mirror of
				https://github.com/drwetter/testssl.sh.git
				synced 2025-10-24 21:41:00 +02:00 
			
		
		
		
	- collect more TLS extensions
This commit is contained in:
		
							parent
							
								
									34053e27cd
								
							
						
					
					
						commit
						be079acb5e
					
				
							
								
								
									
										19
									
								
								testssl.sh
									
									
									
									
									
								
							
							
						
						
									
										19
									
								
								testssl.sh
									
									
									
									
									
								
							| @ -5716,7 +5716,7 @@ get_server_certificate() { | |||||||
|      local savedir |      local savedir | ||||||
|      local nrsaved |      local nrsaved | ||||||
| 
 | 
 | ||||||
|      "$HAS_SPDY" && [[ -z $STARTTLS ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\"" |      "$HAS_SPDY" && [[ -z "$STARTTLS" ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\"" | ||||||
| 
 | 
 | ||||||
|      if [[ -n "$2" ]]; then |      if [[ -n "$2" ]]; then | ||||||
|          protocols_to_try="$2" |          protocols_to_try="$2" | ||||||
| @ -5758,11 +5758,21 @@ get_server_certificate() { | |||||||
|           return $success |           return $success | ||||||
|      fi |      fi | ||||||
| 
 | 
 | ||||||
|  |      # this all needs to be moved into determine_tls_extensions() | ||||||
|  |      >$TEMPDIR/tlsext.txt | ||||||
|  |      # first shot w/o any protocol, then in turn we collect all extensions | ||||||
|  |      $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -tlsextdebug -status </dev/null 2>$ERRFILE >$TMPFILE | ||||||
|  |      sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt | ||||||
|      for proto in $protocols_to_try; do |      for proto in $protocols_to_try; do | ||||||
|  |           # we could know here which protcols are supported | ||||||
|           addcmd="" |           addcmd="" | ||||||
|           [[ ! "$proto" =~ ssl ]] && addcmd="$SNI" |           [[ ! "$proto" =~ ssl ]] && addcmd="$SNI" | ||||||
|           $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $npn_params -status </dev/null 2>$ERRFILE >$TMPFILE |           $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $npn_params -status </dev/null 2>$ERRFILE >$TMPFILE | ||||||
|           sclient_connect_successful $? $TMPFILE && success=0 && break |           if sclient_connect_successful $? $TMPFILE; then | ||||||
|  |                success=0 | ||||||
|  |                grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt | ||||||
|  |                break               # now we have the certificate | ||||||
|  |           fi | ||||||
|      done                          # this loop is needed for IIS6 and others which have a handshake size limitations |      done                          # this loop is needed for IIS6 and others which have a handshake size limitations | ||||||
|      if [[ $success -eq 7 ]]; then |      if [[ $success -eq 7 ]]; then | ||||||
|           # "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then: |           # "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then: | ||||||
| @ -5774,6 +5784,7 @@ get_server_certificate() { | |||||||
|                tmpfile_handle $FUNCNAME.txt |                tmpfile_handle $FUNCNAME.txt | ||||||
|                return 7  # this is ugly, I know |                return 7  # this is ugly, I know | ||||||
|           else |           else | ||||||
|  |                grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt | ||||||
|                GOST_STATUS_PROBLEM=true |                GOST_STATUS_PROBLEM=true | ||||||
|           fi |           fi | ||||||
|      fi |      fi | ||||||
| @ -5782,7 +5793,7 @@ get_server_certificate() { | |||||||
|      # this is not beautiful (grep+sed) |      # this is not beautiful (grep+sed) | ||||||
|      # but maybe we should just get the ids and do a private matching, according to |      # but maybe we should just get the ids and do a private matching, according to | ||||||
|      # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml |      # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml | ||||||
|      tls_extensions=$(grep -a 'TLS server extension ' $TMPFILE | \ |      tls_extensions=$(grep -a 'TLS server extension ' $TEMPDIR/tlsext.txt | \ | ||||||
|           sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ |           sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ | ||||||
|               -e 's/,.*$/,/g' -e 's/),$/\"/g' \ |               -e 's/,.*$/,/g' -e 's/),$/\"/g' \ | ||||||
|               -e 's/elliptic curves\/#10/supported_groups\/#10/g') |               -e 's/elliptic curves\/#10/supported_groups\/#10/g') | ||||||
| @ -6589,8 +6600,6 @@ certificate_info() { | |||||||
| # FIXME: Trust (only CN) | # FIXME: Trust (only CN) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| run_server_defaults() { | run_server_defaults() { | ||||||
|      local ciph match_found newhostcert sni |      local ciph match_found newhostcert sni | ||||||
|      local sessticket_str="" |      local sessticket_str="" | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user