- enabling TLS 1.2 via sockets

- enabling sockets in run_protocols STARTTLS per default
- minor output polishing
This commit is contained in:
Dirk 2017-02-07 23:08:29 +01:00
parent edb358b3e0
commit 0d993427a3

View File

@ -616,6 +616,7 @@ pr_italicln() { pr_italic "$1" ; outln; }
pr_strikethru() { [[ "$COLOR" -ne 0 ]] && out "\033[9m$1" || out "$1"; pr_off; } # ugly! pr_strikethru() { [[ "$COLOR" -ne 0 ]] && out "\033[9m$1" || out "$1"; pr_off; } # ugly!
pr_strikethruln() { pr_strikethru "$1" ; outln; } pr_strikethruln() { pr_strikethru "$1" ; outln; }
pr_underline() { [[ "$COLOR" -ne 0 ]] && out "\033[4m$1" || out "$1"; pr_off; } pr_underline() { [[ "$COLOR" -ne 0 ]] && out "\033[4m$1" || out "$1"; pr_off; }
pr_underlineln() { pr_underline "$1"; outln; }
pr_reverse() { [[ "$COLOR" -ne 0 ]] && out "\033[7m$1" || out "$1"; pr_off; } pr_reverse() { [[ "$COLOR" -ne 0 ]] && out "\033[7m$1" || out "$1"; pr_off; }
pr_reverse_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[7m\033[1m$1" || out "$1"; pr_off; } pr_reverse_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[7m\033[1m$1" || out "$1"; pr_off; }
@ -2626,7 +2627,7 @@ run_allciphers() {
outln outln
if "$using_sockets"; then if "$using_sockets"; then
pr_headlineln " Testing $nr_ciphers_tested via OpenSSL and sockets against the server, ordered by encryption strength " pr_headlineln " Testing $nr_ciphers_tested ciphers via OpenSSL plus sockets against the server, ordered by encryption strength "
else else
pr_headlineln " Testing all $nr_ciphers_tested locally available ciphers against the server, ordered by encryption strength " pr_headlineln " Testing all $nr_ciphers_tested locally available ciphers against the server, ordered by encryption strength "
[[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl"
@ -2803,7 +2804,7 @@ run_cipher_per_proto() {
outln outln
if "$using_sockets"; then if "$using_sockets"; then
pr_headlineln " Testing per protocol via OpenSSL and sockets against the server, ordered by encryption strength " pr_headlineln " Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength "
else else
pr_headlineln " Testing all locally available ciphers per protocol against the server, ordered by encryption strength " pr_headlineln " Testing all locally available ciphers per protocol against the server, ordered by encryption strength "
[[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl"
@ -4214,18 +4215,13 @@ run_protocols() {
if "$SSL_NATIVE"; then if "$SSL_NATIVE"; then
using_sockets=false using_sockets=false
pr_headlineln "(via native openssl)" pr_underlineln "via native openssl"
else
if [[ -n "$STARTTLS" ]]; then
pr_headlineln "(via openssl, SSLv2 via sockets) "
using_sockets=false
else else
using_sockets=true using_sockets=true
if "$EXPERIMENTAL"; then if [[ -n "$STARTTLS" ]]; then
pr_headlineln "(via sockets except SPDY+HTTP2) " pr_underlineln "via sockets "
else else
pr_headlineln "(via sockets except TLS 1.2, SPDY+HTTP2) " pr_underlineln "via sockets except SPDY+HTTP2 "
fi
fi fi
fi fi
outln outln
@ -4429,7 +4425,7 @@ run_protocols() {
esac esac
pr_bold " TLS 1.2 "; pr_bold " TLS 1.2 ";
if "$using_sockets" && "$EXPERIMENTAL"; then #TODO: IIS servers do have a problem here with our handshake if "$using_sockets"; then
tls_sockets "03" "$TLS12_CIPHER" tls_sockets "03" "$TLS12_CIPHER"
else else
run_prototest_openssl "-tls1_2" run_prototest_openssl "-tls1_2"
@ -4549,7 +4545,7 @@ run_std_cipherlists() {
read_dhbits_from_file() { read_dhbits_from_file() {
local bits what_dh temp curve="" local bits what_dh temp curve=""
local add="" local add=""
local old_fart=" (openssl cannot show DH bits)" local old_fart=" (your $OPENSSL cannot show DH bits)"
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$1") # extract line temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$1") # extract line
what_dh=$(awk -F',' '{ print $1 }' <<< $temp) what_dh=$(awk -F',' '{ print $1 }' <<< $temp)
@ -5252,7 +5248,7 @@ determine_trust() {
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && \ if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && \
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]] && \ [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]] && \
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1" ]]; then [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1" ]]; then
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)" addtl_warning="(Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust)"
fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning" fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning"
fi fi
debugme outln debugme outln
@ -6500,7 +6496,7 @@ run_pfs() {
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false [[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
outln outln
pr_headlineln " Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 " pr_headline " Testing robust (perfect) forward secrecy"; pr_underlineln ", (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 "
if ! "$using_sockets"; then if ! "$using_sockets"; then
[[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl"
if ! "$HAS_DH_BITS" && "$WIDE"; then if ! "$HAS_DH_BITS" && "$WIDE"; then