Improve SSL native client simulation

This PR improves client simulation in "--ssl-native" mode: * It changes ${protos[i]} to list the protocols that should be disabled rather than those that should be enabled, except in the case that the client only supports one protocol. * It sets the values for ${tlsvers[i]}, which is used in run_client_simulation(), but was not defined. * It adds a new variable, ${ciphersuites[i]}, that lists the TLSv1.3 cipher suites supported by a client. Client simulation still produces false results in "--ssl-native" mode, but the results are better than before.
2025-10-31 13:55:25 +01:00 · 2018-04-10 16:52:38 -04:00
parent c357ea7356
commit 39db50eea2
3 changed files with 419 additions and 145 deletions
--- a/utils/update_client_sim_data.pl
+++ b/utils/update_client_sim_data.pl
@@ -51,8 +51,19 @@ foreach my $client ( @$ssllabs ) {

 		# Ciphers
 		my @ciphers = ();
+		my @ciphersuites = ();
 		foreach my $suite ( @{$client->{suiteIds}} ) {
-			if ( exists $ciphers{$suite} ) {
+			if  ( $suite == "4865" ) {
+				push @ciphersuites, "TLS_AES_128_GCM_SHA256"; }
+			elsif ( $suite == "4866" ) {
+				push @ciphersuites, "TLS_AES_256_GCM_SHA384"; }
+			elsif ( $suite == "4867" ) {
+				push @ciphersuites, "TLS_CHACHA20_POLY1305_SHA256"; }
+			elsif ( $suite == "4868" ) {
+				push @ciphersuites, "TLS_AES_128_CCM_SHA256"; }
+			elsif ( $suite == "4869" ) {
+				push @ciphersuites, "TLS_AES_128_CCM_8_SHA256"; }
+			elsif ( exists $ciphers{$suite} ) {
 				push @ciphers, $ciphers{$suite}; }
 			elsif ( $suite == "255" ) {
 				# no openssl name for this:
@@ -102,6 +113,7 @@ foreach my $client ( @$ssllabs ) {
 		}
 		print "\n" if ! $has_matched ;
 		$sim->{ciphers} = "ciphers+=(\"" . (join ":", @ciphers) . "\")";
+		$sim->{ciphersuites} = "ciphersuites+=(\"" . (join ":", @ciphersuites) . "\")";

