Skip to content

Commit 410b3ac

Browse files
author
David Cooper
committed
OpenSSL 4 compatibility
According to https://openssl-library.org/roadmap/index.html, OpenSSL 4 is scheduled to be released in April 2026. This commit modifies code that checks $OPENSSL version numbers so that versions 4 and above will be recognized.
1 parent f34b81e commit 410b3ac

1 file changed

Lines changed: 16 additions & 18 deletions

File tree

testssl.sh

Lines changed: 16 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -2083,7 +2083,7 @@ check_revocation_ocsp() {
20832083
if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
20842084
host_header="-header Host ${host_header}"
20852085
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \
2086-
[[ $OSSL_VER_MAJOR == 3 ]]; then
2086+
[[ $OSSL_VER_MAJOR -ge 3 ]]; then
20872087
host_header="-header Host=${host_header}"
20882088
else
20892089
host_header="-header Host ${host_header}"
@@ -4443,7 +4443,7 @@ ciphers_by_strength() {
44434443
ossl_ciphers_proto=""
44444444
elif [[ $proto == -ssl2 ]] || [[ $proto == -ssl3 ]] || \
44454445
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \
4446-
[[ $OSSL_VER_MAJOR == 3 ]]; then
4446+
[[ $OSSL_VER_MAJOR -ge 3 ]]; then
44474447
ossl_ciphers_proto="$proto"
44484448
else
44494449
ossl_ciphers_proto="-tls1"
@@ -6852,7 +6852,7 @@ sub_session_resumption() {
68526852
fi
68536853
fi
68546854
if "$byID" && [[ ! "$OSSL_NAME" =~ LibreSSL ]] && \
6855-
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* || $OSSL_VER_MAJOR == 3 ]] && \
6855+
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* || $OSSL_VER_MAJOR -ge 3 ]] && \
68566856
[[ ! -s "$sess_data" ]]; then
68576857
# it seems OpenSSL indicates no Session ID resumption by just not generating output
68586858
debugme echo -n "No session resumption byID (empty file)"
@@ -7706,15 +7706,13 @@ determine_trust() {
77067706
# and the output should should be indented by two more spaces.
77077707
[[ -n $json_postfix ]] && spaces=" "
77087708

7709-
case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
7710-
1.0.2|1.1.0|1.1.1|2.[1-9].*|3.*|4.*) # 2.x is LibreSSL. 2.1.1 was tested to work, below is not sure
7711-
:
7712-
;;
7713-
*) addtl_warning="Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust"
7714-
fileout "${jsonID}${json_postfix}" "WARN" "$addtl_warning"
7715-
addtl_warning="(${addtl_warning})"
7716-
;;
7717-
esac
7709+
if [[ $OSSL_VER_MAJOR -lt 3 ]] && [[ "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" != 1.0.2 ]] && \
7710+
[[ "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" != 1.1.* ]] && [[ "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" != 2.[1-9].* ]]; then
7711+
# 2.x is LibreSSL. 2.1.1 was tested to work, below is not sure
7712+
addtl_warning="Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust"
7713+
fileout "${jsonID}${json_postfix}" "WARN" "$addtl_warning"
7714+
addtl_warning="(${addtl_warning})"
7715+
fi
77187716
debugme tmln_out
77197717

77207718
# if you run testssl.sh from a different path /you can set either TESTSSL_INSTALL_DIR or CA_BUNDLES_PATH to find the CA BUNDLES
@@ -12503,7 +12501,7 @@ hmac() {
1250312501
local key="$2" text="$3" output
1250412502
local -i ret
1250512503

12506-
if [[ ! "$OSSL_NAME" =~ LibreSSL ]] && [[ $OSSL_VER_MAJOR == 3 ]]; then
12504+
if [[ ! "$OSSL_NAME" =~ LibreSSL ]] && [[ $OSSL_VER_MAJOR -ge 3 ]]; then
1250712505
output="$(hex2binary "$text" | $OPENSSL mac -macopt digest:"${hash_fn/-/}" -macopt hexkey:"$key" HMAC 2>/dev/null)"
1250812506
ret=$?
1250912507
tm_out "$(strip_lf "$output")"
@@ -12524,7 +12522,7 @@ hmac-transcript() {
1252412522
local key="$2" transcript="$3" output
1252512523
local -i ret
1252612524

12527-
if [[ ! "$OSSL_NAME" =~ LibreSSL ]] && [[ $OSSL_VER_MAJOR == 3 ]]; then
12525+
if [[ ! "$OSSL_NAME" =~ LibreSSL ]] && [[ $OSSL_VER_MAJOR -ge 3 ]]; then
1252812526
output="$(hex2binary "$transcript" | \
1252912527
$OPENSSL dgst "$hash_fn" -binary 2>/dev/null | \
1253012528
$OPENSSL mac -macopt digest:"${hash_fn/-/}" -macopt hexkey:"$key" HMAC 2>/dev/null)"
@@ -20477,9 +20475,9 @@ find_openssl_binary() {
2047720475
OSSL_NAME=${OSSL_NAME// /}
2047820476

2047920477
# see #190, reverting logic: unless otherwise proved openssl has no dh bits
20480-
case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in
20481-
1.0.2|1.1.0|1.1.1|3.*) HAS_DH_BITS=true ;;
20482-
esac
20478+
if [[ $OSSL_VER_MAJOR -ge 3 ]] || [[ "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" == 1.1.* ]] || [[ "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" == 1.0.2 ]]; then
20479+
HAS_DH_BITS=true
20480+
fi
2048320481

2048420482
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
2048520483

@@ -20625,7 +20623,7 @@ find_openssl_binary() {
2062520623
# not check /usr/bin/openssl -- if available. This is more a kludge which we shouldn't use for
2062620624
# every openssl feature. At some point we need to decide which with openssl version we go.
2062720625
# We also check, whether there's /usr/bin/openssl which has TLS 1.3
20628-
if [[ ! "$OSSL_NAME" =~ LibreSSL ]] && [[ ! $OSSL_VER =~ 1.1.1 ]] && [[ ! $OSSL_VER_MAJOR =~ 3 ]]; then
20626+
if [[ ! "$OSSL_NAME" =~ LibreSSL ]] && [[ ! $OSSL_VER =~ 1.1.1 ]] && [[ $OSSL_VER_MAJOR -lt 3 ]]; then
2062920627
if [[ -x $OPENSSL2 ]]; then
2063020628
$OPENSSL2 s_client -help 2>$s_client_has2
2063120629
$OPENSSL2 s_client -starttls foo 2>$s_client_starttls_has2

0 commit comments

Comments
 (0)