[BUG / possible BUG] - TLS_FALLBACK_SCSV and POODLE #2708

@accampato

Description

Hi all,
I would like to report a possible minor bug.
In some cases, even if the POODLE checks are enabled, testssl returns exit_code=1 with the warning message "Rerun including POODLE SSL check".

I am running testssl.sh version 3.2rc4 from https://testssl.sh/dev/

Command line / docker command to reproduce

  testssl.sh -U  www.kappamed.it -> output is correct -> exit code = 0
  testssl.sh  -p -U  www.kappamed.it -> "Rerun including POODLE SSL check" warning message is provided -> exit code = 1
  testssl.sh  www.kappamed.it -> "Rerun including POODLE SSL check" warning message is provided -> exit code = 1

Expected behavior:

testssl.sh -U  www.kappamed.it -> output is correct -> exit code = 0
The expected output should be:
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention NOT supported

testssl.sh  www.kappamed.it
The wrong message is:
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              Rerun including POODLE SSL check. Downgrade attack prevention NOT supported

System

OS: Ubuntu 24.10
Platform: Linux 6.11.0-18-generic x86_64

Additional context

none
