mirrors/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-08-25 08:21:18 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2870 from testssl/fraction_sleep

Browse Source 
wait_kill() is now 0.1 seconds
This commit is contained in:
Dirk Wetter 2025-07-30 22:29:04 +02:00 committed by GitHub
commit de222f1241
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 26 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
testssl.sh
View File

@ -196,16 +196,16 @@ ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file with a CA in PEM format or
TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else
EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code
PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy PROXY_WAIT=${PROXY_WAIT:-10} # waiting at max 10 seconds for socket reply through proxy
DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this
IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long sec before killing the process to retrieve a service banner / http header
MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
MAX_OSSL_FAIL=${MAX_OSSL_FAIL:-2} # If this many failures for s_client connects are reached we terminate MAX_OSSL_FAIL=${MAX_OSSL_FAIL:-2} # If this many failures for s_client connects are reached we terminate
MAX_STARTTLS_FAIL=${MAX_STARTTLS_FAIL:-2} # max number of STARTTLS handshake failures in plaintext phase MAX_STARTTLS_FAIL=${MAX_STARTTLS_FAIL:-2} # max number of STARTTLS handshake failures in plaintext phase
MAX_HEADER_FAIL=${MAX_HEADER_FAIL:-2} # If this many failures for HTTP GET are encountered we don't try again to get the header MAX_HEADER_FAIL=${MAX_HEADER_FAIL:-2} # If this many failures for HTTP GET are encountered we don't try again to get the header
MAX_WAITSOCK=${MAX_WAITSOCK:-5} # waiting at max 5 seconds for socket reply. There shouldn't be any reason to change this. MAX_WAITSOCK=${MAX_WAITSOCK:-5} # waiting at max 5 seconds for socket reply. There shouldn't be any reason to change this.
QUIC_WAIT=${QUIC_WAIT:-3} # QUIC is UDP. Thus we run the connect in the background. This is how long to wait QUIC_WAIT=${QUIC_WAIT:-3} # QUIC is UDP. Thus we run the connect in the background. This is how long in sec to wait
CCS_MAX_WAITSOCK=${CCS_MAX_WAITSOCK:-5} # for the two CCS payload (each). There shouldn't be any reason to change this. CCS_MAX_WAITSOCK=${CCS_MAX_WAITSOCK:-5} # for the two CCS payload (each). There shouldn't be any reason to change this.
HEARTBLEED_MAX_WAITSOCK=${HEARTBLEED_MAX_WAITSOCK:-8} # for the heartbleed payload. There shouldn't be any reason to change this. HEARTBLEED_MAX_WAITSOCK=${HEARTBLEED_MAX_WAITSOCK:-8} # for the heartbleed payload. There shouldn't be any reason to change this.
STARTTLS_SLEEP=${STARTTLS_SLEEP:-10} # max time wait on a socket for STARTTLS. MySQL has a fixed value of 1 which can't be overwritten (#914) STARTTLS_SLEEP=${STARTTLS_SLEEP:-10} # max time wait on a socket for STARTTLS. MySQL has a fixed value of 1 which can't be overwritten (#914)
@ -1948,7 +1948,7 @@ http_head_printf() {
# $node works here good as it connects via IPv6 first, then IPv4. # $node works here good as it connects via IPv6 first, then IPv4.
