mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-01 06:19:44 +01:00
Reorganize ciphers_by_strength()
This commit modifies ciphers_by_strength() and run_server_preference() so that the message indicating that ciphers are listed by strength is not printed until the list of supported ciphers has been determined. This is in support of #1311, as it will allow the message to be modified based on the set of supported ciphers. This commit also modifies both ciphers_by_strength() and cipher_pref_check() so that the order in which ciphers are listed (by strength or server preference) is not printed if the server does not support the protocol.
This commit is contained in:
parent
13298ffd19
commit
564dd63efc
58
testssl.sh
58
testssl.sh
@ -4220,7 +4220,7 @@ run_allciphers() {
|
|||||||
# are good or bad) and list them in order to encryption strength.
|
# are good or bad) and list them in order to encryption strength.
|
||||||
ciphers_by_strength() {
|
ciphers_by_strength() {
|
||||||
local proto="$1" proto_hex="$2" proto_text="$3"
|
local proto="$1" proto_hex="$2" proto_text="$3"
|
||||||
local using_sockets="$4" wide="$5"
|
local using_sockets="$4" wide="$5" serverpref_known="$6"
|
||||||
local ossl_ciphers_proto
|
local ossl_ciphers_proto
|
||||||
local -i nr_ciphers nr_ossl_ciphers nr_nonossl_ciphers success
|
local -i nr_ciphers nr_ossl_ciphers nr_nonossl_ciphers success
|
||||||
local n sslvers auth mac hexc sslv2_ciphers="" cipher
|
local n sslvers auth mac hexc sslv2_ciphers="" cipher
|
||||||
@ -4229,20 +4229,21 @@ ciphers_by_strength() {
|
|||||||
local -i i bundle end_of_bundle bundle_size num_bundles
|
local -i i bundle end_of_bundle bundle_size num_bundles
|
||||||
local -a ciphers_found ciphers_found2 sigalg ossl_supported index
|
local -a ciphers_found ciphers_found2 sigalg ossl_supported index
|
||||||
local dhlen supported_sslv2_ciphers ciphers_to_test tls13_ciphers_to_test addcmd temp
|
local dhlen supported_sslv2_ciphers ciphers_to_test tls13_ciphers_to_test addcmd temp
|
||||||
local available
|
local available proto_supported=false
|
||||||
local id
|
local id
|
||||||
local has_dh_bits="$HAS_DH_BITS"
|
local has_dh_bits="$HAS_DH_BITS"
|
||||||
|
|
||||||
# for local problem if it happens
|
# for local problem if it happens
|
||||||
"$wide" || out " "
|
"$wide" || out " "
|
||||||
if ! "$using_sockets" && ! locally_supported "$proto"; then
|
if ! "$using_sockets" && ! sclient_supported "$proto"; then
|
||||||
pr_local_problem "Your $OPENSSL does not support $proto"
|
"$wide" && outln
|
||||||
|
pr_local_problem "$OPENSSL does not support $proto"
|
||||||
"$wide" && outln
|
"$wide" && outln
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $(has_server_protocol "${proto:1}") -eq 1 ]]; then
|
if [[ $(has_server_protocol "${proto:1}") -eq 1 ]]; then
|
||||||
"$wide" && outln " - "
|
"$wide" && outln "\n - "
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -4333,15 +4334,17 @@ ciphers_by_strength() {
|
|||||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
if [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
|
if [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
|
||||||
ciphers_found[i]=true
|
ciphers_found[i]=true
|
||||||
|
proto_supported=true
|
||||||
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
|
"$wide" && outln
|
||||||
outln " protocol supported with no cipher "
|
outln " protocol supported with no cipher "
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
add_proto_offered ssl2 no
|
add_proto_offered ssl2 no
|
||||||
"$wide" && outln " - "
|
"$wide" && outln "\n - "
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
@ -4353,12 +4356,13 @@ ciphers_by_strength() {
|
|||||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
if [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
|
if [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
|
||||||
ciphers_found[i]=true
|
ciphers_found[i]=true
|
||||||
|
proto_supported=true
|
||||||
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
add_proto_offered ssl2 no
|
add_proto_offered ssl2 no
|
||||||
"$wide" && outln " - "
|
"$wide" && outln "\n - "
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else # no SSLv2
|
else # no SSLv2
|
||||||
@ -4413,6 +4417,7 @@ ciphers_by_strength() {
|
|||||||
done
|
done
|
||||||
i=${index[i]}
|
i=${index[i]}
|
||||||
ciphers_found[i]=true
|
ciphers_found[i]=true
|
||||||
|
proto_supported=true
|
||||||
"$wide" && [[ "$proto" == -tls1_3 ]] && kx[i]="$(read_dhtype_from_file $TMPFILE)"
|
"$wide" && [[ "$proto" == -tls1_3 ]] && kx[i]="$(read_dhtype_from_file $TMPFILE)"
|
||||||
if "$wide" && ( [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]] ); then
|
if "$wide" && ( [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]] ); then
|
||||||
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
|
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
|
||||||
@ -4474,6 +4479,7 @@ ciphers_by_strength() {
|
|||||||
done
|
done
|
||||||
i=${index[i]}
|
i=${index[i]}
|
||||||
ciphers_found[i]=true
|
ciphers_found[i]=true
|
||||||
|
proto_supported=true
|
||||||
"$wide" && [[ "$proto" == -tls1_3 ]] && kx[i]="$(read_dhtype_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")"
|
"$wide" && [[ "$proto" == -tls1_3 ]] && kx[i]="$(read_dhtype_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")"
