Skip to content

Commit 61d0189

Browse files
drwetterdrwetter
authored
Merge pull request #2969 from testssl/mitigate_2083
Mitigate inconsistent test results for ROBOT
2 parents 28baa6b + 6cd5b43 commit 61d0189

1 file changed

Lines changed: 7 additions & 1 deletion

File tree

testssl.sh

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -209,6 +209,7 @@ MAX_WAITSOCK=${MAX_WAITSOCK:-5} # waiting at max 5 seconds for socket re
209209
QUIC_WAIT=${QUIC_WAIT:-3} # QUIC is UDP. Thus we run the connect in the background. This is how long in sec to wait
210210
CCS_MAX_WAITSOCK=${CCS_MAX_WAITSOCK:-5} # for the two CCS payload (each). There shouldn't be any reason to change this.
211211
HEARTBLEED_MAX_WAITSOCK=${HEARTBLEED_MAX_WAITSOCK:-8} # for the heartbleed payload. There shouldn't be any reason to change this.
212+
ROBOT_TIMEOUT=${ROBOT_TIMEOUT:5} # Initial timeout for ROBOT check
212213
STARTTLS_SLEEP=${STARTTLS_SLEEP:-10} # max time wait on a socket for STARTTLS. MySQL has a fixed value of 1 which can't be overwritten (#914)
213214
FAST_STARTTLS=${FAST_STARTTLS:-true} # at the cost of reliability decrease the handshakes for STARTTLS
214215
USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
@@ -20669,7 +20670,7 @@ run_robot() {
2066920670
local -i i subret len iteration testnum pubkeybytes
2067020671
local pubkeybits
2067120672
local vulnerable=false send_ccs_finished=true
20672-
local -i start_time end_time robottimeout=$MAX_WAITSOCK
20673+
local -i start_time end_time robottimeout=$ROBOT_TIMEOUT
2067320674
local cve="CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168"
2067420675
local cwe="CWE-203"
2067520676
local jsonID="ROBOT"
@@ -20839,6 +20840,11 @@ run_robot() {
2083920840
end_time=$(LC_ALL=C date "+%s")
2084020841
resp=$(hexdump -v -e '16/1 "%02x"' "$SOCK_REPLY_FILE")
2084120842
response[testnum]="${resp%%[!0-9A-F]*}"
20843+
# TLS alert length seems to vary sometimes within this loop which leads to
20844+
# wrong test results, see #2083. Thus we cut this here to length 14, if
20845+
# it's a TLS alert with the length of 2
20846+
[[ ${response[testnum]::2} == 15 ]] && [[ ${response[testnum]:10:2} == 02 ]] &&
20847+
response[testnum]=${response[testnum]::14}
2084220848
# The first time a response is received to a client key
2084320849
# exchange message, measure the amount of time it took to
2084420850
# receive a response and set the timeout value for future

0 commit comments

Comments
 (0)