@@ -22468,6 +22468,9 @@ sclient_auth() {
2246822468# (3) This is not a TLS/SSL enabled server.
2246922469# This information can be used by determine_optimal_proto() to help distinguish between a server
2247022470# that is not TLS/SSL enabled and one that is not compatible with the version of OpenSSL being used.
22471+ # The function sets the global ALL_FAILED_SOCKETS. It is mandatory to be set to true unless the user
22472+ # wants to do pure openssl based tests.
22473+ #
2247122474determine_optimal_sockets_params() {
2247222475 local -i ret1=1 ret2=1 ret3=1
2247322476 local i proto cipher_offered
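Review bot: The new header comment on ALL_FAILED_SOCKETS is ambiguous about what "mandatory to be set to true" means: from the later use `! "$all_failed" && "$ALL_FAILED_SOCKETS"` in determine_optimal_proto() the value true appears to mean "every socket-based ClientHello failed", so the sentence reads as if that outcome were required. Presumably the intent is that the variable must be assigned (to true or false) whenever socket tests are in play; if so, `# This function sets the global ALL_FAILED_SOCKETS (true when no socket-based ClientHello succeeded). It must be assigned unless the user runs pure openssl based tests (--ssl-native).` states that without the inversion. The body of determine_optimal_sockets_params() continues outside the hunk.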
@@ -22623,7 +22626,8 @@ determine_optimal_sockets_params() {
2262322626# This function determines (STARTTLS_)OPTIMAL_PROTO. It is basically a workaround function as under certain
2262422627# circumstances a ClientHello without specifying a protocol will fail.
2262522628# Circumstances observed so far: 1.) IIS 6 and openssl 1.0.2 as opposed to 1.0.1 2.) starttls + dovecot imap.
22626- # Independent on the server side it seems reasonable to to know upfront which protocol always works
22629+ # Independent on the server side it seems reasonable to to know upfront which protocol always works.
22630+ # All clientHellos are openssl based here as opposed to determine_optimal_sockets_params() .
2262722631#
2262822632# arg1: if empty: no STARTTLS, else: STARTTLS protocol
2262922633# The first try in the loop is empty as we prefer not to specify always a protocol if we can get along w/o it
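Review bot: The rewritten comment line keeps the duplicated word in "reasonable to to know", and the following new line has a stray space before the full stop after `determine_optimal_sockets_params()`. Suggest `# Independent of the server side it seems reasonable to know upfront which protocol always works.` and `# All ClientHellos are openssl based here, as opposed to determine_optimal_sockets_params().`. determine_optimal_proto() itself starts after this hunk.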
@@ -22770,13 +22774,13 @@ determine_optimal_proto() {
2277022774 elif ! "$HAS_SSL3" && [[ "$(has_server_protocol "ssl3")" -eq 0 ]] && [[ "$(has_server_protocol "tls1_3")" -ne 0 ]] && \
2277122775 [[ "$(has_server_protocol "tls1_2")" -ne 0 ]] && [[ "$(has_server_protocol "tls1_1")" -ne 0 ]] &&
2277222776 [[ "$(has_server_protocol "tls1")" -ne 0 ]]; then
22773- prln_magenta " $NODE:$PORT appears to support SSLv3 ONLY. You better use --openssl=<path_to_openssl_supporting_SSL_3>"
22777+ prln_warning " $NODE:$PORT appears to support SSLv3 ONLY. You better use --openssl=<path_to_openssl_supporting_SSL_3>"
2277422778 fileout "$jsonID" "WARN" "$NODE:$PORT appears to support SSLv3 ONLY, but $OPENSSL does not support SSLv3."
2277522779 ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes"
2277622780 [[ $? -ne 0 ]] && exit $ERR_CLUELESS
2277722781 MAX_OSSL_FAIL=10
2277822782 else
22779- prln_bold " Your OpenSSL cannot connect to $NODEIP:$PORT"
22783+ prln_warning " Your OpenSSL cannot connect to $NODEIP:$PORT"
2278022784 fileout "$jsonID" "WARN" "Your OpenSSL cannot connect to $NODEIP:$PORT."
2278122785 ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes"
2278222786 [[ $? -ne 0 ]] && exit $ERR_CLUELESS
@@ -22795,12 +22799,13 @@ determine_optimal_proto() {
2279522799 ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes"
2279622800 [[ $? -ne 0 ]] && exit $ERR_CLUELESS
2279722801 elif ! "$all_failed" && "$ALL_FAILED_SOCKETS" && ! "$SSL_NATIVE"; then
22798- # For some reason connecting with tls_sockets/sslv2_sockets didn't work, but connecting
22799- # with $OPENSSL s_client did.
22800- # FIXME: Should we include some sort of "please report" note here?
22801- prln_magenta " Testing with $NODE:$PORT only worked using $OPENSSL."
22802- prln_magenta " Test results may be somewhat better if the --ssl-native option is used."
22803- fileout "$jsonID" "WARN" "Testing with $NODE:$PORT only worked using $OPENSSL."
22802+ # Edge case: connecting with tls_sockets/sslv2_sockets didn't work, but connecting with $OPENSSL s_client did.
22803+ # See #2807
22804+ prln_warning "This shouldn't happen (pls report): Testing $NODE:$PORT only succeeded using $OPENSSL."
22805+ prln_warning "But testssl.sh also needs bash sockets to perform its checks correctly.\n"
22806+ outln "You can try to continue using the --ssl-native option but the results are likely not complete."
22807+ outln "Or you can restart using --ssl-native with another openssl version (--openssl <PATH>)."
22808+ fileout "$jsonID" "WARN" "Sockets didn't work. Testing NODE:$PORT only succeeded using $OPENSSL."
2280422809 ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
2280522810 [[ $? -ne 0 ]] && exit $ERR_CLUELESS
2280622811 fi
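Review bot: The new fileout line drops the `$` in front of NODE, so the JSON/CSV record will literally read "Testing NODE:443 ..." instead of carrying the host name, while the prln_warning two lines above correctly expands `$NODE:$PORT`; the machine-readable WARN is what a later reader of the results relies on to see that sockets were unusable for this target. Change it to `fileout "$jsonID" "WARN" "Sockets didn't work. Testing $NODE:$PORT only succeeded using $OPENSSL."`. The two outln lines are not mirrored into fileout, which is probably intended since they are advice rather than a finding, but worth confirming. The enclosing if/elif chain starts before this hunk.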