Merge pull request #1216 from dcooper16/add_determine_optimal_sockets_params
Add determine_optimal_sockets_params()
This commit is contained in:
commit
613e1d0133
|
@ -8,7 +8,7 @@ readonly TLS13_CIPHER="
|
||||||
13,01, 13,02, 13,03, 13,04, 13,05"
|
13,01, 13,02, 13,03, 13,04, 13,05"
|
||||||
|
|
||||||
# 123 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN HTTP2/ALPN
|
# 123 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN HTTP2/ALPN
|
||||||
readonly TLS12_CIPHER="
|
declare TLS12_CIPHER="
|
||||||
c0,30, c0,2c, c0,28, c0,24, c0,14, c0,0a, 00,9f, 00,6b,
|
c0,30, c0,2c, c0,28, c0,24, c0,14, c0,0a, 00,9f, 00,6b,
|
||||||
00,39, 00,9d, 00,3d, 00,35, c0,2f, c0,2b, c0,27, c0,23,
|
00,39, 00,9d, 00,3d, 00,35, c0,2f, c0,2b, c0,27, c0,23,
|
||||||
c0,13, c0,09, 00,9e, 00,67, 00,33, 00,9c, 00,3c, 00,2f,
|
c0,13, c0,09, 00,9e, 00,67, 00,33, 00,9c, 00,3c, 00,2f,
|
||||||
|
|
144
testssl.sh
144
testssl.sh
|
@ -378,6 +378,7 @@ STARTTLS_PROTOCOL=""
|
||||||
OPTIMAL_PROTO="" # Need this for IIS6 (sigh) + OpenSSL 1.0.2, otherwise some handshakes will fail see
|
OPTIMAL_PROTO="" # Need this for IIS6 (sigh) + OpenSSL 1.0.2, otherwise some handshakes will fail see
|
||||||
# https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
# https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
||||||
STARTTLS_OPTIMAL_PROTO="" # Same for STARTTLS, see https://github.com/drwetter/testssl.sh/issues/188
|
STARTTLS_OPTIMAL_PROTO="" # Same for STARTTLS, see https://github.com/drwetter/testssl.sh/issues/188
|
||||||
|
OPTIMAL_SOCKETS_PROTO="" # Same for tls_sockets(). -- not yet used
|
||||||
TLS_TIME="" # To keep the value of TLS server timestamp
|
TLS_TIME="" # To keep the value of TLS server timestamp
|
||||||
TLS_NOW="" # Similar
|
TLS_NOW="" # Similar
|
||||||
TLS_DIFFTIME_SET=false # Tells TLS functions to measure the TLS difftime or not
|
TLS_DIFFTIME_SET=false # Tells TLS functions to measure the TLS difftime or not
|
||||||
|
@ -5178,11 +5179,6 @@ run_protocols() {
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
tls_sockets "03" "$TLS12_CIPHER"
|
tls_sockets "03" "$TLS12_CIPHER"
|
||||||
ret_val_tls12=$?
|
ret_val_tls12=$?
|
||||||
if [[ $ret_val_tls12 -ne 0 ]]; then
|
|
||||||
tls_sockets "03" "$TLS12_CIPHER_2ND_TRY"
|
|
||||||
[[ $? -eq 0 ]] && ret_val_tls12=0
|
|
||||||
# see #807 and #806
|
|
||||||
fi
|
|
||||||
tls12_detected_version="$DETECTED_TLS_VERSION"
|
tls12_detected_version="$DETECTED_TLS_VERSION"
|
||||||
# Need to ensure that at most 128 ciphers are included in ClientHello.
|
# Need to ensure that at most 128 ciphers are included in ClientHello.
|
||||||
# If the TLSv1.2 test was successful, then use the 5 TLSv1.3 ciphers
|
# If the TLSv1.2 test was successful, then use the 5 TLSv1.3 ciphers
|
||||||
|
@ -15841,7 +15837,6 @@ run_grease() {
|
||||||
for (( i=0; i < 5; i++ )); do
|
for (( i=0; i < 5; i++ )); do
|
||||||
case $i in
|
case $i in
|
||||||
0) proto="03" ; cipher_list="$TLS12_CIPHER" ;;
|
0) proto="03" ; cipher_list="$TLS12_CIPHER" ;;
|
||||||
1) proto="03" ; cipher_list="$TLS12_CIPHER_2ND_TRY" ;;
|
|
||||||
2) proto="02" ; cipher_list="$TLS_CIPHER" ;;
|
2) proto="02" ; cipher_list="$TLS_CIPHER" ;;
|
||||||
3) proto="01" ; cipher_list="$TLS_CIPHER" ;;
|
3) proto="01" ; cipher_list="$TLS_CIPHER" ;;
|
||||||
4) proto="00" ; cipher_list="$TLS_CIPHER" ;;
|
4) proto="00" ; cipher_list="$TLS_CIPHER" ;;
|
||||||
|
@ -17740,6 +17735,121 @@ sclient_auth() {
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Determine the best parameters to use with tls_sockets():
