Further changes to run_server_preference()
In order not to provide redundant information, run_allciphers() is now not run by default (1). Therefore run_server_preference() always runs in wide mode. To achieve that, cipher_pref_check() was modified to accept a fifth argument indicating whether it will run in wide mode. As of now cipher_pref_check() is only called by run_server_preference(), so the code referring to non-wide mode in cipher_pref_check() may also be deleted in the future. To provide a better view, the run_fs() section is now run after run_server_preference(). (1) also saves 5-6 seconds
parent
a86ccb6968
commit
3e54f4e4cd
75
testssl.sh
75
testssl.sh
|
@ -6530,47 +6530,35 @@ run_server_preference() {
|
||||||
"$FAST" && using_sockets=false
|
"$FAST" && using_sockets=false
|
||||||
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
|
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
|
||||||
|
|
||||||
# TODO: Shouldn't say "Cipher order" if the server does not always impose an order.
|
pr_bold " Cipher per protocol"
|
||||||
# TODO: In non-wide mode, need to distinguish between those order by server preference and those ordered by encryption strength.
|
outln "\n" && neat_header
|
||||||
pr_bold " Cipher listing per protocol"
|
|
||||||
"$WIDE" && outln "\n" && neat_header
|
|
||||||
while read proto_ossl proto_hex proto_txt; do
|
while read proto_ossl proto_hex proto_txt; do
|
||||||
if "$WIDE"; then
|
pr_underline "$(printf -- "%b" "$proto_txt")"
|
||||||
pr_underline "$(printf -- "%b" "$proto_txt")"
|
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
|
||||||
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
|
# the following takes care of that but only if we know the protocol is not supported
|
||||||
# the following takes care of that but only if we know the protocol is not supported
|
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
|
||||||
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
|
outln "\n - "
|
||||||
"$WIDE" && outln "\n - "
|
continue
|
||||||
continue
|
fi
|
||||||
fi
|
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
|
||||||
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
|
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
|
||||||
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
|
if [[ "$proto_ossl" == ssl2 ]] || \
|
||||||
if [[ "$proto_ossl" == ssl2 ]] || \
|
( [[ "$proto_ossl" != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
||||||
( [[ "$proto_ossl" != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
( [[ "$proto_ossl" == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
||||||
( [[ "$proto_ossl" == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
if [[ "$proto_ossl" == ssl2 ]]; then
|
||||||
if [[ "$proto_ossl" == ssl2 ]]; then
|
outln " (listed by strength)"
|
||||||
outln " (listed by strength)"
|
elif [[ "$proto_ossl" == tls1_3 ]]; then
|
||||||
elif [[ "$proto_ossl" == tls1_3 ]]; then
|
outln " (no server order, thus listed by strength)"
|
||||||
outln " (no server order, thus listed by strength)"
|
|
||||||
else
|
|
||||||
prln_svrty_high " (no server order, thus listed by strength)"
|
|
||||||
fi
|
|
||||||
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "$WIDE"
|
|
||||||
else
|
else
|
||||||
outln " (server order)"
|
prln_svrty_high " (no server order, thus listed by strength)"
|
||||||
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets"
|
|
||||||
fi
|
fi
|
||||||
|
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
||||||
else
|
else
|
||||||
if [[ "$proto_ossl" == ssl2 ]] || ( [[ "$proto_ossl" != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
outln " (server order)"
|
||||||
( [[ "$proto_ossl" == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
||||||
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "$WIDE"
|
|
||||||
else
|
|
||||||
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets"
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
done <<< "$(tm_out " ssl2 22 SSLv2\n ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
|
done <<< "$(tm_out " ssl2 22 SSLv2\n ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
|
||||||
outln
|
outln
|
||||||
outln
|
|
||||||
|
|
||||||
return $ret
|
return $ret
|
||||||
# end of run_server_preference()
|
# end of run_server_preference()
|
||||||
|
@ -6658,6 +6646,7 @@ check_tls12_pref() {
|
||||||
cipher_pref_check() {
|
cipher_pref_check() {
|
||||||
local p="$1" proto_hex="$2" proto="$3"
|
local p="$1" proto_hex="$2" proto="$3"
|
||||||
local using_sockets="$4"
|
local using_sockets="$4"
|
||||||
|
local wide="$5" # at the moment this is called ALWAYS via run_server_preference and ALWAYS w true
|
||||||
local tested_cipher cipher order rfc_cipher rfc_order
|
local tested_cipher cipher order rfc_cipher rfc_order
|
||||||
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
|
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
|
||||||
local -i i nr_ciphers nr_nonossl_ciphers num_bundles bundle_size bundle end_of_bundle success
|
local -i i nr_ciphers nr_nonossl_ciphers num_bundles bundle_size bundle end_of_bundle success
|
||||||
|
@ -6680,11 +6669,11 @@ cipher_pref_check() {
|
||||||
|
|
||||||
if ( [[ $p != tls1_3 ]] || "$HAS_TLS13" ) && ( [[ $p != ssl3 ]] || "$HAS_SSL3" ); then
|
if ( [[ $p != tls1_3 ]] || "$HAS_TLS13" ) && ( [[ $p != ssl3 ]] || "$HAS_SSL3" ); then
|
||||||
if [[ $p == tls1_2 ]] && "$SERVER_SIZE_LIMIT_BUG"; then
|
if [[ $p == tls1_2 ]] && "$SERVER_SIZE_LIMIT_BUG"; then
|
||||||
order="$(check_tls12_pref "$WIDE")"
|
order="$(check_tls12_pref "$wide")"
|
||||||
[[ "${order:0:1}" == \ ]] && order="${order:1}"
|
[[ "${order:0:1}" == \ ]] && order="${order:1}"
|
||||||
ciphers_found="$order"
|
ciphers_found="$order"
|
||||||
fi
|
fi
|
||||||
if "$WIDE" || [[ -z "$order" ]]; then
|
if "$wide" || [[ -z "$order" ]]; then
|
||||||
tested_cipher=""; order=""; nr_ciphers_found=0
|
tested_cipher=""; order=""; nr_ciphers_found=0
|
||||||
while true; do
|
while true; do
|
||||||
if [[ $p != tls1_3 ]]; then
|
if [[ $p != tls1_3 ]]; then
|
||||||
|
@ -6713,7 +6702,7 @@ cipher_pref_check() {
|
||||||
order+="$cipher "
|
order+="$cipher "
|
||||||
tested_cipher+=":-"$cipher
|
tested_cipher+=":-"$cipher
|
||||||
"$FAST" && break
|
"$FAST" && break
|
||||||
if "$WIDE"; then
|
if "$wide"; then
|
||||||
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
||||||
[[ "$cipher" == ${TLS_CIPHER_OSSL_NAME[i]} ]] && break
|
[[ "$cipher" == ${TLS_CIPHER_OSSL_NAME[i]} ]] && break
|
||||||
done
|
done
|
||||||
|
@ -6843,7 +6832,7 @@ cipher_pref_check() {
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
[[ "$cipher" == ${rfc_ciph[i]} ]] && ciphers_found2[i]=true && break
|
[[ "$cipher" == ${rfc_ciph[i]} ]] && ciphers_found2[i]=true && break
|
||||||
done
|
done
|
||||||
if "$WIDE"; then
|
if "$wide"; then
|
||||||
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
||||||
[[ "$cipher" == ${TLS_CIPHER_RFC_NAME[i]} ]] && break
|
[[ "$cipher" == ${TLS_CIPHER_RFC_NAME[i]} ]] && break
|
||||||
done
|
done
|
||||||
|
@ -6884,7 +6873,7 @@ cipher_pref_check() {
|
||||||
|
|
||||||
if [[ -n "$order" ]]; then
|
if [[ -n "$order" ]]; then
|
||||||
add_tls_offered "$p" yes
|
add_tls_offered "$p" yes
|
||||||
if "$WIDE"; then
|
if "$wide"; then
|
||||||
for (( i=0 ; i<nr_ciphers_found; i++ )); do
|
for (( i=0 ; i<nr_ciphers_found; i++ )); do
|
||||||
neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${export2[i]}" "true"
|
neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${export2[i]}" "true"
|
||||||
outln "${sigalg[i]}"
|
outln "${sigalg[i]}"
|
||||||
|
@ -20348,7 +20337,7 @@ initialize_globals() {
|
||||||
|
|
||||||
# Set default scanning options for the boolean global do_* variables.
|
# Set default scanning options for the boolean global do_* variables.
|
||||||
set_scanning_defaults() {
|
set_scanning_defaults() {
|
||||||
do_allciphers=true
|
do_allciphers=false
|
||||||
do_vulnerabilities=true
|
do_vulnerabilities=true
|
||||||
do_beast=true
|
do_beast=true
|
||||||
do_lucky13=true
|
do_lucky13=true
|
||||||
|
@ -21098,11 +21087,11 @@ lets_roll() {
|
||||||
fileout_section_header $section_number true && ((section_number++))
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
"$do_cipherlists" && { run_cipherlists; ret=$(($? + ret)); stopwatch run_cipherlists; }
|
"$do_cipherlists" && { run_cipherlists; ret=$(($? + ret)); stopwatch run_cipherlists; }
|
||||||
|
|
||||||
fileout_section_header $section_number true && ((section_number++))
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
"$do_fs" && { run_fs; ret=$(($? + ret)); stopwatch run_fs; }
|
"$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; }
|
||||||
|
|
||||||
fileout_section_header $section_number true && ((section_number++))
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
"$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; }
|
"$do_fs" && { run_fs; ret=$(($? + ret)); stopwatch run_fs; }
|
||||||
|
|
||||||
fileout_section_header $section_number true && ((section_number++))
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
"$do_server_defaults" && { run_server_defaults; ret=$(($? + ret)); stopwatch run_server_defaults; }
|
"$do_server_defaults" && { run_server_defaults; ret=$(($? + ret)); stopwatch run_server_defaults; }
|
||||||
|
|
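Review bot: In the run_server_preference() hunk, the two parenthesised tests in the protocol loop still end in a stray `]]` (`! "$has_cipher_order" ]] )` and `! "$has_tls13_cipher_order" ]] )`), so the brackets are passed as an argument to the `true`/`false` command held in the variable instead of closing a test. It evaluates as intended only because those commands ignore their arguments, and this condition decides whether the high-severity "no server order" line is printed, so it should read `( [[ "$proto_ossl" != tls1_3 ]] && ! "$has_cipher_order" ) || \` and `( [[ "$proto_ossl" == tls1_3 ]] && ! "$has_tls13_cipher_order" ); then`. Separately, in cipher_pref_check() the new `local wide="$5"` has no fallback, so a caller passing only four arguments would make `if "$wide"` try to run an empty command; `local wide="${5:-$WIDE}"` would keep the previous behaviour for such callers. Both function bodies continue outside the visible hunks.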