Identity TLS 1.3 ciphers by OpenSSL name

This commit changes the way that TLS 1.3 ciphers are identified by their OpenSSL names. Wherever possible, rather than checking for prefixes that have historically been used in various versions of OpenSSL and LibreSSL, the cipher name is checked against the known list of TLS 1.3 cipher suites that $OPENSSL supports.

In the few places in which the cipher suite name to be checked may not be supported by $OPENSSL, a check for the prefix "TLS_" is also used.
David Cooper
2026-04-13 13:31:01 -07:00
committed by David
parent 57cca5c2a0
commit 74a60d25ea


@@ -4120,7 +4120,7 @@ run_cipher_match(){
tls13_ciphers_to_test="" tls13_ciphers_to_test=""
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
if ! "${ciphers_found2[i]}"; then if ! "${ciphers_found2[i]}"; then
if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]] || [[ "${ciph2[i]}" == AEAD-* ]]; then if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph2[i]}: ]]; then
tls13_ciphers_to_test+=":${ciph2[i]}" tls13_ciphers_to_test+=":${ciph2[i]}"
else else
ciphers_to_test+=":${ciph2[i]}" ciphers_to_test+=":${ciph2[i]}"
@@ -4138,7 +4138,7 @@ run_cipher_match(){
[[ $i -eq $end_of_bundle ]] && break [[ $i -eq $end_of_bundle ]] && break
i=${index[i]} i=${index[i]}
ciphers_found[i]=true ciphers_found[i]=true
if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]] || [[ "$cipher" == AEAD-* ]]; then if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${cipher}: ]]; then
kx[i]="$(read_dhtype_from_file $TMPFILE)" kx[i]="$(read_dhtype_from_file $TMPFILE)"
fi fi
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
@@ -4394,7 +4394,7 @@ run_allciphers() {
tls13_ciphers_to_test="" tls13_ciphers_to_test=""
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
if ! "${ciphers_found2[i]}"; then if ! "${ciphers_found2[i]}"; then
if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]] || [[ "${ciph2[i]}" == AEAD-* ]]; then if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph2[i]}: ]]; then
tls13_ciphers_to_test+=":${ciph2[i]}" tls13_ciphers_to_test+=":${ciph2[i]}"
else else
ciphers_to_test+=":${ciph2[i]}" ciphers_to_test+=":${ciph2[i]}"
@@ -4412,7 +4412,7 @@ run_allciphers() {
[[ $i -eq $end_of_bundle ]] && break [[ $i -eq $end_of_bundle ]] && break
i=${index[i]} i=${index[i]}
ciphers_found[i]=true ciphers_found[i]=true
if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]] || [[ "$cipher" == AEAD-* ]]; then if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${cipher}: ]]; then
kx[i]="$(read_dhtype_from_file $TMPFILE)" kx[i]="$(read_dhtype_from_file $TMPFILE)"
fi fi
if [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]]; then if [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]]; then
@@ -4603,11 +4603,9 @@ ciphers_by_strength() {
fi fi
while read hexc n ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do while read hexc n ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
if [[ "$proto" == -tls1_3 ]]; then if [[ "$proto" == -tls1_3 ]]; then
[[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]] || [[ "${ciph[nr_ciphers]}" == AEAD-* ]] || continue [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[nr_ciphers]}: ]] || continue
elif [[ "$proto" == -tls1_2 ]]; then elif [[ "$proto" == -tls1_2 ]]; then
if [[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]] || [[ "${ciph[nr_ciphers]}" == AEAD-* ]]; then [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[nr_ciphers]}: ]] && continue
continue
fi
elif [[ "${ciph[nr_ciphers]}" == *-SHA256 ]] || [[ "${ciph[nr_ciphers]}" == *-SHA384 ]] || \ elif [[ "${ciph[nr_ciphers]}" == *-SHA256 ]] || [[ "${ciph[nr_ciphers]}" == *-SHA384 ]] || \
[[ "${ciph[nr_ciphers]}" == *-CCM ]] || [[ "${ciph[nr_ciphers]}" == *-CCM8 ]] || \ [[ "${ciph[nr_ciphers]}" == *-CCM ]] || [[ "${ciph[nr_ciphers]}" == *-CCM8 ]] || \
[[ "${ciph[nr_ciphers]}" =~ CHACHA20-POLY1305 ]]; then [[ "${ciph[nr_ciphers]}" =~ CHACHA20-POLY1305 ]]; then
@@ -11184,7 +11182,7 @@ run_fs() {
tls13_ciphers_to_test="" tls13_ciphers_to_test=""
for (( i=0; i < nr_supported_ciphers; i++ )); do for (( i=0; i < nr_supported_ciphers; i++ )); do
if ! "${ciphers_found[i]}" && "${ossl_supported[i]}"; then if ! "${ciphers_found[i]}" && "${ossl_supported[i]}"; then
if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]]; then
tls13_ciphers_to_test+=":${ciph[i]}" tls13_ciphers_to_test+=":${ciph[i]}"
else else
ciphers_to_test+=":${ciph[i]}" ciphers_to_test+=":${ciph[i]}"
@@ -11211,7 +11209,7 @@ run_fs() {
done done
[[ $i -eq $nr_supported_ciphers ]] && break [[ $i -eq $nr_supported_ciphers ]] && break
ciphers_found[i]=true ciphers_found[i]=true
if [[ "$fs_cipher" == TLS13* ]] || [[ "$fs_cipher" == TLS_* ]] || [[ "$fs_cipher" == AEAD-* ]]; then if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${fs_cipher}: ]]; then
fs_tls13_offered=true fs_tls13_offered=true
"$WIDE" && kx[i]="$(read_dhtype_from_file $TMPFILE)" "$WIDE" && kx[i]="$(read_dhtype_from_file $TMPFILE)"
elif [[ "$fs_cipher" == ECDHE-* ]]; then elif [[ "$fs_cipher" == ECDHE-* ]]; then
@@ -11281,12 +11279,12 @@ run_fs() {
fi fi
fs_ciphers+="$fs_cipher " fs_ciphers+="$fs_cipher "
if [[ "${ciph[i]}" == ECDHE-* ]] || [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || \ if [[ "${ciph[i]}" == ECDHE-* ]] || [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]] || [[ "${ciph[i]}" == TLS_* ]] || \
[[ "${ciph[i]}" == AEAD-* ]] || { "$using_sockets" && [[ "${rfc_ciph[i]}" == TLS_ECDHE_* ]]; }; then { "$using_sockets" && [[ "${rfc_ciph[i]}" == TLS_ECDHE_* ]]; }; then
ecdhe_offered=true ecdhe_offered=true
ecdhe_cipher_list_hex+=", ${hexcode[i]}" ecdhe_cipher_list_hex+=", ${hexcode[i]}"
if [[ "${ciph[i]}" != "-" ]]; then if [[ "${ciph[i]}" != "-" ]]; then
if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]] || [[ "${ciph[i]}" == TLS_* ]]; then
tls13_cipher_list+=":$fs_cipher" tls13_cipher_list+=":$fs_cipher"
else else
ecdhe_cipher_list+=":$fs_cipher" ecdhe_cipher_list+=":$fs_cipher"
@@ -11296,7 +11294,7 @@ run_fs() {
if [[ "${ciph[i]}" == "DHE-"* ]] || { "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_DHE_"* ]]; }; then if [[ "${ciph[i]}" == "DHE-"* ]] || { "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_DHE_"* ]]; }; then
ffdhe_offered=true ffdhe_offered=true
ffdhe_cipher_list_hex+=", ${hexcode[i]}" ffdhe_cipher_list_hex+=", ${hexcode[i]}"
elif [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then elif [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]] || [[ "${ciph[i]}" == TLS_* ]]; then
ffdhe_cipher_list_hex+=", ${hexcode[i]}" ffdhe_cipher_list_hex+=", ${hexcode[i]}"
fi fi
fi fi
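Review bot: The right-hand side of `=~` in the new line of the first run_cipher_match hunk (`[[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph2[i]}: ]]`) is unquoted, so the cipher name is interpreted as an extended regular expression rather than matched literally, and the same construct recurs in the run_allciphers, ciphers_by_strength and run_fs hunks. OpenSSL cipher names appear to contain only letters, digits, `-` and `_`, so this is presumably harmless today, but any name or placeholder containing an ERE metacharacter would silently mis-match or raise a syntax error, and an empty name matches whenever `$TLS13_OSSL_CIPHERS` is itself empty (`::` against `::`). A glob substring match with a quoted pattern is literal and reads the same: `[[ ":$TLS13_OSSL_CIPHERS:" == *":${ciph2[i]}:"* ]]`. Since the test is now repeated at a dozen sites, a small helper such as `is_tls13_ossl_cipher() { [[ ":$TLS13_OSSL_CIPHERS:" == *":$1:"* ]]; }` would keep them consistent and give the membership check one place to document. Where and how TLS13_OSSL_CIPHERS is populated is outside this view, and each enclosing function starts and ends outside its hunk.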