diff --git a/testssl.sh b/testssl.sh index 4c68c6a..7e1431c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2026,33 +2026,69 @@ test_just_one(){ # test for all ciphers locally configured (w/o distinguishing whether they are good or bad) run_allciphers() { local tmpfile - local -i nr_ciphers=0 - local n auth mac export - local -a hexcode ciph sslvers kx enc export2 + local -i nr_ciphers=0 ret + local n auth mac export hexc sslv2_ciphers="" + local -a normalized_hexcode hexcode ciph sslvers kx enc export2 local -i i j parent child end_of_bundle round_num bundle_size num_bundles mod_check local -a ciphers_found local dhlen local available local ciphers_to_test local sslv2_supported=false + local has_dh_bits="$HAS_DH_BITS" + local using_sockets=true - # get a list of all the cipher suites to test (only need the hexcode, ciph, sslvers, kx, enc, and export values) - while read hexcode[nr_ciphers] n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do - nr_ciphers=$nr_ciphers+1 - done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) + if "$SSL_NATIVE" || [[ -n "$STARTTLS" ]]; then + using_sockets=false + fi + + if "$using_sockets"; then + # get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values) + for (( i=0; i < TLS_NR_CIPHERS; i++ )); do + hexc=$(echo "${TLS_CIPHER_HEXCODE[i]}" | tr 'A-Z' 'a-z') + ciph[i]="${TLS_CIPHER_OSSL_NAME[i]}" + sslvers[i]="${TLS_CIPHER_SSLVERS[i]}" + kx[i]="${TLS_CIPHER_KX[i]}" + enc[i]="${TLS_CIPHER_ENC[i]}" + export2[i]="${TLS_CIPHER_EXPORT[i]}" + if [[ ${#hexc} -eq 9 ]]; then + hexcode[i]="${hexc:2:2},${hexc:7:2}" + if [[ "${hexc:2:2}" == "00" ]]; then + normalized_hexcode[i]="x${hexc:7:2}" + else + normalized_hexcode[i]="x${hexc:2:2}${hexc:7:2}" + fi + else + hexcode[i]="${hexc:2:2},${hexc:7:2},${hexc:12:2}" + normalized_hexcode[i]="x${hexc:2:2}${hexc:7:2}${hexc:12:2}" + sslv2_ciphers="$sslv2_ciphers, ${hexcode[i]}" + fi + done + nr_ciphers=$TLS_NR_CIPHERS + + sslv2_sockets "${sslv2_ciphers:2}" "true" + if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then + sslv2_supported=true + fi + else + # get a list of all the cipher suites to test (only need the hexcode, ciph, sslvers, kx, enc, and export values) + while read hexcode[nr_ciphers] n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do + nr_ciphers=$nr_ciphers+1 + done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) + + if "$HAS_SSL2"; then + $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE =1; bundle_size/=4 )); do - # Note that since the number of ciphers isn't a power of 4, the number - # of bundles may be may be less than 4**(round_num+1), and the final - # bundle may have fewer than bundle_size ciphers. - num_bundles=$nr_ciphers/$bundle_size - mod_check=$nr_ciphers%$bundle_size - [[ $mod_check -ne 0 ]] && num_bundles=$num_bundles+1 - for ((i=0;i$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE + fi + else + $OPENSSL s_client -cipher "${ciph[i]}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE