known
./testssl.sh: line 2064: /dev/tcp/GOST/443: Invalid argument

Unable to open a socket to GOST:443. 
Ignore?  

@drwetter
Owner

Could you @teward, @daveewart do a "env | grep -a OPENSSL_CONF" for me on the cmd line pls?

@teward
Contributor Author

teward commented Jul 13, 2015

@drwetter null/empty output here. Ubuntu 14.04 LTS x64

@daveewart

That returns no content on my system: Debian Wheezy, 64-bit.

@drwetter
Owner

On 07/13/2015 at 05:58 PM, Dave Ewart wrote:

> That returns no content on my system: Debian Wheezy, 64-bit.

I can reproduce it on Ubuntu 14.04 now.

Thx for reporting, guys.

bear w/ me..

Dirk

@teward
Contributor Author

teward commented Jul 13, 2015

Gah lag is evil.

No problem, @drwetter, glad to see you're so responsive. I thought for a moment it was my fault, but it was only after a pull and update yesterday that this started happening, so one of the recent commits may have busted things :)

@daveewart

Quick test with git-bisect shows "2157342d89626fec6e518160e2f9b15c0923ca55 is the first bad commit" for me, at least.

@teward
Contributor Author

teward commented Jul 13, 2015

Confirmed that 2157342 is the first bad commit that introduces the problem. (I went the manual method - I git checkout'd the last revision I had prior to the pull, then manually checked out each commit up to the specified one, which is what triggered the problem.)

@drwetter
Owner

That's a tough one.

For some reason under Wheezy and Trusty Tahr `host -t a $NODE` (NODE: www.google.com) returns `GOST engine already loaded` around line 3762. Note that Jessie is fine, Precise Pangolin as well as BSD and CentOS and Opensuse are fine.

@teward
Contributor Author

teward commented Jul 13, 2015

That's... interesting, @drwetter, any idea why it would be doing that? At-a-glance I didn't see anything that could cause that...

Let me spin up my Ubuntu 15.04 and 15.10 VMs and see if it happens there...

@teward
Contributor Author

teward commented Jul 13, 2015

This happens on Ubuntu 15.04 as well. The in-development version of Ubuntu (15.10) does not have this issue.

@drwetter
Owner

dirks@laptop:/tmp/ssltester.lV9lq1|0% export OPENSSL_CONF=gost.conf
dirks@laptop:/tmp/ssltester.lV9lq1|0% nslookup -query=a   testssl.sh
GOST engine already loaded
13-Jul-2015 22:46:01.567 ENGINE_by_id failed (crypto failure)
13-Jul-2015 22:46:01.567 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost
(null): dst_lib_init: crypto failure
dirks@laptop:/tmp/ssltester.lV9lq1|10% host -t a testssl.sh          
GOST engine already loaded
13-Jul-2015 22:46:23.211 ENGINE_by_id failed (crypto failure)
13-Jul-2015 22:46:23.212 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost
host: dst_lib_init: crypto failure
dirks@laptop:/tmp/ssltester.lV9lq1|1% dig +short -t a testssl.sh
GOST engine already loaded
13-Jul-2015 22:46:31.908 ENGINE_by_id failed (crypto failure)
13-Jul-2015 22:46:31.909 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost
dig: dst_lib_init: crypto failure
dirks@laptop:/tmp/ssltester.lV9lq1|10% 

Problem of some Ubuntu/Debian flavors.

Just need to make sure OPENSSL_CONF is not set before any dns query command
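
The fix named in the comment above (keep OPENSSL_CONF out of the environment of DNS query commands), as an added example that is not part of the thread and not testssl.sh's own code. The function names, the `fake_host` stand-in resolver, the host name and the 192.0.2.x addresses are constructed assumptions; the added address validation goes one step beyond what the thread describes.

```shell
#!/bin/sh
# Added example; not testssl.sh code. All function names are hypothetical.

# Constructed stand-in for an affected host(1): with OPENSSL_CONF set it
# prints the engine message on stdout ahead of the answer, as in the thread.
fake_host() {
    if [ -n "${OPENSSL_CONF:-}" ]; then
        echo "GOST engine already loaded"
    fi
    echo "$3 has address 192.0.2.10"
    echo "$3 has address 192.0.2.11"
}

# Succeeds only for a dotted quad with every octet in 0..255.
# The body is a subshell, so the IFS change does not leak to the caller.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
)

# Read "host -t a" style output on stdin; print only validated IPv4 addresses,
# so stray library messages can never be taken for a target address.
extract_ipv4s() {
    while read -r line; do
        case $line in
            *" has address "*) addr=${line##* } ;;
            *) continue ;;
        esac
        if is_ipv4 "$addr"; then printf '%s\n' "$addr"; fi
    done
}

# Run the resolver ($1) for name ($2) with OPENSSL_CONF removed in a subshell
# only, so the caller's setting survives for its later openssl invocations.
resolve_a() {
    resolver=$1 name=$2
    ( unset OPENSSL_CONF; "$resolver" -t a "$name" 2>/dev/null ) | extract_ipv4s
}

OPENSSL_CONF=gost.conf; export OPENSSL_CONF   # constructed, mirrors the reproduction
resolve_a fake_host www.example.test          # prints 192.0.2.10 and 192.0.2.11, one per line
```

With a real resolver the call would be `resolve_a host "$NODE"`.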

@teward
Contributor Author

teward commented Jul 13, 2015 via email

@drwetter
Owner

thx but as I said I just need to make sure OPENSSL_CONF is not set before any dns query command

@teward
Contributor Author

teward commented Jul 13, 2015

OK. If that's all that needs done, then let me know when you need it tested.

Sent from my iPhone. Please excuse any typos, as they are likely to happen by accident.

On Jul 13, 2015, at 16:54, Dirk Wetter notifications@github.com wrote:

> thx but as I said I just need to make sure OPENSSL_CONF is not set before any dns query command


@daveewart

Thanks @drwetter that seems to work for me :-)

@drwetter
Owner

BTW: Thx for reporting.

@teward
Contributor Author

teward commented Jul 14, 2015

@drwetter Confirmed that this is fixed. And no problem, better to report issues than leave them sitting around stagnating and causing issues :)
