mirror of
				https://github.com/drwetter/testssl.sh.git
				synced 2025-10-26 21:31:01 +01:00 
			
		
		
		
	run_ssl_poodle() when OpenSSL doesn't support SSLv3
If the version of OpenSSL being used doesn't support `s_client -ssl3` (e.g., OpenSSL 1.1.0), `run_ssl_poodle()` displays `not vulnerable (OK)` even though it can't test whether the server is vulnerable. This PR fixes it so that a "Local problem" warning is displayed is `s_client -ssl3` isn't supported. The PR also removes the `$SNI` from the call to `$OPENSSL s_client` since OpenSSL ignores the `-servername` directive for `-ssl3` anyways.
This commit is contained in:
		
							parent
							
								
									424cf233d1
								
							
						
					
					
						commit
						7dd1d15e9a
					
				| @ -6447,10 +6447,11 @@ run_ssl_poodle() { | ||||
| 
 | ||||
|      [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln | ||||
|      pr_bold " POODLE, SSL"; out " (CVE-2014-3566)               " | ||||
|      locally_supported "-ssl3" || return 1 | ||||
|      cbc_ciphers=$(actually_supported_ciphers $cbc_ciphers) | ||||
| 
 | ||||
|      debugme echo $cbc_ciphers | ||||
|      $OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null | ||||
|      $OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null | ||||
|      sclient_connect_successful $? $TMPFILE | ||||
|      sclient_success=$? | ||||
|      [[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user