Merge pull request #1216 from dcooper16/add_determine_optimal_sockets_params
Add determine_optimal_sockets_params()
This commit is contained in:
commit
613e1d0133
|
@ -8,7 +8,7 @@ readonly TLS13_CIPHER="
|
|||
13,01, 13,02, 13,03, 13,04, 13,05"
|
||||
|
||||
# 123 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN HTTP2/ALPN
|
||||
readonly TLS12_CIPHER="
|
||||
declare TLS12_CIPHER="
|
||||
c0,30, c0,2c, c0,28, c0,24, c0,14, c0,0a, 00,9f, 00,6b,
|
||||
00,39, 00,9d, 00,3d, 00,35, c0,2f, c0,2b, c0,27, c0,23,
|
||||
c0,13, c0,09, 00,9e, 00,67, 00,33, 00,9c, 00,3c, 00,2f,
|
||||
|
|
144
testssl.sh
144
testssl.sh
|
@ -378,6 +378,7 @@ STARTTLS_PROTOCOL=""
|
|||
OPTIMAL_PROTO="" # Need this for IIS6 (sigh) + OpenSSL 1.0.2, otherwise some handshakes will fail see
|
||||
# https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
||||
STARTTLS_OPTIMAL_PROTO="" # Same for STARTTLS, see https://github.com/drwetter/testssl.sh/issues/188
|
||||
OPTIMAL_SOCKETS_PROTO="" # Same for tls_sockets(). -- not yet used
|
||||
TLS_TIME="" # To keep the value of TLS server timestamp
|
||||
TLS_NOW="" # Similar
|
||||
TLS_DIFFTIME_SET=false # Tells TLS functions to measure the TLS difftime or not
|
||||
|
@ -5178,11 +5179,6 @@ run_protocols() {
|
|||
if "$using_sockets"; then
|
||||
tls_sockets "03" "$TLS12_CIPHER"
|
||||
ret_val_tls12=$?
|
||||
if [[ $ret_val_tls12 -ne 0 ]]; then
|
||||
tls_sockets "03" "$TLS12_CIPHER_2ND_TRY"
|
||||
[[ $? -eq 0 ]] && ret_val_tls12=0
|
||||
# see #807 and #806
|
||||
fi
|
||||
tls12_detected_version="$DETECTED_TLS_VERSION"
|
||||
# Need to ensure that at most 128 ciphers are included in ClientHello.
|
||||
# If the TLSv1.2 test was successful, then use the 5 TLSv1.3 ciphers
|
||||
|
@ -15841,7 +15837,6 @@ run_grease() {
|
|||
for (( i=0; i < 5; i++ )); do
|
||||
case $i in
|
||||
0) proto="03" ; cipher_list="$TLS12_CIPHER" ;;
|
||||
1) proto="03" ; cipher_list="$TLS12_CIPHER_2ND_TRY" ;;
|
||||
2) proto="02" ; cipher_list="$TLS_CIPHER" ;;
|
||||
3) proto="01" ; cipher_list="$TLS_CIPHER" ;;
|
||||
4) proto="00" ; cipher_list="$TLS_CIPHER" ;;
|
||||
|
@ -17740,6 +17735,121 @@ sclient_auth() {
|
|||
return 1
|
||||
}
|
||||
|
||||
# Determine the best parameters to use with tls_sockets():
|
||||
# For TLSv1.3, determine what extension number to use for the key_share extension.
|
||||
# For TLSv1.2, determine what cipher list to send, since there are more than 128
|
||||
# TLSv1.2 ciphers and some servers fail if the ClientHello contains too many ciphers.
|
||||
# If both TLSv1.3 and TLSv1.2 ClientHello messages result in failed connection attempts,
|
||||
# then try to determine whether:
|
||||
# (1) This is an SSLv2-only server
|
||||
# (2) This server supports some protocol in SSLv3 - TLSv1.1, but cannot handle version negotiation.
|
||||
# (3) This is not a TLS/SSL enabled server.
|
||||
# This information can be used by determine_optimal_proto() to help distinguish between a server
|
||||
# that is not TLS/SSL enabled and one that is not compatible with the version of OpenSSL being used.
|
||||
determine_optimal_sockets_params() {
|
||||
local -i ret1 ret2
|
||||
local proto
|
||||
local all_failed=true
|
||||
|
||||
# If a STARTTLS protocol is specified and $SSL_NATIVE is true, then skip this test, since
|
||||
# $SSL_NATIVE may have been set to true as a result of tls_sockets() not supporting the STARTTLS
|
||||
# protocol.
|
||||
[[ -n "$STARTTLS_PROTOCOL" ]] && "$SSL_NATIVE" && return 0
|
||||
|
||||
# NOTE: The following code is only needed as long as draft versions of TLSv1.3 prior to draft 23
|
||||
# are supported. It is used to determine whether a draft 23 or pre-draft 23 ClientHello should be
|
||||
# sent.
|
||||
KEY_SHARE_EXTN_NR="33"
|
||||
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0f, 0e, 03,04, 7f,1c, 7f,1b, 7f,1a, 7f,19, 7f,18, 7f,17"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
add_tls_offered tls1_3 yes
|
||||
all_failed=false
|
||||
else
|
||||
KEY_SHARE_EXTN_NR="28"
|
||||
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0b, 0a, 7f,16, 7f,15, 7f,14, 7f,13, 7f,12"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
add_tls_offered tls1_3 yes
|
||||
all_failed=false
|
||||
else
|
||||
add_tls_offered tls1_3 no
|
||||
KEY_SHARE_EXTN_NR="33"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Need to determine which set of ciphers is best to use with
|
||||
# a TLSv1.2 ClientHello since there are far more than 128 ciphers
|
||||
# that can be used.
|
||||
tls_sockets "03" "$TLS12_CIPHER"
|
||||
ret1=$?