# This is a subshell, so fd 8 is not inherited # This is a subshell, so fd 8 is not inherited
bash -c "exec 8<>/dev/tcp/$node/80" 2>/dev/null & bash -c "exec 8<>/dev/tcp/$node/80" 2>/dev/null &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $((HEADER_MAXSLEEP * 10))
if [[ $? -ne 3 ]]; then if [[ $? -ne 3 ]]; then
# process with pid !$ wasn't killed but was that a reject? So we try again # process with pid !$ wasn't killed but was that a reject? So we try again
# to make sure there wasn't a TCP reset # to make sure there wasn't a TCP reset
@ -2234,7 +2234,7 @@ check_revocation_ocsp() {
fi fi
} }
# waits maxsleep seconds (arg2) until process with arg1 (pid) will be killed # waits maxsleep 1/10 seconds (arg2) until process with arg1 (pid) will be killed
# #
# return values # return values
# 0: process terminated before be killed # 0: process terminated before be killed
@ -2250,13 +2250,14 @@ wait_kill(){
return 0 # process terminated before didn't reach $maxsleep return 0 # process terminated before didn't reach $maxsleep
fi fi
[[ "$DEBUG" -ge 6 ]] && ps $pid [[ "$DEBUG" -ge 6 ]] && ps $pid
sleep 1 sleep 0.1
maxsleep=$((maxsleep - 1)) maxsleep=$((maxsleep - 1))
HAD_SLEPT=$((HAD_SLEPT + 1)) HAD_SLEPT=$((HAD_SLEPT + 1))
test $maxsleep -le 0 && break test $maxsleep -le 0 && break
done # needs to be killed: done # needs to be killed:
kill $pid >&2 2>/dev/null kill $pid >&2 2>/dev/null
wait $pid 2>/dev/null # make sure pid terminated, see wait(1p) wait $pid 2>/dev/null # make sure pid terminated, see wait(1p)
HAD_SLEPT=$((HAD_SLEPT/10)) # correct HAD_SLEPT. #FIXME: is only being used by run_http_header()
return 3 # means killed return 3 # means killed
} }
@ -2499,7 +2500,7 @@ service_detection() {
else else
# SNI is not standardized for !HTTPS but fortunately for other protocols s_client doesn't seem to care # SNI is not standardized for !HTTPS but fortunately for other protocols s_client doesn't seem to care
tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$1 -quiet $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE & tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$1 -quiet $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $((HEADER_MAXSLEEP * 10))
was_killed=$? was_killed=$?
fi fi
head $TMPFILE | grep -aq '^HTTP/' && SERVICE=HTTP head $TMPFILE | grep -aq '^HTTP/' && SERVICE=HTTP
@ -2613,7 +2614,7 @@ run_http_header() {
[[ -z "$1" ]] && url="/" || url="$1" [[ -z "$1" ]] && url="/" || url="$1"
tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE & tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $((HEADER_MAXSLEEP * 10))
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
# Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang. # Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang.
# Doing it again in the foreground to get an accurate header time # Doing it again in the foreground to get an accurate header time
@ -6245,7 +6246,7 @@ sub_quic() {
fi fi
OPENSSL_CONF='' $use_openssl s_client -quic -alpn h3 -connect $NODEIP:$PORT -servername $NODE </dev/null \ OPENSSL_CONF='' $use_openssl s_client -quic -alpn h3 -connect $NODEIP:$PORT -servername $NODE </dev/null \
2>$sclient_errfile >$sclient_outfile & 2>$sclient_errfile >$sclient_outfile &
wait_kill $! $QUIC_WAIT wait_kill $! $((QUIC_WAIT * 10))
ret=$? ret=$?
if [[ $ret -eq 3 ]]; then if [[ $ret -eq 3 ]]; then
# process was killed # process was killed
@ -11783,16 +11784,17 @@ starttls_just_send(){
} }
# arg1: (optional): wait time # arg1: (optional): wait time
#
starttls_just_read(){ starttls_just_read(){
local waitsleep=$STARTTLS_SLEEP local waitsleep=${1:-$STARTTLS_SLEEP}
[[ -n "$1" ]] && waitsleep=$1
if [[ "$DEBUG" -ge 2 ]]; then if [[ "$DEBUG" -ge 2 ]]; then
echo "=== just read banner ===" echo "=== just read banner ==="
cat <&5 & cat <&5 &
else else
dd of=/dev/null count=8 <&5 2>/dev/null & dd of=/dev/null count=8 <&5 2>/dev/null &
fi fi
wait_kill $! $waitsleep wait_kill $! $((waitsleep * 10))
return 0 return 0
} }
@ -12363,7 +12365,7 @@ sockread() {
[[ -z "$2" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2 [[ -z "$2" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
SOCK_REPLY_FILE=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7 SOCK_REPLY_FILE=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null & dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null &
wait_kill $! $maxsleep wait_kill $! $((maxsleep * 10))
return $? return $?
