Try more ciphers

determine_optimal_sockets_params() makes two attempts to send a TLS 1.2 ClientHello, with each attempt trying 127 ciphers. However, this leaves 97 ciphers from etc/cipher-mapping.txt that are not tried, most of which use ARIA or CAMELLIA. This commit adds a third attempt a send a ClientHello that offers these 97 remaining ciphers. This helps to ensure that support for TLS 1.2 is detected and that later calls to tls_sockets() work, even if the server only supports the ARIA/CAMELLIA ciphers that are not included in TLS12_CIPHER or TLS12_CIPHER_2ND_TRY.
This commit is contained in:
David Cooper 2022-04-18 11:42:47 -04:00
parent 54e5469411
commit 50b09267d0
2 changed files with 43 additions and 4 deletions

View File

@ -45,6 +45,22 @@ c0,1c, c0,1b, c0,1a, c0,17, 00,1b, 00,93, 00,8b, 00,1f,
c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e,
00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,ff"
# 97 less common ciphers for TLS 1.2 and SPDY/NPN HTTP2/ALPN
readonly TLS12_CIPHER_3RD_TRY="
c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,47, c0,49, c0,4b,
c0,4d, c0,4f, c0,51, c0,53, c0,55, c0,57, c0,59, c0,5b,
c0,5d, c0,5f, c0,61, c0,63, c0,65, c0,67, c0,69, c0,6b,
c0,6d, c0,6f, c0,71, c0,7b, c0,7d, c0,7f, c0,81, c0,83,
c0,85, c0,87, c0,89, c0,8b, c0,8d, c0,8f, c0,91, c0,93,
16,b7, 16,b8, 16,b9, 16,ba, c0,3c, c0,3e, c0,40, c0,42,
c0,44, c0,46, c0,48, c0,4a, c0,4c, c0,4e, c0,50, c0,52,
c0,54, c0,56, c0,58, c0,5a, c0,5c, c0,5e, c0,60, c0,62,
c0,64, c0,66, c0,68, c0,6a, c0,6c, c0,6e, c0,70, c0,7a,
c0,7c, c0,7e, c0,80, c0,82, c0,84, c0,86, c0,88, c0,8a,
c0,8c, c0,8e, c0,90, c0,92, fe,ff, ff,e0, 00,1e, 00,22,
fe,fe, ff,e1, 00,27, 00,26, 00,2a, 00,29, 00,28, 00,2b,
ff,87, 00,ff"
# 76 standard cipher + 4x GOST for SSLv3, TLS 1, TLS 1.1
readonly TLS_CIPHER="
c0,14, c0,0a, c0,22, c0,21, c0,20, 00,39, 00,38, 00,37,

View File

@ -21090,7 +21090,7 @@ sclient_auth() {
# This information can be used by determine_optimal_proto() to help distinguish between a server
# that is not TLS/SSL enabled and one that is not compatible with the version of OpenSSL being used.
determine_optimal_sockets_params() {
local -i ret1=1 ret2=1
local -i ret1=1 ret2=1 ret3=1
local i proto cipher_offered
local all_failed=true
@ -21159,8 +21159,6 @@ determine_optimal_sockets_params() {
add_proto_offered tls1_2 yes
TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY"
all_failed=false
else
add_proto_offered tls1_2 no
fi
if [[ $ret2 -eq 2 ]]; then
case $DETECTED_TLS_VERSION in
@ -21172,7 +21170,32 @@ determine_optimal_sockets_params() {
all_failed=false
fi
fi
if [[ $ret1 -eq 0 ]] || [[ $ret2 -eq 0 ]]; then
# Try a third time with cipher suites not in $TLS12_CIPHER or
# $TLS12_CIPHER_2ND_TRY. If using these cipher suites results in a
# successful connection, then change $TLS12_CIPHER to these
# cipher suites so that later tests will use this list of cipher
# suites.
if [[ $ret1 -ne 0 ]] && [[ $ret2 -ne 0 ]]; then
tls_sockets "03" "$TLS12_CIPHER_3RD_TRY"
ret3=$?
if [[ $ret3 -eq 0 ]]; then
add_proto_offered tls1_2 yes
TLS12_CIPHER="$TLS12_CIPHER_3RD_TRY"
all_failed=false
else
add_proto_offered tls1_2 no
fi
if [[ $ret3 -eq 2 ]]; then
case $DETECTED_TLS_VERSION in
0302) add_proto_offered tls1_1 yes ;;
0301) add_proto_offered tls1 yes ;;
0300) add_proto_offered ssl3 yes ;;
esac
[[ $ret1 -ne 2 ]] && [[ $ret2 -ne 2 ]] && TLS12_CIPHER="$TLS12_CIPHER_3RD_TRY"
all_failed=false
fi
fi
if [[ $ret1 -eq 0 ]] || [[ $ret2 -eq 0 ]] || [[ $ret3 -eq 0 ]]; then
cipher_offered="$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")"
if [[ "$cipher_offered" == TLS_* ]] || [[ "$cipher_offered" == SSL_* ]]; then
cipher_offered="$(rfc2hexcode "$cipher_offered")"