From 701545dbb6beb289b94f971108ff937e3b4a47e7 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Mon, 13 Jun 2016 15:35:56 +0200 Subject: [PATCH 01/20] Allow the file output feature and mass_test feature to work together --- testssl.sh | 45 ++++++++++++++++----------------------------- 1 file changed, 16 insertions(+), 29 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8fc1ccb..9588cc7 100755 --- a/testssl.sh +++ b/testssl.sh @@ -149,6 +149,7 @@ WIDE=${WIDE:-false} # whether to display for some options th LOGFILE=${LOGFILE:-""} # logfile if used JSONFILE=${JSONFILE:-""} # jsonfile if used CSVFILE=${CSVFILE:-""} # csvfile if used +APPEND=false # append file in stead of overwriting HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs) @@ -453,12 +454,17 @@ strip_quote() { } fileout_header() { - "$do_json" && printf "[\n" > "$JSONFILE" - "$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" + if [[ $APPEND ]]; then + "$do_json" && [[ ! -f "$JSONFILE" ]] && printf "[\n" > "$JSONFILE" + "$do_csv" && [[ ! -f "CSVFILE" ]] && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" + else + "$do_json" && printf "[\n" > "$JSONFILE" + "$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" + fi } fileout_footer() { - "$do_json" && printf "]\n" >> "$JSONFILE" + "$do_json" && [[ -f "$JSONFILE" ]] && printf "]\n" >> "$JSONFILE" } fileout() { # ID, SEVERITY, FINDING @@ -6237,7 +6243,7 @@ cleanup () { [[ -d "$TEMPDIR" ]] && rm -rf "$TEMPDIR"; fi outln - fileout_footer + [[ $APPEND ]] || fileout_footer } fatal() { @@ -6858,30 +6864,6 @@ mx_all_ips() { return $ret } -run_mass_testing_parallel() { - local cmdline="" - local global_cmdline=${CMDLINE%%--file*} - - if [[ ! -r "$FNAME" ]] && $IKNOW_FNAME; then - fatal "Can't read file \"$FNAME\"" "-1" - fi - pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln - outln "(output is in ....\n)" - while read cmdline; do - cmdline=$(filter_input "$cmdline") - [[ -z "$cmdline" ]] && continue - [[ "$cmdline" == "EOF" ]] && break - cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" - draw_line "=" $((TERM_DWITH / 2)); outln; - determine_logfile - outln "$cmdline" - $cmdline >$LOGFILE & - sleep $PARALLEL_SLEEP - done < "$FNAME" - return $? -} - - run_mass_testing() { local cmdline="" local global_cmdline=${CMDLINE%%--file*} @@ -6891,15 +6873,17 @@ run_mass_testing() { fi pr_reverse "====== Running in file batch mode with file=\"$FNAME\" ======"; outln "\n" + APPEND=false # Make sure we close out our files while read cmdline; do cmdline=$(filter_input "$cmdline") [[ -z "$cmdline" ]] && continue [[ "$cmdline" == "EOF" ]] && break - cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" + cmdline="$0 $global_cmdline --warnings=batch -q --append $cmdline" draw_line "=" $((TERM_DWITH / 2)); outln; outln "$cmdline" $cmdline done < "${FNAME}" + fileout_footer return $? } @@ -7272,6 +7256,9 @@ parse_cmd_line() { [[ $? -eq 0 ]] && shift do_csv=true ;; + --append) + APPEND=true + ;; --openssl|--openssl=*) OPENSSL=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift From 3b1d8b6253f81fe2dd1269030d63da4503650e1c Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Tue, 14 Jun 2016 10:36:57 +0200 Subject: [PATCH 02/20] Need to deal with the comma correctly if we are appending to a file --- testssl.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index 9588cc7..e99d6b0 100755 --- a/testssl.sh +++ b/testssl.sh @@ -455,7 +455,11 @@ strip_quote() { fileout_header() { if [[ $APPEND ]]; then - "$do_json" && [[ ! -f "$JSONFILE" ]] && printf "[\n" > "$JSONFILE" + if [[ -f "$JSONFILE" ]]; then + FIRST_FINDING=false # We need to insert a comma, because there is file content already + else + "$do_json" && printf "[\n" > "$JSONFILE" + fi "$do_csv" && [[ ! -f "CSVFILE" ]] && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" else "$do_json" && printf "[\n" > "$JSONFILE" @@ -471,9 +475,8 @@ fileout() { # ID, SEVERITY, FINDING local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") if "$do_json"; then - "$FIRST_FINDING" || echo "," >> $JSONFILE - echo -e " - { + "$FIRST_FINDING" || echo -n "," >> $JSONFILE + echo -e " { \"id\" : \"$1\", \"ip\" : \"$NODE/$NODEIP\", \"port\" : \"$PORT\", From b8b779b419be90e45f08e3c682fe0273f4b3250c Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 17 Jun 2016 16:33:00 -0400 Subject: [PATCH 03/20] Use sockets for client simulations Modify run_client_simulation() to send the ClientHello from https://api.dev.ssllabs.com/api/v3/getClients (modified to use the correct value in the server name extension) if $EXPERIMENTAL is true, $STARTTLS is empty, and $SSL_NATIVE is false. --- testssl.sh | 401 +++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 361 insertions(+), 40 deletions(-) diff --git a/testssl.sh b/testssl.sh index cb8147e..da2bc2c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1455,7 +1455,22 @@ openssl2rfc() { } rfc2openssl() { - : + local hexcode ossl_hexcode ossl_name + local -i len + + hexcode=$(grep -iw "$1" "$MAPPING_FILE_RFC" 2>>$ERRFILE | head -1 | awk '{ print $1 }') + [[ -z "$hexcode" ]] && return 0 + len=${#hexcode} + case $len in + 3) ossl_hexcode="0x00,0x${hexcode:1:2}" ;; + 5) ossl_hexcode="0x${hexcode:1:2},0x${hexcode:3:2}" ;; + 7) ossl_hexcode="0x${hexcode:1:2},0x${hexcode:3:2},0x${hexcode:5:2}" ;; + *) return 0 ;; + esac + ossl_name="$($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' | grep -i " $ossl_hexcode " | awk '{ print $3 }')" + [[ -z "$ossl_name" ]] && ossl_name="-" + out "$ossl_name" + return 0 } @@ -1789,6 +1804,155 @@ run_cipher_per_proto() { return 0 } +# arg1 is an ASCII-HEX encoded SSLv3 or TLS ClientHello. +# If the ClientHello contains a server name extension, then +# either: +# 1) replace it with one corresponding to $SNI; or +# 2) remove it, if $SNI is empty +create_client_simulation_tls_clienthello() { + local tls_handshake_ascii="$1" + local -i len offset tls_handshake_ascii_len len_all len_clienthello + local -i len_extensions len_extension + local content_type tls_version_reclayer handshake_msg_type tls_clientversion + local tls_random tls_sid tls_cipher_suites tls_compression_methods + local tls_extensions="" extension_type len_extensions_hex + local len_servername hexdump_format_str servername_hexstr + local len_servername_hex len_sni_listlen len_sni_ext + local tls_client_hello len_clienthello_hex tls_handshake_ascii_len_hex + local sni_extension_found=false + + tls_handshake_ascii_len=${#tls_handshake_ascii} + + tls_content_type="${tls_handshake_ascii:0:2}" + tls_version_reclayer="${tls_handshake_ascii:2:4}" + len_all=$(hex2dec "${tls_handshake_ascii:6:4}") + + handshake_msg_type="${tls_handshake_ascii:10:2}" + len_clienthello=$(hex2dec "${tls_handshake_ascii:12:6}") + tls_clientversion="${tls_handshake_ascii:18:4}" + tls_random="${tls_handshake_ascii:22:64}" + len=2*$(hex2dec "${tls_handshake_ascii:86:2}")+2 + tls_sid="${tls_handshake_ascii:86:$len}" + offset=86+$len + + len=2*$(hex2dec "${tls_handshake_ascii:$offset:4}")+4 + tls_cipher_suites="${tls_handshake_ascii:$offset:$len}" + offset=$offset+$len + + len=2*$(hex2dec "${tls_handshake_ascii:$offset:2}")+2 + tls_compression_methods="${tls_handshake_ascii:$offset:$len}" + offset=$offset+$len + + if [[ $offset -ge $tls_handshake_ascii_len ]]; then + # No extensions + out "$tls_handshake_ascii" + return 0 + fi + + len_extensions=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") + offset=$offset+4 + for (( 1; offset < tls_handshake_ascii_len; 1 )); do + extension_type="${tls_handshake_ascii:$offset:4}" + offset=$offset+4 + len_extension=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") + + if [[ "$extension_type" != "0000" ]]; then + # The extension will just be copied into the revised ClientHello + sni_extension_found=true + offset=$offset-4 + len=$len_extension+8 + tls_extensions+="${tls_handshake_ascii:$offset:$len}" + offset=$offset+$len + elif [[ -n "$SNI" ]]; then + # Create a server name extension that corresponds to $SNI + len_servername=${#NODE} + hexdump_format_str="$len_servername/1 \"%02x\"" + servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}") + # convert lengths we need to fill in from dec to hex: + len_servername_hex=$(printf "%02x\n" $len_servername) + len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) + len_sni_ext=$(printf "%02x\n" $((len_servername+5))) + tls_extensions+="000000${len_sni_ext}00${len_sni_listlen}0000${len_servername_hex}${servername_hexstr}" + offset=$offset+$len_extension+4 + fi + done + + if ! $sni_extension_found; then + out "$tls_handshake_ascii" + return 0 + fi + + len_extensions=${#tls_extensions}/2 + len_extensions_hex=$(printf "%02x\n" $len_extensions) + len2twobytes "$len_extensions_hex" + tls_extensions="${LEN_STR:0:2}${LEN_STR:4:2}${tls_extensions}" + + tls_client_hello="${tls_clientversion}${tls_random}${tls_sid}${tls_cipher_suites}${tls_compression_methods}${tls_extensions}" + len_clienthello=${#tls_client_hello}/2 + len_clienthello_hex=$(printf "%02x\n" $len_clienthello) + len2twobytes "$len_clienthello_hex" + tls_handshake_ascii="${handshake_msg_type}00${LEN_STR:0:2}${LEN_STR:4:2}${tls_client_hello}" + + tls_handshake_ascii_len=${#tls_handshake_ascii}/2 + tls_handshake_ascii_len_hex=$(printf "%02x\n" $tls_handshake_ascii_len) + len2twobytes "$tls_handshake_ascii_len_hex" + tls_handshake_ascii="${tls_content_type}${tls_version_reclayer}${LEN_STR:0:2}${LEN_STR:4:2}${tls_handshake_ascii}" + out "$tls_handshake_ascii" + return 0 +} + +client_simulation_sockets() { + local -i len i ret=0 + local -i save=0 + local lines clienthello data="" + local cipher_list_2send + + if [[ "${1:0:4}" == "1603" ]]; then + clienthello="$(create_client_simulation_tls_clienthello "$1")" + else + clienthello="$1" + fi + len=${#clienthello} + for (( i=0; i < len; i=i+2 )); do + data+=", ${clienthello:i:2}" + done + debugme echo "sending client hello..." + code2network "${data}" + fd_socket 5 || return 6 + data=$(echo $NW_STR) + [[ "$DEBUG" -ge 4 ]] && echo "\"$data\"" + printf -- "$data" >&5 2>/dev/null & + sleep $USLEEP_SND + + sockread_serverhello 32768 + TLS_NOW=$(LC_ALL=C date "+%s") + debugme outln "reading server hello..." + if [[ "$DEBUG" -ge 4 ]]; then + hexdump -C $SOCK_REPLY_FILE | head -6 + echo + fi + + parse_tls_serverhello "$SOCK_REPLY_FILE" + save=$? + + # see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL + lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)") + debugme out " (returned $lines lines) " + + # determine the return value for higher level, so that they can tell what the result is + if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then + ret=1 # NOT available + else + ret=0 + fi + debugme outln + + close_socket + TMPFILE=$SOCK_REPLY_FILE + tmpfile_handle $FUNCNAME.dd + return $ret +} + run_client_simulation() { # Runs browser simulations. Browser capabilities gathered from: # https://www.ssllabs.com/ssltest/clients.html on 10 jan 2016 @@ -1799,7 +1963,16 @@ run_client_simulation() { local tlsvers=() local sni=() local warning=() + local handshakebytes=() + local lowest_protocol=() + local highest_protocol=() local i=0 + local name tls proto cipher + local using_sockets=true + + if $SSL_NATIVE || [[ -n "$STARTTLS" ]] || ! $EXPERIMENTAL; then + using_sockets=false + fi # doesn't make sense for other services if [[ $SERVICE != "HTTP" ]]; then @@ -1814,14 +1987,20 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("") warning+=("") + handshakebytes+=("160301004b010000470301531f3de6b36804738bbb94a6ecd570a544789c3bb0a6ef8b9d702f997d928d4b00002000040005002f00330032000a00160013000900150012000300080014001100ff0100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.0.4 ") short+=("android_404") protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") - ciphers+=("CDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") + ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100c6010000c20301531f479cc7785f455ca7a70142af5be929c1ba931eedbf46dba6b6638da75e95000038c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc0020005000400ff020100006000000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f00100011001200130014001500160017001800190023000033740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.1.1 ") short+=("android_411") @@ -1830,6 +2009,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d7010000d30301531f3f6dd9eb5f6b3586c628cc2cdc82cdb259b1a096237ba4df30dbbc0f26fb000044c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400ff020100006500000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f00010133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.2.2 ") short+=("android_422") @@ -1838,22 +2020,31 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d1010000cd0301531f40a89e11d5681f563f3dad094375227035d4e9d2c1654d7d3954e3254558000044c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400ff0100006000000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f001000110023000033740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.3 ") short+=("android_43") - protos+=("-no_ssl2") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d1010000cd0301531f41c3c5110dd688458e5e48e06d30814572ad7b8f9d9df1b0a8820b270685000044c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400ff0100006000000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f001000110023000033740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.4.2 ") short+=("android_442") protos+=("-no_ssl2") - ciphers+=("CDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") - tlsvers+=("-tl1_2 -tls1_1 -tls1") + ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") + tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d1010000cd0303531f4317998fb70d57feded18c14433a1b665f963f7e3b1b045b6cc3d61bf21300004cc030c02cc014c00a00a3009f006b006a00390038009d003d0035c012c00800160013000ac02fc02bc027c023c013c00900a2009e0067004000330032009c003c002fc011c0070005000400ff0100005800000014001200000f7777772e73736c6c6162732e636f6d000b00020100000a0008000600190018001700230000000d00220020060106020603050105020503040104020403030103020303020102020203010133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Android 5.0.0 ") short+=("android_500") @@ -1862,6 +2053,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100bd010000b9030354c21737f3d9d10696c91debf12415f9c45833a83cfbbd4c60c9b91407d2316b000038cc14cc13cc15c014c00a003900380035c012c00800160013000ac02fc02bc013c00900a2009e00330032009c002fc011c0070005000400ff0100005800000014001200000f6465762e73736c6c6162732e636f6d00230000000d00220020060106020603050105020503040104020403030103020303020102020203010133740000000b00020100000a00080006001900180017") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Baidu Jan 2015 ") short+=("baidu_jan_2015") @@ -1870,6 +2064,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100a30100009f030154c1a814c755540538a93b25e7824623d0ee9fc294ee752869cf76819edb3aa200004800ffc00ac0140088008700390038c00fc00500840035c007c009c011c0130045004400330032c00cc00ec002c0040096004100040005002fc008c01200160013c00dc003feff000a0100002e00000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b0002010000230000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("BingPreview Jan 2015 ") short+=("bingpreview_jan_2015") @@ -1878,6 +2075,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030101510100014d030354c13b79c1ca7169ae70c45d43311f9290d8ac1e326dfc36ff0aa99ea85406d50000a0c030c02cc028c024c014c00ac022c02100a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c012c008c01cc01b00160013c00dc003000ac02fc02bc027c023c013c009c01fc01e00a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff020100008300000014001200000f6465762e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000d002200200601060206030501050205030401040204030301030203030201020202030101000f000101") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Chrome 47 / OSX ") short+=("chrome_47_osx") @@ -1886,6 +2086,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100ca010000c6030361f8858af23cda649baf596105ec66bfe5b4642046c486e3e5321b26588392f400001ec02bc02f009ecc14cc13c00ac0140039c009c0130033009c0035002f000a0100007fff0100010000000014001200000f6465762e73736c6c6162732e636f6d0017000000230000000d001600140601060305010503040104030301030302010203000500050100000000337400000012000000100017001508687474702f312e3108737064792f332e3102683275500000000b00020100000a0006000400170018") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Firefox 31.3.0ESR / Win7 ") short+=("firefox_3130esr_win7") @@ -1894,6 +2097,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b1010000ad030357ce74b9799a67f62ffd7f53fde81675039c3597b2b17f9e18dbbbd418dd68f600002ec02bc02fc00ac009c013c014c012c007c0110033003200450039003800880016002f004100350084000a000500040100005600000014001200000f6465762e73736c6c6162732e636f6dff01000100000a00080006001700180019000b000201000023000033740000000500050100000000000d0012001004010501020104030503020304020202") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Firefox 42 / OSX ") short+=("firefox_42_osx") @@ -1902,6 +2108,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b8010000b403038abe51f10e414011c88d4807c3cf465ae02ba1ef74dd1d59a0b8f04c4f13c969000016c02bc02fc00ac009c013c01400330039002f0035000a0100007500000014001200000f6465762e73736c6c6162732e636f6dff01000100000a00080006001700180019000b00020100002300003374000000100017001502683208737064792f332e3108687474702f312e31000500050100000000000d001600140401050106010201040305030603020304020202") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("GoogleBot Feb 2015 ") short+=("googlebot_feb_2015") @@ -1910,62 +2119,86 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100db010000d70303d9c72e000f6a7f0a156840bd4aa9fd0612df4aeb69a1a1c6452c5f1f4d0ba6b000002ac02bc02fc007c011c009c013c00ac014009c00050004002f000a003500330032001600130039003800ff0100008400000014001200000f6465762e73736c6c6162732e636f6d00230000000d0020001e06010602060305010502050304010402040303010302030302010202020333740000000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("IE6 / XP ") short+=("ie6_xp") - protos+=("-no_tls1") + protos+=("-no_tls1_2 -no_tls1_1 -no_tls1") tlsvers+=("") ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:RC4-MD5:DES-CBC3-MD5:RC2-CBC-MD5:DES-CBC-SHA:DES-CBC-MD5:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA") sni+=("") warning+=("") + handshakebytes+=("804c01030000330000001000000400000500000a0100800700c003008000000906004000006400006200000300000602008004008000001300001200006317411550ac4c45ccbc8f4538dbc56d3a") + lowest_protocol+=("0x0200") + highest_protocol+=("0x0300") names+=("IE7 / Vista ") short+=("ie7_vista") - protos+=("-no_ssl2") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("160301007d01000079030151fa62ab452795b7003c5f93ab677dbf57dd62bfa39e0ffaaeabe45b06552452000018002f00350005000ac009c00ac013c01400320038001300040100003800000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a00080006001700180019000b00020100ff01000100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("IE8 / XP ") short+=("ie8_xp") - protos+=("-no_ssl2") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA") tlsvers+=("-tls1") sni+=("") warning+=("") + handshakebytes+=("16030100410100003d030151fa5ac223f1d72558e48bb4f144baa494403ca6c360349cbd1449997d8dd1ec00001600040005000a000900640062000300060013001200630100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("IE8-10 / Win7 ") short+=("ie10_win7") - protos+=("-no_ssl2") - ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5") - tlsvers+=("-tls1") - sni+=("$SNI") - warning+=("") - - names+=("IE11 / Win7 ") - short+=("ie11_win7") - protos+=("-no_ssl2 -no_ssl3") - ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5") - tlsvers+=("-tls1_2 -tls1_1 -tls1") - sni+=("$SNI") - warning+=("") - - names+=("IE11 / Win8.1 ") - short+=("ie11_win81") - protos+=("-no_ssl2 -no_ssl3") - ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA") - tlsvers+=("-tls1_2 -tls1_1 -tls1") - sni+=("$SNI") - warning+=("") - - names+=("IE10 / Win Phone 8.0 ") - short+=("ie10_winphone_80") - protos+=("-no_ssl2") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("160301007b01000077030151d156b7a2f14154f4e58272d8e272392bb33c1110f21d3b7a3ea2b09fb14c5a000018002f00350005000ac013c014c009c00a003200380013000401000036ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") + + names+=("IE11 / Win7 ") + short+=("ie11_win7") + protos+=("-no_ssl2") + ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") + tlsvers+=("-tls1_2 -tls1_1 -tls1") + sni+=("$SNI") + warning+=("") + handshakebytes+=("16030300a10100009d0303528113a0e622051411874ae3411d7e9f63c4f2671cec1d9c87f2654f88c1bed400002a003c002f003d00350005000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001300040100004aff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e0401050102010403050302030202") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") + + names+=("IE11 / Win8.1 ") + short+=("ie11_win81") + protos+=("-no_ssl2") + ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA") + tlsvers+=("-tls1_2 -tls1_1 -tls1") + sni+=("$SNI") + warning+=("") + handshakebytes+=("16030300bb010000b7030352678fd707022be386508c7e5837f03bcb1b91c372733322f87872ff873af1db000026003c002f003d0035000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001301000068ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000100012001006737064792f3308687474702f312e3133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") + + names+=("IE10 / Win Phone 8.0 ") + short+=("ie10_winphone_80") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") + ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") + tlsvers+=("-tls1") + sni+=("$SNI") + warning+=("") + handshakebytes+=("160301007f0100007b0301536487d458b1a364f27085798ca9e06353f0b300baeecd775e6ccc90a97037c2000018002f00350005000ac013c014c009c00a00320038001300040100003aff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b0002010000230000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("IE11 / Win Phone 8.1 ") short+=("ie10_winphone_81") @@ -1974,6 +2207,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300bb010000b703035363d297ad92a8fe276a4e5b9395d593e96fff9c3df0987e5dfbab544ce05832000026003c002f003d0035000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001301000068ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000100012001006737064792f3308687474702f312e3133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("IE11 / Win Phone 8.1 Update") short+=("ie10_winphone_81_update") @@ -1982,6 +2218,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300c5010000c103035537a79a55362d42c3b3308fea91e85c5656021153d0a4baf03e7fef6e315c72000030c028c027c014c013009f009e009d009c003d003c0035002fc02cc02bc024c023c00ac009006a004000380032000a001301000068ff0100010000000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000100012001006737064792f3308687474702f312e3133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("IE11 / Win10 ") short+=("ie11_win10") @@ -1990,6 +2229,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300c9010000c50303558923f4d57c2d79aba0360f4030073f0554d057176bd610fb2aa74ee4407361000034c030c02fc028c027c014c013009f009e009d009c003d003c0035002fc02cc02bc024c023c00ac009006a004000380032000a00130100006800000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d00140012040105010201040305030203020206010603002300000010000e000c02683208687474702f312e3100170000ff01000100") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Edge 13 / Win10 ") short+=("edge13_win10") @@ -1998,14 +2240,20 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300d3010000cf0303565ee009f8e3f685347567b3edfd626034a1125966e4d818ec6f57a022d2fc9e000034c02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a006a00400038003200130100007200000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d00140012040105010201040305030203020206010603002300000010000e000c02683208687474702f312e310017000055000006000100020002ff01000100") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") - names+=("Edge 12 / Win Phone 10 ") + names+=("Edge 13 / Win Phone 10 ") short+=("edge13_winphone10") protos+=("-no_ssl2 -no_ssl3") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300d3010000cf0303565ee836e62e7b9b734f4dca5f3f1ad62dc4e5f87bdf6c90f325b6a2e0012705000034c02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a006a00400038003200130100007200000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d00140012040105010201040305030203020206010603002300000010000e000c02683208687474702f312e310017000055000006000100020002ff01000100") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Java 6u45 ") short+=("java6u45") @@ -2014,6 +2262,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("") warning+=("") + handshakebytes+=("8065010301003c0000002000000401008000000500002f00003300003200000a0700c00000160000130000090600400000150000120000030200800000080000140000110000ff52173357f48ce6722f974dbb429b9279208d1cf5b9088947c9ba16d9ecbc0fa6") + lowest_protocol+=("0x0200") + highest_protocol+=("0x0301") names+=("Java 7u25 ") short+=("java7u25") @@ -2022,6 +2273,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100ad010000a9030152178334e8b855253e50e4623e475b6941c18cc312de6395a98e1cd4fd6735e700002ac009c013002fc004c00e00330032c007c0110005c002c00cc008c012000ac003c00d00160013000400ff01000056000a0034003200170001000300130015000600070009000a0018000b000c0019000d000e000f001000110002001200040005001400080016000b0002010000000014001200000f7777772e73736c6c6162732e636f6d") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Java 8u31 ") short+=("java8u31") @@ -2030,6 +2284,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300e7010000e3030354c21168512b37f2a7410028c16673626ff931146918c7b29f78150b7339e5af000046c023c027003cc025c02900670040c009c013002fc004c00e00330032c02bc02f009cc02dc031009e00a2c008c012000ac003c00d00160013c007c0110005c002c00c000400ff01000074000a0034003200170001000300130015000600070009000a0018000b000c0019000d000e000f001000110002001200040005001400080016000b00020100000d001a001806030601050305010403040103030301020302010202010100000014001200000f6465762e73736c6c6162732e636f6d") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("OpenSSL 0.9.8y ") short+=("openssl098y") @@ -2038,6 +2295,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100730100006f0301521782e707c1a780d3124742f35573dbb693babe5d3a7e9405c706af18b636bf00002a00390038003500160013000a00330032002f0007000500040015001200090014001100080006000300ff0100001c00000014001200000f7777772e73736c6c6162732e636f6d00230000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("OpenSSL 1.0.1l ") short+=("openssl101l") @@ -2046,6 +2306,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("160301014f0100014b030332b230e5dd8c5573c219a243f397e31f407c7a93b60a26e7c3d5cca06a566fe1000094c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0100008e00000014001200000f6465762e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000d0020001e060106020603050105020503040104020403030103020303020102020203000500050100000000000f000101") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("OpenSSL 1.0.2e ") short+=("openssl102") @@ -2055,6 +2318,9 @@ run_client_simulation() { sni+=("$SNI") #warning+=("Tests are based on OpenSSL 1.0.1, therefore ciphers 0xe and 0xb are missing") warning+=("") + handshakebytes+=("16030101590100015503032a9db79b37d9364a9a685dc25bfec88c21ef88c206a20b9801108c67607e79800000b6c030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a400a200a0009e00670040003f003e0033003200310030009a0099009800970045004400430042c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc00200050004c012c008001600130010000dc00dc003000a00150012000f000c000900ff0100007600000014001200000f6465762e73736c6c6162732e636f6d000b000403000102000a001c001a00170019001c001b0018001a0016000e000d000b000c0009000a00230000000d0020001e060106020603050105020503040104020403030103020303020102020203000500050100000000000f000101") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 5.1.9/ OSX 10.6.8 ") short+=("safari519_osx1068") @@ -2063,6 +2329,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("160301009d01000099030151d15dc2887b1852fd4291e36c3f4e8a35266e15dd6354779fbf5438b59b42da000046c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110100002a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Safari 6 / iOS 6.0.1 ") short+=("safari6_ios601") @@ -2071,14 +2340,20 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300bf010000bb030351d15ce21834380a8b5f491a00790b6d097014bb1e04124706631c6a6a3f973800005800ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c004c005c002c003c00ec00fc00cc00d003d003c002f000500040035000a0067006b003300390016c006c010c001c00b003b000200010100003a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a05010401020104030203") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 6.0.4/ OS X 10.8.4 ") short+=("safari604_osx1084") protos+=("-no_ssl2 -no_tls1_2 -no_tls1_1") ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA") - tlsvers+=("-tls1_2 -tls1_1 -tls1") + tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100a9010000a5030151fa327c6576dadde1e8a89d4d45bdc1d0c107b8cbe998337e02ca419a0bcb30204dd1c85d9fbc1607b27a35ec9dfd1dae2c589483843a73999c9de205748633b1003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0033003900160100002a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Safari 7 / iOS 7.1 ") short+=("safari7_ios71") @@ -2087,6 +2362,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b1010000ad0303532017204048bb5331c62bf295ab4c2f2b3964f515c649a7d0947c8102d7348600004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b0033003900160100003a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a05010401020104030203") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 7 / OS X 10.9 ") short+=("safari7_osx109") @@ -2095,6 +2373,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d1010000cd030351fa3664edce86d82606540539ccd388418b1a5cb8cfda5e15349c635d4b028b203bf83c63e3da6777e407300b5d657e429f11cd7d857977e4390fda365b8d4664004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b0033003900160100003a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a05010401020104030203") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 8 / iOS 8.4 ") short+=("safari8_ios84") @@ -2103,6 +2384,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b5010000b1030354c20f1647345d0cac1db29f0489aab5e2016e6b2baca65e8c5eb6dd48a1fcd400004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c000500040100003e00000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a0501040102010403020333740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 8 / OS X 10.10 ") short+=("safari8_osx1010") @@ -2111,6 +2395,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b5010000b1030354c20a44e0d7681f3d55d7e9a764b67e6ffa6722c17b21e15bc2c9c98892460a00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c000500040100003e00000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a0501040102010403020333740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 9 / iOS 9 ") short+=("safari9_ios9") @@ -2119,6 +2406,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100e2010000de030355fb38fdc94c6c1ff6ee066f0e69579f40a83ce5454787e8834b60fd8c31e5ac00003400ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000ac007c011000500040100008100000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000e000c0501040102010503040302033374000000100030002e0268320568322d31360568322d31350568322d313408737064792f332e3106737064792f3308687474702f312e3100050005010000000000120000") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Safari 9 / OS X 10.11 ") short+=("safari9_osx1011") @@ -2127,6 +2417,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100e2010000de030355def1c4d1f6a12227389012da236581104b0bfa8b8a5bc849372531349dccc600003400ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000ac007c011000500040100008100000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000e000c0501040102010503040302033374000000100030002e0268320568322d31360568322d31350568322d313408737064792f332e3106737064792f3308687474702f312e3100050005010000000000120000") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") outln pr_headlineln " Running browser simulations (experimental) " @@ -2136,17 +2429,29 @@ run_client_simulation() { for name in "${short[@]}"; do #FIXME: printf formatting would look better, especially if we want a wide option here out " ${names[i]} " - $OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE - debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $ERRFILE + fi + else + $OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE + debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE @@ -2172,6 +2477,7 @@ run_client_simulation() { fi #FiXME: awk cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://') + $using_sockets && [[ -n "${handshakebytes[i]}" ]] && cipher="$(rfc2openssl "$cipher")" outln "$proto $cipher" if [[ -n "${warning[i]}" ]]; then out " " @@ -4244,6 +4550,7 @@ parse_tls_serverhello() { TLS_TIME="" DETECTED_TLS_VERSION="" + [[ -n "$tls_hello_ascii" ]] && echo "CONNECTED(00000003)" > $TMPFILE # $tls_hello_ascii may contain trailing whitespace. Remove it: tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}" @@ -4474,6 +4781,19 @@ parse_tls_serverhello() { let offset=74+$tls_sid_len tls_compression_method="${tls_serverhello_ascii:$offset:2}" + if [[ "$tls_protocol2" == "0300" ]]; then + echo "Protocol : SSLv3" >> $TMPFILE + else + echo "Protocol : TLSv1.