|
||||||
if "$wide" && ( [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]] ); then
|
if "$wide" && ( [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]] ); then
|
||||||
dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet)
|
dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet)
|
||||||
@ -4487,6 +4493,18 @@ ciphers_by_strength() {
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if "$wide" && [[ "${FUNCNAME[1]}" == run_server_preference ]] && "$proto_supported"; then
|
||||||
|
if [[ $proto_ossl == tls1_3 ]]; then
|
||||||
|
outln " (no server order, thus listed by strength)"
|
||||||
|
elif ! "$serverpref_known"; then
|
||||||
|
outln " (listed by strength)"
|
||||||
|
else
|
||||||
|
prln_svrty_high " (no server order, thus listed by strength)"
|
||||||
|
fi
|
||||||
|
elif "$wide" && "$proto_supported" || [[ $proto != -ssl2 ]]; then
|
||||||
|
outln
|
||||||
|
fi
|
||||||
|
|
||||||
cipher=""
|
cipher=""
|
||||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
if "${ciphers_found[i]}"; then
|
if "${ciphers_found[i]}"; then
|
||||||
@ -4567,8 +4585,8 @@ run_cipher_per_proto() {
|
|||||||
outln
|
outln
|
||||||
neat_header
|
neat_header
|
||||||
while read proto proto_hex proto_text; do
|
while read proto proto_hex proto_text; do
|
||||||
prln_underline "$(printf -- "%b" "$proto_text")"
|
pr_underline "$(printf -- "%b" "$proto_text")"
|
||||||
ciphers_by_strength "$proto" "$proto_hex" "$proto_text" "$using_sockets" "true"
|
ciphers_by_strength "$proto" "$proto_hex" "$proto_text" "$using_sockets" "true" "false"
|
||||||
done <<< "$(tm_out " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n -tls1_3 04 TLS 1.3")"
|
done <<< "$(tm_out " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n -tls1_3 04 TLS 1.3")"
|
||||||
return 0
|
return 0
|
||||||
#FIXME: no error condition
|
#FIXME: no error condition
|
||||||
@ -6773,8 +6791,6 @@ run_server_preference() {
|
|||||||
neat_header
|
neat_header
|
||||||
while read proto_ossl proto_hex proto_txt; do
|
while read proto_ossl proto_hex proto_txt; do
|
||||||
pr_underline "$(printf -- "%b" "$proto_txt")"
|
pr_underline "$(printf -- "%b" "$proto_txt")"
|
||||||
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
|
|
||||||
# the following takes care of that but only if we know the protocol is not supported
|
|
||||||
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
|
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
|
||||||
outln "\n - "
|
outln "\n - "
|
||||||
continue
|
continue
|
||||||
@ -6784,16 +6800,12 @@ run_server_preference() {
|
|||||||
if [[ $proto_ossl == ssl2 ]] || \
|
if [[ $proto_ossl == ssl2 ]] || \
|
||||||
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ) || \
|
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ) || \
|
||||||
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ); then
|
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ); then
|
||||||
if [[ $proto_ossl == ssl2 ]]; then
|
if [[ -n "$cipher2" ]] && [[ $proto_ossl != ssl2 ]]; then
|
||||||
outln " (listed by strength)"
|
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true" "true"
|
||||||
elif [[ $proto_ossl == tls1_3 ]]; then
|
|
||||||
outln " (no server order, thus listed by strength)"
|
|
||||||
elif [[ -z "$cipher2" ]]; then
|
|
||||||
outln " (listed by strength)"
|
|
||||||
else
|
else
|
||||||
prln_svrty_high " (no server order, thus listed by strength)"
|
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true" "false"
|
||||||
fi
|
fi
|
||||||
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
|
||||||
else
|
else
|
||||||
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
||||||
fi
|
fi
|
||||||
@ -7033,12 +7045,12 @@ cipher_pref_check() {
|
|||||||
local ciphers_found_with_sockets=false prioritize_chacha=false
|
local ciphers_found_with_sockets=false prioritize_chacha=false
|
||||||
|
|
||||||
if [[ $proto == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
|
if [[ $proto == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
|
||||||
outln " (server order)"
|
outln
|
||||||
prln_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
prln_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
if [[ $proto == tls1_3 ]] && ! "$HAS_TLS13" && ! "$using_sockets"; then
|
if [[ $proto == tls1_3 ]] && ! "$HAS_TLS13" && ! "$using_sockets"; then
|
||||||
outln " (server order)"
|
outln
|
||||||
prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_3\"";
|
prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_3\"";
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
@ -7339,8 +7351,10 @@ cipher_pref_check() {
|
|||||||
fi
|
fi
|
||||||
if "$prioritize_chacha"; then
|
if "$prioritize_chacha"; then
|
||||||
outln " (server order -- server prioritizes ChaCha ciphers when preferred by clients)"
|
outln " (server order -- server prioritizes ChaCha ciphers when preferred by clients)"
|
||||||
else
|
elif [[ -n "$order" ]]; then
|
||||||
outln " (server order)"
|
outln " (server order)"
|
||||||
|
else
|
||||||
|
outln
|
||||||
fi
|
fi
|
||||||
if [[ -n "$order" ]]; then
|
if [[ -n "$order" ]]; then
|
||||||
add_proto_offered "$proto" yes
|
add_proto_offered "$proto" yes
|
||||||
|
Loading…
Reference in New Issue
Block a user