From 24c342b34b274b21fd61bc77b5f84dfb50df0a07 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 27 Oct 2017 13:52:09 -0400 Subject: [PATCH] Add TLSv1.3 support for run_cipher_match() This PR adds TLSv1.3 support for run_cipher_match(). It also addresses issue #660 for run_cipher_match(). --- testssl.sh | 127 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 74 insertions(+), 53 deletions(-) diff --git a/testssl.sh b/testssl.sh index 752573c..793dc55 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2757,6 +2757,7 @@ run_cipher_match(){ local -i nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 local -i num_bundles mod_check bundle_size bundle end_of_bundle local dhlen has_dh_bits="$HAS_DH_BITS" + local cipher proto protos_to_try local available local -i sclient_success local re='^[0-9A-Fa-f]+$' @@ -2909,37 +2910,51 @@ run_cipher_match(){ [[ $mod_check -ne 0 ]] && bundle_size+=1 fi - for (( bundle=0; bundle < num_bundles; bundle++ )); do - end_of_bundle=$bundle*$bundle_size+$bundle_size - [[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers - while true; do - ciphers_to_test="" - for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do - ! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}" + if "$HAS_TLS13"; then + protos_to_try="-no_ssl2 -tls1_2 -tls1_1 -tls1" + else + protos_to_try="-no_ssl2 -tls1_1 -tls1" + fi + "$HAS_SSL3" && protos_to_try+=" -ssl3" + + for proto in $protos_to_try; do + if [[ "$proto" == "-tls1_1" ]]; then + num_bundles=1 + bundle_size=$nr_ossl_ciphers + fi + for (( bundle=0; bundle < num_bundles; bundle++ )); do + end_of_bundle=$bundle*$bundle_size+$bundle_size + [[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers + while true; do + ciphers_to_test="" + for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do + ! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}" + done + [[ -z "$ciphers_to_test" ]] && break + $OPENSSL s_client $(s_client_options "$proto -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE