Merge branch '2.9dev' into parse_tls_serverhello3
commit
1a042d5dba
42
testssl.sh
42
testssl.sh
|
@ -3205,6 +3205,24 @@ run_client_simulation() {
|
||||||
minEcdsaBits+=(-1)
|
minEcdsaBits+=(-1)
|
||||||
requiresSha2+=(false)
|
requiresSha2+=(false)
|
||||||
|
|
||||||
|
names+=("Apple ATS 9 iOS 9 ")
|
||||||
|
short+=("safari_9_osx1011")
|
||||||
|
protos+=("-no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1")
|
||||||
|
ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA")
|
||||||
|
tlsvers+=("-tls1_2")
|
||||||
|
sni+=("$SNI")
|
||||||
|
warning+=("")
|
||||||
|
handshakebytes+=("16030100b9010000b50303282275d1356ba8ceec8897786197b80f96d83a06d9205200a677f850c4b822f2000018c02cc02bc024c023c00ac009c030c02fc028c027c01300ff0201000073000b000403000102000a003a0038000e000d0019001c000b000c001b00180009000a001a00160017000800060007001400150004000500120013000100020003000f0010001100230000000d0020001e060106020603050105020503040104020403030103020303020102020203000f000101")
|
||||||
|
lowest_protocol+=("0x0303")
|
||||||
|
highest_protocol+=("0x0303")
|
||||||
|
service+=("HTTP")
|
||||||
|
minDhBits+=(768)
|
||||||
|
maxDhBits+=(-1)
|
||||||
|
minRsaBits+=(-1)
|
||||||
|
maxRsaBits+=(8192)
|
||||||
|
minEcdsaBits+=(-1)
|
||||||
|
requiresSha2+=(false)
|
||||||
|
|
||||||
outln
|
outln
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
pr_headlineln " Running browser simulations via sockets (experimental) "
|
pr_headlineln " Running browser simulations via sockets (experimental) "
|
||||||
|
@ -3683,6 +3701,10 @@ read_dhbits_from_file() {
|
||||||
grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp)
|
grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp)
|
||||||
bits=$(tr -d ' bits' <<< $bits)
|
bits=$(tr -d ' bits' <<< $bits)
|
||||||
|
|
||||||
|
if [[ "$what_dh" == "X25519" ]] || [[ "$what_dh" == "X448" ]]; then
|
||||||
|
what_dh="ECDH"
|
||||||
|
fi
|
||||||
|
|
||||||
debugme echo ">$HAS_DH_BITS|$what_dh|$bits<"
|
debugme echo ">$HAS_DH_BITS|$what_dh|$bits<"
|
||||||
|
|
||||||
[[ -n "$what_dh" ]] && HAS_DH_BITS=true # FIX 190
|
[[ -n "$what_dh" ]] && HAS_DH_BITS=true # FIX 190
|
||||||
|
@ -5415,8 +5437,8 @@ run_pfs() {
|
||||||
# find out what elliptic curves are supported.
|
# find out what elliptic curves are supported.
|
||||||
curves_offered=""
|
curves_offered=""
|
||||||
for curve in "${curves_ossl[@]}"; do
|
for curve in "${curves_ossl[@]}"; do
|
||||||
$OPENSSL ecparam -list_curves | grep -q $curve
|
$OPENSSL s_client -curves $curve 2>&1 | egrep -iaq "Error with command|unknown option"
|
||||||
[[ $? -eq 0 ]] && nr_curves+=1 && supported_curves+=("$curve")
|
[[ $? -ne 0 ]] && nr_curves+=1 && supported_curves+=("$curve")
|
||||||
done
|
done
|
||||||
|
|
||||||
# OpenSSL limits the number of curves that can be specified in the
|
# OpenSSL limits the number of curves that can be specified in the
|
||||||
|
@ -5442,7 +5464,8 @@ run_pfs() {
|
||||||
fi
|
fi
|
||||||
if [[ "$sclient_success" -eq 0 ]]; then
|
if [[ "$sclient_success" -eq 0 ]]; then
|
||||||
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$tmpfile")
|
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$tmpfile")
|
||||||
curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
|
curve_found="$(awk -F',' '{ print $1 }' <<< $temp)"
|
||||||
|
[[ "$curve_found" == "ECDH" ]] && curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
|
||||||
j=0; curve_used=""
|
j=0; curve_used=""
|
||||||
for curve in "${curves_ossl[@]}"; do
|
for curve in "${curves_ossl[@]}"; do
|
||||||
[[ "${curves_ossl_output[j]}" == "$curve_found" ]] && curve_used="${curves_ossl[j]}" && break
|
[[ "${curves_ossl_output[j]}" == "$curve_found" ]] && curve_used="${curves_ossl[j]}" && break
|
||||||
|
@ -6632,12 +6655,17 @@ parse_tls_serverhello() {
|
||||||
26) dh_bits=256 ; named_curve_str="brainpoolP256r1" ;;
|
26) dh_bits=256 ; named_curve_str="brainpoolP256r1" ;;
|
||||||
27) dh_bits=384 ; named_curve_str="brainpoolP384r1" ;;
|
27) dh_bits=384 ; named_curve_str="brainpoolP384r1" ;;
|
||||||
28) dh_bits=512 ; named_curve_str="brainpoolP512r1" ;;
|
28) dh_bits=512 ; named_curve_str="brainpoolP512r1" ;;
|
||||||
29) dh_bits=256 ; named_curve_str="X25519" ;;
|
29) dh_bits=253 ; named_curve_str="X25519" ;;
|
||||||
30) dh_bits=448 ; named_curve_str="X448" ;;
|
30) dh_bits=448 ; named_curve_str="X448" ;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
[[ $DEBUG -ge 2 ]] && [[ $dh_bits -ne 0 ]] && echo "dh_bits: ECDH, $named_curve_str, $dh_bits bits"
|
if [[ $dh_bits -ne 0 ]] && [[ $named_curve -ne 29 ]] && [[ $named_curve -ne 30 ]]; then
|
||||||
[[ $dh_bits -ne 0 ]] && echo "Server Temp Key: ECDH, $named_curve_str, $dh_bits bits" >> $TMPFILE
|
debugme echo "dh_bits: ECDH, $named_curve_str, $dh_bits bits"
|
||||||
|
echo "Server Temp Key: ECDH, $named_curve_str, $dh_bits bits" >> $TMPFILE
|
||||||
|
elif [[ $dh_bits -ne 0 ]]; then
|
||||||
|
debugme echo "dh_bits: $named_curve_str, $dh_bits bits"
|
||||||
|
echo "Server Temp Key: $named_curve_str, $dh_bits bits" >> $TMPFILE
|
||||||
|
fi
|
||||||
elif [[ $rfc_cipher_suite =~ "TLS_DHE_" ]] || [[ $rfc_cipher_suite =~ "TLS_DH_anon" ]]; then
|
elif [[ $rfc_cipher_suite =~ "TLS_DHE_" ]] || [[ $rfc_cipher_suite =~ "TLS_DH_anon" ]]; then
|
||||||
# For DH ephemeral keys the first field is p, and the length of
|
# For DH ephemeral keys the first field is p, and the length of
|
||||||
# p is the same as the length of the public key.
|
# p is the same as the length of the public key.
|
||||||
|
@ -10373,4 +10401,4 @@ fi
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.559 2016/10/15 20:55:22 dirkw Exp $
|
# $Id: testssl.sh,v 1.562 2016/11/05 13:55:29 dirkw Exp $
|
||||||
|
|
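Review bot: In the second run_pfs hunk, the new curve probe `$OPENSSL s_client -curves $curve 2>&1 | egrep -iaq "Error with command|unknown option"` counts a curve as supported whenever neither string appears. An OpenSSL or LibreSSL build that words the rejection differently would therefore have every entry of `curves_ossl` added to `supported_curves`, and the later curve results would be wrong without any warning. The call also names no target and leaves stdin attached, so for an accepted curve s_client presumably goes on to its default connect and could stall the loop if something answers there. I would quote the variable, detach stdin and give a target that cannot succeed (placeholder shown), e.g. `$OPENSSL s_client -curves "$curve" -connect x </dev/null 2>&1 | egrep -iaq "Error with command|unknown option"`, and add a comment saying the test relies on those two error strings. run_pfs begins and ends outside the hunk, so how `supported_curves` is consumed is not visible here.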