Merge pull request #1199 from dcooper16/get_server_certificate_sockets

Use sockets for get_server_certificate()
Dirk Wetter 2019-02-15 09:40:22 +01:00 committed by GitHub
commit 6c0bbaf042


@ -6989,20 +6989,38 @@ extract_stapled_ocsp() {
return 0 return 0
} }
# arg1 is "-cipher <OpenSSL cipher>" or empty # arg1 is "<OpenSSL cipher>"
# arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried) # arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried)
get_server_certificate() { get_server_certificate() {
local protocols_to_try proto local protocols_to_try proto
local success local success ret
local npn_params="" line local npn_params="" line
local ciphers_to_test=""
# Cipher suites that use a certifiate with an RSA (signature) public key
local -r a_rsa="cc,13, cc,15, c0,30, c0,28, c0,14, 00,9f, cc,a8, cc,aa, c0,a3, c0,9f, 00,6b, 00,39, c0,77, 00,c4, 00,88, c0,45, c0,4d, c0,53, c0,61, c0,7d, c0,8b, 16,b7, 16,b9, c0,2f, c0,27, c0,13, 00,9e, c0,a2, c0,9e, 00,67, 00,33, c0,76, 00,be, 00,9a, 00,45, c0,44, c0,4c, c0,52, c0,60, c0,7c, c0,8a, c0,11, c0,12, 00,16, 00,15, 00,14, c0,10"
# Cipher suites that use a certifiate with an RSA (encryption) public key
local -r e_rsa="00,b7, c0,99, 00,ad, cc,ae, 00,9d, c0,a1, c0,9d, 00,3d, 00,35, 00,c0, 00,84, 00,95, c0,3d, c0,51, c0,69, c0,6f, c0,7b, c0,93, ff,01, 00,ac, c0,a0, c0,9c, 00,9c, 00,3c, 00,2f, 00,ba, 00,b6, 00,96, 00,41, c0,98, 00,07, 00,94, c0,3c, c0,50, c0,68, c0,6e, c0,7a, c0,92, 00,05, 00,04, 00,92, 00,0a, 00,93, fe,ff, ff,e0, 00,62, 00,09, 00,61, fe,fe, ff,e1, 00,64, 00,60, 00,08, 00,06, 00,03, 00,b9, 00,b8, 00,2e, 00,3b, 00,02, 00,01"
# Cipher suites that use a certifiate with a DSA public key
local -r a_dss="00,a3, 00,6a, 00,38, 00,c3, 00,87, c0,43, c0,57, c0,81, 00,a2, 00,40, 00,32, 00,bd, 00,99, 00,44, c0,42, c0,56, c0,80, 00,66, 00,13, 00,63, 00,12, 00,65, 00,11"
# Cipher suites that use a certifiate with a DH public key
local -r a_dh="00,a5, 00,a1, 00,69, 00,68, 00,37, 00,36, 00,c2, 00,c1, 00,86, 00,85, c0,3f, c0,41, c0,55, c0,59, c0,7f, c0,83, 00,a4, 00,a0, 00,3f, 00,3e, 00,31, 00,30, 00,bc, 00,bb, 00,98, 00,97, 00,43, 00,42, c0,3e, c0,40, c0,54, c0,58, c0,7e, c0,82, 00,10, 00,0d, 00,0f, 00,0c, 00,0b, 00,0e"
# Cipher suites that use a certifiate with an ECDH public key
local -r a_ecdh="c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, c0,4b, c0,4f, c0,5f, c0,63, c0,89, c0,8d, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, c0,4a, c0,4e, c0,5e, c0,62, c0,88, c0,8c, c0,0c, c0,02, c0,0d, c0,03, c0,0b, c0,01"
# Cipher suites that use a certifiate with an ECDSA public key
local -r a_ecdsa="cc,14, c0,2c, c0,24, c0,0a, cc,a9, c0,af, c0,ad, c0,73, c0,49, c0,5d, c0,87, 16,b8, 16,ba, c0,2b, c0,23, c0,09, c0,ae, c0,ac, c0,72, c0,48, c0,5c, c0,86, c0,07, c0,08, c0,06"
# Cipher suites that use a certifiate with a GOST public key
local -r a_gost="00,80, 00,81, ff,00, 00,82, 00,83"
local using_sockets=true
"$SSL_NATIVE" && using_sockets=false
CERTIFICATE_LIST_ORDERING_PROBLEM=false CERTIFICATE_LIST_ORDERING_PROBLEM=false
if [[ "$1" =~ "-cipher tls1_3" ]]; then if [[ "$1" =~ "tls1_3" ]]; then
[[ $(has_server_protocol "tls1_3") -eq 1 ]] && return 1 [[ $(has_server_protocol "tls1_3") -eq 1 ]] && return 1
if "$HAS_TLS13"; then if "$HAS_TLS13"; then
if [[ "$1" =~ "-cipher tls1_3_RSA" ]]; then if [[ "$1" =~ "tls1_3_RSA" ]]; then
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tls1_3 -tlsextdebug -status -msg -sigalgs PSS+SHA256:PSS+SHA384") </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tls1_3 -tlsextdebug -status -msg -sigalgs PSS+SHA256:PSS+SHA384") </dev/null 2>$ERRFILE >$TMPFILE
elif [[ "$1" =~ "-cipher tls1_3_ECDSA" ]]; then elif [[ "$1" =~ "tls1_3_ECDSA" ]]; then
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tls1_3 -tlsextdebug -status -msg -sigalgs ECDSA+SHA256:ECDSA+SHA384") </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tls1_3 -tlsextdebug -status -msg -sigalgs ECDSA+SHA256:ECDSA+SHA384") </dev/null 2>$ERRFILE >$TMPFILE
else else
return 1 return 1
@ -7013,9 +7031,9 @@ get_server_certificate() {
extract_stapled_ocsp extract_stapled_ocsp
success=$? success=$?
else else
if [[ "$1" =~ "-cipher tls1_3_RSA" ]]; then if [[ "$1" =~ "tls1_3_RSA" ]]; then
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01" tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
elif [[ "$1" =~ "-cipher tls1_3_ECDSA" ]]; then elif [[ "$1" =~ "tls1_3_ECDSA" ]]; then
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,0a,00,08,04,03,05,03,06,03,02,03" tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,0a,00,08,04,03,05,03,06,03,02,03"
else else
return 1 return 1
@ -7052,48 +7070,109 @@ get_server_certificate() {
return $success return $success
fi fi
# this all needs to be moved into determine_tls_extensions() if "$using_sockets"; then
>$TEMPDIR/tlsext.txt protocols_to_try="${protocols_to_try/tls1_2/03}"
# first shot w/o any protocol, then in turn we collect all extensions protocols_to_try="${protocols_to_try/tls1_1/02}"
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tlsextdebug -status </dev/null 2>$ERRFILE >$TMPFILE protocols_to_try="${protocols_to_try/tls1/01}"
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt protocols_to_try="${protocols_to_try/ssl3/00}"
for proto in $protocols_to_try; do
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
[[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && continue
addcmd=""
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status -msg") </dev/null 2>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then
success=0
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
break # now we have the certificate
fi
done # this loop is needed for IIS6 and others which have a handshake size limitations
if [[ $success -eq 7 ]]; then
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
[[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && return 7
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
if ! sclient_connect_successful $? $TMPFILE; then
if [ -z "$1" ]; then
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
fi
tmpfile_handle ${FUNCNAME[0]}.txt
return 7 # this is ugly, I know
else
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
GOST_STATUS_PROBLEM=true
fi
fi
case "$proto" in
"tls1_2") DETECTED_TLS_VERSION="0303" ;;
"tls1_1") DETECTED_TLS_VERSION="0302" ;;
"tls1") DETECTED_TLS_VERSION="0301" ;;
"ssl3") DETECTED_TLS_VERSION="0300" ;;
esac
extract_new_tls_extensions $TMPFILE
extract_certificates "$proto"
extract_stapled_ocsp
success=$?
[[ "$1" =~ aRSA ]] && ciphers_to_test+=", $a_rsa"
[[ "$1" =~ eRSA ]] && ciphers_to_test+=", $e_rsa"
[[ "$1" =~ aDSS ]] && ciphers_to_test+=", $a_dss"
[[ "$1" =~ aDH ]] && ciphers_to_test+=", $a_dh"
[[ "$1" =~ aECDH ]] && ciphers_to_test+=", $a_ecdh"
[[ "$1" =~ aECDSA ]] && ciphers_to_test+=", $a_ecdsa"
[[ "$1" =~ aGOST ]] && ciphers_to_test+=", $a_gost"
[[ -z "$ciphers_to_test" ]] && return 1
ciphers_to_test="${ciphers_to_test:2}"
for proto in $protocols_to_try; do
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
tls_sockets "$proto" "$ciphers_to_test, 00,ff" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00"
ret=$?
[[ $ret -eq 0 ]] && success=0 && break
[[ $ret -eq 2 ]] && success=0 && break
done # this loop is needed for IIS6 and others which have a handshake size limitations
if [[ $success -eq 7 ]]; then
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
tls_sockets "$proto" "$ciphers_to_test, 00,ff" "all" "00,12,00,00"
ret=$?
[[ $ret -eq 0 ]] && success=0
[[ $ret -eq 2 ]] && success=0
if [[ $success -eq 7 ]]; then
if [ -z "$1" ]; then
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
fi
tmpfile_handle ${FUNCNAME[0]}.txt
return 7 # this is ugly, I know
else
GOST_STATUS_PROBLEM=true
fi
fi
cp $TEMPDIR/$NODEIP.parse_tls_serverhello.txt $TMPFILE
extract_new_tls_extensions $TMPFILE
else
ciphers_to_test="$1"
if [[ "$1" =~ aRSA ]] && [[ "$1" =~ eRSA ]]; then
ciphers_to_test="${ciphers_to_test/eRSA/}"
elif [[ "$1" =~ aRSA ]]; then
ciphers_to_test="${ciphers_to_test/aRSA/}"
for ciph in $(colon_to_spaces $(actually_supported_ciphers "aRSA")); do
[[ "$ciph" =~ -RSA- ]] && ciphers_to_test+=":$ciph"
done
elif [[ "$1" =~ eRSA ]]; then
ciphers_to_test="${ciphers_to_test/eRSA/}"
for ciph in $(colon_to_spaces $(actually_supported_ciphers "aRSA")); do
[[ ! "$ciph" =~ -RSA- ]] && ciphers_to_test+=":$ciph"
done
fi
ciphers_to_test="${ciphers_to_test/::/:}"
[[ "${ciphers_to_test:0:1}" == : ]] && ciphers_to_test="${ciphers_to_test:1}"
[[ $(count_ciphers $(actually_supported_ciphers "$ciphers_to_test")) -ge 1 ]] || return 1
# this all needs to be moved into determine_tls_extensions()
>$TEMPDIR/tlsext.txt
# first shot w/o any protocol, then in turn we collect all extensions
$OPENSSL s_client $STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tlsextdebug -status </dev/null 2>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
for proto in $protocols_to_try; do
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
[[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && continue
addcmd=""
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status -msg") </dev/null 2>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then
success=0
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
break # now we have the certificate
fi
done # this loop is needed for IIS6 and others which have a handshake size limitations
if [[ $success -eq 7 ]]; then
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
[[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && return 7
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
if ! sclient_connect_successful $? $TMPFILE; then
if [ -z "$1" ]; then
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
fi
tmpfile_handle ${FUNCNAME[0]}.txt
return 7 # this is ugly, I know
else
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
GOST_STATUS_PROBLEM=true
fi
fi
case "$proto" in
"tls1_2") DETECTED_TLS_VERSION="0303" ;;
"tls1_1") DETECTED_TLS_VERSION="0302" ;;
"tls1") DETECTED_TLS_VERSION="0301" ;;
"ssl3") DETECTED_TLS_VERSION="0300" ;;
esac
extract_new_tls_extensions $TMPFILE
extract_certificates "$proto"
extract_stapled_ocsp
success=$?
fi
tmpfile_handle ${FUNCNAME[0]}.txt tmpfile_handle ${FUNCNAME[0]}.txt
return $success return $success
} }
@ -7575,6 +7654,20 @@ certificate_transparency() {
local hexc n ciph sslver kx auth enc mac export local hexc n ciph sslver kx auth enc mac export
local extra_extns="" local extra_extns=""
local -i success local -i success
# Cipher suites that use a certifiate with an RSA (signature) public key
local -r a_rsa="cc,13, cc,15, c0,30, c0,28, c0,14, 00,9f, cc,a8, cc,aa, c0,a3, c0,9f, 00,6b, 00,39, c0,77, 00,c4, 00,88, c0,45, c0,4d, c0,53, c0,61, c0,7d, c0,8b, 16,b7, 16,b9, c0,2f, c0,27, c0,13, 00,9e, c0,a2, c0,9e, 00,67, 00,33, c0,76, 00,be, 00,9a, 00,45, c0,44, c0,4c, c0,52, c0,60, c0,7c, c0,8a, c0,11, c0,12, 00,16, 00,15, 00,14, c0,10"
# Cipher suites that use a certifiate with an RSA (encryption) public key
local -r e_rsa="00,b7, c0,99, 00,ad, cc,ae, 00,9d, c0,a1, c0,9d, 00,3d, 00,35, 00,c0, 00,84, 00,95, c0,3d, c0,51, c0,69, c0,6f, c0,7b, c0,93, ff,01, 00,ac, c0,a0, c0,9c, 00,9c, 00,3c, 00,2f, 00,ba, 00,b6, 00,96, 00,41, c0,98, 00,07, 00,94, c0,3c, c0,50, c0,68, c0,6e, c0,7a, c0,92, 00,05, 00,04, 00,92, 00,0a, 00,93, fe,ff, ff,e0, 00,62, 00,09, 00,61, fe,fe, ff,e1, 00,64, 00,60, 00,08, 00,06, 00,03, 00,b9, 00,b8, 00,2e, 00,3b, 00,02, 00,01"
# Cipher suites that use a certifiate with a DSA public key
local -r a_dss="00,a3, 00,6a, 00,38, 00,c3, 00,87, c0,43, c0,57, c0,81, 00,a2, 00,40, 00,32, 00,bd, 00,99, 00,44, c0,42, c0,56, c0,80, 00,66, 00,13, 00,63, 00,12, 00,65, 00,11"
# Cipher suites that use a certifiate with a DH public key
local -r a_dh="00,a5, 00,a1, 00,69, 00,68, 00,37, 00,36, 00,c2, 00,c1, 00,86, 00,85, c0,3f, c0,41, c0,55, c0,59, c0,7f, c0,83, 00,a4, 00,a0, 00,3f, 00,3e, 00,31, 00,30, 00,bc, 00,bb, 00,98, 00,97, 00,43, 00,42, c0,3e, c0,40, c0,54, c0,58, c0,7e, c0,82, 00,10, 00,0d, 00,0f, 00,0c, 00,0b, 00,0e"
# Cipher suites that use a certifiate with an ECDH public key
local -r a_ecdh="c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, c0,4b, c0,4f, c0,5f, c0,63, c0,89, c0,8d, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, c0,4a, c0,4e, c0,5e, c0,62, c0,88, c0,8c, c0,0c, c0,02, c0,0d, c0,03, c0,0b, c0,01"
# Cipher suites that use a certifiate with an ECDSA public key
local -r a_ecdsa="cc,14, c0,2c, c0,24, c0,0a, cc,a9, c0,af, c0,ad, c0,73, c0,49, c0,5d, c0,87, 16,b8, 16,ba, c0,2b, c0,23, c0,09, c0,ae, c0,ac, c0,72, c0,48, c0,5c, c0,86, c0,07, c0,08, c0,06"
# Cipher suites that use a certifiate with a GOST public key
local -r a_gost="00,80, 00,81, ff,00, 00,82, 00,83"
# First check whether signed certificate timestamps (SCT) are included in the # First check whether signed certificate timestamps (SCT) are included in the
# server's certificate. If they aren't, check whether the server provided # server's certificate. If they aren't, check whether the server provided
@ -7609,11 +7702,15 @@ certificate_transparency() {
return 1 return 1
fi fi
else else
while read -r hexc n ciph sslver kx auth enc mac export; do [[ "$cipher" =~ aRSA ]] && ciphers+=", $a_rsa"
if [[ ${#hexc} -eq 9 ]]; then [[ "$cipher" =~ eRSA ]] && ciphers+=", $e_rsa"
ciphers+=", ${hexc:2:2},${hexc:7:2}" [[ "$cipher" =~ aDSS ]] && ciphers+=", $a_dss"
fi [[ "$cipher" =~ aDH ]] && ciphers+=", $a_dh"
done < <(actually_supported_ciphers $cipher '' "-V") [[ "$cipher" =~ aECDH ]] && ciphers+=", $a_ecdh"
[[ "$cipher" =~ aECDSA ]] && ciphers+=", $a_ecdsa"
[[ "$cipher" =~ aGOST ]] && ciphers+=", $a_gost"
[[ -z "$ciphers" ]] && return 1
ciphers+=", 00,ff" ciphers+=", 00,ff"
fi fi
[[ -z "$sni_used" ]] && sni="$SNI" && SNI="" [[ -z "$sni_used" ]] && sni="$SNI" && SNI=""
@ -8453,6 +8550,9 @@ run_server_defaults() {
local -a ciphers_to_test certificate_type local -a ciphers_to_test certificate_type
local -a -i success local -a -i success
local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions
local using_sockets=true
"$SSL_NATIVE" && using_sockets=false
# Try each public key type once: # Try each public key type once:
# ciphers_to_test[1]: cipher suites using certificates with RSA signature public keys # ciphers_to_test[1]: cipher suites using certificates with RSA signature public keys
@ -8462,28 +8562,19 @@ run_server_defaults() {
# ciphers_to_test[5]: cipher suites using certificates with ECDH key agreement public keys # ciphers_to_test[5]: cipher suites using certificates with ECDH key agreement public keys
# ciphers_to_test[6]: cipher suites using certificates with ECDSA signature public keys # ciphers_to_test[6]: cipher suites using certificates with ECDSA signature public keys
# ciphers_to_test[7]: cipher suites using certificates with GOST R 34.10 (either 2001 or 94) public keys # ciphers_to_test[7]: cipher suites using certificates with GOST R 34.10 (either 2001 or 94) public keys
ciphers_to_test[1]="" ciphers_to_test[1]="aRSA:eRSA"
ciphers_to_test[2]="" ciphers_to_test[2]=""
for ciph in $(colon_to_spaces $(actually_supported_ciphers "aRSA")); do ciphers_to_test[3]="aDSS:aDH:aECDH:aECDSA:aGOST"
if [[ "$ciph" =~ -RSA- ]]; then ciphers_to_test[4]=""
ciphers_to_test[1]="${ciphers_to_test[1]}:$ciph" ciphers_to_test[5]=""
else ciphers_to_test[6]=""
ciphers_to_test[2]="${ciphers_to_test[2]}:$ciph" ciphers_to_test[7]=""
fi
done
[[ -n "${ciphers_to_test[1]}" ]] && ciphers_to_test[1]="${ciphers_to_test[1]:1}"
[[ -n "${ciphers_to_test[2]}" ]] && ciphers_to_test[2]="${ciphers_to_test[2]:1}"
ciphers_to_test[3]="aDSS"
ciphers_to_test[4]="aDH"
ciphers_to_test[5]="aECDH"
ciphers_to_test[6]="aECDSA"
ciphers_to_test[7]="aGOST"
ciphers_to_test[8]="tls1_3_RSA" ciphers_to_test[8]="tls1_3_RSA"
ciphers_to_test[9]="tls1_3_ECDSA" ciphers_to_test[9]="tls1_3_ECDSA"
certificate_type[1]="RSASig" ; certificate_type[2]="RSAKMK" certificate_type[1]="" ; certificate_type[2]=""
certificate_type[3]="DSA"; certificate_type[4]="DH" certificate_type[3]=""; certificate_type[4]=""
certificate_type[5]="ECDH" ; certificate_type[6]="ECDSA" certificate_type[5]="" ; certificate_type[6]=""
certificate_type[7]="GOST" ; certificate_type[8]="RSASig" certificate_type[7]="" ; certificate_type[8]="RSASig"
certificate_type[9]="ECDSA" certificate_type[9]="ECDSA"
for (( n=1; n <= 16 ; n++ )); do for (( n=1; n <= 16 ; n++ )); do
@ -8491,7 +8582,7 @@ run_server_defaults() {
# specifies TLSv1.1 and doesn't include a server name extension. # specifies TLSv1.1 and doesn't include a server name extension.
# So, for each public key type for which a certificate was found, # So, for each public key type for which a certificate was found,
# try again, but only with TLSv1.1 and without SNI. # try again, but only with TLSv1.1 and without SNI.
if [[ $n -ne 2 ]] && [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then if [[ $n -ne 1 ]] && [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
ciphers_to_test[n]="" ciphers_to_test[n]=""
elif [[ $n -ge 10 ]]; then elif [[ $n -ge 10 ]]; then
ciphers_to_test[n]="" ciphers_to_test[n]=""
@ -8499,16 +8590,15 @@ run_server_defaults() {
ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}" ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}"
fi fi
if [[ -n "${ciphers_to_test[n]}" ]] && \ if [[ -n "${ciphers_to_test[n]}" ]]; then
( [[ "${ciphers_to_test[n]}" =~ "tls1_3" ]] || [[ $(count_ciphers $(actually_supported_ciphers "${ciphers_to_test[n]}")) -ge 1 ]] ); then
if [[ $n -ge 10 ]]; then if [[ $n -ge 10 ]]; then
sni="$SNI" sni="$SNI"
SNI="" SNI=""
get_server_certificate "-cipher ${ciphers_to_test[n]}" "tls1_1" get_server_certificate "${ciphers_to_test[n]}" "tls1_1"
success[n]=$? success[n]=$?
SNI="$sni" SNI="$sni"
else else
get_server_certificate "-cipher ${ciphers_to_test[n]}" get_server_certificate "${ciphers_to_test[n]}"
success[n]=$? success[n]=$?
fi fi
if [[ ${success[n]} -eq 0 ]] && [[ -s "$HOSTCERT" ]]; then if [[ ${success[n]} -eq 0 ]] && [[ -s "$HOSTCERT" ]]; then
@ -8519,6 +8609,69 @@ run_server_defaults() {
sessticket_lifetime_hint=$(awk '/session ticket life/' $TMPFILE) sessticket_lifetime_hint=$(awk '/session ticket life/' $TMPFILE)
fi fi
if [[ $n -le 7 ]]; then
ciph="$(get_cipher $TMPFILE)"
if [[ "$ciph" != TLS_* ]] && [[ "$ciph" != SSL_* ]]; then
ciph="$(openssl2rfc "$ciph")"
fi
if [[ "$ciph" == TLS_DHE_RSA_* ]] || [[ "$ciph" == TLS_ECDHE_RSA_* ]] || [[ "$ciph" == TLS_CECPQ1_RSA_* ]]; then
certificate_type[n]="RSASig"
if [[ -z "${ciphers_to_test[n+1]}" ]]; then
ciphers_to_test[n+1]="${ciphers_to_test[n]/aRSA/}"
ciphers_to_test[n+1]="${ciphers_to_test[n+1]/::/:}"
[[ "${ciphers_to_test[n+1]:0:1}" == : ]] && ciphers_to_test[n+1]="${ciphers_to_test[n+1]:1}"
fi
ciphers_to_test[n]="aRSA"
elif [[ "$ciph" == TLS_RSA_* ]] || [[ "$ciph" == SSL_* ]]; then
certificate_type[n]="RSAKMK"
if [[ -z "${ciphers_to_test[n+1]}" ]]; then
ciphers_to_test[n+1]="${ciphers_to_test[n]/eRSA/}"
ciphers_to_test[n+1]="${ciphers_to_test[n+1]/::/:}"
[[ "${ciphers_to_test[n+1]:0:1}" == : ]] && ciphers_to_test[n+1]="${ciphers_to_test[n+1]:1}"
fi
ciphers_to_test[n]="eRSA"
elif [[ "$ciph" == TLS_DHE_DSS_* ]]; then
certificate_type[n]="DSA"
if [[ -z "${ciphers_to_test[n+1]}" ]]; then
ciphers_to_test[n+1]="${ciphers_to_test[n]/aDSS/}"
ciphers_to_test[n+1]="${ciphers_to_test[n+1]/::/:}"
[[ "${ciphe-S 127.0.0.1rs_to_test[n+1]:0:1}" == : ]] && ciphers_to_test[n+1]="${ciphers_to_test[n+1]:1}"
fi
ciphers_to_test[n]="aDSS"
elif [[ "$ciph" == TLS_DH_* ]]; then
certificate_type[n]="DH"
if [[ -z "${ciphers_to_test[n+1]}" ]]; then
ciphers_to_test[n+1]="${ciphers_to_test[n]/aDH/}"
ciphers_to_test[n+1]="${ciphers_to_test[n+1]/::/:}"
[[ "${ciphers_to_test[n+1]:0:1}" == : ]] && ciphers_to_test[n+1]="${ciphers_to_test[n+1]:1}"
fi
ciphers_to_test[n]="aDH"
elif [[ "$ciph" == TLS_ECDH_* ]]; then
certificate_type[n]="ECDH"
if [[ -z "${ciphers_to_test[n+1]}" ]]; then
ciphers_to_test[n+1]="${ciphers_to_test[n]/aECDH/}"
ciphers_to_test[n+1]="${ciphers_to_test[n+1]/::/:}"
[[ "${ciphers_to_test[n+1]:0:1}" == : ]] && ciphers_to_test[n+1]="${ciphers_to_test[n+1]:1}"
fi
ciphers_to_test[n]="aECDH"
elif [[ "$ciph" == TLS_ECDHE_ECDSA_* ]] || [[ "$ciph" == TLS_CECPQ1_ECDSA_* ]]; then
certificate_type[n]="ECDSA"
if [[ -z "${ciphers_to_test[n+1]}" ]]; then
ciphers_to_test[n+1]="${ciphers_to_test[n]/aECDSA/}"
ciphers_to_test[n+1]="${ciphers_to_test[n+1]/::/:}"
[[ "${ciphers_to_test[n+1]:0:1}" == : ]] && ciphers_to_test[n+1]="${ciphers_to_test[n+1]:1}"
fi
ciphers_to_test[n]="aECDSA"
elif [[ "$ciph" == TLS_GOST* ]]; then
certificate_type[n]="GOST"
if [[ -z "${ciphers_to_test[n+1]}" ]]; then
ciphers_to_test[n+1]="${ciphers_to_test[n]/aGOST/}"
ciphers_to_test[n+1]="${ciphers_to_test[n+1]/::/:}"
[[ "${ciphers_to_test[n+1]:0:1}" == : ]] && ciphers_to_test[n+1]="${ciphers_to_test[n+1]:1}"
fi
ciphers_to_test[n]="aGOST"
fi
fi
# check whether the host's certificate has been seen before # check whether the host's certificate has been seen before
match_found=false match_found=false
i=1 i=1
@ -8584,7 +8737,8 @@ run_server_defaults() {
previous_hostcert_txt[certs_found]="$($OPENSSL x509 -noout -text 2>>$ERRFILE <<< "$newhostcert")" previous_hostcert_txt[certs_found]="$($OPENSSL x509 -noout -text 2>>$ERRFILE <<< "$newhostcert")"
previous_intermediates[certs_found]=$(cat $TEMPDIR/intermediatecerts.pem) previous_intermediates[certs_found]=$(cat $TEMPDIR/intermediatecerts.pem)
previous_hostcert_issuer[certs_found]="" previous_hostcert_issuer[certs_found]=""
[[ -n "${previous_intermediates[certs_found]}" ]] && previous_hostcert_issuer[certs_found]=$(cat $TEMPDIR/hostcert_issuer.pem) [[ -n "${previous_intermediates[certs_found]}" ]] && [[ -r $TEMPDIR/hostcert_issuer.pem ]] && \
previous_hostcert_issuer[certs_found]=$(cat $TEMPDIR/hostcert_issuer.pem)
previous_ordering_problem[certs_found]=$CERTIFICATE_LIST_ORDERING_PROBLEM previous_ordering_problem[certs_found]=$CERTIFICATE_LIST_ORDERING_PROBLEM
[[ $n -ge 10 ]] && sni_used[certs_found]="" || sni_used[certs_found]="$SNI" [[ $n -ge 10 ]] && sni_used[certs_found]="" || sni_used[certs_found]="$SNI"
tls_version[certs_found]="$DETECTED_TLS_VERSION" tls_version[certs_found]="$DETECTED_TLS_VERSION"
@ -8606,6 +8760,10 @@ run_server_defaults() {
>$ERRFILE >$ERRFILE
[[ -z "$sessticket_lifetime_hint" ]] && sessticket_lifetime_hint=$(awk '/session ticket lifetime/' $TMPFILE) [[ -z "$sessticket_lifetime_hint" ]] && sessticket_lifetime_hint=$(awk '/session ticket lifetime/' $TMPFILE)
fi fi
if "$using_sockets" && [[ -z "$sessticket_lifetime_hint" ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher ALL:COMPLEMENTOFALL -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE && sessticket_lifetime_hint=$(awk '/session ticket lifetime/' $TMPFILE)
fi
debugme echo "# certificates found $certs_found" debugme echo "# certificates found $certs_found"
# Now that all of the server's certificates have been found, determine for # Now that all of the server's certificates have been found, determine for
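Review bot: The two `if [ -z "$1" ]` warning branches in get_server_certificate no longer fit the function's contract: the header comment drops the "or empty" case for arg1, the sockets branch already returns 1 when no cipher group matched (`[[ -z "$ciphers_to_test" ]] && return 1`) so its check can never fire, and in the OpenSSL branch an empty arg1 would make `-cipher $ciphers_to_test` expand to a bare `-cipher` that consumes `-showcerts` as its argument. I would state the contract once near the top, `[[ -z "$1" ]] && return 1`, and delete the two dead `[ -z "$1" ]` checks. The copied comment `"-status" above doesn't work for GOST only servers` is misleading in the sockets branch where no `-status` flag exists; suggest `# the status_request extension (00,05) in the ClientHello above breaks GOST-only servers, so retry without it`. In run_server_defaults the seven `elif` arms that set certificate_type[n] from the negotiated cipher differ only in the type label and the aRSA/eRSA/aDSS/... keyword, so one `case "$ciph"` yielding those two values plus a single shared strip-and-assign block would replace roughly fifty near-duplicate lines (a `local kx_keyword` would go in the function's declarations, which lie outside the hunk).
```shell
if [[ $n -le 7 ]]; then
     ciph="$(get_cipher $TMPFILE)"
     if [[ "$ciph" != TLS_* ]] && [[ "$ciph" != SSL_* ]]; then
          ciph="$(openssl2rfc "$ciph")"
     fi
     # Map the negotiated cipher to the certificate type it authenticated with
     # and to the keyword that selected that key type (same order as the old elif chain).
     kx_keyword=""
     case "$ciph" in
          TLS_DHE_RSA_*|TLS_ECDHE_RSA_*|TLS_CECPQ1_RSA_*) certificate_type[n]="RSASig"; kx_keyword="aRSA" ;;
          TLS_RSA_*|SSL_*)                               certificate_type[n]="RSAKMK"; kx_keyword="eRSA" ;;
          TLS_DHE_DSS_*)                                 certificate_type[n]="DSA";    kx_keyword="aDSS" ;;
          TLS_DH_*)                                      certificate_type[n]="DH";     kx_keyword="aDH" ;;
          TLS_ECDH_*)                                    certificate_type[n]="ECDH";   kx_keyword="aECDH" ;;
          TLS_ECDHE_ECDSA_*|TLS_CECPQ1_ECDSA_*)          certificate_type[n]="ECDSA";  kx_keyword="aECDSA" ;;
          TLS_GOST*)                                     certificate_type[n]="GOST";   kx_keyword="aGOST" ;;
     esac
     if [[ -n "$kx_keyword" ]]; then
          # Hand the not-yet-seen key types on to the next slot unless it is already populated
          if [[ -z "${ciphers_to_test[n+1]}" ]]; then
               ciphers_to_test[n+1]="${ciphers_to_test[n]/$kx_keyword/}"
               ciphers_to_test[n+1]="${ciphers_to_test[n+1]/::/:}"
               [[ "${ciphers_to_test[n+1]:0:1}" == : ]] && ciphers_to_test[n+1]="${ciphers_to_test[n+1]:1}"
          fi
          ciphers_to_test[n]="$kx_keyword"
     fi
fi
# … unchanged: "check whether the host's certificate has been seen before" …
```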