Merge pull request #1031 from dcooper16/client_simulation_ssl_native
Improve SSL native client simulation
commit
24a392d6eb
File diff suppressed because it is too large
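--- a/testssl.sh
+++ b/testssl.sh
@@ -296,6 +296,7 @@ OSSL_VER_MINOR=0
 OSSL_VER_APPENDIX="none"
 CLIENT_PROB_NO=1
 HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables
+OSSL_SUPPORTED_CURVES=""
 HAS_SSL2=false
 HAS_SSL3=false
 HAS_TLS13=false
@@ -4132,6 +4133,7 @@ run_client_simulation() {
 local short=()
 local protos=()
 local ciphers=()
+local ciphersuites=()
 local tlsvers=()
 local sni=()
 local warning=()
@@ -4144,9 +4146,10 @@ run_client_simulation() {
 local minRsaBits=()
 local maxRsaBits=()
 local minEcdsaBits=()
+local curves=()
 local requiresSha2=()
 local i=0
-local name tls proto cipher temp what_dh bits curve
+local name tls proto cipher temp what_dh bits curve supported_curves
 local has_dh_bits using_sockets=true
 local client_service
 local options
@@ -4223,7 +4226,16 @@ run_client_simulation() {
 [[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE
 fi
 else
-options="$(s_client_options "-cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
+if [[ -n "${curves[i]}" ]]; then
+# "$OPENSSL s_client" will fail if the -curves option includes any unsupported curves.
+supported_curves=""
+for curve in $(colon_to_spaces "${curves[i]}"); do
+[[ "$OSSL_SUPPORTED_CURVES" =~ " $curve " ]] && supported_curves+=":$curve"
+done
+curves[i]=""
+[[ -n "$supported_curves" ]] && curves[i]="-curves ${supported_curves:1}"
+fi
+options="$(s_client_options "-cipher ${ciphers[i]} -ciphersuites "\'${ciphersuites[i]}\'" ${curves[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
 debugme echo "$OPENSSL s_client $options </dev/null"
 $OPENSSL s_client $options </dev/null >$TMPFILE 2>$ERRFILE
 sclient_connect_successful $? $TMPFILE
@@ -4263,7 +4275,7 @@ run_client_simulation() {
 if [[ "$proto" == TLSv1.2 ]] && ( ! "$using_sockets" || [[ -z "${handshakebytes[i]}" ]] ); then
 # OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
 for tls in ${tlsvers[i]}; do
-options="$(s_client_options "$tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
+options="$(s_client_options "$tls -cipher ${ciphers[i]} -ciphersuites "\'${ciphersuites[i]}\'" ${curves[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
 debugme echo "$OPENSSL s_client $options </dev/null"
 $OPENSSL s_client $options </dev/null >$TMPFILE 2>$ERRFILE
 sclient_connect_successful $? $TMPFILE
@@ -8019,8 +8031,7 @@ run_pfs() {
 for curve in "${curves_ossl[@]}"; do
 ossl_supported[nr_curves]=false
 supported_curve[nr_curves]=false
-$OPENSSL s_client -curves $curve -connect x 2>&1 | egrep -iaq "Error with command|unknown option"
-[[ $? -ne 0 ]] && ossl_supported[nr_curves]=true && nr_ossl_curves+=1
+[[ "$OSSL_SUPPORTED_CURVES" =~ " $curve " ]] && ossl_supported[nr_curves]=true && nr_ossl_curves+=1
 nr_curves+=1
 done
 
@@ -14684,6 +14695,8 @@ find_openssl_binary() {
 local s_client_starttls_has=$TEMPDIR/s_client_starttls_has.txt
 local openssl_location cwd=""
 local ossl_wo_dev_info
+local curve
+local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
 
 # 0. check environment variable whether it's executable
 if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
@@ -14765,6 +14778,11 @@ find_openssl_binary() {
 
 OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
 
+for curve in "${curves_ossl[@]}"; do
+$OPENSSL s_client -curves $curve -connect x 2>&1 | egrep -iaq "Error with command|unknown option"
+[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
+done
+
 $OPENSSL pkey -help 2>&1 | grep -q Error || \
 HAS_PKEY=true
 
@@ -15031,6 +15049,8 @@ OSSL_VER_PLATFORM: $OSSL_VER_PLATFORM
 OPENSSL_NR_CIPHERS: $OPENSSL_NR_CIPHERS
 OPENSSL_CONF: $OPENSSL_CONF
 
+OSSL_SUPPORTED_CURVES: $OSSL_SUPPORTED_CURVES
+
 HAS_IPv6: $HAS_IPv6
 HAS_SSL2: $HAS_SSL2
 HAS_SSL3: $HAS_SSL3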
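Review bot: In run_client_simulation (hunk at -4223), when none of the client's curves is found in OSSL_SUPPORTED_CURVES the code sets `curves[i]=""` and still runs s_client, which presumably then offers the local OpenSSL's default groups instead of the simulated client's, so the reported handshake may not reflect that client. The same holds, to a lesser degree, when only some curves are filtered out. The reduction should be made visible, for example with `[[ -z "$supported_curves" ]] && debugme echo "no curve of ${short[i]} supported by $OPENSSL"` after the loop, or the native run should be skipped for that client. The function body starts and ends outside the hunk, so a guard elsewhere cannot be ruled out from here.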
|
@ -51,8 +51,19 @@ foreach my $client ( @$ssllabs ) {
|
|||||||
|
|
||||||
# Ciphers
|
# Ciphers
|
||||||
my @ciphers = ();
|
my @ciphers = ();
|
||||||
|
my @ciphersuites = ();
|
||||||
foreach my $suite ( @{$client->{suiteIds}} ) {
|
foreach my $suite ( @{$client->{suiteIds}} ) {
|
||||||
if ( exists $ciphers{$suite} ) {
|
if ( $suite == "4865" ) {
|
||||||
|
push @ciphersuites, "TLS_AES_128_GCM_SHA256"; }
|
||||||
|
elsif ( $suite == "4866" ) {
|
||||||
|
push @ciphersuites, "TLS_AES_256_GCM_SHA384"; }
|
||||||
|
elsif ( $suite == "4867" ) {
|
||||||
|
push @ciphersuites, "TLS_CHACHA20_POLY1305_SHA256"; }
|
||||||
|
elsif ( $suite == "4868" ) {
|
||||||
|
push @ciphersuites, "TLS_AES_128_CCM_SHA256"; }
|
||||||
|
elsif ( $suite == "4869" ) {
|
||||||
|
push @ciphersuites, "TLS_AES_128_CCM_8_SHA256"; }
|
||||||
|
elsif ( exists $ciphers{$suite} ) {
|
||||||
push @ciphers, $ciphers{$suite}; }
|
push @ciphers, $ciphers{$suite}; }
|
||||||
elsif ( $suite == "255" ) {
|
elsif ( $suite == "255" ) {
|
||||||
# no openssl name for this:
|
# no openssl name for this:
|
||||||
@ -102,6 +113,7 @@ foreach my $client ( @$ssllabs ) {
|
|||||||
}
|
}
|
||||||
print "\n" if ! $has_matched ;
|
print "\n" if ! $has_matched ;
|
||||||
$sim->{ciphers} = "ciphers+=(\"" . (join ":", @ciphers) . "\")";
|
$sim->{ciphers} = "ciphers+=(\"" . (join ":", @ciphers) . "\")";
|
||||||
|
$sim->{ciphersuites} = "ciphersuites+=(\"" . (join ":", @ciphersuites) . "\")";
|
||||||
|
|
||||||
# SNI
|
# SNI
|
||||||
if ( exists $client->{supportsSni} && $client->{supportsSni} ) {
|
if ( exists $client->{supportsSni} && $client->{supportsSni} ) {
|
||||||
@ -123,33 +135,54 @@ foreach my $client ( @$ssllabs ) {
|
|||||||
# protos
|
# protos
|
||||||
my @proto_flags = ();
|
my @proto_flags = ();
|
||||||
my @tls_flags = ();
|
my @tls_flags = ();
|
||||||
# Figure out if we need to support sslv2
|
if ( $client->{lowestProtocol} == $client->{highestProtocol} ) {
|
||||||
if ( $client->{lowestProtocol} < 768 && $client->{highestProtocol} >= 512 ) {
|
if ( $client->{lowestProtocol} == 512 ) {
|
||||||
# 512 = 0x200 = sslv2
|
push @proto_flags, "-ssl2"; }
|
||||||
# 768 = 0x300 = sslv3
|
elsif ( $client->{lowestProtocol} == 768 ) {
|
||||||
push @proto_flags, "-ssl2";
|
push @proto_flags, "-ssl3"; }
|
||||||
}
|
elsif ( $client->{lowestProtocol} == 769 ) {
|
||||||
# Do we need to support SSL3?
|
push @proto_flags, "-tls1"; }
|
||||||
if ( $client->{lowestProtocol} <= 768 && $client->{highestProtocol} >= 768 ) {
|
elsif ( $client->{lowestProtocol} == 770 ) {
|
||||||
# 768 = 0x300 = sslv3
|
push @proto_flags, "-tls1_1"; }
|
||||||
push @proto_flags, "-ssl3";
|
elsif ( $client->{lowestProtocol} == 771 ) {
|
||||||
}
|
push @proto_flags, "-tls1_2"; }
|
||||||
# Do we need to support TLS 1.0?
|
elsif ( $client->{lowestProtocol} == 772 ) {
|
||||||
if ( $client->{lowestProtocol} <= 769 && $client->{highestProtocol} >= 769 ) {
|
push @proto_flags, "-tls1_3"; }
|
||||||
# 769 = 0x301 = tls1.0
|
} else {
|
||||||
push @proto_flags, "-tls1";
|
# Figure out if we need to support sslv2
|
||||||
}
|
if ( $client->{lowestProtocol} > 512 ) {
|
||||||
# Do we need to support TLS 1.1?
|
# 512 = 0x200 = sslv2
|
||||||
if ( $client->{lowestProtocol} <= 770 && $client->{highestProtocol} >= 770 ) {
|
push @proto_flags, "-no_ssl2";
|
||||||
# 770 = 0x302 = tls1.1
|
}
|
||||||
push @proto_flags, "-tls1_1";
|
# Do we need to support SSL3?
|
||||||
}
|
if ( $client->{lowestProtocol} > 768 || $client->{highestProtocol} < 768 ) {
|
||||||
# Do we need to support TLS 1.2?
|
# 768 = 0x300 = sslv3
|
||||||
if ( $client->{lowestProtocol} <= 771 && $client->{highestProtocol} >= 771 ) {
|
push @proto_flags, "-no_ssl3";
|
||||||
# 771 = 0x303 = tls1.2
|
}
|
||||||
push @proto_flags, "-tls1_2";
|
# Do we need to support TLS 1.0?
|
||||||
|
if ( $client->{lowestProtocol} > 769 || $client->{highestProtocol} < 769 ) {
|
||||||
|
# 769 = 0x301 = tls1.0
|
||||||
|
push @proto_flags, "-no_tls1";
|
||||||
|
} else {
|
||||||
|
push @tls_flags, "-tls1";
|
||||||
|
}
|
||||||
|
# Do we need to support TLS 1.1?
|
||||||
|
if ( $client->{lowestProtocol} > 770 || $client->{highestProtocol} < 770 ) {
|
||||||
|
# 770 = 0x302 = tls1.1
|
||||||
|
push @proto_flags, "-no_tls1_1";
|
||||||
|
} else {
|
||||||
|
push @tls_flags, "-tls1_1";
|
||||||
|
}
|
||||||
|
# Do we need to support TLS 1.2?
|
||||||
|
if ( $client->{lowestProtocol} > 771 || $client->{highestProtocol} < 771 ) {
|
||||||
|
# 771 = 0x303 = tls1.2
|
||||||
|
push @proto_flags, "-no_tls1_2";
|
||||||
|
} else {
|
||||||
|
push @tls_flags, "-tls1_2";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
$sim->{protos} = "protos+=(\"" . (join " ", reverse @proto_flags) . "\")";
|
$sim->{protos} = "protos+=(\"" . (join " ", reverse @proto_flags) . "\")";
|
||||||
|
$sim->{tlsvers} = "tlsvers+=(\"" . (join " ", reverse @tls_flags) . "\")";
|
||||||
$sim->{lowestProtocol} = sprintf("lowest_protocol+=(\"0x%04x\")", $client->{lowestProtocol});
|
$sim->{lowestProtocol} = sprintf("lowest_protocol+=(\"0x%04x\")", $client->{lowestProtocol});
|
||||||
$sim->{highestProtocol} = sprintf("highest_protocol+=(\"0x%04x\")", $client->{highestProtocol});
|
$sim->{highestProtocol} = sprintf("highest_protocol+=(\"0x%04x\")", $client->{highestProtocol});
|
||||||
|
|
||||||
@ -175,6 +208,71 @@ foreach my $client ( @$ssllabs ) {
|
|||||||
} else {
|
} else {
|
||||||
$sim->{requiresSha2} = "requiresSha2+=(false)";
|
$sim->{requiresSha2} = "requiresSha2+=(false)";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
my @curves = ();
|
||||||
|
foreach my $curve ( @{$client->{ellipticCurves}} ) {
|
||||||
|
if ( $curve == 1 ) {
|
||||||
|
push @curves, "sect163k1"; }
|
||||||
|
elsif ( $curve == 2 ) {
|
||||||
|
push @curves, "sect163r1"; }
|
||||||
|
elsif ( $curve == 3 ) {
|
||||||
|
push @curves, "sect163r2"; }
|
||||||
|
elsif ( $curve == 4 ) {
|
||||||
|
push @curves, "sect193r1"; }
|
||||||
|
elsif ( $curve == 5 ) {
|
||||||
|
push @curves, "sect193r2"; }
|
||||||
|
elsif ( $curve == 6 ) {
|
||||||
|
push @curves, "sect233k1"; }
|
||||||
|
elsif ( $curve == 7 ) {
|
||||||
|
push @curves, "sect233r1"; }
|
||||||
|
elsif ( $curve == 8 ) {
|
||||||
|
push @curves, "sect239k1"; }
|
||||||
|
elsif ( $curve == 9 ) {
|
||||||
|
push @curves, "sect283k1"; }
|
||||||
|
elsif ( $curve == 10 ) {
|
||||||
|
push @curves, "sect283r1"; }
|
||||||
|
elsif ( $curve == 11 ) {
|
||||||
|
push @curves, "sect409k1"; }
|
||||||
|
elsif ( $curve == 12 ) {
|
||||||
|
push @curves, "sect409r1"; }
|
||||||
|
elsif ( $curve == 13 ) {
|
||||||
|
push @curves, "sect571k1"; }
|
||||||
|
elsif ( $curve == 14 ) {
|
||||||
|
push @curves, "sect571r1"; }
|
||||||
|
elsif ( $curve == 15 ) {
|
||||||
|
push @curves, "secp160k1"; }
|
||||||
|
elsif ( $curve == 16 ) {
|
||||||
|
push @curves, "secp160r1"; }
|
||||||
|
elsif ( $curve == 17 ) {
|
||||||
|
push @curves, "secp160r2"; }
|
||||||
|
elsif ( $curve == 18 ) {
|
||||||
|
push @curves, "secp192k1"; }
|
||||||
|
elsif ( $curve == 19 ) {
|
||||||
|
push @curves, "prime192v1"; }
|
||||||
|
elsif ( $curve == 20 ) {
|
||||||
|
push @curves, "secp224k1"; }
|
||||||
|
elsif ( $curve == 21 ) {
|
||||||
|
push @curves, "secp224r1"; }
|
||||||
|
elsif ( $curve == 22 ) {
|
||||||
|
push @curves, "secp256k1"; }
|
||||||
|
elsif ( $curve == 23 ) {
|
||||||
|
push @curves, "prime256v1"; }
|
||||||
|
elsif ( $curve == 24 ) {
|
||||||
|
push @curves, "secp384r1"; }
|
||||||
|
elsif ( $curve == 25 ) {
|
||||||
|
push @curves, "secp521r1"; }
|
||||||
|
elsif ( $curve == 26 ) {
|
||||||
|
push @curves, "brainpoolP256r1"; }
|
||||||
|
elsif ( $curve == 27 ) {
|
||||||
|
push @curves, "brainpoolP384r1"; }
|
||||||
|
elsif ( $curve == 28 ) {
|
||||||
|
push @curves, "brainpoolP512r1"; }
|
||||||
|
elsif ( $curve == 29 ) {
|
||||||
|
push @curves, "X25519"; }
|
||||||
|
elsif ( $curve == 30 ) {
|
||||||
|
push @curves, "X448"; }
|
||||||
|
}
|
||||||
|
$sim->{ellipticCurves} = "curves+=(\"" . (join ":", @curves) . "\")";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -184,10 +282,12 @@ my $sim = {};
|
|||||||
#$sim->{name} = "names+=(\"Mail iOS 9.3.2 \")";
|
#$sim->{name} = "names+=(\"Mail iOS 9.3.2 \")";
|
||||||
#$sim->{shortname} = "short+=(\"mail_ios_932\")";
|
#$sim->{shortname} = "short+=(\"mail_ios_932\")";
|
||||||
#$sim->{ciphers} = "ciphers+=(\"ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5\")";
|
#$sim->{ciphers} = "ciphers+=(\"ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5\")";
|
||||||
|
#$sim->{ciphersuites} = "ciphersuites+=(\"\")";
|
||||||
#$sim->{sni} = "sni+=(\"\$SNI\")";
|
#$sim->{sni} = "sni+=(\"\$SNI\")";
|
||||||
#$sim->{warning} = "warning+=(\"\")";
|
#$sim->{warning} = "warning+=(\"\")";
|
||||||
#$sim->{handshakebytes} = "handshakebytes+=(\"16030100bb010000b703015767e6ae46f9abf3138e26a9f9880f9697bf3387f7eff709db1fa220e692d80420fb04b0979bae1664e11ef172d4dfba15af59dd200b7831992a35c73cde9efed9003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003c000000190017000014696d61702e73656374696f6e7a65726f2e6f7267000a00080006001700180019000b0002010000050005010000000000120000\")";
|
#$sim->{handshakebytes} = "handshakebytes+=(\"16030100bb010000b703015767e6ae46f9abf3138e26a9f9880f9697bf3387f7eff709db1fa220e692d80420fb04b0979bae1664e11ef172d4dfba15af59dd200b7831992a35c73cde9efed9003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003c000000190017000014696d61702e73656374696f6e7a65726f2e6f7267000a00080006001700180019000b0002010000050005010000000000120000\")";
|
||||||
#$sim->{protos} = "protos+=(\"#-tls1_1 -tls1\")";
|
#$sim->{protos} = "protos+=(\"#-no_tls1_2 -no_ssl3 -no_ssl2\")";
|
||||||
|
#$sim->{tlsvers} = "tlsvers+=(\"#-tls1_1 -tls1\")";
|
||||||
#$sim->{lowestProtocol} = "lowest_protocol+=(\"0x0300\")";
|
#$sim->{lowestProtocol} = "lowest_protocol+=(\"0x0300\")";
|
||||||
#$sim->{highestProtocol} = "highest_protocol+=(\"0x0301\")";
|
#$sim->{highestProtocol} = "highest_protocol+=(\"0x0301\")";
|
||||||
#$sim->{service} = "service+=(\"SMTP,POP,IMAP\")";
|
#$sim->{service} = "service+=(\"SMTP,POP,IMAP\")";
|
||||||
@ -196,15 +296,18 @@ my $sim = {};
|
|||||||
#$sim->{minRsaBits} = "minRsaBits+=(-1)";
|
#$sim->{minRsaBits} = "minRsaBits+=(-1)";
|
||||||
#$sim->{maxRsaBits} = "maxRsaBits+=(-1)";
|
#$sim->{maxRsaBits} = "maxRsaBits+=(-1)";
|
||||||
#$sim->{minEcdsaBits} = "minEcdsaBits+=(-1)";
|
#$sim->{minEcdsaBits} = "minEcdsaBits+=(-1)";
|
||||||
|
#$sim->{ellipticCurves} = "curves+=(\"sect233k1:secp256r1:secp384r1:secp521r1\")";
|
||||||
#$sim->{requiresSha2} = "requiresSha2+=(false)";
|
#$sim->{requiresSha2} = "requiresSha2+=(false)";
|
||||||
#
|
#
|
||||||
#$sim->{name} = "names+=(\"Mail OSX 10.11.15 \")";
|
#$sim->{name} = "names+=(\"Mail OSX 10.11.15 \")";
|
||||||
#$sim->{shortname} = "short+=(\"mail_osx_101115\")";
|
#$sim->{shortname} = "short+=(\"mail_osx_101115\")";
|
||||||
#$sim->{ciphers} = "ciphers+=(\"ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5\")";
|
#$sim->{ciphers} = "ciphers+=(\"ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5\")";
|
||||||
|
#$sim->{ciphersuites} = "ciphersuites+=(\"\")";
|
||||||
#$sim->{sni} = "sni+=(\"\$SNI\")";
|
#$sim->{sni} = "sni+=(\"\$SNI\")";
|
||||||
#$sim->{warning} = "warning+=(\"\")";
|
#$sim->{warning} = "warning+=(\"\")";
|
||||||
#$sim->{handshakebytes} = "handshakebytes+=(\"16030100940100009003015770e928499e82df2eb7477200e2a828d9fa4109514385bd1602df44aaf2b0f400003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003500000012001000000d3137382e3233372e33342e3932000a00080006001700180019000b0002010000050005010000000000120000\")";
|
#$sim->{handshakebytes} = "handshakebytes+=(\"16030100940100009003015770e928499e82df2eb7477200e2a828d9fa4109514385bd1602df44aaf2b0f400003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003500000012001000000d3137382e3233372e33342e3932000a00080006001700180019000b0002010000050005010000000000120000\")";
|
||||||
#$sim->{protos} = "protos+=(\"-tls1\")";
|
#$sim->{protos} = "protos+=(\"-tls1\")";
|
||||||
|
#$sim->{tlsvers} = "tlsvers+=(\"-tls1\")";
|
||||||
#$sim->{lowestProtocol} = "lowest_protocol+=(\"0x0301\")";
|
#$sim->{lowestProtocol} = "lowest_protocol+=(\"0x0301\")";
|
||||||
#$sim->{highestProtocol} = "highest_protocol+=(\"0x0301\")";
|
#$sim->{highestProtocol} = "highest_protocol+=(\"0x0301\")";
|
||||||
#$sim->{service} = "service+=(\"SMTP,POP,IMAP\")";
|
#$sim->{service} = "service+=(\"SMTP,POP,IMAP\")";
|
||||||
@ -213,16 +316,19 @@ my $sim = {};
|
|||||||
#$sim->{minRsaBits} = "minRsaBits+=(-1)";
|
#$sim->{minRsaBits} = "minRsaBits+=(-1)";
|
||||||
#$sim->{maxRsaBits} = "maxRsaBits+=(-1)";
|
#$sim->{maxRsaBits} = "maxRsaBits+=(-1)";
|
||||||
#$sim->{minEcdsaBits} = "minEcdsaBits+=(-1)";
|
#$sim->{minEcdsaBits} = "minEcdsaBits+=(-1)";
|
||||||
|
#$sim->{ellipticCurves} = "curves+=(\"sect233k1:secp256r1:secp384r1:secp521r1\")";
|
||||||
#$sim->{requiresSha2} = "requiresSha2+=(false)";
|
#$sim->{requiresSha2} = "requiresSha2+=(false)";
|
||||||
|
|
||||||
# example of self generated / provided handshake:
|
# example of self generated / provided handshake:
|
||||||
$sim->{name} = "names+=(\"Thunderbird 45.1.1 OSX 10.11 \")";
|
$sim->{name} = "names+=(\"Thunderbird 45.1.1 OSX 10.11 \")";
|
||||||
$sim->{shortname} = "short+=(\"thunderbird_45.1.1_osx_101115\")";
|
$sim->{shortname} = "short+=(\"thunderbird_45.1.1_osx_101115\")";
|
||||||
$sim->{ciphers} = "ciphers+=(\"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA\")";
|
$sim->{ciphers} = "ciphers+=(\"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA\")";
|
||||||
|
$sim->{ciphersuites} = "ciphersuites+=(\"\")";
|
||||||
$sim->{sni} = "sni+=(\"\$SNI\")";
|
$sim->{sni} = "sni+=(\"\$SNI\")";
|
||||||
$sim->{warning} = "warning+=(\"\")";
|
$sim->{warning} = "warning+=(\"\")";
|
||||||
$sim->{handshakebytes} = "handshakebytes+=(\"160301009d010000990303c7c5b3ff80b3aa597c770c538b98ae34a94c9590ad8f947ba7bc28692061cb57000016c02bc02fc00ac009c013c01400330039002f0035000a0100005a0000001800160000136d78332e73656374696f6e7a65726f2e6f7267ff01000100000a00080006001700180019000b0002010000230000000500050100000000000d001600140401050106010201040305030603020304020202\")";
|
$sim->{handshakebytes} = "handshakebytes+=(\"160301009d010000990303c7c5b3ff80b3aa597c770c538b98ae34a94c9590ad8f947ba7bc28692061cb57000016c02bc02fc00ac009c013c01400330039002f0035000a0100005a0000001800160000136d78332e73656374696f6e7a65726f2e6f7267ff01000100000a00080006001700180019000b0002010000230000000500050100000000000d001600140401050106010201040305030603020304020202\")";
|
||||||
$sim->{protos} = "protos+=(\"-tls1_2 -tls1_1 -tls1\")";
|
$sim->{protos} = "protos+=(\"-no_ssl3 -no_ssl2\")";
|
||||||
|
$sim->{tlsvers} = "tlsvers+=(\"-tls1_2 -tls1_1 -tls1\")";
|
||||||
$sim->{lowestProtocol} = "lowest_protocol+=(\"0x0301\")";
|
$sim->{lowestProtocol} = "lowest_protocol+=(\"0x0301\")";
|
||||||
$sim->{highestProtocol} = "highest_protocol+=(\"0x0303\")";
|
$sim->{highestProtocol} = "highest_protocol+=(\"0x0303\")";
|
||||||
$sim->{service} = "service+=(\"SMTP,POP,IMAP\")";
|
$sim->{service} = "service+=(\"SMTP,POP,IMAP\")";
|
||||||
@ -231,6 +337,7 @@ $sim->{maxDhBits} = "maxDhBits+=(-1)";
|
|||||||
$sim->{minRsaBits} = "minRsaBits+=(-1)";
|
$sim->{minRsaBits} = "minRsaBits+=(-1)";
|
||||||
$sim->{maxRsaBits} = "maxRsaBits+=(-1)";
|
$sim->{maxRsaBits} = "maxRsaBits+=(-1)";
|
||||||
$sim->{minEcdsaBits} = "minEcdsaBits+=(-1)";
|
$sim->{minEcdsaBits} = "minEcdsaBits+=(-1)";
|
||||||
|
$sim->{ellipticCurves} = "curves+=(\"sect233k1:secp256r1:secp384r1:secp521r1\")";
|
||||||
$sim->{requiresSha2} = "requiresSha2+=(false)";
|
$sim->{requiresSha2} = "requiresSha2+=(false)";
|
||||||
|
|
||||||
my %count;
|
my %count;
|
||||||
@ -354,8 +461,8 @@ open OUT, ">client-simulation_generated.txt" or die "Unable to open client-simul
|
|||||||
print OUT "$header";
|
print OUT "$header";
|
||||||
|
|
||||||
foreach my $shortname ( sort keys %sims ) {
|
foreach my $shortname ( sort keys %sims ) {
|
||||||
foreach my $k ( qw(name shortname ciphers sni warning handshakebytes protos lowestProtocol highestProtocol service
|
foreach my $k ( qw(name shortname ciphers ciphersuites sni warning handshakebytes protos tlsvers lowestProtocol highestProtocol service
|
||||||
minDhBits maxDhBits minRsaBits maxRsaBits minEcdsaBits requiresSha2 current) ) {
|
minDhBits maxDhBits minRsaBits maxRsaBits minEcdsaBits ellipticCurves requiresSha2 current) ) {
|
||||||
print OUT " $sims{$shortname}->{$k}\n";
|
print OUT " $sims{$shortname}->{$k}\n";
|
||||||
}
|
}
|
||||||
print OUT "\n";
|
print OUT "\n";
|
||||||
|
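Review bot: The hand-written Thunderbird entry (hunk at -231) sets `curves+=("sect233k1:secp256r1:secp384r1:secp521r1")`, which disagrees with its own data: the entry's `handshakebytes` carry the group list `0017 0018 0019` only, and the table added in the -175 hunk names curve 23 `prime256v1`, not `secp256r1`. The testssl.sh side of this commit keeps only names found in its `curves_ossl` list, which has `prime256v1`, so `secp256r1` would presumably be dropped and the native simulation would run with a curve set the client never sent. Consider `$sim->{ellipticCurves} = "curves+=(\"prime256v1:secp384r1:secp521r1\")";`, and the same correction in the commented-out templates above it. Separately, the 30-branch `elsif` chain over `$curve` would be easier to audit as a lookup hash keyed by the curve number.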