 		# SNI
 		if ( exists $client->{supportsSni} && $client->{supportsSni} ) {
@@ -123,33 +135,54 @@ foreach my $client ( @$ssllabs ) {
 		# protos
 		my @proto_flags = ();
 		my @tls_flags = ();
-		# Figure out if we need to support sslv2
-		if ( $client->{lowestProtocol} < 768 && $client->{highestProtocol} >= 512 ) {
-			# 512 = 0x200 = sslv2
-			# 768 = 0x300 = sslv3
-			push @proto_flags, "-ssl2";
-		}
-		# Do we need to support SSL3?
-		if ( $client->{lowestProtocol} <= 768 && $client->{highestProtocol} >= 768 ) {
-			# 768 = 0x300 = sslv3
-			push @proto_flags, "-ssl3";
-		}
-		# Do we need to support TLS 1.0?
-		if ( $client->{lowestProtocol} <= 769 && $client->{highestProtocol} >= 769 ) {
-			# 769 = 0x301 = tls1.0
-			push @proto_flags, "-tls1";
-		}
-		# Do we need to support TLS 1.1?
-		if ( $client->{lowestProtocol} <= 770 && $client->{highestProtocol} >= 770 ) {
-			# 770 = 0x302 = tls1.1
-			push @proto_flags, "-tls1_1";
-		}
-		# Do we need to support TLS 1.2?
-		if ( $client->{lowestProtocol} <= 771 && $client->{highestProtocol} >= 771 ) {
-			# 771 = 0x303 = tls1.2
-			push @proto_flags, "-tls1_2";
+		if ( $client->{lowestProtocol} == $client->{highestProtocol} ) {
+			if ( $client->{lowestProtocol} == 512 ) {
+				push @proto_flags, "-ssl2"; }
+			elsif ( $client->{lowestProtocol} == 768 ) {
+				push @proto_flags, "-ssl3"; }
+			elsif ( $client->{lowestProtocol} == 769 ) {
+				push @proto_flags, "-tls1"; }
+			elsif ( $client->{lowestProtocol} == 770 ) {
+				push @proto_flags, "-tls1_1"; }
+			elsif ( $client->{lowestProtocol} == 771 ) {
+				push @proto_flags, "-tls1_2"; }
+			elsif ( $client->{lowestProtocol} == 772 ) {
+				push @proto_flags, "-tls1_3"; }
+		} else {
+			# Figure out if we need to support sslv2
+			if ( $client->{lowestProtocol} > 512 ) {
+				# 512 = 0x200 = sslv2
+				push @proto_flags, "-no_ssl2";
+			}
+			# Do we need to support SSL3?
+			if ( $client->{lowestProtocol} > 768 || $client->{highestProtocol} < 768 ) {
+				# 768 = 0x300 = sslv3
+				push @proto_flags, "-no_ssl3";
+			}
+			# Do we need to support TLS 1.0?
+			if ( $client->{lowestProtocol} > 769 || $client->{highestProtocol} < 769 ) {
+				# 769 = 0x301 = tls1.0
+				push @proto_flags, "-no_tls1";
+			} else {
+				push @tls_flags, "-tls1";
+			}
+			# Do we need to support TLS 1.1?
+			if ( $client->{lowestProtocol} > 770 || $client->{highestProtocol} < 770 ) {
+				# 770 = 0x302 = tls1.1
+				push @proto_flags, "-no_tls1_1";
+			} else {
+				push @tls_flags, "-tls1_1";
+			}
+			# Do we need to support TLS 1.2?
+			if ( $client->{lowestProtocol} > 771 || $client->{highestProtocol} < 771 ) {
+				# 771 = 0x303 = tls1.2
+				push @proto_flags, "-no_tls1_2";
+			} else {
+				push @tls_flags, "-tls1_2";
+			}
 		}
 		$sim->{protos} = "protos+=(\"" . (join " ", reverse @proto_flags) . "\")";
+		$sim->{tlsvers} = "tlsvers+=(\"" . (join " ", reverse @tls_flags) . "\")";
 		$sim->{lowestProtocol} = sprintf("lowest_protocol+=(\"0x%04x\")", $client->{lowestProtocol});
 		$sim->{highestProtocol} = sprintf("highest_protocol+=(\"0x%04x\")", $client->{highestProtocol});

