Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-07 17:20:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Improved debug code for cipher order

Browse Source
This commit is contained in:
Dirk 2018-11-28 10:39:14 +01:00
parent b425767427
commit 696c4d0b93
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
testssl.sh
View File

@ -5779,13 +5779,14 @@ run_server_preference() {
outln outln
pr_bold " Has server cipher order? " pr_bold " Has server cipher order? "
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then if [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
addcmd="$OPTIMAL_PROTO" addcmd="$OPTIMAL_PROTO"
else else
# the supplied openssl will send an SSLv2 ClientHello if $SNI is empty # the supplied openssl will send an SSLv2 ClientHello if $SNI is empty
# and the -no_ssl2 isn't provided. # and the -no_ssl2 isn't provided.
addcmd="-no_ssl2 $SNI" addcmd="-no_ssl2 $SNI"
fi fi
[[ $DEBUG -ge 4 ]] && echo -e "\n Forward: ${list_fwd}\n ${tls13_list_fwd}"
$OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd -ciphersuites $tls13_list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd") </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd -ciphersuites $tls13_list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd") </dev/null 2>$ERRFILE >$TMPFILE
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
list_fwd="$(actually_supported_ciphers $list_fwd $tls13_list_fwd '-tls1')" list_fwd="$(actually_supported_ciphers $list_fwd $tls13_list_fwd '-tls1')"
@ -5811,12 +5812,13 @@ run_server_preference() {
return 1 return 1
fi fi
fi fi
cipher1=$(get_cipher $TMPFILE) # cipher1 from 1st serverhello cipher1=$(get_cipher $TMPFILE) # cipher1 from 1st serverhello
debugme tm_out "--> $cipher1\n"
if [[ -n "$STARTTLS_OPTIMAL_PROTO" ]]; then if [[ -n "$STARTTLS_OPTIMAL_PROTO" ]]; then
addcmd2="$STARTTLS_OPTIMAL_PROTO $SNI" addcmd2="$STARTTLS_OPTIMAL_PROTO $SNI"
else else
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then if [[ "$OPTIMAL_PR1866OTO" == -ssl2 ]]; then
addcmd2="$OPTIMAL_PROTO" addcmd2="$OPTIMAL_PROTO"
else else
addcmd2="-no_ssl2 $SNI" addcmd2="-no_ssl2 $SNI"
@ -5824,9 +5826,11 @@ run_server_preference() {
fi fi
# second client hello with reverse list # second client hello with reverse list
[[ $DEBUG -ge 4 ]] && echo -e "\n Reverse: ${list_reverse}\n ${tls13_list_reverse}"
$OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_reverse -ciphersuites $tls13_list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2") </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_reverse -ciphersuites $tls13_list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2") </dev/null 2>>$ERRFILE >$TMPFILE
# first handshake worked above so no error handling here # first handshake worked above so no error handling here
cipher2=$(get_cipher $TMPFILE) # cipher2 from 2nd serverhello cipher2=$(get_cipher $TMPFILE) # cipher2 from 2nd serverhello
debugme tm_out "--> $cipher2\n"
if [[ "$cipher1" != "$cipher2" ]]; then if [[ "$cipher1" != "$cipher2" ]]; then
# server used the different ends (ciphers) from the client hello # server used the different ends (ciphers) from the client hello
@ -5839,7 +5843,6 @@ run_server_preference() {
limitedsense="" limitedsense=""
fileout "$jsonID" "OK" "server" fileout "$jsonID" "OK" "server"
fi fi
debugme tm_out " $cipher1 | $cipher2"
outln outln
pr_bold " Negotiated protocol " pr_bold " Negotiated protocol "