mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Further changes to run_server_preference()
In order not to provide redundant information run_allciphers() is now not being run via default (1). Therefore run_server_preference() runs always in wide mode. In order to archieve that cipher_pref_check() was modified to accept a fifth argument whether it'll run in wide mode. As of now cipher_pref_check() is only called by run_server_preference(), so the code referring to non-wide mode in cipher_pref_check() may also be deleted in the future. To provide a better view the run_fs() section is now being run after run_server_preference(). (1) saves also 5-6 seconds
This commit is contained in:
parent
a86ccb6968
commit
3e54f4e4cd
75
testssl.sh
75
testssl.sh
@ -6530,47 +6530,35 @@ run_server_preference() {
|
||||
"$FAST" && using_sockets=false
|
||||
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
|
||||
|
||||
# TODO: Shouldn't say "Cipher order" if the server does not always impose an order.
|
||||
# TODO: In non-wide mode, need to distinguish between those order by server preference and those ordered by encryption strength.
|
||||
pr_bold " Cipher listing per protocol"
|
||||
"$WIDE" && outln "\n" && neat_header
|
||||
pr_bold " Cipher per protocol"
|
||||
outln "\n" && neat_header
|
||||
while read proto_ossl proto_hex proto_txt; do
|
||||
if "$WIDE"; then
|
||||
pr_underline "$(printf -- "%b" "$proto_txt")"
|
||||
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
|
||||
# the following takes care of that but only if we know the protocol is not supported
|
||||
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
|
||||
"$WIDE" && outln "\n - "
|
||||
continue
|
||||
fi
|
||||
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
|
||||
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
|
||||
if [[ "$proto_ossl" == ssl2 ]] || \
|
||||
( [[ "$proto_ossl" != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
||||
( [[ "$proto_ossl" == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
||||
if [[ "$proto_ossl" == ssl2 ]]; then
|
||||
outln " (listed by strength)"
|
||||
elif [[ "$proto_ossl" == tls1_3 ]]; then
|
||||
outln " (no server order, thus listed by strength)"
|
||||
else
|
||||
prln_svrty_high " (no server order, thus listed by strength)"
|
||||
fi
|
||||
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "$WIDE"
|
||||
pr_underline "$(printf -- "%b" "$proto_txt")"
|
||||
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
|
||||
# the following takes care of that but only if we know the protocol is not supported
|
||||
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
|
||||
outln "\n - "
|
||||
continue
|
||||
fi
|
||||
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
|
||||
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
|
||||
if [[ "$proto_ossl" == ssl2 ]] || \
|
||||
( [[ "$proto_ossl" != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
||||
( [[ "$proto_ossl" == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
||||
if [[ "$proto_ossl" == ssl2 ]]; then
|
||||
outln " (listed by strength)"
|
||||
elif [[ "$proto_ossl" == tls1_3 ]]; then
|
||||
outln " (no server order, thus listed by strength)"
|
||||
else
|
||||
outln " (server order)"
|
||||
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets"
|
||||
prln_svrty_high " (no server order, thus listed by strength)"
|
||||
fi
|
||||
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
||||
else
|
||||
if [[ "$proto_ossl" == ssl2 ]] || ( [[ "$proto_ossl" != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
||||
( [[ "$proto_ossl" == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
||||
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "$WIDE"
|
||||
