From 0e70130eb796510332aac0201958e56ef7e1822f Mon Sep 17 00:00:00 2001 From: GottemHams Date: Fri, 18 Jul 2025 17:37:06 +0200 Subject: [PATCH 1/2] Ensure HEAD requests on port 80 can actually go through, including timeout checks (only used by the Opossum test at the moment, fixes #2847) --- testssl.sh | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index b4cf21183..cc0503acd 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1933,11 +1933,33 @@ http_header_printf() { local errfile=$TEMPDIR/$NODE.$NODEIP.http_header_printf-err.log local -i ret=0 local proto="" foo="" node="" query="" + local pid [[ $DEBUG -eq 0 ]] && errfile=/dev/null IFS=/ read -r proto foo node query <<< "$1" - exec 33<>/dev/tcp/$node/80 + + # This command may fail immediately if the server responds with "connection refused". + # To deal with this while also being able to interrupt the call, we can use 'wait' to check the real exit code if the process no longer exists. + # The connection is wrapped in a subshell so we can redirect stderr instead of polluting any test output. + bash -c "exec 33<>/dev/tcp/$NODEIP/80" 2>$errfile & + pid=$! + if ! ps $pid >/dev/null && ! wait $pid; then + [[ -n "$PROXY" ]] && return 3 + return 1 + fi + + # On the other hand, if the process is still running then we'll need to check for a timeout, since the server doesn't seem to actively reject the connection + wait_kill $pid $HEADER_MAXSLEEP + if [[ $? -ne 0 ]]; then + # Killed, i.e. server didn't respond in time + [[ -n "$PROXY" ]] && return 3 + return 1 + fi + + # Now we need to set up a new connection, which is very unlikely to fail at this point. + # Note that the actual HEAD request will overwrite $errfile, which is fine because it should always be empty if we came this far. + exec 33<>/dev/tcp/$NODEIP/80 printf -- "%b" "HEAD ${proto}//${node}/${query} HTTP/1.1\r\nUser-Agent: ${useragent}\r\nHost: ${node}\r\n${request_header}\r\nAccept: */*\r\n\r\n\r\n" >&33 2>$errfile & wait_kill $! $HEADER_MAXSLEEP if [[ $? -ne 0 ]]; then From 3527a245560a9ea0315efa1c1da695a954d5ca10 Mon Sep 17 00:00:00 2001 From: GottemHams Date: Fri, 18 Jul 2025 18:00:11 +0200 Subject: [PATCH 2/2] Use NODE instead of NODEIP, since by using the hostname we can use both IPv4 and v6 --- testssl.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index cc0503acd..773990713 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1942,7 +1942,7 @@ http_header_printf() { # This command may fail immediately if the server responds with "connection refused". # To deal with this while also being able to interrupt the call, we can use 'wait' to check the real exit code if the process no longer exists. # The connection is wrapped in a subshell so we can redirect stderr instead of polluting any test output. - bash -c "exec 33<>/dev/tcp/$NODEIP/80" 2>$errfile & + bash -c "exec 33<>/dev/tcp/$NODE/80" 2>$errfile & pid=$! if ! ps $pid >/dev/null && ! wait $pid; then [[ -n "$PROXY" ]] && return 3 @@ -1959,7 +1959,7 @@ http_header_printf() { # Now we need to set up a new connection, which is very unlikely to fail at this point. # Note that the actual HEAD request will overwrite $errfile, which is fine because it should always be empty if we came this far. - exec 33<>/dev/tcp/$NODEIP/80 + exec 33<>/dev/tcp/$NODE/80 printf -- "%b" "HEAD ${proto}//${node}/${query} HTTP/1.1\r\nUser-Agent: ${useragent}\r\nHost: ${node}\r\n${request_header}\r\nAccept: */*\r\n\r\n\r\n" >&33 2>$errfile & wait_kill $! $HEADER_MAXSLEEP if [[ $? -ne 0 ]]; then