@@ -184,10 +217,12 @@ my $sim = {};
 #$sim->{name} = "names+=(\"Mail iOS 9.3.2                \")";
 #$sim->{shortname} = "short+=(\"mail_ios_932\")";
 #$sim->{ciphers} = "ciphers+=(\"ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5\")";
+#$sim->{ciphersuites} = "ciphersuites+=(\"\")";
 #$sim->{sni} = "sni+=(\"\$SNI\")";
 #$sim->{warning} = "warning+=(\"\")";
 #$sim->{handshakebytes} = "handshakebytes+=(\"16030100bb010000b703015767e6ae46f9abf3138e26a9f9880f9697bf3387f7eff709db1fa220e692d80420fb04b0979bae1664e11ef172d4dfba15af59dd200b7831992a35c73cde9efed9003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003c000000190017000014696d61702e73656374696f6e7a65726f2e6f7267000a00080006001700180019000b0002010000050005010000000000120000\")";
-#$sim->{protos} = "protos+=(\"#-tls1_1 -tls1\")";
+#$sim->{protos} = "protos+=(\"#-no_tls1_2 -no_ssl3 -no_ssl2\")";
+#$sim->{tlsvers} = "tlsvers+=(\"#-tls1_1 -tls1\")";
 #$sim->{lowestProtocol} = "lowest_protocol+=(\"0x0300\")";
 #$sim->{highestProtocol} = "highest_protocol+=(\"0x0301\")";
 #$sim->{service} = "service+=(\"SMTP,POP,IMAP\")";
@@ -201,10 +236,12 @@ my $sim = {};
 #$sim->{name} = "names+=(\"Mail OSX 10.11.15             \")";
 #$sim->{shortname} = "short+=(\"mail_osx_101115\")";
 #$sim->{ciphers} = "ciphers+=(\"ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5\")";
+#$sim->{ciphersuites} = "ciphersuites+=(\"\")";
 #$sim->{sni} = "sni+=(\"\$SNI\")";
 #$sim->{warning} = "warning+=(\"\")";
 #$sim->{handshakebytes} = "handshakebytes+=(\"16030100940100009003015770e928499e82df2eb7477200e2a828d9fa4109514385bd1602df44aaf2b0f400003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003500000012001000000d3137382e3233372e33342e3932000a00080006001700180019000b0002010000050005010000000000120000\")";
 #$sim->{protos} = "protos+=(\"-tls1\")";
+#$sim->{tlsvers} = "tlsvers+=(\"-tls1\")";
 #$sim->{lowestProtocol} = "lowest_protocol+=(\"0x0301\")";
 #$sim->{highestProtocol} = "highest_protocol+=(\"0x0301\")";
 #$sim->{service} = "service+=(\"SMTP,POP,IMAP\")";
@@ -219,10 +256,12 @@ my $sim = {};
 $sim->{name} = "names+=(\"Thunderbird 45.1.1 OSX 10.11  \")";
 $sim->{shortname} = "short+=(\"thunderbird_45.1.1_osx_101115\")";
 $sim->{ciphers} = "ciphers+=(\"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA\")";
+$sim->{ciphersuites} = "ciphersuites+=(\"\")";
 $sim->{sni} = "sni+=(\"\$SNI\")";
 $sim->{warning} = "warning+=(\"\")";
 $sim->{handshakebytes} = "handshakebytes+=(\"160301009d010000990303c7c5b3ff80b3aa597c770c538b98ae34a94c9590ad8f947ba7bc28692061cb57000016c02bc02fc00ac009c013c01400330039002f0035000a0100005a0000001800160000136d78332e73656374696f6e7a65726f2e6f7267ff01000100000a00080006001700180019000b0002010000230000000500050100000000000d001600140401050106010201040305030603020304020202\")";
-$sim->{protos} = "protos+=(\"-tls1_2 -tls1_1 -tls1\")";
+$sim->{protos} = "protos+=(\"-no_ssl3 -no_ssl2\")";
+$sim->{tlsvers} = "tlsvers+=(\"-tls1_2 -tls1_1 -tls1\")";
 $sim->{lowestProtocol} = "lowest_protocol+=(\"0x0301\")";
 $sim->{highestProtocol} = "highest_protocol+=(\"0x0303\")";
 $sim->{service} = "service+=(\"SMTP,POP,IMAP\")";
@@ -354,7 +393,7 @@ open OUT, ">client-simulation_generated.txt" or die "Unable to open client-simul
 print OUT "$header";

 foreach my $shortname ( sort keys %sims ) {
-	foreach my $k ( qw(name shortname ciphers sni warning handshakebytes protos lowestProtocol highestProtocol service 
+	foreach my $k ( qw(name shortname ciphers ciphersuites sni warning handshakebytes protos tlsvers lowestProtocol highestProtocol service 
 		minDhBits maxDhBits minRsaBits maxRsaBits minEcdsaBits requiresSha2 current) ) {
 		print OUT "     $sims{$shortname}->{$k}\n";
 	}