Fix RFC 7919 DH groups

This PR fixes three issues related to the testing for RFC 7919 DH groups in run_pfs(): * If the RFC 7919 DH groups are supported for both TLSv1.3 cipher suites and non-TLSv1.3 cipher suites, then the list of supported groups is printed twice. * The finding that is used for CSV/JSON files includes the word "offered" after the list of groups, which is inconsistent with other findings. * Since the $ffdhe_offered is only used to determine whether to test for use of RFC 7919 DH groups with non-TLSv1.3 ciphers, this flag should only be set if a non-TLSv1.3 ciphers that uses ephemeral DH is found.
2025-01-03 23:39:45 +01:00 · 2018-04-10 12:40:49 -04:00 · 2018-04-10 12:40:49 -04:00 · 2c792fdc00
commit 2c792fdc00
parent a0c17fda9f
1 changed files with 12 additions and 10 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -7983,9 +7983,11 @@ run_pfs() {
                              fi
                         fi
                    fi
-                    if [[ "${ciph[i]}" == "DHE-"* ]] || [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || ( "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_DHE_"* ]] ); then
+                    if [[ "${ciph[i]}" == "DHE-"* ]] || ( "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_DHE_"* ]] ); then
                         ffdhe_offered=true
                         ffdhe_cipher_list_hex+=", ${hexcode[i]}"
+                    elif [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]]; then
+                         ffdhe_cipher_list_hex+=", ${hexcode[i]}"
                    fi
               fi
               if "$WIDE"; then
@ -8161,16 +8163,16 @@ run_pfs() {
                    [[ $i -eq $nr_curves ]] && break
                    supported_curve[i]=true
               done
-               curves_offered=""
-               for (( i=0; i < nr_curves; i++ )); do
-                    "${supported_curve[i]}" && curves_offered+="${ffdhe_groups_output[i]} "
-               done
-               if [[ -n "$curves_offered" ]]; then
-                    pr_bold " RFC 7919 DH groups offered:  "
-                    outln "$curves_offered"
-                    fileout "RFC7919_DH_groups" "INFO" "$curves_offered offered"
-               fi
          done
+          curves_offered=""
+          for (( i=0; i < nr_curves; i++ )); do
+               "${supported_curve[i]}" && curves_offered+="${ffdhe_groups_output[i]} "
+          done
+          if [[ -n "$curves_offered" ]]; then
+               pr_bold " RFC 7919 DH groups offered:  "
+               outln "$curves_offered"
+               fileout "RFC7919_DH_groups" "INFO" "$curves_offered"
+          fi
     fi
     outln