From 3a68e5b937176a7b07972be63b845e7d056d59d1 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Tue, 8 Nov 2016 12:36:25 -0500 Subject: [PATCH] Find more extensions in run_server_defaults() This PR uses `tls_sockets()` to determine whether a server supports certain extensions that may not be supported by `$OPENSSL`. At the moment it checks for max_fragment_length, client_certificate_url, truncated_hmac, ALPN, signed_certificate_timestamp, encrypt_then_mac, and extended_master_secret. In https://github.com/dcooper16/testssl.sh/blob/extended_tls_sockets/testssl.sh, `run_server_defaults()` is re-written to use `tls_sockets()` instead of `$OPENSSL`, with just one call to `$OPENSSL s_client` to get the session ticket, which reduces the dependence on `$OPENSSL`, but this PR limits the number of calls to `tls_sockets()`, which is still slow. Note: I included ALPN in the `tls_sockets()` ClientHello since a single call to `tls_sockets()` cannot test for both NPN and ALPN, and since support for NPN was added to OpenSSL before support for ALPN was added, I figured it was more likely that `determine_tls_extensions()` had already determined whether the server supported NPN. --- testssl.sh | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/testssl.sh b/testssl.sh index 8e43164..12534bf 100755 --- a/testssl.sh +++ b/testssl.sh @@ -839,6 +839,23 @@ asciihex_to_binary_file(){ return 0 } +# arg1: text string +# Output a comma-separated ASCII-HEX string resprestation of the input string. +string_to_asciihex() { + local string="$1" + local -i i eos + local output="" + + eos=${#string}-1 + for (( i=0; i