Identity TLS 1.3 ciphers by OpenSSL name
This commit changes the way that TLS 1.3 ciphers are identified by their OpenSSL names. To the degree possible, rather than checking for prefixes that have historically been used in various versions of OpenSSL and LibreSSL, the cipher name is checked against the known list of TLS 1.3 cipher suites that $OPENSSL supports. In the few places in which the cipher suite name to be checked may not be supported by $OPENSSL, a check for the prefix "TLS_" is also used.
26
testssl.sh
26
testssl.sh
@@ -4120,7 +4120,7 @@ run_cipher_match(){
|
||||
tls13_ciphers_to_test=""
|
||||
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||
if ! "${ciphers_found2[i]}"; then
|
||||
if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]] || [[ "${ciph2[i]}" == AEAD-* ]]; then
|
||||
if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph2[i]}: ]]; then
|
||||
tls13_ciphers_to_test+=":${ciph2[i]}"
|
||||
else
|
||||
ciphers_to_test+=":${ciph2[i]}"
|
||||
@@ -4138,7 +4138,7 @@ run_cipher_match(){
|
||||
[[ $i -eq $end_of_bundle ]] && break
|
||||
i=${index[i]}
|
||||
ciphers_found[i]=true
|
||||
if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]] || [[ "$cipher" == AEAD-* ]]; then
|
||||
if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${cipher}: ]]; then
|
||||
kx[i]="$(read_dhtype_from_file $TMPFILE)"
|
||||
fi
|
||||
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
|
||||
@@ -4394,7 +4394,7 @@ run_allciphers() {
|
||||
tls13_ciphers_to_test=""
|
||||
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||
if ! "${ciphers_found2[i]}"; then
|
||||
if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]] || [[ "${ciph2[i]}" == AEAD-* ]]; then
|
||||
if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph2[i]}: ]]; then
|
||||
tls13_ciphers_to_test+=":${ciph2[i]}"
|
||||
else
|
||||
ciphers_to_test+=":${ciph2[i]}"
|
||||
@@ -4412,7 +4412,7 @@ run_allciphers() {
|
||||
[[ $i -eq $end_of_bundle ]] && break
|
||||
i=${index[i]}
|
||||
ciphers_found[i]=true
|
||||
if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]] || [[ "$cipher" == AEAD-* ]]; then
|
||||
if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${cipher}: ]]; then
|
||||
kx[i]="$(read_dhtype_from_file $TMPFILE)"
|
||||
fi
|
||||
if [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]]; then
|
||||
@@ -4603,11 +4603,9 @@ ciphers_by_strength() {
|
||||
fi
|
||||
while read hexc n ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
|
||||
if [[ "$proto" == -tls1_3 ]]; then
|
||||
[[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]] || [[ "${ciph[nr_ciphers]}" == AEAD-* ]] || continue
|
||||
[[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[nr_ciphers]}: ]] || continue
|
||||
elif [[ "$proto" == -tls1_2 ]]; then
|
||||
if [[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]] || [[ "${ciph[nr_ciphers]}" == AEAD-* ]]; then
|
||||
continue
|
||||
fi
|
||||
[[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[nr_ciphers]}: ]] && continue
|
||||
elif [[ "${ciph[nr_ciphers]}" == *-SHA256 ]] || [[ "${ciph[nr_ciphers]}" == *-SHA384 ]] || \
|
||||
[[ "${ciph[nr_ciphers]}" == *-CCM ]] || [[ "${ciph[nr_ciphers]}" == *-CCM8 ]] || \
|
||||
[[ "${ciph[nr_ciphers]}" =~ CHACHA20-POLY1305 ]]; then
|
||||
@@ -11184,7 +11182,7 @@ run_fs() {
|
||||
tls13_ciphers_to_test=""
|
||||
for (( i=0; i < nr_supported_ciphers; i++ )); do
|
||||
if ! "${ciphers_found[i]}" && "${ossl_supported[i]}"; then
|
||||
if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then
|
||||
if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]]; then
|
||||
tls13_ciphers_to_test+=":${ciph[i]}"
|
||||
else
|
||||
ciphers_to_test+=":${ciph[i]}"
|
||||
@@ -11211,7 +11209,7 @@ run_fs() {
|
||||
done
|
||||
[[ $i -eq $nr_supported_ciphers ]] && break
|
||||
ciphers_found[i]=true
|
||||
if [[ "$fs_cipher" == TLS13* ]] || [[ "$fs_cipher" == TLS_* ]] || [[ "$fs_cipher" == AEAD-* ]]; then
|
||||
if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${fs_cipher}: ]]; then
|
||||
fs_tls13_offered=true
|
||||
"$WIDE" && kx[i]="$(read_dhtype_from_file $TMPFILE)"
|
||||
elif [[ "$fs_cipher" == ECDHE-* ]]; then
|
||||
@@ -11281,12 +11279,12 @@ run_fs() {
|
||||
fi
|
||||
fs_ciphers+="$fs_cipher "
|
||||
|
||||
if [[ "${ciph[i]}" == ECDHE-* ]] || [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || \
|
||||
[[ "${ciph[i]}" == AEAD-* ]] || { "$using_sockets" && [[ "${rfc_ciph[i]}" == TLS_ECDHE_* ]]; }; then
|
||||
if [[ "${ciph[i]}" == ECDHE-* ]] || [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]] || [[ "${ciph[i]}" == TLS_* ]] || \
|
||||
{ "$using_sockets" && [[ "${rfc_ciph[i]}" == TLS_ECDHE_* ]]; }; then
|
||||
ecdhe_offered=true
|
||||
ecdhe_cipher_list_hex+=", ${hexcode[i]}"
|
||||
if [[ "${ciph[i]}" != "-" ]]; then
|
||||
if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then
|
||||
if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]] || [[ "${ciph[i]}" == TLS_* ]]; then
|
||||
tls13_cipher_list+=":$fs_cipher"
|
||||
else
|
||||
ecdhe_cipher_list+=":$fs_cipher"
|
||||
@@ -11296,7 +11294,7 @@ run_fs() {
|
||||
if [[ "${ciph[i]}" == "DHE-"* ]] || { "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_DHE_"* ]]; }; then
|
||||
ffdhe_offered=true
|
||||
ffdhe_cipher_list_hex+=", ${hexcode[i]}"
|
||||
elif [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then
|
||||
elif [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]] || [[ "${ciph[i]}" == TLS_* ]]; then
|
||||
ffdhe_cipher_list_hex+=", ${hexcode[i]}"
|
||||
fi
|
||||
fi
|
||||
|
||||
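Review bot: The membership test `[[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph2[i]}: ]]` added in run_cipher_match treats the cipher name as an extended regular expression because the right-hand side of `=~` is unquoted, so any regex metacharacter in a name would silently change what is matched; current TLS 1.3 names contain none, but `ciph[]` in ciphers_by_strength is filled by `read` from input whose source is not shown in the hunk, and the same construct recurs in run_allciphers, ciphers_by_strength and each of the run_fs hunks. A quoted glob substring match expresses the intended exact-token test without regex semantics, e.g. `[[ ":$TLS13_OSSL_CIPHERS:" == *":${ciph2[i]}:"* ]]`, and the same one-line change applies at every other occurrence. Where TLS13_OSSL_CIPHERS is populated is outside this diff; presumably it is derived from `$OPENSSL` at startup, and if it is empty on a build without TLS 1.3 support every cipher now falls through to the non-TLS 1.3 path instead of being recognised by prefix, which looks intended but deserves a short comment at the point where the variable is set. All of the enclosing functions start and end outside the hunks shown.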