@@ -10693,8 +10693,9 @@ run_server_defaults() {
1069310693 outln "(none)"
1069410694 fileout "TLS_extensions" "INFO" "(none)"
1069510695 else
10696- #FIXME: we rather want to have the chance to print each ext in italics or another format.
10697- # Atm is a string of quoted strings -- that needs to be fixed at the root then
10696+ #FIXME: we rather want to print each ext in italics or another format.
10697+ # Atm it's a string of quoted strings -- that needs to be fixed at the
10698+ # the root then.
1069810699 # out_row_aligned_max_width() places line breaks at space characters.
1069910700 # So, in order to prevent the text for an extension from being broken
1070010701 # across lines, temporarily replace space characters within the text
@@ -10707,32 +10708,36 @@ run_server_defaults() {
1070710708 tls_extensions="${tls_extensions:1}"
1070810709 fileout "TLS_extensions" "INFO" "$tls_extensions"
1070910710 tls_extensions="${tls_extensions// /{}"
10710- tls_extensions="${tls_extensions//\"{\"/\" \"}"
10711- tls_extensions="$(out_row_aligned_max_width "$tls_extensions" " " $TERM_WIDTH)"
10712- tls_extensions="${tls_extensions//{/ }"
10711+ tls_extensions="${tls_extensions//'{\"'/'" "'}"
10712+ #tls_extensions="${tls_extensions//\"{\"/\" \"}" # blank command for deconfusing vim's syntax hiliting
10713+ tls_extensions="$(out_row_aligned_max_width "$tls_extensions" ' ' $TERM_WIDTH)"
10714+ tls_extensions="${tls_extensions//\{/ }"
1071310715 outln "$tls_extensions"
1071410716 fi
1071510717
10716- # We want to check whether the (for >=TLS 1.2) mandatory "extended master secret" extension is supported by
10717- # the server. Otherwise it would violate RFC 9325 https://www.rfc-editor.org/rfc/rfc9325#section-3.5
10718- # and cause connection problems.
10718+ # We want to check whether the (for <=TLS 1.2) mandatory "extended master secret" extension is supported by
10719+ # the server. Otherwise it would violate RFC 9325 https://www.rfc-editor.org/rfc/rfc9325#section-3.5. Also:
10720+ # "If a server implementing this document receives the "extended_master_secret" extension, it MUST
10721+ # include the extension in its ServerHello message". (https://www.rfc-editor.org/rfc/rfc7627.html#section-5.2).
10722+
1071910723 jsonID="TLS_misses_extension_23"
10720- if [[ $(has_server_protocol "tls1_2") -eq 1 ]] && [[ $(has_server_protocol "tls1_3") -eq 1 ]] ; then
10721- :
10722- elif [[ $tls_extensions =~ \#23 ]]; then
10723- # Was the last handshake >= TLS 1.2 ?
10724- if grep -qE 'Protocol.*(TLSv1.3|TLSv1.2)' $TEMPDIR/$NODEIP.parse_tls_serverhello.txt ; then
10725- fileout "$jsonID" "INFO" "Extended master secret extension detected"
10726- debugme outln "${spaces}Extended master secret extension detected"
10724+ if [[ $tls_extensions =~ \#23 ]]; then
10725+ if "$TLS13_ONLY"; then
10726+ # this shouldn't happen
10727+ fileout "$jsonID" "LOW" "Misconfiguration: Extended master secret extension detected for TLS 1.3 only"
10728+ debugme outln "${spaces}Misconfiguration: Extended master secret extension detected for TLS 1.3 only"
1072710729 else
10728- out "$spaces"
10729- prln_warning "Fixme: Server supports TLS 1.2 or 1.3 but last ServerHello was < TLS 1.2"
10730- fileout "$jsonID" "WARN" "Server supports TLS 1.2 or 1.3 but last ServerHello was < TLS 1.2"
10730+ if grep -qE 'Protocol.*(TLSv1.)' $TEMPDIR/$NODEIP.parse_tls_serverhello.txt ; then
10731+ fileout "$jsonID" "INFO" "Extended master secret extension detected"
10732+ debugme outln "${spaces}Extended master secret extension detected"
10733+ fi
10734+ # We don't worry about SSL3.0 here. It should have been tested before withg testssl.sh --
10735+ # though it's mentioned in https://www.rfc-editor.org/rfc/rfc7627.html#section-6.4
1073110736 fi
10732- else
10737+ elif ! "$TLS13_ONLY"; then
1073310738 out "$spaces"
10734- prln_svrty_medium "No extended master secret extension, violates RFC 9325 & may cause connection problems"
10735- fileout "$jsonID" "MEDIUM" "No extended master secret extension, violates RFC 9325 & may cause connection problems"
10739+ prln_svrty_medium "No extended master secret extension, violates RFC 7627/ 9325 & may cause connection problems"
10740+ fileout "$jsonID" "MEDIUM" "No extended master secret extension, violates RFC 7627/ 9325 & may cause connection problems"
1073610741 fi
1073710742
1073810743 pr_bold " Session Ticket RFC 5077 hint "
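Review bot: In the second hunk's `#23` branch, when `$TLS13_ONLY` is false and the `grep` on `parse_tls_serverhello.txt` does not match, nothing is printed and no `fileout` is written for `TLS_misses_extension_23`, whereas the removed code emitted a WARN there; consumers of the JSON/CSV output then cannot tell "extension present" from "check not evaluated". The new pattern `'Protocol.*(TLSv1.)'` needs one more character after `TLSv1`, so if a TLS 1.0 ServerHello is recorded as plain `TLSv1` (OpenSSL's spelling; to be confirmed for this file) it lands in that silent path, and the file path is unquoted. I would use `if grep -q 'Protocol.*TLSv1' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt"; then` and add an `else` arm such as `fileout "$jsonID" "WARN" "Extended master secret extension seen but last ServerHello was not TLS 1.x"`. Two comment typos in the added lines are worth fixing while here: "at the" / "the root" is doubled across the line break in the first hunk, and "withg" should be "with". The enclosing `run_server_defaults()` starts and ends outside both hunks, so how `TLS13_ONLY` and `tls_extensions` are set was not checked.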