Reorganize cipher_pref_check()

This PR reorganizes cipher_pref_check(). Currently, cipher_pref_check() runs a for loop, which loops over each protocol and prints the set of supported ciphers for each protocol. This PR simply places the body of the for loop in a separate function from the loop itself. This allows cipher_pref_check() to be called for just a single protocol rather than for all protocols. Another PR will make a similar change to run_cipher_per_proto().

The reason for this change is that cipher_pref_check() was only intended to be used in cases in which the server enforces a cipher preference order. Some servers, however, enforce an order for some protocols, but not for others. The change in this PR will make it possible in the future to call cipher_pref_check() only for protocols in which the server enforces a cipher order.
David Cooper 2019-02-12 12:43:57 -05:00 committed by GitHub
parent 5d1109a582
commit 2a13643bb1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -6106,7 +6106,17 @@ run_server_preference() {
fi
if "$has_cipher_order"; then
cipher_pref_check
"$FAST" && using_sockets=false
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
pr_bold " Cipher order"
while read proto_ossl proto_hex proto_txt; do
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets"
done <<< "$(tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
outln
outln
else
pr_bold " Negotiated cipher per proto"; outln " $limitedsense"
i=1
@ -6295,33 +6305,27 @@ check_tls12_pref() {
cipher_pref_check() {
local p proto proto_hex
local tested_cipher cipher order rfc_ciph rfc_order
local p="$1" proto_hex="$2" proto="$3"
local using_sockets="$4"
local tested_cipher cipher order rfc_cipher rfc_order
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
local -i i nr_ciphers nr_nonossl_ciphers num_bundles mod_check bundle_size bundle end_of_bundle success
local hexc ciphers_to_test
local -a rfc_ciph hexcode ciphers_found ciphers_found2
local -a -i index
local using_sockets=true ciphers_found_with_sockets
local ciphers_found_with_sockets
"$SSL_NATIVE" && using_sockets=false
"$FAST" && using_sockets=false
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
pr_bold " Cipher order"
while read p proto_hex proto; do
order=""; ciphers_found_with_sockets=false
if [[ $p == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
continue
return 0
fi
if [[ $p == tls1_3 ]] && ! "$HAS_TLS13" && ! "$using_sockets"; then
out "\n TLSv1.3 "; pr_local_problem "$OPENSSL doesn't support \"s_client -tls1_3\"";
continue
return 0
fi
[[ $(has_server_protocol "$p") -eq 1 ]] && continue
[[ $(has_server_protocol "$p") -eq 1 ]] && return 0
if ( [[ $p != tls1_3 ]] || "$HAS_TLS13" ) && ( [[ $p != ssl3 ]] || "$HAS_SSL3" ); then
# with the supplied binaries SNI works also for SSLv3
@ -6483,9 +6487,9 @@ cipher_pref_check() {
elif [[ -n "$order" ]] && [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then
rfc_order=""
while read -d " " cipher; do
rfc_ciph="$(openssl2rfc "$cipher")"
if [[ -n "$rfc_ciph" ]]; then
rfc_order+="$rfc_ciph "
rfc_cipher="$(openssl2rfc "$cipher")"
if [[ -n "$rfc_cipher" ]]; then
rfc_order+="$rfc_cipher "
else
rfc_order+="$cipher "
fi
@ -6504,11 +6508,8 @@ cipher_pref_check() {
fi
fileout "cipherorder_${proto//./_}" "INFO" "$order"
fi
done <<< "$(tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
outln
outln
tmpfile_handle ${FUNCNAME[0]}.txt
tmpfile_handle ${FUNCNAME[0]}-$p.txt
return 0
}
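Review bot: cipher_pref_check() now takes `using_sockets` from `$4` and later runs it as a command in `! "$using_sockets"`, so a call that omits the fourth argument leaves it empty; the empty command fails, the negation succeeds, and when the local OpenSSL lacks SSLv3 or TLS 1.3 the function takes the "doesn't support" early return and skips that protocol while still returning 0. Since the description says the function is meant to be called for single protocols in future, I would pin the contract at the top with `local using_sockets="${4:-false}"` and a header comment such as `# Arguments: $1 openssl protocol option, $2 protocol hex byte, $3 display name, $4 true|false - test via sockets`. Separately, `tmpfile_handle ${FUNCNAME[0]}-$p.txt` is better quoted as `tmpfile_handle "${FUNCNAME[0]}-$p.txt"`. The middle of the function body lies between the hunks and is not visible here, so other uses of `using_sockets` are not covered by this note.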