
Fix issues with run_protocols() in --ssl-native mode #1369

Merged
merged 5 commits into from Nov 9, 2019

Conversation

@dcooper16
Contributor

dcooper16 commented Nov 6, 2019

This PR fixes a minor problem with run_protocols() in "--ssl-native" mode if $OPENSSL does not support TLS 1.3. Currently, the warning message that $OPENSSL does not support a protocol is printed when run_prototest_openssl() is called. This causes a problem for the output if $OPENSSL does not support TLS 1.3, since run_prototest_openssl() is called before the results for TLS 1.2 are printed. The result is something like this:

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
Local problem: /home/cooper/Desktop/testssl.sh/bin/openssl.Linux.x86_64 doesn't support "s_client -tls1_3"
 TLS 1.2    offered (OK)
 TLS 1.3     NPN/SPDY   not offered
 ALPN/HTTP2 http/1.1 (offered)

This PR moves the printing of the warning message to run_protocols() in order to fix the problem.

dcooper16 added 5 commits Nov 6, 2019
This PR fixes a minor problem with run_protocols() in "--ssl-native" mode if $OPENSSL does not support TLS 1.3. Currently, the warning message that $OPENSSL does not support a protocol is printed when run_prototest_openssl() is called. This causes a problem for the output if $OPENSSL does not support TLS 1.3, since run_prototest_openssl() is called before the results for TLS 1.2 are printed. The result is something like this:

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
Local problem: /home/cooper/Desktop/testssl.sh/bin/openssl.Linux.x86_64 doesn't support "s_client -tls1_3"
 TLS 1.2    offered (OK)
 TLS 1.3     NPN/SPDY   not offered
 ALPN/HTTP2 http/1.1 (offered)

run_prototest_openssl() currently checks only stdout for the string "no cipher list", which is an indication that the server supports SSLv2, but no ciphers for that protocol. However, the output that includes "no cipher list" is sent to stderr.

If --ssl-native is being used and the server supports SSLv2, but does not support any SSLv2 ciphers, there is a missing line break after the warning message is printed.

run_prototest_openssl() currently calls "$OPENSSL s_client" twice, once with $PROXY and once without. The problem is that the results of the first call are just ignored. This commit changes run_prototest_openssl() so that the attempt without $PROXY is only tried if the first attempt was unsuccessful.
@dcooper16 dcooper16 changed the title Fix issue with run_protocols() in --ssl-native mode Fix issues with run_protocols() in --ssl-native mode Nov 7, 2019
@dcooper16


Contributor Author

dcooper16 commented Nov 7, 2019

I just added a few more commits that address issues related to run_protocols() in --ssl-native mode. Most of the issues are in the run_prototest_openssl() function.

  • The first commit just fixes a couple of typos in a comment.
  • The second commit fixes run_prototest_openssl()'s ability to detect when the server supports SSLv2, but does not support any SSLv2 ciphers.
  • The third commit fixes a missing line break if the server supports SSLv2, but does not support any SSLv2 ciphers, and --ssl-native is being used.
  • The fourth commit fixes a problem in run_prototest_openssl() where $OPENSSL s_client is being called twice and the results of the first call are ignored.

In the case of the fourth commit, it is not clear why run_prototest_openssl() needs to try calling $OPENSSL s_client twice. If the attempt to connect to the server using $PROXY is unsuccessful, is it necessary to try again without $PROXY? This doesn't seem to be done anywhere else?
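An added shell example (not testssl.sh's own code) that models the three behaviours the PR description and the commit list above fix: merging stderr into the captured output so "no cipher list" is actually detected, retrying without $PROXY only when the proxied attempt fails, and leaving the "Local problem" message to the caller so it lands beside the right protocol line. fake_s_client, its messages, the numeric return codes and the proxy value are constructed assumptions standing in for "$OPENSSL s_client".

```shell
# Constructed stand-in for "$OPENSSL s_client" so the example runs offline.
# Assumed: exit 0 on a handshake, "no cipher list" on stderr when SSLv2 is
# offered without usable ciphers, "unknown option" on stderr when the local
# binary lacks the protocol, and a failing connect through any proxy.
fake_s_client() {
    case "$*" in
        *-tls1_3*) echo 'unknown option -tls1_3' >&2; return 1 ;;
        *-proxy*)  echo 'connect:errno=111' >&2;    return 1 ;;
        *-ssl2*)   echo 'no cipher list' >&2;       return 1 ;;
        *)         echo 'CONNECTED(00000003)';       return 0 ;;
    esac
}
# Probe one protocol option. Returns 0 = offered, 1 = not offered,
# 3 = SSLv2 offered but without ciphers, 7 = local openssl lacks the option.
# stderr is merged into the captured output so "no cipher list" is seen,
# and the direct attempt runs only when the attempt through $PROXY failed.
prototest_openssl() {
    local proto="$1" out="" rc=1
    if [ -n "${PROXY:-}" ]; then
        out=$(fake_s_client -proxy "$PROXY" "$proto" 2>&1) && rc=0 || rc=$?
    fi
    if [ "$rc" -ne 0 ]; then
        out=$(fake_s_client "$proto" 2>&1) && rc=0 || rc=$?
    fi
    case "$out" in
        *"unknown option"*) return 7 ;;
        *"no cipher list"*) return 3 ;;
    esac
    return "$rc"
}
# The line run_protocols() prints for a result. The probe itself prints
# nothing, so the "Local problem" note sits on its own protocol's line.
proto_status() {
    local rc=0
    prototest_openssl "$1" || rc=$?
    case "$rc" in
        0) echo "offered" ;;
        3) echo "offered, but no ciphers" ;;
        7) echo "Local problem: openssl doesn't support \"s_client $1\"" ;;
        *) echo "not offered" ;;
    esac
}
run_protocols() {
    for p in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf ' %-8s %s\n' "${p#-}" "$(proto_status "$p")"
    done
}
PROXY="proxy.example:3128"   # constructed value; the stub always refuses it
run_protocols
```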

@drwetter drwetter merged commit 5c39cea into drwetter:3.0 Nov 9, 2019
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
@drwetter


Owner

drwetter commented Nov 9, 2019

Thanks, David!

@drwetter


Owner

drwetter commented Nov 9, 2019

If the attempt to connect to the server using $PROXY is unsuccessful, is it necessary to try again without $PROXY? This doesn't seem to be done anywhere else?

Can't tell anymore. I suspect it had something to do with the protocol, but a) the use case of a proxy normally is that a proxy is needed, as otherwise one can't get beyond the proxy, and b) I can't reproduce that.

@dcooper16 dcooper16 deleted the dcooper16:run_protocols_ssl_native1 branch Nov 12, 2019