|
||||||
|
# For TLSv1.3, determine what extension number to use for the key_share extension.
|
||||||
|
# For TLSv1.2, determine what cipher list to send, since there are more than 128
|
||||||
|
# TLSv1.2 ciphers and some servers fail if the ClientHello contains too many ciphers.
|
||||||
|
# If both TLSv1.3 and TLSv1.2 ClientHello messages result in failed connection attempts,
|
||||||
|
# then try to determine whether:
|
||||||
|
# (1) This is an SSLv2-only server
|
||||||
|
# (2) This server supports some protocol in SSLv3 - TLSv1.1, but cannot handle version negotiation.
|
||||||
|
# (3) This is not a TLS/SSL enabled server.
|
||||||
|
# This information can be used by determine_optimal_proto() to help distinguish between a server
|
||||||
|
# that is not TLS/SSL enabled and one that is not compatible with the version of OpenSSL being used.
|
||||||
|
determine_optimal_sockets_params() {
|
||||||
|
local -i ret1 ret2
|
||||||
|
local proto
|
||||||
|
local all_failed=true
|
||||||
|
|
||||||
|
# If a STARTTLS protocol is specified and $SSL_NATIVE is true, then skip this test, since
|
||||||
|
# $SSL_NATIVE may have been set to true as a result of tls_sockets() not supporting the STARTTLS
|
||||||
|
# protocol.
|
||||||
|
[[ -n "$STARTTLS_PROTOCOL" ]] && "$SSL_NATIVE" && return 0
|
||||||
|
|
||||||
|
# NOTE: The following code is only needed as long as draft versions of TLSv1.3 prior to draft 23
|
||||||
|
# are supported. It is used to determine whether a draft 23 or pre-draft 23 ClientHello should be
|
||||||
|
# sent.
|
||||||
|
KEY_SHARE_EXTN_NR="33"
|
||||||
|
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0f, 0e, 03,04, 7f,1c, 7f,1b, 7f,1a, 7f,19, 7f,18, 7f,17"
|
||||||
|
if [[ $? -eq 0 ]]; then
|
||||||
|
add_tls_offered tls1_3 yes
|
||||||
|
all_failed=false
|
||||||
|
else
|
||||||
|
KEY_SHARE_EXTN_NR="28"
|
||||||
|
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0b, 0a, 7f,16, 7f,15, 7f,14, 7f,13, 7f,12"
|
||||||
|
if [[ $? -eq 0 ]]; then
|
||||||
|
add_tls_offered tls1_3 yes
|
||||||
|
all_failed=false
|
||||||
|
else
|
||||||
|
add_tls_offered tls1_3 no
|
||||||
|
KEY_SHARE_EXTN_NR="33"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Need to determine which set of ciphers is best to use with
|
||||||
|
# a TLSv1.2 ClientHello since there are far more than 128 ciphers
|
||||||
|
# that can be used.
|
||||||
|
tls_sockets "03" "$TLS12_CIPHER"
|
||||||
|
ret1=$?
|
||||||
|
if [[ $ret1 -eq 0 ]] || [[ $ret1 -eq 2 ]]; then
|
||||||
|
case $DETECTED_TLS_VERSION in
|
||||||
|
0303) add_tls_offered tls1_2 yes ;;
|
||||||
|
0302) add_tls_offered tls1_1 yes ;;
|
||||||
|
0301) add_tls_offered tls1 yes ;;
|
||||||
|
0300) add_tls_offered ssl3 yes ;;
|
||||||
|
esac
|
||||||
|
all_failed=false
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Try again with a different, less common, set of cipher suites
|
||||||
|
# see #807 and #806. If using these cipher suites results in a
|
||||||
|
# successful connection, then change $TLS12_CIPHER to these
|
||||||
|
# cipher suites so that later tests will use this list of cipher
|
||||||
|
# suites.
|
||||||
|
if [[ $ret1 -ne 0 ]]; then
|
||||||
|
tls_sockets "03" "$TLS12_CIPHER_2ND_TRY"
|
||||||
|
ret2=$?
