
Commit c53f4a3

authored
Merge pull request #2682 from testssl/speedup_curvetests
Speed up startup checks for supported curves and more
2 parents 31a09ec + 4a8377a commit c53f4a3

1 file changed

Lines changed: 45 additions & 29 deletions


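--- a/testssl.sh
+++ b/testssl.sh
@@ -184,7 +184,8 @@ FNAME_PREFIX=${FNAME_PREFIX:-""} # output filename prefix, see --outprefi
 APPEND=${APPEND:-false} # append to csv/json/html/log file
 OVERWRITE=${OVERWRITE:-false} # overwriting csv/json/html/log file
 [[ -z "$NODNS" ]] && declare NODNS # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all
-NXCONNECT=${NXCONNECT:-invalid.} # For WSL this helps avoiding DNS requests to "invalid." which windows seem to handle delayed
+NXDNS=${NXDNS:-invalid.} # For WSL this helps avoiding DNS requests to "invalid." which windows seem to handle delayed
+NXCONNECT="" # needed when when need to test capabilities of the openssl binary
 HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
 ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
 OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests which may cause blocking by an IDS?
@@ -5349,7 +5350,7 @@ sclient_supported() {
 -tls1_3)
 "$HAS_TLS13" || return 7
 ;;
-*) if $OPENSSL s_client -connect $NXCONNECT "$1" </dev/null 2>&1 | grep -aiq "unknown option"; then
+*) if $OPENSSL s_client $NXCONNECT "$1" </dev/null 2>&1 | grep -aiq "unknown option"; then
 return 7
 fi
 ;;
@@ -20421,9 +20422,8 @@ find_openssl_binary() {
 local s_client_has2=$TEMPDIR/s_client_has2.txt
 local s_client_starttls_has=$TEMPDIR/s_client_starttls_has.txt
 local s_client_starttls_has2=$TEMPDIR/s_client_starttls_has2
-local openssl_location cwd=""
-local ossl_wo_dev_info
-local curve
+local openssl_location="" cwd=""
+local curve=""
 local ossl_line1="" yr=""
 local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448" "brainpoolP256r1tls13" "brainpoolP384r1tls13" "brainpoolP512r1tls13" "ffdhe2048" "ffdhe3072" "ffdhe4096" "ffdhe6144" "ffdhe8192")
 
@@ -20437,7 +20437,7 @@ find_openssl_binary() {
 # 2. otherwise, only if on Bash on Windows, use system binaries only.
 SYSTEM2="WSL"
 # Workaround for delayed responses of Windows DNS when using "invalid.", see #1738, #1812.
-[[ $NXCONNECT == invalid. ]] && NXCONNECT=127.0.0.1:0
+[[ $NXDNS == invalid. ]] && NXDNS=127.0.0.1:0
 elif test_openssl_suffix "$TESTSSL_INSTALL_DIR"; then
 : # 3. otherwise try openssl in path of testssl.sh
 elif test_openssl_suffix "$TESTSSL_INSTALL_DIR/bin"; then
@@ -20508,19 +20508,10 @@ find_openssl_binary() {
 HAS_DH_BITS=true
 fi
 
-OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
-
-if [[ $OPENSSL_NR_CIPHERS -le 140 ]]; then
-[[ ${OSSL_VER//./} -ge 210 ]] && HAS_DH_BITS=true
-if "$SSL_NATIVE"; then
-outln
-pr_warning "LibreSSL/OpenSSL in native ssl mode with poor cipher support is not a good choice for testing INSECURE features!"
-fi
-fi
-
 initialize_engine
 
 openssl_location="$(type -p $OPENSSL)"
+
 [[ -n "$GIT_REL" ]] && \
 cwd="$PWD" || \
 cwd="$RUN_DIR"
@@ -20589,10 +20580,22 @@ find_openssl_binary() {
 $OPENSSL pkey -help 2>&1 | grep -q Error || HAS_PKEY=true
 $OPENSSL pkeyutl 2>&1 | grep -q Error || HAS_PKUTIL=true
 
-# Below and at other occurrences we do a little trick using "$NXCONNECT" to avoid plain and
-# link level DNS lookups. See issue #1418 and https://tools.ietf.org/html/rfc6761#section-6.4
+# In order to avoid delays due to lookups of the hostname "invalid." we just try to avoid using "-connect invalid."
+# when possible. The following does a check fopr that. For WSL we stick for now to the old scheme. Not sure about Cygwin
+if [[ SYSTEM2 == "WSL" ]]; then
+NXCONNECT=-connect $NXDNS
+else
+# If this connects and bails out with an error message, we do not need "-connect invalid."
+if $OPENSSL s_client 2>&1 </dev/null | grep -Eiaq 'Connection refused|connect error|Bad file descriptor'; then
+NXCONNECT=""
+else
+# We need to do link level DNS lookups. See issue #1418 and https://tools.ietf.org/html/rfc6761#section-6.4
+NXCONNECT="-connect $NXDNS"
+fi
+fi
+
 if "$HAS_TLS13"; then
-$OPENSSL s_client -tls1_3 -sigalgs PSS+SHA256:PSS+SHA384 -connect $NXCONNECT </dev/null 2>&1 | grep -aiq "unknown option" || HAS_SIGALGS=true
+$OPENSSL s_client -tls1_3 -sigalgs PSS+SHA256:PSS+SHA384 $NXCONNECT </dev/null 2>&1 | grep -aiq "unknown option" || HAS_SIGALGS=true
 fi
 
 $OPENSSL s_client -noservername </dev/null 2>&1 | grep -aiq "unknown option" || HAS_NOSERVERNAME=true
@@ -20603,21 +20606,34 @@ find_openssl_binary() {
 $OPENSSL s_client -comp </dev/null 2>&1 | grep -aiq "unknown option" || HAS_COMP=true
 $OPENSSL s_client -no_comp </dev/null 2>&1 | grep -aiq "unknown option" || HAS_NO_COMP=true
 
-# The following statement works with OpenSSL 1.0.2, 1.1.1 and 3.0 and LibreSSL 3.4
+OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
+
+if [[ $OPENSSL_NR_CIPHERS -le 140 ]]; then
+[[ ${OSSL_VER//./} -ge 210 ]] && HAS_DH_BITS=true
+if "$SSL_NATIVE"; then
+outln
+pr_warning "LibreSSL/OpenSSL in native ssl mode with poor cipher support is not a good choice for testing INSECURE features!"
+fi
+fi
+
 if $OPENSSL s_client -curves </dev/null 2>&1 | grep -aiq "unknown option"; then
-# LibreSSL (tested with version 3.4.1 and 3.0.2) need -groups instead of -curve
-# WSL users connect to "127.0.0.1:0", others to "invalid." or "invalid.:0"
-# The $OPENSSL connect call deliberately fails: when the curve isn't available with the described error messages
-for curve in "${curves_ossl[@]}"; do
-$OPENSSL s_client -groups $curve -connect ${NXCONNECT%:*}:0 </dev/null 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups"
-[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
-done
+if $OPENSSL s_client -groups </dev/null 2>&1 | grep -aiq "unknown option"; then
+# this is for openssl versions like 0.9.8, they do not have -groups or -curves -- just to be safe
+:
+else
+# LibreSSL (tested with version 3.4.1 and 3.0.2) need -groups instead of -curve
+# WSL users connect to "127.0.0.1:0", others to "invalid." or "invalid.:0"
+# The $OPENSSL connect call deliberately fails: when the curve isn't available with the described error messages
+for curve in "${curves_ossl[@]}"; do
+$OPENSSL s_client -groups $curve $NXCONNECT </dev/null 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups"
+[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
+done
+fi
 else
 HAS_CURVES=true
 for curve in "${curves_ossl[@]}"; do
 # Same as above, we just don't need a port for invalid.
-#FIXME: openssl 3 sometimes seems to hang when using '-connect invalid.' for up to 10 seconds
-$OPENSSL s_client -curves $curve -connect $NXCONNECT </dev/null 2>&1 | grep -Eiaq "Error with command|unknown option|Call to SSL_CONF_cmd(.*) failed|cannot be set"
+$OPENSSL s_client -curves $curve $NXCONNECT </dev/null 2>&1 | grep -Eiaq "Error with command|unknown option|Call to SSL_CONF_cmd(.*) failed|cannot be set"
 [[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
 done
 fi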
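Review bot: The new WSL test in find_openssl_binary, `if [[ SYSTEM2 == "WSL" ]]; then`, compares the literal string SYSTEM2 and so is never true; it needs the expansion, `if [[ $SYSTEM2 == "WSL" ]]; then`. The assignment inside that branch, `NXCONNECT=-connect $NXDNS`, is unquoted, so once the test is fixed the shell would try to run the value of NXDNS as a command with NXCONNECT=-connect in its environment; it should read `NXCONNECT="-connect $NXDNS"` like the non-WSL branch. As written, WSL silently takes the generic probe path, although the comment above says it should keep the old scheme. Separately, the LibreSSL `-groups` loop no longer forces a port the way the removed `${NXCONNECT%:*}:0` did, so it is worth confirming that LibreSSL still fails fast there, since a wrong OSSL_SUPPORTED_CURVES list would presumably skew later curve checks. The function body starts and ends outside these hunks.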