$((0x$tls_protocol2-0x0301))" >> $TMPFILE + fi + echo "===============================================================================" >> $TMPFILE + if [[ "${tls_cipher_suite:0:2}" == "00" ]]; then + echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:2:2}"))" >> $TMPFILE + else + echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:0:4}"))" >> $TMPFILE + fi + echo "===============================================================================" >> $TMPFILE + if [[ $DEBUG -ge 2 ]]; then echo "TLS server hello message:" if [[ $DEBUG -ge 4 ]]; then @@ -4496,6 +4816,7 @@ parse_tls_serverhello() { esac outln fi + tmpfile_handle $FUNCNAME.txt return 0 } From 48d5e5a7a13e501b0bdca95bb76dc84c1dcd1ad5 Mon Sep 17 00:00:00 2001 From: Christoph Badura Date: Fri, 3 Jun 2016 19:06:35 +0200 Subject: [PATCH 04/20] Drop remaining '\c's in printf(1) arguments. --- testssl.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index cb8147e..7e96b77 100755 --- a/testssl.sh +++ b/testssl.sh @@ -357,7 +357,7 @@ pr_svrty_criticalln(){ pr_svrty_critical "$1"; outln; } # color=1 functions -pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m\c"; } +pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m"; } pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; } pr_boldln() { pr_bold "$1" ; outln; } pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; } @@ -4841,7 +4841,7 @@ tls_sockets() { # mainly adapted from https://gist.github.com/takeshixx/10107280 run_heartbleed(){ [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln - pr_bold " Heartbleed\c"; out " (CVE-2014-0160) " + pr_bold " Heartbleed"; out " (CVE-2014-0160) " [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then @@ -5255,7 +5255,7 @@ run_crime() { # $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI /dev/null >$TMPFILE # if [[ $? -eq 0 ]]; then # echo -# pr_bold "CRIME Vulnerability, SPDY \c" ; outln "(CVE-2012-4929): \c" +# pr_bold "CRIME Vulnerability, SPDY " ; outln "(CVE-2012-4929): " # STR=$(grep Compression $TMPFILE ) # if echo $STR | grep -q NONE >/dev/null; then From 0fd261eb6c8285c2bdbb412fab395d121243e157 Mon Sep 17 00:00:00 2001 From: Christoph Badura Date: Mon, 20 Jun 2016 21:51:40 +0200 Subject: [PATCH 05/20] Refactor date parsing. Makes testssl.sh work on NetBSD too. Introduce a parse_date() function to handle all date parsing. Check for the following date(1) variants: GNU: accepts "-d date-to-parse". FreeBSD/OS X: accepts "-j -f input-format" everything else: accepts "-j date-to-parse" usage: parse-date date output-format input-format Tested on NetBSD, OS X 10.11 and Debian jessie. --- testssl.sh | 45 +++++++++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/testssl.sh b/testssl.sh index 7e96b77..76afa65 100755 --- a/testssl.sh +++ b/testssl.sh @@ -109,9 +109,13 @@ else readonly REL_DATE=$(tail -5 "$0" | awk '/dirkw Exp/ { print $5 }') fi readonly SYSTEM=$(uname -s) -date --help >/dev/null 2>&1 && \ +date -d @735275209 >/dev/null 2>&1 && \ readonly HAS_GNUDATE=true || \ readonly HAS_GNUDATE=false +# FreeBSD and OS X date(1) accept "-f inputformat" +date -j -f '%s' 1234567 >/dev/null 2>&1 && \ + readonly HAS_FREEBSDDATE=true || \ + readonly HAS_FREEBSDDATE=false echo A | sed -E 's/A//' >/dev/null 2>&1 && \ readonly HAS_SED_E=true || \ readonly HAS_SED_E=false @@ -609,6 +613,20 @@ wait_kill(){ return 3 # means killed } +# parse_date date format input-format +if "$HAS_GNUDATE"; then # Linux and NetBSD + parse_date() { + LC_ALL=C date -d "$1" "$2" + } +elif "$HAS_FREEBSDDATE"; then # FreeBSD and OS X + parse_date() { + LC_ALL=C date -j -f "$3" "$2" "$1" + } +else + parse_date() { + LC_ALL=C date -j "$2" "$1" + } +fi ###### check code starts here ###### @@ -830,11 +848,7 @@ run_http_date() { out "not tested as we're not targeting HTTP" else if [[ -n "$HTTP_TIME" ]]; then - if "$HAS_GNUDATE"; then - HTTP_TIME=$(date --date="$HTTP_TIME" "+%s") - else - HTTP_TIME=$(LC_ALL=C date -j -f "%a, %d %b %Y %T %Z" "$HTTP_TIME" "+%s" 2>>$ERRFILE) # the trailing \r confuses BSD flavors otherwise - fi + HTTP_TIME=$(parse_date "$HTTP_TIME" "+%s" "%a, %d %b %Y %T %Z" 2>>$ERRFILE) # the trailing \r confuses BSD flavors otherwise difftime=$((HTTP_TIME - $NOW_TIME)) [[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime" @@ -3511,15 +3525,9 @@ certificate_info() { out "$indent"; pr_bold " Certificate Expiration " - if "$HAS_GNUDATE"; then - enddate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z") - startdate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M") - days2expire=$(( $(date --date="$enddate" "+%s") - $(date "+%s") )) # in seconds - else - enddate=$(LC_ALL=C date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z") - startdate=$(LC_ALL=C date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M") - LC_ALL=C days2expire=$(( $(date -j -f "%F %H:%M %z" "$enddate" "+%s") - $(date "+%s") )) # in seconds - fi + enddate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z" "%b %d %T %Y %Z") + startdate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M" "%b %d %T %Y %Z") + days2expire=$(( $(parse_date "$enddate" "+%s" "%F %H:%M %z") - $(LC_ALL=C date "+%s") )) # in seconds days2expire=$((days2expire / 3600 / 24 )) if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then # we take the half of the thresholds for LE certificates @@ -4481,11 +4489,7 @@ parse_tls_serverhello() { echo " tls_sid_len: 0x$tls_sid_len_hex / = $((tls_sid_len/2))" fi echo -n " tls_hello_time: 0x$tls_hello_time " - if "$HAS_GNUDATE"; then - date --date="@$TLS_TIME" "+%Y-%m-%d %r" - else - LC_ALL=C date -j -f %s "$TLS_TIME" "+%Y-%m-%d %r" - fi + parse_date "$TLS_TIME" "+%Y-%m-%d %r" "%s" echo " tls_cipher_suite: 0x$tls_cipher_suite" echo -n " tls_compression_method: 0x$tls_compression_method " case $tls_compression_method in @@ -6154,6 +6158,7 @@ COLORBLIND: $COLORBLIND TERM_DWITH: $TERM_DWITH INTERACTIVE: $INTERACTIVE HAS_GNUDATE: $HAS_GNUDATE +HAS_FREEBSDDATE: $HAS_FREEBSDDATE HAS_SED_E: $HAS_SED_E SHOW_EACH_C: $SHOW_EACH_C From f8579ee2f7e52649b3a4c144ef78b2c4c3295f54 Mon Sep 17 00:00:00 2001 From: Florian Schuetz Date: Tue, 21 Jun 2016 08:57:39 +0200 Subject: [PATCH 06/20] Fix HSTS/HPKP includeSubDomains and preload being broken in file output. --- testssl.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index cb8147e..61e7790 100755 --- a/testssl.sh +++ b/testssl.sh @@ -855,19 +855,19 @@ run_http_date() { includeSubDomains() { if grep -aiqw includeSubDomains "$1"; then pr_done_good ", includeSubDomains" - return 1 + return 0 else pr_litecyan ", just this domain" - return 0 + return -1 fi } preload() { if grep -aiqw preload "$1"; then pr_done_good ", preload" - return 1 - else return 0 + else + return -1 fi } From 18c5f273c3334c9869abf87b3a6ae6618ebf7b7a Mon Sep 17 00:00:00 2001 From: Florian Schuetz Date: Tue, 21 Jun 2016 21:24:24 +0200 Subject: [PATCH 07/20] HSTS: check if max-age is present and nonzero --- testssl.sh | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index 61e7790..e7ca22c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -885,9 +885,18 @@ run_hsts() { if [[ $? -eq 0 ]]; then grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -waq "1" || out "(two HSTS header, using 1st one) " hsts_age_sec=$(sed -e 's/[^0-9]*//g' $TMPFILE | head -1) -#FIXME: test for number! - hsts_age_days=$(( hsts_age_sec / 86400)) - if [[ $hsts_age_days -gt $HSTS_MIN ]]; then + if [[ -n $hsts_age_sec ]]; then + hsts_age_days=$(( hsts_age_sec / 86400)) + else + hsts_age_days=-1 + fi + if [[ $hsts_age_days -eq -1 ]]; then + pr_svrty_medium "HSTS max-age is required but missing. Setting 15552000 s (180 days) or more is recommended" + fileout "hsts_time" "MEDIUM" "HSTS max-age missing. 15552000 s (180 days) or more recommnded" + elif [[ $hsts_age_days -eq 0 ]]; then + pr_svrty_medium "HSTS max-age is set to 0. HSTS is disabled" + fileout "hsts_time" "MEDIUM" "HSTS max-age set to 0. HSTS is disabled" + elif [[ $hsts_age_days -gt $HSTS_MIN ]]; then pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s" fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days" else From 6efc3e90f52e5926b0853d3b2fb221b631dcf452 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 23 Jun 2016 11:04:58 +0200 Subject: [PATCH 08/20] includes IPv6 check and is ready for other uname's --- utils/make-openssl.sh | 98 +++++++++++++++++++++++++++---------------- 1 file changed, 63 insertions(+), 35 deletions(-) diff --git a/utils/make-openssl.sh b/utils/make-openssl.sh index b24d4e6..7883e39 100755 --- a/utils/make-openssl.sh +++ b/utils/make-openssl.sh @@ -13,7 +13,7 @@ sleep 3 STDOPTIONS="--prefix=/usr/ --openssldir=/etc/ssl -DOPENSSL_USE_BUILD_DATE enable-zlib \ enable-ssl2 enable-ssl3 enable-ssl-trace enable-rc5 enable-rc2 \ enable-gost enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \ -enable-seed enable-camellia enable-idea enable-rfc3779 experimental-jpake -DTEMP_GOST_TLS" +enable-seed enable-camellia enable-idea enable-rfc3779 experimental-jpake" clean() { case $NOCLEAN in @@ -42,48 +42,76 @@ makeall() { copyfiles() { echo; apps/openssl version -a; echo - cp -p apps/openssl ../openssl.$(uname).$(uname -m).$1 - echo + if grep static <<< "$1"; then + cp -p apps/openssl ../openssl.$(uname).$(uname -m) + else + cp -p apps/openssl ../openssl.$(uname).$(uname -m).krb5 + fi return $? } -case $(uname -m) in - "i686") clean - if [[ "$1" = krb ]]; then - name2add=krb - ./config $STDOPTIONS no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT - else - name2add=static - ./config $STDOPTIONS no-ec_nistp_64_gcc_128 -static - fi - [ $? -ne 0 ] && error "configuring" - makeall && copyfiles "$name2add" - [ $? -ne 0 ] && error "copying files" - apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l - echo - echo "------------ all ok ------------" +testv6_patch() { + if grep -q 'ending bracket for IPv6' apps/s_socket.c; then + STDOPTIONS += "-DOPENSSL_USE_IPV6" + else echo - ;; - "x86_64") clean - if [[ "$1" = krb ]]; then - name2add=krb - ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT - else - name2add=static - ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 -static - fi - [ $? -ne 0 ] && error "configuring" - makeall && copyfiles "$name2add" - [ $? -ne 0 ] && error "copying files" - apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l + echo "no IPv6 patch (Fedora) detected!! -- Press ^C and dl & apply from" + echo "https://github.com/drwetter/testssl.sh/blob/master/bin/fedora-dirk-ipv6.diff" + echo "or press any key to ignore" echo - echo "------------ all ok ------------" - echo + read a + fi +} + + +testv6_patch + + +case $(uname) in + Linux|FreeBSD) + case $(uname -m) in + "i686") clean + if [[ "$1" = krb ]]; then + name2add=krb + ./config $STDOPTIONS no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT + else + name2add=static + ./config $STDOPTIONS no-ec_nistp_64_gcc_128 -static + fi + [ $? -ne 0 ] && error "configuring" + makeall && copyfiles "$name2add" + [ $? -ne 0 ] && error "copying files" + apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l + echo + echo "------------ all ok ------------" + echo + ;; + "x86_64") clean + if [[ "$1" = krb ]]; then + name2add=krb + ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT + else + name2add=static + ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 -static + fi + [ $? -ne 0 ] && error "configuring" + makeall && copyfiles "$name2add" + [ $? -ne 0 ] && error "copying files" + apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l + echo + echo "------------ all ok ------------" + echo + ;; + *) echo " Sorry, don't know this architecture $(uname -m)" + exit 1 + ;; + esac ;; - *) echo " Sorry, don't know this architecture $(uname -m)" - exit 1 + Darwin) + ;; esac + # vim:tw=90:ts=5:sw=5 # $Id: make-openssl.sh,v 1.14 2015/07/20 19:40:54 dirkw Exp $ From 6eedd5747f7ac86672a671b4998731b055937842 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 23 Jun 2016 11:13:11 +0200 Subject: [PATCH 09/20] wrong language fix ;-) --- utils/make-openssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/make-openssl.sh b/utils/make-openssl.sh index 7883e39..094e559 100755 --- a/utils/make-openssl.sh +++ b/utils/make-openssl.sh @@ -52,7 +52,7 @@ copyfiles() { testv6_patch() { if grep -q 'ending bracket for IPv6' apps/s_socket.c; then - STDOPTIONS += "-DOPENSSL_USE_IPV6" + STDOPTIONS="$STDOPTIONS -DOPENSSL_USE_IPV6" else echo echo "no IPv6 patch (Fedora) detected!! -- Press ^C and dl & apply from" From ef237039031c9f5155ed1dc374cc86953379644d Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 23 Jun 2016 12:04:45 +0200 Subject: [PATCH 10/20] fix for #389 --- testssl.