Negotiated cipher per proto bugfix

I have a test server that I configured to support only SSLv3 and TLSv1.2. When I set `SSLHonorCipherOrder` to `off` I get the following results:
```
     ECDHE-RSA-AES256-SHA:          SSLv3     ECDHE-RSA-AES256-GCM-SHA384:   TLSv1.2
```
The current code, when printing TLSv1.2 checks whether `${cipher[4]}` is empty, and since it is assume no previous protocol (SSLv2, SSLv3, TLSv1, TLSv1.1) was supported and so doesn't output a newline before outputting the cipher and protocol for TLSv1.2.

This PR fixes that by changing to code to look at the previous non-empty cipher (if there is one), even if that does not come from the previous protocol.
This commit is contained in:
David Cooper 2017-02-14 09:53:38 -05:00 committed by GitHub
parent 67fb3feff8
commit 76c34dd148
1 changed files with 4 additions and 3 deletions

View File

@ -4742,7 +4742,7 @@ read_dhbits_from_file() {
run_server_preference() {
local cipher1 cipher2
local cipher1 cipher2 prev_cipher=""
local default_cipher default_cipher_ossl default_proto
local remark4default_cipher supported_sslv2_ciphers
local -a cipher proto
@ -5013,7 +5013,7 @@ run_server_preference() {
for i in 1 2 3 4 5 6; do
if [[ -n "${cipher[i]}" ]]; then # cipher not empty
if [[ -z "${cipher[i-1]}" ]]; then # previous one empty
if [[ -z "$prev_cipher" ]]; then # previous one empty
#outln
if [[ -z "$SHOW_RFC" ]]; then
printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both
@ -5021,7 +5021,7 @@ run_server_preference() {
printf -- " %-51s %s" "${cipher[i]}:" "${proto[i]}" # print out both
fi
else # previous NOT empty
if [[ "${cipher[i-1]}" == "${cipher[i]}" ]]; then # and previous protocol same cipher
if [[ "$prev_cipher" == "${cipher[i]}" ]]; then # and previous protocol same cipher
out ", ${proto[i]}" # same cipher --> only print out protocol behind it
else
outln
@ -5032,6 +5032,7 @@ run_server_preference() {
fi
fi
fi
prev_cipher="${cipher[i]}"
fi
fileout "order_${proto[i]}_cipher" "INFO" "Default cipher on ${proto[i]}: ${cipher[i]} $remark4default_cipher"
done