Diffstat (limited to 'functions/tls_fallback_scsv.php')
-rw-r--r-- | functions/tls_fallback_scsv.php | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/functions/tls_fallback_scsv.php b/functions/tls_fallback_scsv.php
index bd65c42..0892923 100644
--- a/functions/tls_fallback_scsv.php
+++ b/functions/tls_fallback_scsv.php
@@ -16,16 +16,22 @@ function tls_fallback_scsv($host, $ip, $port) {
 global $timeout;
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- return false;
- }
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ // return false;
+ // }
 $result = [];
 $protocols = ssl_conn_protocols($host, $ip, $port);
 if (count(array_filter($protocols)) > 1) {
 $result['protocol_count'] = count(array_filter($protocols));
- $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect " . escapeshellcmd($ip) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null");
- if ( stripos($fallback_test, "alert inappropriate fallback") !== false ) {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect '" . $ip . ":" . escapeshellcmd($port) . "' -fallback_scsv -no_tls1_2 2>&1 >/dev/null");
+ } else {
+ $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect " . escapeshellcmd($ip) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null");
+ }
+ if ( stripos($fallback_test, "SSL alert number 86") !== false ) {
 $result['tls_fallback_scsv_support'] = 1;
 } else { |