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index e7ca22c..8e37eef 100755 --- a/testssl.sh +++ b/testssl.sh @@ -858,7 +858,7 @@ includeSubDomains() { return 0 else pr_litecyan ", just this domain" - return -1 + return 1 fi } @@ -867,7 +867,7 @@ preload() { pr_done_good ", preload" return 0 else - return -1 + return 1 fi } @@ -5774,7 +5774,7 @@ run_lucky13() { # in a nutshell: don't offer CBC suites (again). MAC as a fix for padding oracles is not enough. Best: TLS v1.2+ AES GCM echo "FIXME" fileout "lucky13" "WARN" "LUCKY13 (CVE-2013-0169) : No tested. Not implemented. #FIXME" - return -1 + return 1 } @@ -7496,4 +7496,4 @@ fi exit $? -# $Id: testssl.sh,v 1.502 2016/06/15 19:31:09 dirkw Exp $ +# $Id: testssl.sh,v 1.503 2016/06/23 10:04:44 dirkw Exp $ From 68353db42b072eb6e0672b08dd232e7c73a2478f Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 23 Jun 2016 14:33:26 +0200 Subject: [PATCH 11/20] polishing #382 --- testssl.sh | 46 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/testssl.sh b/testssl.sh index 7785e5e..ffeb15f 100755 --- a/testssl.sh +++ b/testssl.sh @@ -153,7 +153,7 @@ WIDE=${WIDE:-false} # whether to display for some options th LOGFILE=${LOGFILE:-""} # logfile if used JSONFILE=${JSONFILE:-""} # jsonfile if used CSVFILE=${CSVFILE:-""} # csvfile if used -APPEND=false # append file in stead of overwriting +APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs) @@ -458,7 +458,7 @@ strip_quote() { } fileout_header() { - if [[ $APPEND ]]; then + if "$APPEND"; then if [[ -f "$JSONFILE" ]]; then FIRST_FINDING=false # We need to insert a comma, because there is file content already else @@ -6106,11 +6106,12 @@ output options (can also be preset via environment variables): file output options (can also be preset via environment variables): --log, --logging logs stdout to in current working directory - --logfile logs stdout to if file is a dir or to specified file - --json additional output of findings to JSON file in cwd (experimental) - --jsonfile additional output to JSON and output JSON to the specified file (experimental) - --csv additional output of findings to CSV file in cwd (experimental) - --csvfile set output to CSV and output CSV to the specified file (experimental) + --logfile logs stdout to if file is a dir or to specified log file + --json additional output of findings to JSON file in cwd + --jsonfile additional output to JSON and output JSON to the specified file + --csv additional output of findings to CSV file in cwd + --csvfile set output to CSV and output CSV to the specified file + --append if or exists rather append then overwrite All options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl . @@ -6263,7 +6264,7 @@ cleanup () { [[ -d "$TEMPDIR" ]] && rm -rf "$TEMPDIR"; fi outln - [[ $APPEND ]] || fileout_footer + "$APPEND" || fileout_footer } fatal() { @@ -6884,6 +6885,33 @@ mx_all_ips() { return $ret } + +run_mass_testing_parallel() { + local cmdline="" + local global_cmdline=${CMDLINE%%--file*} + + if [[ ! -r "$FNAME" ]] && $IKNOW_FNAME; then + fatal "Can't read file \"$FNAME\"" "-1" + fi + pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln + outln "(output is in ....\n)" +#FIXME: once this function is being called we need a handler which does the right thing +# ==> not overwrite + while read cmdline; do + cmdline=$(filter_input "$cmdline") + [[ -z "$cmdline" ]] && continue + [[ "$cmdline" == "EOF" ]] && break + cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" + draw_line "=" $((TERM_DWITH / 2)); outln; + determine_logfile + outln "$cmdline" + $cmdline >$LOGFILE & + sleep $PARALLEL_SLEEP + done < "$FNAME" + return $? +} + + run_mass_testing() { local cmdline="" local global_cmdline=${CMDLINE%%--file*} @@ -7491,4 +7519,4 @@ fi exit $? -# $Id: testssl.sh,v 1.503 2016/06/23 10:04:44 dirkw Exp $ +# $Id: testssl.sh,v 1.505 2016/06/23 12:33:25 dirkw Exp $ From 93204937c55061bf3a5635495c0679f5696d04b2 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 23 Jun 2016 19:42:26 +0200 Subject: [PATCH 12/20] FIX #376 --- testssl.sh | 69 ++++++++++++++++++++++++++++++++---------------------- 1 file changed, 41 insertions(+), 28 deletions(-) diff --git a/testssl.sh b/testssl.sh index ffeb15f..d05af23 100755 --- a/testssl.sh +++ b/testssl.sh @@ -125,9 +125,9 @@ tty -s && \ readonly INTERACTIVE=false if ! tput cols &>/dev/null || ! $INTERACTIVE; then # Prevent tput errors if running non interactive - TERM_DWITH=${COLUMNS:-80} + TERM_WIDTH=${COLUMNS:-80} else - TERM_DWITH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes + TERM_WIDTH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes fi TERM_CURRPOS=0 # custom line wrapping needs alter the current horizontal cursor pos @@ -6174,7 +6174,7 @@ MAPPING_FILE_RFC: $MAPPING_FILE_RFC CAPATH: $CAPATH COLOR: $COLOR COLORBLIND: $COLORBLIND -TERM_DWITH: $TERM_DWITH +TERM_WIDTH: $TERM_WIDTH INTERACTIVE: $INTERACTIVE HAS_GNUDATE: $HAS_GNUDATE HAS_FREEBSDDATE: $HAS_FREEBSDDATE @@ -6331,7 +6331,6 @@ ignore_no_or_lame() { } # arg1: URI -# arg2: protocol parse_hn_port() { local tmp_port @@ -6364,13 +6363,27 @@ parse_hn_port() { debugme echo $NODE:$PORT SNI="-servername $NODE" - # now do logging if instructed + URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port + URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> / + [[ -z "$URL_PATH" ]] && URL_PATH="/" + debugme echo $URL_PATH + return 0 # NODE, URL_PATH, PORT is set now +} + + +# now do logging if instructed +# arg1: for testing mx records name we put a name of logfile in here, otherwise we get strange file names +prepare_logging() { + local fname_prefix="$1" + + [[ -z "$fname_prefix" ]] && fname_prefix="$NODE" + if "$do_logging"; then if [[ -z "$LOGFILE" ]]; then - LOGFILE=$NODE-$(date +"%Y%m%d-%H%M".log) + LOGFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".log) elif [[ -d "$LOGFILE" ]]; then # actually we were instructed to place all files in a DIR instead of the current working dir - LOGFILE=$LOGFILE/$NODE-$(date +"%Y%m%d-%H%M".log) + LOGFILE=$LOGFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".log) else : # just for clarity: a log file was specified, no need to do anything else fi @@ -6384,32 +6397,26 @@ parse_hn_port() { if "$do_json"; then if [[ -z "$JSONFILE" ]]; then - JSONFILE=$NODE-$(date +"%Y%m%d-%H%M".json) + JSONFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".json) elif [[ -d "$JSONFILE" ]]; then # actually we were instructed to place all files in a DIR instead of the current working dir - JSONFILE=$JSONFILE/$NODE-$(date +"%Y%m%d-%H%M".json) + JSONFILE=$JSONFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".json) fi fi - if "$do_csv"; then if [[ -z "$CSVFILE" ]]; then - CSVFILE=$NODE-$(date +"%Y%m%d-%H%M".csv) + CSVFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".csv) elif [[ -d "$CSVFILE" ]]; then # actually we were instructed to place all files in a DIR instead of the current working dir - CSVFILE=$CSVFILE/$NODE-$(date +"%Y%m%d-%H%M".csv) + CSVFILE=$CSVFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".csv) fi fi - fileout_header # write out any CSV/JSON header line - URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port - URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> / - [[ -z "$URL_PATH" ]] && URL_PATH="/" - debugme echo $URL_PATH - return 0 # NODE, URL_PATH, PORT is set now + return 0 } - + # args: string containing ip addresses filter_ip6_address() { local a @@ -6845,7 +6852,7 @@ draw_line() { } -mx_all_ips() { +run_mx_all_ips() { local mxs mx local mxport local -i ret=0 @@ -6855,12 +6862,17 @@ mx_all_ips() { # test first higher priority servers mxs=$(get_mx_record "$1" | sort -n | sed -e 's/^.* //' -e 's/\.$//' | tr '\n' ' ') mxport=${2:-25} + if [[ -n "$LOGFILE" ]]; then + prepare_logging + else + prepare_logging "mx-$1" + fi if [[ -n "$mxs" ]] && [[ "$mxs" != ' ' ]]; then [[ $mxport == "465" ]] && \ STARTTLS_PROTOCOL="" # no starttls for Port 465, on all other ports we speak starttls pr_bold "Testing now all MX records (on port $mxport): "; outln "$mxs" for mx in $mxs; do - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln parse_hn_port "$mx:$mxport" determine_ip_addresses || continue @@ -6876,7 +6888,7 @@ mx_all_ips() { fi ret=$(($? + ret)) done - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln pr_bold "Done testing now all MX records (on port $mxport): "; outln "$mxs" else @@ -6902,7 +6914,7 @@ run_mass_testing_parallel() { [[ -z "$cmdline" ]] && continue [[ "$cmdline" == "EOF" ]] && break cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" - draw_line "=" $((TERM_DWITH / 2)); outln; + draw_line "=" $((TERM_WIDTH / 2)); outln; determine_logfile outln "$cmdline" $cmdline >$LOGFILE & @@ -6927,7 +6939,7 @@ run_mass_testing() { [[ -z "$cmdline" ]] && continue [[ "$cmdline" == "EOF" ]] && break cmdline="$0 $global_cmdline --warnings=batch -q --append $cmdline" - draw_line "=" $((TERM_DWITH / 2)); outln; + draw_line "=" $((TERM_WIDTH / 2)); outln; outln "$cmdline" $cmdline done < "${FNAME}" @@ -7482,10 +7494,11 @@ fi if $do_mx_all_ips; then query_globals # if we have just 1x "do_*" --> we do a standard run -- otherwise just the one specified [[ $? -eq 1 ]] && set_scanning_defaults - mx_all_ips "${URI}" $PORT + run_mx_all_ips "${URI}" $PORT # we should reduce run_mx_all_ips to the stuff neccessary as ~15 lines later we have sililar code ret=$? else parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now + prepare_logging if ! determine_ip_addresses && [[ -z "$CMDLINE_IP" ]]; then fatal "No IP address could be determined" fi @@ -7499,13 +7512,13 @@ else if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" for ip in $IPADDRs; do - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln NODEIP="$ip" lets_roll "${STARTTLS_PROTOCOL}" ret=$(($? + ret)) done - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs" else # we need just one ip4v to check @@ -7519,4 +7532,4 @@ fi exit $? -# $Id: testssl.sh,v 1.505 2016/06/23 12:33:25 dirkw Exp $ +# $Id: testssl.sh,v 1.506 2016/06/23 17:42:25 dirkw Exp $ From 5cb4b722b4ac0b1d31738c38023dae5c8fc35591 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 24 Jun 2016 19:01:00 +0200 Subject: [PATCH 13/20] in client simulation it should be TLSv1.0 instead of TLSv1.0 --- testssl.