From 76c34dd1486e68165bd462f60705261feaf397e3 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Tue, 14 Feb 2017 09:53:38 -0500 Subject: [PATCH 1/2] Negotiated cipher per proto bugfix I have a test server that I configured to support only SSLv3 and TLSv1.2. When I set `SSLHonorCipherOrder` to `off` I get the following results: ``` ECDHE-RSA-AES256-SHA: SSLv3 ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2 ``` The current code, when printing TLSv1.2 checks whether `${cipher[4]}` is empty, and since it is assume no previous protocol (SSLv2, SSLv3, TLSv1, TLSv1.1) was supported and so doesn't output a newline before outputting the cipher and protocol for TLSv1.2. This PR fixes that by changing to code to look at the previous non-empty cipher (if there is one), even if that does not come from the previous protocol. --- testssl.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index 180c704..8eaafa0 100755 --- a/testssl.sh +++ b/testssl.sh @@ -4742,7 +4742,7 @@ read_dhbits_from_file() { run_server_preference() { - local cipher1 cipher2 + local cipher1 cipher2 prev_cipher="" local default_cipher default_cipher_ossl default_proto local remark4default_cipher supported_sslv2_ciphers local -a cipher proto @@ -5013,7 +5013,7 @@ run_server_preference() { for i in 1 2 3 4 5 6; do if [[ -n "${cipher[i]}" ]]; then # cipher not empty - if [[ -z "${cipher[i-1]}" ]]; then # previous one empty + if [[ -z "$prev_cipher" ]]; then # previous one empty #outln if [[ -z "$SHOW_RFC" ]]; then printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both @@ -5021,7 +5021,7 @@ run_server_preference() { printf -- " %-51s %s" "${cipher[i]}:" "${proto[i]}" # print out both fi else # previous NOT empty - if [[ "${cipher[i-1]}" == "${cipher[i]}" ]]; then # and previous protocol same cipher + if [[ "$prev_cipher" == "${cipher[i]}" ]]; then # and previous protocol same cipher out ", ${proto[i]}" # same cipher --> only print out protocol behind it else outln @@ -5032,6 +5032,7 @@ run_server_preference() { fi fi fi + prev_cipher="${cipher[i]}" fi fileout "order_${proto[i]}_cipher" "INFO" "Default cipher on ${proto[i]}: ${cipher[i]} $remark4default_cipher" done From e2161aef5ef85af4f57e52e26feefd22add28b85 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Tue, 14 Feb 2017 10:04:42 -0500 Subject: [PATCH 2/2] Rearrange code Just a slight rearrangement of the code in order to remove some redundancy. --- testssl.sh | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8eaafa0..5d92727 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5013,24 +5013,15 @@ run_server_preference() { for i in 1 2 3 4 5 6; do if [[ -n "${cipher[i]}" ]]; then # cipher not empty - if [[ -z "$prev_cipher" ]]; then # previous one empty - #outln + if [[ -z "$prev_cipher" ]] || [[ "$prev_cipher" != "${cipher[i]}" ]]; then + [[ -n "$prev_cipher" ]] && outln if [[ -z "$SHOW_RFC" ]]; then printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both else printf -- " %-51s %s" "${cipher[i]}:" "${proto[i]}" # print out both fi - else # previous NOT empty - if [[ "$prev_cipher" == "${cipher[i]}" ]]; then # and previous protocol same cipher - out ", ${proto[i]}" # same cipher --> only print out protocol behind it - else - outln - if [[ -z "$SHOW_RFC" ]]; then - printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both - else - printf -- " %-51s %s" "${cipher[i]}:" "${proto[i]}" # print out both - fi - fi + else + out ", ${proto[i]}" # same cipher --> only print out protocol behind it fi prev_cipher="${cipher[i]}" fi