|
||||||
|
if [[ $ret2 -eq 0 ]]; then
|
||||||
|
add_tls_offered tls1_2 yes
|
||||||
|
TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY"
|
||||||
|
all_failed=false
|
||||||
|
else
|
||||||
|
add_tls_offered tls1_2 no
|
||||||
|
fi
|
||||||
|
if [[ $ret2 -eq 2 ]]; then
|
||||||
|
case $DETECTED_TLS_VERSION in
|
||||||
|
0302) add_tls_offered tls1_1 yes ;;
|
||||||
|
0301) add_tls_offered tls1 yes ;;
|
||||||
|
0300) add_tls_offered ssl3 yes ;;
|
||||||
|
esac
|
||||||
|
[[ $ret1 -ne 2 ]] && TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY"
|
||||||
|
all_failed=false
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if "$all_failed"; then
|
||||||
|
# One of the following must be true:
|
||||||
|
# * This is not a TLS/SSL enabled server.
|
||||||
|
# * The server only supports SSLv2
|
||||||
|
# * The server does not handle version negotiation correctly.
|
||||||
|
for proto in 01 00 02; do
|
||||||
|
tls_sockets "$proto" "$TLS_CIPHER" "" "" "true"
|
||||||
|
ret1=$?
|
||||||
|
if [[ $ret1 -ne 0 ]]; then
|
||||||
|
case $proto in
|
||||||
|
02) add_tls_offered tls1_1 no ;;
|
||||||
|
01) add_tls_offered tls1 no ;;
|
||||||
|
00) add_tls_offered ssl3 no ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
if [[ $ret1 -eq 0 ]] || [[ $ret1 -eq 2 ]]; then
|
||||||
|
case $DETECTED_TLS_VERSION in
|
||||||
|
0302) add_tls_offered tls1_1 yes ;;
|
||||||
|
0301) add_tls_offered tls1 yes ;;
|
||||||
|
0300) add_tls_offered ssl3 yes ;;
|
||||||
|
esac
|
||||||
|
OPTIMAL_SOCKETS_PROTO="$proto"
|
||||||
|
all_failed=false
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
if "$all_failed"; then
|
||||||
|
sslv2_sockets
|
||||||
|
[[ $? -eq 3 ]] && all_failed=false && add_tls_offered ssl2 yes
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
# This is a helper function for determine_optimal_proto() below. It sets the
|
# This is a helper function for determine_optimal_proto() below. It sets the
|
||||||
# the global STARTTLS_OPTIMAL_PROTO / OPTIMAL_PROTO accordingly and returns 1
|
# the global STARTTLS_OPTIMAL_PROTO / OPTIMAL_PROTO accordingly and returns 1
|
||||||
|
@ -17912,26 +18022,6 @@ determine_optimal_proto() {
|
||||||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# NOTE: The following code is only needed as long as draft versions of TLSv1.3 prior to draft 23
|
|
||||||
# are supported. It is used to determine whether a draft 23 or pre-draft 23 ClientHello should be
|
|
||||||
# sent.
|
|
||||||
if [[ -z "$1" ]]; then
|
|
||||||
KEY_SHARE_EXTN_NR="33"
|
|
||||||
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0f, 0e, 03,04, 7f,1c, 7f,1b, 7f,1a, 7f,19, 7f,18, 7f,17"
|
|
||||||
if [[ $? -eq 0 ]]; then
|
|
||||||
add_tls_offered tls1_3 yes
|
|
||||||
else
|
|
||||||
KEY_SHARE_EXTN_NR="28"
|
|
||||||
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0b, 0a, 7f,16, 7f,15, 7f,14, 7f,13, 7f,12"
|
|
||||||
if [[ $? -eq 0 ]]; then
|
|
||||||
add_tls_offered tls1_3 yes
|
|
||||||
else
|
|
||||||
add_tls_offered tls1_3 no
|
|
||||||
KEY_SHARE_EXTN_NR="33"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
@ -17961,6 +18051,7 @@ determine_service() {
|
||||||
outln
|
outln
|
||||||
if [[ -z "$1" ]]; then
|
if [[ -z "$1" ]]; then
|
||||||
# no STARTTLS.
|
# no STARTTLS.
|
||||||
|
determine_optimal_sockets_params
|
||||||
determine_optimal_proto
|
determine_optimal_proto
|
||||||
$SNEAKY && \
|
$SNEAKY && \
|
||||||
ua="$UA_SNEAKY" || \
|
ua="$UA_SNEAKY" || \
|
||||||
|
@ -18021,6 +18112,7 @@ determine_service() {
|
||||||
fatal "Your $OPENSSL does not support the \"-starttls nntp\" option" $ERR_OSSLBIN
|
fatal "Your $OPENSSL does not support the \"-starttls nntp\" option" $ERR_OSSLBIN
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
determine_optimal_sockets_params
|
||||||
determine_optimal_proto "$1"
|
determine_optimal_proto "$1"
|
||||||
|
|
||||||
out " Service set:$CORRECT_SPACES STARTTLS via "
|
out " Service set:$CORRECT_SPACES STARTTLS via "
|
||||||
|
|
Loading…
Reference in New Issue