else
|
||||
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets"
|
||||
fi
|
||||
outln " (server order)"
|
||||
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
||||
fi
|
||||
done <<< "$(tm_out " ssl2 22 SSLv2\n ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
|
||||
outln
|
||||
outln
|
||||
|
||||
return $ret
|
||||
# end of run_server_preference()
|
||||
@ -6658,6 +6646,7 @@ check_tls12_pref() {
|
||||
cipher_pref_check() {
|
||||
local p="$1" proto_hex="$2" proto="$3"
|
||||
local using_sockets="$4"
|
||||
local wide="$5" # at the moment this is called ALWAYS via run_server_preference and ALWAYS w true
|
||||
local tested_cipher cipher order rfc_cipher rfc_order
|
||||
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
|
||||
local -i i nr_ciphers nr_nonossl_ciphers num_bundles bundle_size bundle end_of_bundle success
|
||||
@ -6680,11 +6669,11 @@ cipher_pref_check() {
|
||||
|
||||
if ( [[ $p != tls1_3 ]] || "$HAS_TLS13" ) && ( [[ $p != ssl3 ]] || "$HAS_SSL3" ); then
|
||||
if [[ $p == tls1_2 ]] && "$SERVER_SIZE_LIMIT_BUG"; then
|
||||
order="$(check_tls12_pref "$WIDE")"
|
||||
order="$(check_tls12_pref "$wide")"
|
||||
[[ "${order:0:1}" == \ ]] && order="${order:1}"
|
||||
ciphers_found="$order"
|
||||
fi
|
||||
if "$WIDE" || [[ -z "$order" ]]; then
|
||||
if "$wide" || [[ -z "$order" ]]; then
|
||||
tested_cipher=""; order=""; nr_ciphers_found=0
|
||||
while true; do
|
||||
if [[ $p != tls1_3 ]]; then
|
||||
@ -6713,7 +6702,7 @@ cipher_pref_check() {
|
||||
order+="$cipher "
|
||||
tested_cipher+=":-"$cipher
|
||||
"$FAST" && break
|
||||
if "$WIDE"; then
|
||||
if "$wide"; then
|
||||
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
||||
[[ "$cipher" == ${TLS_CIPHER_OSSL_NAME[i]} ]] && break
|
||||
done
|
||||
@ -6843,7 +6832,7 @@ cipher_pref_check() {
|
||||
for (( i=0; i < nr_ciphers; i++ )); do
|
||||
[[ "$cipher" == ${rfc_ciph[i]} ]] && ciphers_found2[i]=true && break
|
||||
done
|
||||
if "$WIDE"; then
|
||||
if "$wide"; then
|
||||
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
||||
[[ "$cipher" == ${TLS_CIPHER_RFC_NAME[i]} ]] && break
|
||||
done
|
||||
@ -6884,7 +6873,7 @@ cipher_pref_check() {
|
||||
|
||||
if [[ -n "$order" ]]; then
|
||||
add_tls_offered "$p" yes
|
||||
if "$WIDE"; then
|
||||
if "$wide"; then
|
||||
for (( i=0 ; i<nr_ciphers_found; i++ )); do
|
||||
neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${export2[i]}" "true"
|
||||
outln "${sigalg[i]}"
|
||||
@ -20348,7 +20337,7 @@ initialize_globals() {
|
||||
|
||||
# Set default scanning options for the boolean global do_* variables.
|
||||
set_scanning_defaults() {
|
||||
do_allciphers=true
|
||||
do_allciphers=false
|
||||
do_vulnerabilities=true
|
||||
do_beast=true
|
||||
do_lucky13=true
|
||||
@ -21098,11 +21087,11 @@ lets_roll() {
|
||||
fileout_section_header $section_number true && ((section_number++))
|
||||
"$do_cipherlists" && { run_cipherlists; ret=$(($? + ret)); stopwatch run_cipherlists; }
|
||||
|
||||
fileout_section_header $section_number true && ((section_number++))
|
||||
"$do_fs" && { run_fs; ret=$(($? + ret)); stopwatch run_fs; }
|
||||
fileout_section_header $section_number true && ((section_number++))
|
||||
"$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; }
|
||||
|
||||
fileout_section_header $section_number true && ((section_number++))
|
||||
"$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; }
|
||||
"$do_fs" && { run_fs; ret=$(($? + ret)); stopwatch run_fs; }
|
||||
|
||||
fileout_section_header $section_number true && ((section_number++))
|
||||
"$do_server_defaults" && { run_server_defaults; ret=$(($? + ret)); stopwatch run_server_defaults; }
|
||||
|
Loading…
Reference in New Issue
Block a user