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index d05af23..cb91233 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2178,6 +2178,7 @@ run_client_simulation() { else #FIXME: awk proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') + [[ "$proto" == TLSv1 ]] && proto="TLSv1.0" if [[ "$proto" == TLSv1.2 ]]; then # OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is... for tls in ${tlsvers[i]}; do @@ -7532,4 +7533,4 @@ fi exit $? -# $Id: testssl.sh,v 1.506 2016/06/23 17:42:25 dirkw Exp $ +# $Id: testssl.sh,v 1.507 2016/06/24 17:00:58 dirkw Exp $ From 799c6a5fd023ed6215af708e037f3e65a4e6feef Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 24 Jun 2016 15:48:40 -0400 Subject: [PATCH 14/20] Handle missing $MAPPING_FILE_RFC Changed code for run_client_simulation() so that cipher is output when sockets are used even if $MAPPING_FILE_RFC is missing. Also, updated the client data. --- testssl.sh | 400 +++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 345 insertions(+), 55 deletions(-) diff --git a/testssl.sh b/testssl.sh index 83cf672..18ed336 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1998,6 +1998,13 @@ run_client_simulation() { local handshakebytes=() local lowest_protocol=() local highest_protocol=() + local service=() + local minDhBits=() + local maxDhBits=() + local minRsaBits=() + local maxRsaBits=() + local minEcdsaBits=() + local requiresSha2=() local i=0 local name tls proto cipher local using_sockets=true @@ -2015,13 +2022,20 @@ run_client_simulation() { names+=("Android 2.3.7 ") short+=("android_237") protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") - ciphers+=("RC4-MD5:RC4-SHA:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA") + ciphers+=("RC4-MD5:RC4-SHA:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA") tlsvers+=("-tls1") sni+=("") warning+=("") handshakebytes+=("160301004b010000470301531f3de6b36804738bbb94a6ecd570a544789c3bb0a6ef8b9d702f997d928d4b00002000040005002f00330032000a00160013000900150012000300080014001100ff0100") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Android 4.0.4 ") short+=("android_404") @@ -2033,6 +2047,13 @@ run_client_simulation() { handshakebytes+=("16030100c6010000c20301531f479cc7785f455ca7a70142af5be929c1ba931eedbf46dba6b6638da75e95000038c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc0020005000400ff020100006000000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f00100011001200130014001500160017001800190023000033740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Android 4.1.1 ") short+=("android_411") @@ -2044,6 +2065,13 @@ run_client_simulation() { handshakebytes+=("16030100d7010000d30301531f3f6dd9eb5f6b3586c628cc2cdc82cdb259b1a096237ba4df30dbbc0f26fb000044c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400ff020100006500000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f00010133740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Android 4.2.2 ") short+=("android_422") @@ -2055,6 +2083,12 @@ run_client_simulation() { handshakebytes+=("16030100d1010000cd0301531f40a89e11d5681f563f3dad094375227035d4e9d2c1654d7d3954e3254558000044c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400ff0100006000000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f001000110023000033740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Android 4.3 ") short+=("android_43") @@ -2066,6 +2100,13 @@ run_client_simulation() { handshakebytes+=("16030100d1010000cd0301531f41c3c5110dd688458e5e48e06d30814572ad7b8f9d9df1b0a8820b270685000044c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400ff0100006000000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f001000110023000033740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Android 4.4.2 ") short+=("android_442") @@ -2077,6 +2118,13 @@ run_client_simulation() { handshakebytes+=("16030100d1010000cd0303531f4317998fb70d57feded18c14433a1b665f963f7e3b1b045b6cc3d61bf21300004cc030c02cc014c00a00a3009f006b006a00390038009d003d0035c012c00800160013000ac02fc02bc027c023c013c00900a2009e0067004000330032009c003c002fc011c0070005000400ff0100005800000014001200000f7777772e73736c6c6162732e636f6d000b00020100000a0008000600190018001700230000000d00220020060106020603050105020503040104020403030103020303020102020203010133740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Android 5.0.0 ") short+=("android_500") @@ -2088,6 +2136,13 @@ run_client_simulation() { handshakebytes+=("16030100bd010000b9030354c21737f3d9d10696c91debf12415f9c45833a83cfbbd4c60c9b91407d2316b000038cc14cc13cc15c014c00a003900380035c012c00800160013000ac02fc02bc013c00900a2009e00330032009c002fc011c0070005000400ff0100005800000014001200000f6465762e73736c6c6162732e636f6d00230000000d00220020060106020603050105020503040104020403030103020303020102020203010133740000000b00020100000a00080006001900180017") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Baidu Jan 2015 ") short+=("baidu_jan_2015") @@ -2099,6 +2154,13 @@ run_client_simulation() { handshakebytes+=("16030100a30100009f030154c1a814c755540538a93b25e7824623d0ee9fc294ee752869cf76819edb3aa200004800ffc00ac0140088008700390038c00fc00500840035c007c009c011c0130045004400330032c00cc00ec002c0040096004100040005002fc008c01200160013c00dc003feff000a0100002e00000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b0002010000230000") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("BingPreview Jan 2015 ") short+=("bingpreview_jan_2015") @@ -2110,6 +2172,13 @@ run_client_simulation() { handshakebytes+=("16030101510100014d030354c13b79c1ca7169ae70c45d43311f9290d8ac1e326dfc36ff0aa99ea85406d50000a0c030c02cc028c024c014c00ac022c02100a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c012c008c01cc01b00160013c00dc003000ac02fc02bc027c023c013c009c01fc01e00a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff020100008300000014001200000f6465762e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000d002200200601060206030501050205030401040204030301030203030201020202030101000f000101") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Chrome 47 / OSX ") short+=("chrome_47_osx") @@ -2121,6 +2190,13 @@ run_client_simulation() { handshakebytes+=("16030100ca010000c6030361f8858af23cda649baf596105ec66bfe5b4642046c486e3e5321b26588392f400001ec02bc02f009ecc14cc13c00ac0140039c009c0130033009c0035002f000a0100007fff0100010000000014001200000f6465762e73736c6c6162732e636f6d0017000000230000000d001600140601060305010503040104030301030302010203000500050100000000337400000012000000100017001508687474702f312e3108737064792f332e3102683275500000000b00020100000a0006000400170018") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(8192) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Firefox 31.3.0ESR / Win7 ") short+=("firefox_3130esr_win7") @@ -2132,8 +2208,15 @@ run_client_simulation() { handshakebytes+=("16030100b1010000ad030357ce74b9799a67f62ffd7f53fde81675039c3597b2b17f9e18dbbbd418dd68f600002ec02bc02fc00ac009c013c014c012c007c0110033003200450039003800880016002f004100350084000a000500040100005600000014001200000f6465762e73736c6c6162732e636f6dff01000100000a00080006001700180019000b000201000023000033740000000500050100000000000d0012001004010501020104030503020304020202") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Firefox 42 / OSX ") + names+=("Firefox 42 OS X ") short+=("firefox_42_osx") protos+=("-no_ssl2 -no_ssl3") ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") @@ -2143,6 +2226,13 @@ run_client_simulation() { handshakebytes+=("16030100b8010000b403038abe51f10e414011c88d4807c3cf465ae02ba1ef74dd1d59a0b8f04c4f13c969000016c02bc02fc00ac009c013c01400330039002f0035000a0100007500000014001200000f6465762e73736c6c6162732e636f6dff01000100000a00080006001700180019000b00020100002300003374000000100017001502683208737064792f332e3108687474702f312e31000500050100000000000d001600140401050106010201040305030603020304020202") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(1023) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("GoogleBot Feb 2015 ") short+=("googlebot_feb_2015") @@ -2154,9 +2244,16 @@ run_client_simulation() { handshakebytes+=("16030100db010000d70303d9c72e000f6a7f0a156840bd4aa9fd0612df4aeb69a1a1c6452c5f1f4d0ba6b000002ac02bc02fc007c011c009c013c00ac014009c00050004002f000a003500330032001600130039003800ff0100008400000014001200000f6465762e73736c6c6162732e636f6d00230000000d0020001e06010602060305010502050304010402040303010302030302010202020333740000000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE6 / XP ") - short+=("ie6_xp") + names+=("IE 6 XP ") + short+=("ie_6_xp") protos+=("-no_tls1_2 -no_tls1_1 -no_tls1") tlsvers+=("") ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:RC4-MD5:DES-CBC3-MD5:RC2-CBC-MD5:DES-CBC-SHA:DES-CBC-MD5:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA") @@ -2165,9 +2262,16 @@ run_client_simulation() { handshakebytes+=("804c01030000330000001000000400000500000a0100800700c003008000000906004000006400006200000300000602008004008000001300001200006317411550ac4c45ccbc8f4538dbc56d3a") lowest_protocol+=("0x0200") highest_protocol+=("0x0300") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE7 / Vista ") - short+=("ie7_vista") + names+=("IE 7 Vista ") + short+=("ie_7_vista") protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") tlsvers+=("-tls1") @@ -2176,9 +2280,16 @@ run_client_simulation() { handshakebytes+=("160301007d01000079030151fa62ab452795b7003c5f93ab677dbf57dd62bfa39e0ffaaeabe45b06552452000018002f00350005000ac009c00ac013c01400320038001300040100003800000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a00080006001700180019000b00020100ff01000100") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE8 / XP ") - short+=("ie8_xp") + names+=("IE 8 XP ") + short+=("ie_8_xp") protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA") tlsvers+=("-tls1") @@ -2187,9 +2298,16 @@ run_client_simulation() { handshakebytes+=("16030100410100003d030151fa5ac223f1d72558e48bb4f144baa494403ca6c360349cbd1449997d8dd1ec00001600040005000a000900640062000300060013001200630100") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE8-10 / Win7 ") - short+=("ie10_win7") + names+=("IE 8-10 Win 7 ") + short+=("ie_8-10_win7") protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") tlsvers+=("-tls1") @@ -2198,9 +2316,16 @@ run_client_simulation() { handshakebytes+=("160301007b01000077030151d156b7a2f14154f4e58272d8e272392bb33c1110f21d3b7a3ea2b09fb14c5a000018002f00350005000ac013c014c009c00a003200380013000401000036ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE11 / Win7 ") - short+=("ie11_win7") + names+=("IE 