From d10dd6d34ce585e50028ef5ebd86f673785fae0d Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 15 Jun 2016 20:12:48 +0200 Subject: [PATCH 1/3] align old chacha/poly ciphers output in OPENSSL name, see #379 --- testssl.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index 1a6c408..2dccf67 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1503,7 +1503,7 @@ neat_list(){ done fi #echo "${#kx}" # should be always 20 / 13 - printf -- " %-7s %-30s %-10s %-11s%-11s${ADD_RFC_STR:+ %-48s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$(show_rfc_style "$hexcode")" + printf -- " %-7s %-31s %-10s %-11s%-11s${ADD_RFC_STR:+ %-48s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$(show_rfc_style "$hexcode")" } test_just_one(){ @@ -6702,7 +6702,7 @@ determine_optimal_proto() { pr_bold " $NODEIP:$PORT " fi tmpfile_handle $FUNCNAME.txt - pr_boldln "doesn't seem a TLS/SSL enabled server"; + pr_boldln "doesn't seem to be a TLS/SSL enabled server"; ignore_no_or_lame " Note that the results might look ok but they are nonsense. Proceed ? " [[ $? -ne 0 ]] && exit -2 fi @@ -7487,4 +7487,4 @@ fi exit $? -# $Id: testssl.sh,v 1.499 2016/06/09 13:56:51 dirkw Exp $ +# $Id: testssl.sh,v 1.501 2016/06/15 18:11:22 dirkw Exp $ From 9b8fc2c6f0ccffec663ed54240a865dc5ec83f4e Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 15 Jun 2016 20:14:08 +0200 Subject: [PATCH 2/3] rename old alg chacha/poly ciphers according to SSLlabs (#379 / https://github.com/PeterMosmans/openssl/issues/43) --- etc/mapping-rfc.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/mapping-rfc.txt b/etc/mapping-rfc.txt index 0a3ee20..4ed598f 100644 --- a/etc/mapping-rfc.txt +++ b/etc/mapping-rfc.txt @@ -343,9 +343,9 @@ xCCAB TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 xCCAC TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 xCCAD TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 xCCAE TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 -xCC13 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD -xCC14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD -xCC15 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD +xCC13 OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +xCC14 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +xCC15 OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xFEFE SSL_RSA_FIPS_WITH_DES_CBC_SHA xFEFF SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA xFFE0 SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA From 02e9f5cd237abd3eb0e4f8fedeefe75252ae5cd9 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 15 Jun 2016 21:31:10 +0200 Subject: [PATCH 3/3] fix colum spacing again for all alg chacha poly ciphers --- testssl.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/testssl.sh b/testssl.sh index 2dccf67..cb8147e 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1464,14 +1464,14 @@ show_rfc_style(){ #[[ -z "$1" ]] && return 0 local rfcname - rfcname="$(grep -iw "$1" "$MAPPING_FILE_RFC" | sed -e 's/^.*TLS/TLS/' -e 's/^.*SSL/SSL/')" + rfcname="$(grep -iw "$1" "$MAPPING_FILE_RFC" | awk '{ print $2 }')" [[ -n "$rfcname" ]] && out "$rfcname" return 0 } neat_header(){ - printf -- "Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits${ADD_RFC_STR:+ Cipher Suite Name (RFC)}\n" - printf -- "%s-------------------------------------------------------------------------${ADD_RFC_STR:+-------------------------------------------------}\n" + printf -- "Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits${ADD_RFC_STR:+ Cipher Suite Name (RFC)}\n" + printf -- "%s------------------------------------------------------------------------${ADD_RFC_STR:+---------------------------------------------------}\n" } @@ -1489,7 +1489,7 @@ neat_list(){ strength=$(sed -e 's/.*(//' -e 's/)//' <<< "$enc") # strength = encryption bits strength="${strength//ChaCha20-Poly1305/ly1305}" enc=$(sed -e 's/(.*)//g' -e 's/ChaCha20-Poly1305/ChaCha20-Po/g' <<< "$enc") # workaround for empty bits ChaCha20-Poly1305 - echo "$export" | grep -iq export && strength="$strength,export" + echo "$export" | grep -iq export && strength="$strength,exp" #printf -- "%q" "$kx" | xxd | head -1 # length correction for color escape codes (printf counts the escape color codes!!) @@ -1503,7 +1503,7 @@ neat_list(){ done fi #echo "${#kx}" # should be always 20 / 13 - printf -- " %-7s %-31s %-10s %-11s%-11s${ADD_RFC_STR:+ %-48s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$(show_rfc_style "$hexcode")" + printf -- " %-7s %-33s %-10s %-10s%-8s${ADD_RFC_STR:+ %-49s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$(show_rfc_style "$hexcode")" } test_just_one(){ @@ -1655,10 +1655,10 @@ run_allciphers() { if "$SHOW_EACH_C"; then if ${ciphers_found[child]}; then available="available" - pr_cyan " available" + pr_cyan "$available" else - out " not a/v" available="not a/v" + out "$available" fi fi if "$SHOW_SIGALGO" && ${ciphers_found[child]}; then @@ -1763,13 +1763,13 @@ run_cipher_per_proto() { fi fi neat_list "$HEXC" "${ciph[i]}" "${kx[i]}" "${enc[i]}" - available="available" if "$SHOW_EACH_C"; then if ${ciphers_found[child]}; then - pr_cyan " available" + available="available" + pr_cyan "$available" else - out " not a/v" available="not a/v" + out "$available" fi fi if "$SHOW_SIGALGO" && ${ciphers_found[child]}; then @@ -7487,4 +7487,4 @@ fi exit $? -# $Id: testssl.sh,v 1.501 2016/06/15 18:11:22 dirkw Exp $ +# $Id: testssl.sh,v 1.502 2016/06/15 19:31:09 dirkw Exp $