Commit b9271ba
authored
Fix infinite loop in run_pfs()
This commit fixes an infinite loop in run_pfs() that occurs in cases in which $OPENSSL supports TLS 1.3 and the server supports all of the non-TLS 1.3 FS ciphers that $OPENSSL supports but not all of the TLS 1.3 ciphers that $OPENSSL supports.
The problem is that testing for supported ciphers using $OPENSSL, testing should stop if there are no more ciphers to test (because all of the ciphers supported by $OPENSSL have been determined to be supported by the server). However, currently testing only stops if both the list of TLS 1.3 ciphers and non-TLS 1.3 ciphers is empty. In the problematic case, only the list of non-TLS 1.3 ciphers is empty. Instead of stopping, s_client_options() is called with a -cipher option with an empty list, and s_client_options() simply removes the -cipher option from the command, resulting in a call to $OPENSSL s_client with a full list of non-TLS 1.3 ciphers. Since this call succeeds, the loop continues.
This commit fixes the problem by stopping TLS 1.3 ClientHello testing when the list of TLS 1.3 ciphers is empty and stopping non-TLS 1.3 ClientHello testing when the list of non-TLS 1.3 ciphers is empty.1 parent abdd51d commit b9271ba
1 file changed
Lines changed: 6 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9711 | 9711 | | |
9712 | 9712 | | |
9713 | 9713 | | |
9714 | | - | |
| 9714 | + | |
| 9715 | + | |
| 9716 | + | |
| 9717 | + | |
| 9718 | + | |
| 9719 | + | |
9715 | 9720 | | |
9716 | 9721 | | |
9717 | 9722 | | |
| |||
0 commit comments