Merge pull request rbsec#293 from jtesta/handshake_alert_fix

Ignore handshake alerts when enumerating ciphersuites
jtesta · Sep 18, 2023 · 1d68457 · 1d68457
2 parents 1d526ac + 2d479f1
commit 1d68457
Showing 1 changed file with 17 additions and 25 deletions.
diff --git a/sslscan.c b/sslscan.c
@@ -1871,20 +1871,18 @@ int testCipher(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
 
                 // Connect SSL over socket
                 cipherStatus = SSL_connect(ssl);
+                printf_verbose("SSL_connect() returned: %d\n", cipherStatus);
 
                 sslCipherPointer = SSL_get_current_cipher(ssl);
-                cipherbits = SSL_CIPHER_get_bits(sslCipherPointer, NULL);
-
-                if (cipherStatus == 0)
-                {
-                    return false;
-                }
-                else if (cipherStatus != 1)
-                {
-                    printf_verbose("SSL_get_error(ssl, cipherStatus) said: %d\n", SSL_get_error(ssl, cipherStatus));
-                    return false;
+                if (sslCipherPointer == NULL) {
+                  printf_verbose("SSL_get_current_cipher() returned NULL; this indicates that the server did not choose a cipher from our list (%s)\n", options->cipherstring);
+                  SSL_shutdown(ssl);
+                  FREE_SSL(ssl);
+                  CLOSE(socketDescriptor);
+                  return false;
                 }
 
+                cipherbits = SSL_CIPHER_get_bits(sslCipherPointer, NULL);
                 cipherid = SSL_CIPHER_get_id(sslCipherPointer);
                 cipherid = cipherid & 0x00ffffff;  // remove first byte which is the version (0x03 for TLSv1/SSLv3)
 
@@ -1907,24 +1905,18 @@ int testCipher(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
 		  milliseconds_elapsed = tval_elapsed.tv_sec * 1000 + (int)tval_elapsed.tv_usec / 1000;
 		}
 
-                outputCipher(options, ssl, cleanSslMethod, cipherid, ciphername, cipherbits, (cipherStatus == 1), milliseconds_elapsed);
+                outputCipher(options, ssl, cleanSslMethod, cipherid, ciphername, cipherbits, 1, milliseconds_elapsed);
 
                 // Disconnect SSL over socket
-                if (cipherStatus == 1)
-                {
-                    const char *usedcipher = SSL_get_cipher_name(ssl);
-                    if(sslMethod==TLSv1_3_client_method())
-                    { // Remove cipher from TLSv1.3 list
-                      cipherRemove(options->cipherstring, usedcipher);
-                    }
-                    else
-                    {
-                      // Using strcat rather than strncat to avoid a warning from GCC
-                      strcat(options->cipherstring, ":!");
-                      strncat(options->cipherstring, usedcipher, strlen(usedcipher));
-                    }
-                    SSL_shutdown(ssl);
+                const char *usedcipher = SSL_get_cipher_name(ssl);
+                if(sslMethod == TLSv1_3_client_method())
+                  cipherRemove(options->cipherstring, usedcipher);  // Remove cipher from TLSv1.3 list
+                else {
+                  // Using strcat rather than strncat to avoid a warning from GCC
+                  strcat(options->cipherstring, ":!");
+                  strncat(options->cipherstring, usedcipher, strlen(usedcipher));
                 }
+                SSL_shutdown(ssl);
 
                 // Free SSL object
                 FREE_SSL(ssl);