Commit 1b2903e

Improvement for testing curves with several openssl / libressl versions
As noted in #2016 the detection of curves in find_openssl_binary() was not yet perfect. This commit removes another connect call. Also it corrects the port statement for LibreSSL-like pre-checks, as port 0 generally seems to me better suited. Inline documentation was added. It worked so far with OpenSSL 1.0.2, 1.1.1 and 3.0 and LibreSSL 3.4. This is for 3.0. A similar commit (a11bd15) was for 3.1dev, see PR #2020.
1 parent 25a8579 commit 1b2903e

1 file changed

Lines changed: 8 additions & 2 deletions

testssl.sh

@@ -17090,14 +17090,20 @@ find_openssl_binary() {
1709017090

1709117091
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
1709217092

17093-
if $OPENSSL s_client -curves "${curves_ossl[0]}" -connect $NXCONNECT 2>&1 | grep -aiq "unknown option"; then
17093+
# The following statement works with openssl 1.0.2, 1.1.1 and 3.0 as LibreSSL 3.4
17094+
if $OPENSSL s_client -curves 2>&1 | grep -aiq "unknown option"; then
17095+
# This is e.g. for LibreSSL (tested with version 3.4.1): WSL users will get "127.0.0.1:0" here,
17096+
# All other "invalid.:0". We need a port here, in any case!
17097+
# The $OPENSSL connect call deliberately fails: when the curve isn't available with
17098+
# "getaddrinfo: Name or service not known", newer LibreSSL with "Failed to set groups".
1709417099
for curve in "${curves_ossl[@]}"; do
17095-
$OPENSSL s_client -groups $curve -connect ${NXCONNECT%:*}:8443 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups"
17100+
$OPENSSL s_client -groups $curve -connect ${NXCONNECT%:*}:0 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups"
1709617101
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
1709717102
done
1709817103
else
1709917104
HAS_CURVES=true
1710017105
for curve in "${curves_ossl[@]}"; do
17106+
# Same as above, we just don't need a port for invalid.
1710117107
$OPENSSL s_client -curves $curve -connect $NXCONNECT 2>&1 | grep -Eiaq "Error with command|unknown option"
1710217108
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
1710317109
done
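Review bot: the per-curve probes in both loops (the `-groups $curve` line at 17100 and the `-curves $curve` line at 17107) fail open: a curve is appended to OSSL_SUPPORTED_CURVES whenever the output does not match "Error with command|unknown option|Failed to set groups", so any other failure (a differently worded error in a future OpenSSL or LibreSSL release, a localized message, or empty output because the binary exited before printing anything) silently marks an unsupported curve as supported. Consider requiring a positive match on the deliberate-failure text the new comment at 17097 already names ("getaddrinfo: Name or service not known") in addition to the negative match, or at least treating empty output as "not supported". Two smaller points: the new comment at 17093 reads "and 3.0 as LibreSSL 3.4" and presumably means "as well as LibreSSL 3.4"; and `$curve` and `${NXCONNECT%:*}:0` are unquoted in the s_client invocations, while the removed line quoted `"${curves_ossl[0]}"`. Quoting them as `"$curve"` and `"${NXCONNECT%:*}:0"` keeps the two branches consistent and avoids word splitting if either value ever contains whitespace.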
