
Commit 16efbd6

Merge pull request #2476 from akabe1/3.2
Fix mtls option location in s_client_options() and code cleanup
2 parents db9aa23 + a1dae24 commit 16efbd6

1 file changed

Lines changed: 11 additions & 26 deletions


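--- a/testssl.sh
+++ b/testssl.sh
@@ -2306,6 +2306,12 @@ s_client_options() {
 fi
 fi
 fi
+
+# In case of mutual TLS authentication is required by the server
+# Note: the PEM certificate file must contain: client certificate and key (not encrypted)
+if [[ -n "$MTLS" ]]; then
+options+=" -cert $MTLS"
+fi
 
 # OpenSSL's name for secp256r1 is prime256v1. So whenever we encounter this
 # (e.g. client simulations) we replace it with the name which OpenSSL understands
@@ -2317,11 +2323,6 @@ s_client_options() {
 fi
 tm_out "$options"
 
-# In case of mutual TLS authentication is required by the server
-# Note: the PEM certificate file must contain: client certificate and certificate key (not encrypted)
-if [[ -n "$MTLS" ]]; then
-options+=" -cert $MTLS"
-fi
 }
 
 ###### check code starts here ######
@@ -2440,7 +2441,6 @@ run_http_header() {
 local url redirect
 local jsonID="HTTP_status_code"
 local spaces=" "
-local cert_option=""
 
 HEADERFILE=$TEMPDIR/$NODEIP.http_header.txt
 if [[ $NR_HEADER_FAIL -eq 0 ]]; then
@@ -2456,16 +2456,12 @@ run_http_header() {
 pr_bold " HTTP Status Code "
 [[ -z "$1" ]] && url="/" || url="$1"
 
-# Set -cert option value if mTLS authentication is selected
-if [[ ! -z "$MTLS" ]]; then
-cert_option="-cert $MTLS"
-fi
-tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
+tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
 wait_kill $! $HEADER_MAXSLEEP
 if [[ $? -eq 0 ]]; then
 # Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang.
 # Doing it again in the foreground to get an accurate header time
-tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE
+tm_out "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE
 NOW_TIME=$(date "+%s")
 HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
 HTTP_AGE=$(awk -F': ' '/^[aA][gG][eE]: / { print $2 }' $HEADERFILE)
@@ -6726,12 +6722,6 @@ sub_session_resumption() {
 local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
 local -a rw_line
 local protocol="$1"
-local cert_option=""
-
-# Set -cert option value if mTLS authentication is selected
-if [[ ! -z "$MTLS" ]]; then
-cert_option="-cert $MTLS"
-fi
 
 if [[ "$2" == ID ]]; then
 local byID=true
@@ -6761,7 +6751,7 @@ sub_session_resumption() {
 addcmd+=" $protocol"
 fi
 
-$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $cert_option $addcmd -sess_out $sess_data") </dev/null &>$tmpfile
+$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>$tmpfile
 ret1=$?
 if [[ $ret1 -ne 0 ]]; then
 # MacOS and LibreSSL return 1 here, that's why we need to check whether the handshake contains e.g. a certificate
@@ -6779,7 +6769,7 @@ sub_session_resumption() {
 # [[ ! $(<$sess_data) =~ -----.*\ SSL\ SESSION\ PARAMETERS----- ]]
 ret=2
 else
-$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $cert_option $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
+$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
 ret2=$?
 if [[ $DEBUG -ge 2 ]]; then
 echo -n "$ret1, $ret2, "
@@ -17292,13 +17282,8 @@ sub_breach_helper() {
 local get_command="$1"
 local detected_compression=""
 local -i was_killed=0
-local cert_option=""
 
-# Set -cert option value if mTLS authentication is selected
-if [[ ! -z "$MTLS" ]]; then
-cert_option="-cert $MTLS"
-fi
-safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS $cert_option -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
+safe_echo "$get_command" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
 wait_kill $! $HEADER_MAXSLEEP
 was_killed=$? # !=0 when it was killed
 detected_compression=$(grep -ia ^Content-Encoding: $TMPFILE)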
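Review bot: The new `options+=" -cert $MTLS"` in s_client_options() (the function begins before the first hunk) appends the path without any check that the file exists and is readable, so unless option parsing, which is outside this diff, already validates it, a wrong path only shows up as an OpenSSL error in $ERRFILE on every handshake testssl.sh makes, which is hard to diagnose. A one-line guard such as `[[ -r "$MTLS" ]] || <abort with the script's usual fatal-error path>`, either here or once where --mtls is parsed, would catch that early, and since the comment requires the private key to be stored unencrypted in that PEM, the same place is a natural spot to warn when the file is group- or world-readable. The comment would also be clearer about why a combined file is required: `# no -key is passed, so OpenSSL reads the private key from the -cert file too`. Note too that the returned string is word-split by every caller's `$(s_client_options ...)`, so a certificate path containing whitespace cannot work; that limitation is worth a sentence in the option's help text.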