11 Win 7 ") + short+=("ie_11_win7") protos+=("-no_ssl2") ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2209,9 +2334,16 @@ run_client_simulation() { handshakebytes+=("16030300a10100009d0303528113a0e622051411874ae3411d7e9f63c4f2671cec1d9c87f2654f88c1bed400002a003c002f003d00350005000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001300040100004aff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e0401050102010403050302030202") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE11 / Win8.1 ") - short+=("ie11_win81") + names+=("IE 11 Win 8.1 ") + short+=("ie_11_win81") protos+=("-no_ssl2") ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2220,9 +2352,16 @@ run_client_simulation() { handshakebytes+=("16030300bb010000b7030352678fd707022be386508c7e5837f03bcb1b91c372733322f87872ff873af1db000026003c002f003d0035000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001301000068ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000100012001006737064792f3308687474702f312e3133740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE10 / Win Phone 8.0 ") - short+=("ie10_winphone_80") + names+=("IE 10 Win Phone 8.0 ") + short+=("ie_10_winphone80") protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") tlsvers+=("-tls1") @@ -2231,9 +2370,16 @@ run_client_simulation() { handshakebytes+=("160301007f0100007b0301536487d458b1a364f27085798ca9e06353f0b300baeecd775e6ccc90a97037c2000018002f00350005000ac013c014c009c00a00320038001300040100003aff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b0002010000230000") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE11 / Win Phone 8.1 ") - short+=("ie10_winphone_81") + names+=("IE 11 Win Phone 8.1 ") + short+=("ie_11_winphone81") protos+=("-no_ssl2") ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2242,9 +2388,16 @@ run_client_simulation() { handshakebytes+=("16030300bb010000b703035363d297ad92a8fe276a4e5b9395d593e96fff9c3df0987e5dfbab544ce05832000026003c002f003d0035000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001301000068ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000100012001006737064792f3308687474702f312e3133740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE11 / Win Phone 8.1 Update") - short+=("ie10_winphone_81_update") + names+=("IE 11 Win Phone 8.1 Update ") + short+=("ie_11_winphone81update") protos+=("-no_ssl2") ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2253,9 +2406,16 @@ run_client_simulation() { handshakebytes+=("16030300c5010000c103035537a79a55362d42c3b3308fea91e85c5656021153d0a4baf03e7fef6e315c72000030c028c027c014c013009f009e009d009c003d003c0035002fc02cc02bc024c023c00ac009006a004000380032000a001301000068ff0100010000000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000100012001006737064792f3308687474702f312e3133740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("IE11 / Win10 ") - short+=("ie11_win10") + names+=("IE 11 Win 10 ") + short+=("ie_11_win10") protos+=("-no_ssl2 -no_ssl3") ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2264,9 +2424,16 @@ run_client_simulation() { handshakebytes+=("16030300c9010000c50303558923f4d57c2d79aba0360f4030073f0554d057176bd610fb2aa74ee4407361000034c030c02fc028c027c014c013009f009e009d009c003d003c0035002fc02cc02bc024c023c00ac009006a004000380032000a00130100006800000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d00140012040105010201040305030203020206010603002300000010000e000c02683208687474702f312e3100170000ff01000100") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(4096) + minRsaBits+=(-1) + maxRsaBits+=(16384) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Edge 13 / Win10 ") - short+=("edge13_win10") + names+=("Edge 13 Win 10 ") + short+=("edge_13_win10") protos+=("-no_ssl2 -no_ssl3") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2275,9 +2442,16 @@ run_client_simulation() { handshakebytes+=("16030300d3010000cf0303565ee009f8e3f685347567b3edfd626034a1125966e4d818ec6f57a022d2fc9e000034c02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a006a00400038003200130100007200000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d00140012040105010201040305030203020206010603002300000010000e000c02683208687474702f312e310017000055000006000100020002ff01000100") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(4096) + minRsaBits+=(-1) + maxRsaBits+=(16384) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Edge 13 / Win Phone 10 ") - short+=("edge13_winphone10") + names+=("Edge 13 Win Phone 10 ") + short+=("edge_13_winphone10") protos+=("-no_ssl2 -no_ssl3") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2286,9 +2460,16 @@ run_client_simulation() { handshakebytes+=("16030300d3010000cf0303565ee836e62e7b9b734f4dca5f3f1ad62dc4e5f87bdf6c90f325b6a2e0012705000034c02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a006a00400038003200130100007200000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d00140012040105010201040305030203020206010603002300000010000e000c02683208687474702f312e310017000055000006000100020002ff01000100") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(4096) + minRsaBits+=(-1) + maxRsaBits+=(16384) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Java 6u45 ") - short+=("java6u45") + short+=("java_6u45") protos+=("-no_tls1_2 -no_tls1_1") ciphers+=("RC4-MD5:RC4-MD5:RC4-SHA:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC-SHA:DES-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA") tlsvers+=("-tls1") @@ -2297,9 +2478,16 @@ run_client_simulation() { handshakebytes+=("8065010301003c0000002000000401008000000500002f00003300003200000a0700c00000160000130000090600400000150000120000030200800000080000140000110000ff52173357f48ce6722f974dbb429b9279208d1cf5b9088947c9ba16d9ecbc0fa6") lowest_protocol+=("0x0200") highest_protocol+=("0x0301") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(1024) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Java 7u25 ") - short+=("java7u25") + short+=("java_7u25") protos+=("-no_ssl2 -no_tls1_2 -no_tls1_1") ciphers+=("ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") tlsvers+=("-tls1") @@ -2308,9 +2496,16 @@ run_client_simulation() { handshakebytes+=("16030100ad010000a9030152178334e8b855253e50e4623e475b6941c18cc312de6395a98e1cd4fd6735e700002ac009c013002fc004c00e00330032c007c0110005c002c00cc008c012000ac003c00d00160013000400ff01000056000a0034003200170001000300130015000600070009000a0018000b000c0019000d000e000f001000110002001200040005001400080016000b0002010000000014001200000f7777772e73736c6c6162732e636f6d") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(1024) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("Java 8u31 ") - short+=("java8u31") + short+=("java_8u31") protos+=("-no_ssl2 -no_ssl3") ciphers+=("ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2319,9 +2514,16 @@ run_client_simulation() { handshakebytes+=("16030300e7010000e3030354c21168512b37f2a7410028c16673626ff931146918c7b29f78150b7339e5af000046c023c027003cc025c02900670040c009c013002fc004c00e00330032c02bc02f009cc02dc031009e00a2c008c012000ac003c00d00160013c007c0110005c002c00c000400ff01000074000a0034003200170001000300130015000600070009000a0018000b000c0019000d000e000f001000110002001200040005001400080016000b00020100000d001a001806030601050305010403040103030301020302010202010100000014001200000f6465762e73736c6c6162732e636f6d") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(2048) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("OpenSSL 0.9.8y ") - short+=("openssl098y") + short+=("openssl_098y") protos+=("-no_ssl2 -no_tls1_2 -no_tls1_1") ciphers+=("DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5") tlsvers+=("-tls1") @@ -2330,9 +2532,16 @@ run_client_simulation() { handshakebytes+=("16030100730100006f0301521782e707c1a780d3124742f35573dbb693babe5d3a7e9405c706af18b636bf00002a00390038003500160013000a00330032002f0007000500040015001200090014001100080006000300ff0100001c00000014001200000f7777772e73736c6c6162732e636f6d00230000") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("OpenSSL 1.0.1l ") - short+=("openssl101l") + short+=("openssl_101l") protos+=("-no_ssl2") ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2341,11 +2550,18 @@ run_client_simulation() { handshakebytes+=("160301014f0100014b030332b230e5dd8c5573c219a243f397e31f407c7a93b60a26e7c3d5cca06a566fe1000094c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0100008e00000014001200000f6465762e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000d0020001e060106020603050105020503040104020403030103020303020102020203000500050100000000000f000101") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) names+=("OpenSSL 1.0.2e ") - short+=("openssl102") + short+=("openssl_102e") protos+=("-no_ssl2") - ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5") + ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") #warning+=("Tests are based on OpenSSL 1.0.1, therefore ciphers 0xe and 0xb are missing") @@ -2353,9 +2569,16 @@ run_client_simulation() { handshakebytes+=("16030101590100015503032a9db79b37d9364a9a685dc25bfec88c21ef88c206a20b9801108c67607e79800000b6c030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a400a200a0009e00670040003f003e0033003200310030009a0099009800970045004400430042c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc00200050004c012c008001600130010000dc00dc003000a00150012000f000c000900ff0100007600000014001200000f6465762e73736c6c6162732e636f6d000b000403000102000a001c001a00170019001c001b0018001a0016000e000d000b000c0009000a00230000000d0020001e060106020603050105020503040104020403030103020303020102020203000500050100000000000f000101") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Safari 5.1.9/ OSX 10.6.8 ") - short+=("safari519_osx1068") + names+=("Safari 5.1.9 OS X 10.6.8 ") + short+=("safari_519_osx1068") protos+=("-no_ssl2 -no_tls1_2 -no_tls1_1") ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA") tlsvers+=("-tls1") @@ -2364,9 +2587,16 @@ run_client_simulation() { handshakebytes+=("160301009d01000099030151d15dc2887b1852fd4291e36c3f4e8a35266e15dd6354779fbf5438b59b42da000046c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110100002a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(4096) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Safari 6 / iOS 6.0.1 ") - short+=("safari6_ios601") + names+=("Safari 6 iOS 6.0.1 ") + short+=("safari_6_ios601") protos+=("-no_ssl2") ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA:ECDHE-ECDSA-NULL-SHA:ECDHE-RSA-NULL-SHA:ECDH-ECDSA-NULL-SHA:ECDH-RSA-NULL-SHA:NULL-SHA256:NULL-SHA:NULL-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2375,9 +2605,16 @@ run_client_simulation() { handshakebytes+=("16030300bf010000bb030351d15ce21834380a8b5f491a00790b6d097014bb1e04124706631c6a6a3f973800005800ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c004c005c002c003c00ec00fc00cc00d003d003c002f000500040035000a0067006b003300390016c006c010c001c00b003b000200010100003a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a05010401020104030203") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(4096) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Safari 6.0.4/ OS X 10.8.4 ") - short+=("safari604_osx1084") + names+=("Safari 