Improve SSL native client simulation

This PR improves client simulation in "--ssl-native" mode:

* It changes ${protos[i]} to list the protocols that should be disabled rather than those that should be enabled, except in the case that the client only supports one protocol.

* It sets the values for ${tlsvers[i]}, which is used in run_client_simulation(), but was not defined.

* It adds a new variable, ${ciphersuites[i]}, that lists the TLSv1.3 cipher suites supported by a client.

Client simulation still produces some incorrect results in "--ssl-native" mode, but the results are better than before.
This commit is contained in:
David Cooper
2018-04-10 16:52:38 -04:00
committed by David Cooper
parent c357ea7356
commit 39db50eea2
3 changed files with 419 additions and 145 deletions


@ -4132,6 +4132,7 @@ run_client_simulation() {
local short=()
local protos=()
local ciphers=()
local ciphersuites=()
local tlsvers=()
local sni=()
local warning=()
@ -4223,7 +4224,7 @@ run_client_simulation() {
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE
fi
else
options="$(s_client_options "-cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
options="$(s_client_options "-cipher ${ciphers[i]} -ciphersuites "\'${ciphersuites[i]}\'" ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
debugme echo "$OPENSSL s_client $options </dev/null"
$OPENSSL s_client $options </dev/null >$TMPFILE 2>$ERRFILE
sclient_connect_successful $? $TMPFILE
@ -4263,7 +4264,7 @@ run_client_simulation() {
if [[ "$proto" == TLSv1.2 ]] && ( ! "$using_sockets" || [[ -z "${handshakebytes[i]}" ]] ); then
# OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
for tls in ${tlsvers[i]}; do
options="$(s_client_options "$tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
options="$(s_client_options "$tls -cipher ${ciphers[i]} -ciphersuites "\'${ciphersuites[i]}\'" $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
debugme echo "$OPENSSL s_client $options </dev/null"
$OPENSSL s_client $options </dev/null >$TMPFILE 2>$ERRFILE
sclient_connect_successful $? $TMPFILE
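Review bot: The `-ciphersuites "\'${ciphersuites[i]}\'"` wrapper added on the new lines of the second and third hunks depends on something downstream unwrapping it: inside a double-quoted string `\'` remains a literal backslash plus apostrophe, and the later unquoted `$OPENSSL s_client $options` expansion performs no quote removal, so unless s_client_options() strips those markers openssl receives them as part of the cipher-suite list. The wrapper does keep an empty `${ciphersuites[i]}` from letting `-ciphersuites` swallow `${protos[i]}` (or `$STARTTLS`) as its argument, which appears to be its purpose, but `-ciphersuites` is only understood by OpenSSL 1.1.1 and newer, so on an older binary every simulated client would report a failed connection unless s_client_options() also drops the option. I would document that contract at the first use, e.g. `# \'…\' around the TLS 1.3 list is a marker for s_client_options(), which is expected to unwrap it or drop -ciphersuites when the list is empty or the binary lacks the option`, after confirming that s_client_options() really does this, since it is not part of this diff. run_client_simulation() begins and ends outside these hunks.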