|
||||
if [[ $ret1 -eq 0 ]] || [[ $ret1 -eq 2 ]]; then
|
||||
case $DETECTED_TLS_VERSION in
|
||||
0303) add_tls_offered tls1_2 yes ;;
|
||||
0302) add_tls_offered tls1_1 yes ;;
|
||||
0301) add_tls_offered tls1 yes ;;
|
||||
0300) add_tls_offered ssl3 yes ;;
|
||||
esac
|
||||
all_failed=false
|
||||
fi
|
||||
|
||||
# Try again with a different, less common, set of cipher suites
|
||||
# see #807 and #806. If using these cipher suites results in a
|
||||
# successful connection, then change $TLS12_CIPHER to these
|
||||
# cipher suites so that later tests will use this list of cipher
|
||||
# suites.
|
||||
if [[ $ret1 -ne 0 ]]; then
|
||||
tls_sockets "03" "$TLS12_CIPHER_2ND_TRY"
|
||||
ret2=$?
|
||||
if [[ $ret2 -eq 0 ]]; then
|
||||
add_tls_offered tls1_2 yes
|
||||
TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY"
|
||||
all_failed=false
|
||||
else
|
||||
add_tls_offered tls1_2 no
|
||||
fi
|
||||
if [[ $ret2 -eq 2 ]]; then
|
||||
case $DETECTED_TLS_VERSION in
|
||||
0302) add_tls_offered tls1_1 yes ;;
|
||||
0301) add_tls_offered tls1 yes ;;
|
||||
0300) add_tls_offered ssl3 yes ;;
|
||||
esac
|
||||
[[ $ret1 -ne 2 ]] && TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY"
|
||||
all_failed=false
|
||||
fi
|
||||
fi
|
||||
|
||||
if "$all_failed"; then
|
||||
# One of the following must be true:
|
||||
# * This is not a TLS/SSL enabled server.
|
||||
# * The server only supports SSLv2
|
||||
# * The server does not handle version negotiation correctly.
|
||||
for proto in 01 00 02; do
|
||||
tls_sockets "$proto" "$TLS_CIPHER" "" "" "true"
|
||||
ret1=$?
|
||||
if [[ $ret1 -ne 0 ]]; then
|
||||
case $proto in
|
||||
02) add_tls_offered tls1_1 no ;;
|
||||
01) add_tls_offered tls1 no ;;
|
||||
00) add_tls_offered ssl3 no ;;
|
||||
esac
|
||||
fi
|
||||
if [[ $ret1 -eq 0 ]] || [[ $ret1 -eq 2 ]]; then
|
||||
case $DETECTED_TLS_VERSION in
|
||||
0302) add_tls_offered tls1_1 yes ;;
|
||||
0301) add_tls_offered tls1 yes ;;
|
||||
0300) add_tls_offered ssl3 yes ;;
|
||||
esac
|
||||
OPTIMAL_SOCKETS_PROTO="$proto"
|
||||
all_failed=false
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
if "$all_failed"; then
|
||||
sslv2_sockets
|
||||
[[ $? -eq 3 ]] && all_failed=false && add_tls_offered ssl2 yes
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# This is a helper function for determine_optimal_proto() below. It sets the
|
||||
# the global STARTTLS_OPTIMAL_PROTO / OPTIMAL_PROTO accordingly and returns 1
|
||||
|
@ -17912,26 +18022,6 @@ determine_optimal_proto() {
|
|||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||
fi
|
||||
|
||||
# NOTE: The following code is only needed as long as draft versions of TLSv1.3 prior to draft 23
|
||||
# are supported. It is used to determine whether a draft 23 or pre-draft 23 ClientHello should be
|
||||
# sent.
|
||||
if [[ -z "$1" ]]; then
|
||||
KEY_SHARE_EXTN_NR="33"
|
||||
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0f, 0e, 03,04, 7f,1c, 7f,1b, 7f,1a, 7f,19, 7f,18, 7f,17"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
add_tls_offered tls1_3 yes
|
||||
else
|
||||
KEY_SHARE_EXTN_NR="28"
|
||||
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0b, 0a, 7f,16, 7f,15, 7f,14, 7f,13, 7f,12"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
add_tls_offered tls1_3 yes
|
||||
else
|
||||
add_tls_offered tls1_3 no
|
||||
KEY_SHARE_EXTN_NR="33"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||
return 0
|
||||
}
|
||||
|
@ -17961,6 +18051,7 @@ determine_service() {
|
|||
outln
|
||||
if [[ -z "$1" ]]; then
|
||||
# no STARTTLS.
|
||||
determine_optimal_sockets_params
|
||||
determine_optimal_proto
|
||||
$SNEAKY && \
|
||||
ua="$UA_SNEAKY" || \
|
||||
|
@ -18021,6 +18112,7 @@ determine_service() {
|
|||
fatal "Your $OPENSSL does not support the \"-starttls nntp\" option" $ERR_OSSLBIN
|
||||
fi
|
||||
fi
|
||||
determine_optimal_sockets_params
|
||||
determine_optimal_proto "$1"
|
||||
|
||||
out " Service set:$CORRECT_SPACES STARTTLS via "
|
||||
|
|
Loading…
Reference in New Issue