6.0.4 OS X 10.8.4 ") + short+=("safari_604_osx1084") protos+=("-no_ssl2 -no_tls1_2 -no_tls1_1") ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA") tlsvers+=("-tls1") @@ -2386,9 +2623,16 @@ run_client_simulation() { handshakebytes+=("16030100a9010000a5030151fa327c6576dadde1e8a89d4d45bdc1d0c107b8cbe998337e02ca419a0bcb30204dd1c85d9fbc1607b27a35ec9dfd1dae2c589483843a73999c9de205748633b1003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0033003900160100002a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(4096) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Safari 7 / iOS 7.1 ") - short+=("safari7_ios71") + names+=("Safari 7 iOS 7.1 ") + short+=("safari_7_ios71") protos+=("-no_ssl2") ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2397,9 +2641,16 @@ run_client_simulation() { handshakebytes+=("16030100b1010000ad0303532017204048bb5331c62bf295ab4c2f2b3964f515c649a7d0947c8102d7348600004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b0033003900160100003a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a05010401020104030203") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(4096) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Safari 7 / OS X 10.9 ") - short+=("safari7_osx109") + names+=("Safari 7 OS X 10.9 ") + short+=("safari_7_osx109") protos+=("-no_ssl2") ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2408,9 +2659,16 @@ run_client_simulation() { handshakebytes+=("16030100d1010000cd030351fa3664edce86d82606540539ccd388418b1a5cb8cfda5e15349c635d4b028b203bf83c63e3da6777e407300b5d657e429f11cd7d857977e4390fda365b8d4664004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b0033003900160100003a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a05010401020104030203") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(4096) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Safari 8 / iOS 8.4 ") - short+=("safari8_ios84") + names+=("Safari 8 iOS 8.4 ") + short+=("safari_8_ios84") protos+=("-no_ssl2") ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2419,9 +2677,16 @@ run_client_simulation() { handshakebytes+=("16030100b5010000b1030354c20f1647345d0cac1db29f0489aab5e2016e6b2baca65e8c5eb6dd48a1fcd400004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c000500040100003e00000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a0501040102010403020333740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(768) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(4096) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Safari 8 / OS X 10.10 ") - short+=("safari8_osx1010") + names+=("Safari 8 OS X 10.10 ") + short+=("safari_8_osx1010") protos+=("-no_ssl2") ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2430,9 +2695,16 @@ run_client_simulation() { handshakebytes+=("16030100b5010000b1030354c20a44e0d7681f3d55d7e9a764b67e6ffa6722c17b21e15bc2c9c98892460a00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c000500040100003e00000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a0501040102010403020333740000") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(768) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(8192) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Safari 9 / iOS 9 ") - short+=("safari9_ios9") + names+=("Safari 9 iOS 9 ") + short+=("safari_9_ios9") protos+=("-no_ssl2 -no_ssl3") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2441,9 +2713,16 @@ run_client_simulation() { handshakebytes+=("16030100e2010000de030355fb38fdc94c6c1ff6ee066f0e69579f40a83ce5454787e8834b60fd8c31e5ac00003400ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000ac007c011000500040100008100000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000e000c0501040102010503040302033374000000100030002e0268320568322d31360568322d31350568322d313408737064792f332e3106737064792f3308687474702f312e3100050005010000000000120000") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(768) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(8192) + minEcdsaBits+=(-1) + requiresSha2+=(false) - names+=("Safari 9 / OS X 10.11 ") - short+=("safari9_osx1011") + names+=("Safari 9 OS X 10.11 ") + short+=("safari_9_osx1011") protos+=("-no_ssl2 -no_ssl3") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") @@ -2452,6 +2731,13 @@ run_client_simulation() { handshakebytes+=("16030100e2010000de030355def1c4d1f6a12227389012da236581104b0bfa8b8a5bc849372531349dccc600003400ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000ac007c011000500040100008100000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000e000c0501040102010503040302033374000000100030002e0268320568322d31360568322d31350568322d313408737064792f332e3106737064792f3308687474702f312e3100050005010000000000120000") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") + service+=("HTTP") + minDhBits+=(768) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(8192) + minEcdsaBits+=(-1) + requiresSha2+=(false) outln pr_headlineln " Running browser simulations (experimental) " @@ -2510,7 +2796,7 @@ run_client_simulation() { fi #FiXME: awk cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://') - $using_sockets && [[ -n "${handshakebytes[i]}" ]] && cipher="$(rfc2openssl "$cipher")" + $using_sockets && [[ -n "${handshakebytes[i]}" ]] && [[ -n "$MAPPING_FILE_RFC" ]] && cipher="$(rfc2openssl "$cipher")" outln "$proto $cipher" if [[ -n "${warning[i]}" ]]; then out " " @@ -4814,10 +5100,14 @@ parse_tls_serverhello() { echo "Protocol : TLSv1.$((0x$tls_protocol2-0x0301))" >> $TMPFILE fi echo "===============================================================================" >> $TMPFILE - if [[ "${tls_cipher_suite:0:2}" == "00" ]]; then - echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:2:2}"))" >> $TMPFILE + if [[ -n "$MAPPING_FILE_RFC" ]]; then + if [[ "${tls_cipher_suite:0:2}" == "00" ]]; then + echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:2:2}"))" >> $TMPFILE + else + echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:0:4}"))" >> $TMPFILE + fi else - echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:0:4}"))" >> $TMPFILE + echo "Cipher : $($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' | grep -i " 0x${tls_cipher_suite:0:2},0x${tls_cipher_suite:2:2} " | awk '{ print $3 }')" >> $TMPFILE fi echo "===============================================================================" >> $TMPFILE From be85fbf2b7edfebfe790aa5aeaae3e56a5f05d8e Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 24 Jun 2016 16:14:41 -0400 Subject: [PATCH 15/20] Update IE client simulation data Change client data for IE 8-10 and IE 11 to match ssllabs. --- testssl.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/testssl.sh b/testssl.sh index 18ed336..f896cae 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2309,29 +2309,29 @@ run_client_simulation() { names+=("IE 8-10 Win 7 ") short+=("ie_8-10_win7") protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") - ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") + ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1") sni+=("$SNI") warning+=("") - handshakebytes+=("160301007b01000077030151d156b7a2f14154f4e58272d8e272392bb33c1110f21d3b7a3ea2b09fb14c5a000018002f00350005000ac013c014c009c00a003200380013000401000036ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100") + handshakebytes+=("160301007d01000079030155f092059b76ac28cceda732dac7f07a52aecc126f8ed890ab80e12e7eca049c000018c014c0130035002fc00ac00900380032000a0013000500040100003800000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a00080006001700180019000b00020100ff01000100") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") service+=("HTTP") minDhBits+=(1024) - maxDhBits+=(-1) + maxDhBits+=(4096) minRsaBits+=(-1) - maxRsaBits+=(-1) + maxRsaBits+=(16384) minEcdsaBits+=(-1) requiresSha2+=(false) names+=("IE 11 Win 7 ") short+=("ie_11_win7") protos+=("-no_ssl2") - ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") + ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") - handshakebytes+=("16030300a10100009d0303528113a0e622051411874ae3411d7e9f63c4f2671cec1d9c87f2654f88c1bed400002a003c002f003d00350005000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001300040100004aff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e0401050102010403050302030202") + handshakebytes+=("16030300b1010000ad030354c22c0a4842eab5a1a10763a3c16df20357f1ba3fac1c67136e09bfa94c5c0f000034c028c027c014c013009f009e009d009c003d003c0035002fc02cc02bc024c023c00ac009006a004000380032000a00130005000401000050ff0100010000000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a00080006001700180019000b00020100000d00140012040105010601020104030503060302030202") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") service+=("HTTP") From 36d300b74e3cb6b635fa05440a1327f4a44113a7 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 28 Jun 2016 12:21:50 +0200 Subject: [PATCH 16/20] add line when using sockets for client simulation --- testssl.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index f896cae..73836a5 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2740,7 +2740,11 @@ run_client_simulation() { requiresSha2+=(false) outln - pr_headlineln " Running browser simulations (experimental) " + if "$using_sockets"; then + pr_headlineln " Running browser simulations via sockets (experimental) " + else + pr_headlineln " Running browser simulations (experimental) " + fi outln debugme outln @@ -8144,4 +8148,4 @@ fi exit $? -# $Id: testssl.sh,v 1.507 2016/06/24 17:00:58 dirkw Exp $ +# $Id: testssl.sh,v 1.509 2016/06/28 10:21:48 dirkw Exp $ From 0a86f07e61e678408f92dd1a38d17cbe6e1ee2d1 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:02:53 +0200 Subject: [PATCH 17/20] Lets get unit testing --- .travis.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..ae61687 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,5 @@ +language: perl +perl: + - "5.18" +script: + prove From 2111008880d12665f9410a0d192c062f1478afb3 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:09:12 +0200 Subject: [PATCH 18/20] Install test dependancies --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis.yml b/.travis.yml index ae61687..54d4723 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,9 @@ language: perl perl: - "5.18" +install: + - cpanm Test::More + - cpanm Data::Dumper + - cpanm JSON script: prove From 353756ffd6d681bdd64d5d1750a3fac0118f630b Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:12:46 +0200 Subject: [PATCH 19/20] We need dnsutils as well --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis.yml b/.travis.yml index 54d4723..d4ce9b2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,10 @@ language: perl perl: - "5.18" +addons: + apt: + packages: + - dnsutils install: - cpanm Test::More - cpanm Data::Dumper From fa19ac168ff445e794fe440fff40e4b55c78bdfc Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:15:32 +0200 Subject: [PATCH 20/20] Be more verbose in your error testing --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index d4ce9b2..46038c8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,4 +10,4 @@ install: - cpanm Data::Dumper - cpanm JSON script: - prove + - prove -v