Fix Darwin / LibreSSL startup problem (3.0)

drwetter · drwetter · commit 37c6d78bfa1e · 2022-02-02T12:20:06.000+01:00
This PR addresses a bug where a user encountered the question "The results might look ok but they could be nonsense. Really proceed". That happened under Darwin and probably some LibreSSL versions when checking some hosts. sclient_auth() returned 1 indicating no SSL/TLS handshake could be established. This PR modifies sclient_auth() so that in those cases 0 is returned by skipping the check for the session ID. As NO_SSL_SESSIONID needs to be set when there's no session ID. This is done separately. This fixes #2052 for 3.0
diff --git a/testssl.sh b/testssl.sh
@@ -18317,26 +18317,30 @@ check_proxy() {
 }
 
 
-# this is only being called from determine_optimal_proto in order to check whether we have a server
-# with client authentication, a server with no SSL session ID switched off
+# This is only being called from determine_optimal_proto() in order to check whether we have a server with
+# client authentication, a server with no SSL session ID switched off -- and as the name indicates a protocol.
+# ARG1 is the return value of openssl s_client connect. (Darwin or LibreSSL may return 1 here)
+# ARG2 is the file name containing the server hello
 #
 sclient_auth() {
-     [[ $1 -eq 0 ]] && return 0                                            # no client auth (CLIENT_AUTH=false is preset globally)
-     if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then           # connect succeeded
-          if grep -q '^<<< .*CertificateRequest' "$2"; then                # CertificateRequest message in -msg
-               CLIENT_AUTH=true
-               return 0
-          fi
-          if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then      # probably no SSL session
-               if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then            # do another sanity check to be sure
+     local -i ret=1
+
+     if [[ $1 -eq 0 ]] ; then
+          ret=0                                                            # no client auth (CLIENT_AUTH=false is preset globally)
+     else
+          if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then      # connect succeeded
+               if grep -q '^<<< .*CertificateRequest' "$2"; then           # CertificateRequest message in -msg
+                    CLIENT_AUTH=true
+                    ret=0
+               elif [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then          # do another sanity check to be sure
                     CLIENT_AUTH=false
-                    NO_SSL_SESSIONID=true                                  # NO_SSL_SESSIONID is preset globally to false for all other cases
-                    return 0
+                    ret=0
                fi
           fi
      fi
-     # what's left now is: master key empty, handshake returned not successful, session ID empty --> not successful
-     return 1
+     [[ $ret -eq 0 ]] && \
+          [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]] && NO_SSL_SESSIONID=true # NO_SSL_SESSIONID is preset globally first
+     return $ret
 }
 
 # Determine the best parameters to use with tls_sockets():
