Skip to content

Commit ad04a90

Browse files
drwetterdrwetter
authored
Merge pull request #2459 from Tazmaniac/client-renego-fix
Secure Client-Initiated Renegotiation : fixes/enhancements
2 parents b6fdfb1 + 67c362c commit ad04a90

1 file changed

Lines changed: 42 additions & 5 deletions

File tree

testssl.sh

Lines changed: 42 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -232,7 +232,8 @@ fi
232232
DISPLAY_CIPHERNAMES="openssl" # display OpenSSL ciphername (but both OpenSSL and RFC ciphernames in wide mode)
233233
declare UA_STD="TLS tester from $SWURL"
234234
declare -r UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0"
235-
SSL_RENEG_ATTEMPTS=${SSL_RENEG_ATTEMPTS:-6} # number of times to check SSL Renegotiation
235+
SSL_RENEG_ATTEMPTS=${SSL_RENEG_ATTEMPTS:-10} # number of times to check SSL Renegotiation
236+
SSL_RENEG_WAIT=${SSL_RENEG_WAIT:-0.25} # time between SSL Renegotiation checks
236237

237238
########### Initialization part, further global vars just being declared here
238239
#
@@ -16956,6 +16957,7 @@ run_renego() {
1695616957
local hint=""
1695716958
local jsonID=""
1695816959
local ssl_reneg_attempts=$SSL_RENEG_ATTEMPTS
16960+
local ssl_reneg_wait=$SSL_RENEG_WAIT
1695916961
# In cases where there's no default host configured we need SNI here as openssl then would return otherwise an error and the test will fail
1696016962

1696116963
"$HAS_TLS13" && [[ -z "$proto" ]] && proto="-no_tls1_3"
@@ -17040,6 +17042,13 @@ run_renego() {
1704017042
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested"
1704117043
sec_client_renego=1
1704217044
else
17045+
# We will need $ERRFILE for mitigation detection
17046+
if [[ $ERRFILE =~ dev.null ]]; then
17047+
ERRFILE=$TEMPDIR/errorfile.txt || exit $ERR_FCREATE
17048+
restore_errfile=1
17049+
else
17050+
restore_errfile=0
17051+
fi
1704317052
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
1704417053
# msg enables us to look deeper into it while debugging
1704517054
echo R | $OPENSSL s_client $(s_client_options "$proto $BUGS $legacycmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
@@ -17064,21 +17073,47 @@ run_renego() {
1706417073
# Mitigations (default values) for:
1706517074
# - node.js allows 3x R and then blocks. So then 4x should be tested.
1706617075
# - F5 BIG-IP ADS allows 5x R and then blocks. So then 6x should be tested.
17076+
# - Stormshield allows 9x and then blocks. So then 10x should be tested.
1706717077
# This way we save a couple seconds as we weeded out the ones which are more robust
1706817078
# Amount of times tested before breaking is set in SSL_RENEG_ATTEMPTS.
1706917079
if [[ $SERVICE != HTTP ]]; then
1707017080
pr_svrty_medium "VULNERABLE (NOT ok)"; outln ", potential DoS threat"
1707117081
fileout "$jsonID" "MEDIUM" "VULNERABLE, potential DoS threat" "$cve" "$cwe" "$hint"
1707217082
else
17073-
(for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep 1; done) | \
17074-
$OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE
17075-
case $? in
17083+
(for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep $ssl_reneg_wait; done) | \
17084+
$OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
17085+
pid=$!
17086+
( sleep $(($ssl_reneg_attempts*3)) && kill $pid && touch $TEMPDIR/was_killed ) >&2 2>/dev/null &
17087+
watcher=$!
17088+
# Trick to get the return value of the openssl command, output redirection and a timeout. Yes, some target hang/block after some tries.
17089+
wait $pid && pkill -HUP -P $watcher
17090+
tmp_result=$?
17091+
# If we are here, we have done two successful renegotiation (-2) and do the loop
17092+
loop_reneg=$(($(grep -ac '^RENEGOTIATING' $ERRFILE )-2))
17093+
if [[ -f $TEMPDIR/was_killed ]]; then
17094+
tmp_result=3
17095+
rm -f $TEMPDIR/was_killed
17096+
else
17097+
# If we got less than 2/3 successful attempts during the loop with 1s pause, we are in presence of exponential backoff.
17098+
if [[ $loop_reneg -le $(($ssl_reneg_attempts*2/3)) ]]; then
17099+
tmp_result=2
17100+
fi
17101+
fi
17102+
case $tmp_result in
1707617103
0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat ($ssl_reneg_attempts attempts)"
1707717104
fileout "$jsonID" "HIGH" "VULNERABLE, DoS threat" "$cve" "$cwe" "$hint"
1707817105
;;
1707917106
1) pr_svrty_good "not vulnerable (OK)"; outln " -- mitigated (disconnect within $ssl_reneg_attempts)"
1708017107
fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
1708117108
;;
17109+
2) pr_svrty_good "not vulnerable (OK)"; \
17110+
outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in ${ssl_reneg_attempts}x${ssl_reneg_wait}s)"
17111+
fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
17112+
;;
17113+
3) pr_svrty_good "not vulnerable (OK)"; \
17114+
outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in $((${ssl_reneg_attempts}*3))s(timeout))"
17115+
fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
17116+
;;
1708217117
*) prln_warning "FIXME (bug): $sec_client_renego ($ssl_reneg_attempts tries)"
1708317118
fileout "$jsonID" "DEBUG" "FIXME (bug $ssl_reneg_attempts tries) $sec_client_renego" "$cve" "$cwe"
1708417119
ret=1
@@ -17104,7 +17139,9 @@ run_renego() {
1710417139
#
1710517140
# https://www.openssl.org/news/vulnerabilities.html#y2009. It can only be tested with OpenSSL <=0.9.8k
1710617141
# Insecure Client-Initiated Renegotiation is missing ==> sockets. When we complete the handshake ;-)
17107-
17142+
if [[ $restore_errfile -eq 1 ]]; then
17143+
ERRFILE="/dev/null"
17144+
fi
1710817145
tmpfile_handle ${FUNCNAME[0]}.txt
1710917146
return $ret
1711017147
}

0 commit comments

Comments
 (0)