} }
@ -18120,13 +18122,14 @@ run_crime() {
# when GET command was stalled or killed (which is no not always used) # when GET command was stalled or killed (which is no not always used)
# and echos "warn_*". It return 0 when everything went ok and echos the # and echos "warn_*". It return 0 when everything went ok and echos the
# compression if any. # compression if any.
#
sub_breach_helper() { sub_breach_helper() {
local get_command="$1" local get_command="$1"
local detected_compression="" local detected_compression=""
local -i was_killed=0 local -i was_killed=0
safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE & safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $((HEADER_MAXSLEEP * 10))
was_killed=$? # !=0 when it was killed was_killed=$? # !=0 when it was killed
detected_compression=$(grep -ia ^Content-Encoding: $TMPFILE) detected_compression=$(grep -ia ^Content-Encoding: $TMPFILE)
detected_compression="$(strip_lf "$detected_compression")" detected_compression="$(strip_lf "$detected_compression")"
@ -22378,7 +22381,7 @@ get_txt_record() {
shouldwedo_ipv6() { shouldwedo_ipv6() {
"$do_ipv4_only" && return 0 "$do_ipv4_only" && return 0
bash -c "exec 5<>/dev/tcp/$1/$PORT" &>/dev/null & bash -c "exec 5<>/dev/tcp/$1/$PORT" &>/dev/null &
wait_kill $! $MAX_WAITSOCK wait_kill $! $((MAX_WAITSOCK * 10))
if [[ $? -eq 3 ]]; then if [[ $? -eq 3 ]]; then
# was killed, so this got stuck # was killed, so this got stuck
IPv6_OK=false IPv6_OK=false
@ -22990,7 +22993,7 @@ determine_optimal_proto() {
$OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI") </dev/null >$TMPFILE 2>>$ERRFILE $OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI") </dev/null >$TMPFILE 2>>$ERRFILE
else else
safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -ign_eof -enable_pha") >$TMPFILE 2>>$ERRFILE & safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$proto $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -ign_eof -enable_pha") >$TMPFILE 2>>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $((HEADER_MAXSLEEP * 10))
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
# Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang. # Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang.
# Doing it again in the foreground to get an accurate return code. # Doing it again in the foreground to get an accurate return code.
@ -23028,7 +23031,7 @@ determine_optimal_proto() {
if [[ "$(has_server_protocol "tls1_2")" -eq 0 ]] || [[ "$(has_server_protocol "tls1_1")" -eq 0 ]] || \ if [[ "$(has_server_protocol "tls1_2")" -eq 0 ]] || [[ "$(has_server_protocol "tls1_1")" -eq 0 ]] || \
[[ "$(has_server_protocol "tls1")" -eq 0 ]] || [[ "$(has_server_protocol "ssl3")" -eq 0 ]]; then [[ "$(has_server_protocol "tls1")" -eq 0 ]] || [[ "$(has_server_protocol "ssl3")" -eq 0 ]]; then
safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -ign_eof -no_tls1_3") >$TEMPDIR/client_auth_test.txt 2>>$ERRFILE & safe_echo "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI -ign_eof -no_tls1_3") >$TEMPDIR/client_auth_test.txt 2>>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $((HEADER_MAXSLEEP * 10))
# If the HTTP properly finished within $HEADER_MAXSLEEP and didn't hang, then # If the HTTP properly finished within $HEADER_MAXSLEEP and didn't hang, then
# do it again in the foreground to get an accurate return code. If it did hang, # do it again in the foreground to get an accurate return code. If it did hang,
# there is no way to test for client authentication, so don't try. # there is no way to test for client authentication, so don't try.