fix curves findings in TLS1.2 and prior versions

This commit is contained in:
Riccardo Germenia 2025-01-17 12:03:34 +01:00
parent daf0671878
commit 2ae28d7f64


@ -10852,6 +10852,14 @@ run_fs() {
"${ossl_supported[i]}" && ! "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}" "${ossl_supported[i]}" && ! "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
fi fi
done done
# Versions of TLS prior to 1.3 close the connection if the client does not support the curve
# used in the certificate. The easiest solution is to move the curves to the end of the list.
# instead of removing them from the ClientHello.
for (( i=low; i < high; i++ )); do
if ! "$HAS_TLS13" || ! "${curves_deprecated[i]}" || [[ "$proto" == "-no_tls1_3" ]]; then
"${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
fi
done
[[ -z "$curves_to_test" ]] && break [[ -z "$curves_to_test" ]] && break
$OPENSSL s_client $(s_client_options "$proto -cipher "\'${ecdhe_cipher_list:1}\'" -ciphersuites "\'${tls13_cipher_list:1}\'" -curves "${curves_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE </dev/null $OPENSSL s_client $(s_client_options "$proto -cipher "\'${ecdhe_cipher_list:1}\'" -ciphersuites "\'${tls13_cipher_list:1}\'" -curves "${curves_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE </dev/null
sclient_connect_successful $? $TMPFILE || break sclient_connect_successful $? $TMPFILE || break
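Review bot: Re-appending every already-supported curve to `curves_to_test` in the new `for (( i=low; i < high; i++ ))` loop means the `[[ -z "$curves_to_test" ]] && break` guard that follows can no longer end the probing loop once a single curve has been found, so termination now rests entirely on the code after `sclient_connect_successful`, which is outside this hunk. A server that applies its own group preference is free to keep selecting one of the trailing, already-known curves, so that code has to recognise a negotiated curve already marked in `supported_curve` and break (or otherwise stop re-offering it) rather than iterate again; if it only records newly seen curves, the loop cannot make progress. The new header comment also has a stray full stop splitting one sentence: `# used in the certificate. The easiest solution is to move the curves to the end of the list` and `# instead of removing them from the ClientHello.` should read `... to the end of the list instead of removing them from the ClientHello.` Both the enclosing loop and run_fs() continue outside the hunk.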