diff --git a/testssl.sh b/testssl.sh index 76bf9d4..dbdfde1 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1211,10 +1211,10 @@ count_ciphers() { #arg1: TLS 1.2 and below ciphers #arg2: TLS 1.3 ciphers #arg3: options (e.g., -V) -actually_supported_ciphers() { +actually_supported_osslciphers() { local tls13_ciphers="$TLS13_OSSL_CIPHERS" - [[ "$2" != "ALL" ]] && tls13_ciphers="$2" + [[ "$2" != ALL ]] && tls13_ciphers="$2" if "$HAS_CIPHERSUITES"; then $OPENSSL ciphers $3 $OSSL_CIPHERS_S -ciphersuites "$tls13_ciphers" "$1" 2>/dev/null || echo "" elif [[ -n "$tls13_ciphers" ]]; then @@ -3116,14 +3116,14 @@ prettyprint_local() { neat_header if [[ -z "$1" ]]; then - actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V" | while read -r hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 + actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V" | while read -r hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 hexc="$(normalize_ciphercode $hexcode)" outln "$(neat_list "$hexc" "$ciph" "$kx" "$enc")" done else #for arg in $(echo $@ | sed 's/,/ /g'); do for arg in ${*//,/ /}; do - actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V" | while read -r hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 + actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V" | while read -r hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 hexc="$(normalize_ciphercode $hexcode)" # for numbers we don't do word matching: [[ $arg =~ $re ]] && \ @@ -3463,14 +3463,14 @@ run_cipher_match(){ ossl_supported[nr_ciphers]=true nr_ciphers+=1 fi - done < <(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V") + done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")no sockets, openssl fi # Test the SSLv2 ciphers, if any. if "$using_sockets"; then ciphers_to_test="" for (( i=0; i < nr_ciphers; i++ )); do - if [[ "${sslvers[i]}" == "SSLv2" ]]; then + if [[ "${sslvers[i]}" == SSLv2 ]]; then ciphers_to_test+=", ${hexcode[i]}" fi done @@ -3480,7 +3480,7 @@ run_cipher_match(){ supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")" "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")" for (( i=0 ; i "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" @@ -5535,7 +5535,7 @@ listciphers() { local debugname="" local tls13_ciphers="$TLS13_OSSL_CIPHERS" - [[ "$2" != "ALL" ]] && tls13_ciphers="$2" + [[ "$2" != ALL ]] && tls13_ciphers="$2" if "$HAS_CIPHERSUITES"; then $OPENSSL ciphers $OSSL_CIPHERS_S $3 -ciphersuites "$tls13_ciphers" "$1" &>$TMPFILE elif [[ -n "$tls13_ciphers" ]]; then @@ -6314,7 +6314,7 @@ run_server_preference() { [[ $DEBUG -ge 4 ]] && echo -e "\n Forward: ${list_fwd}" $OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2") $ERRFILE >$TMPFILE if ! sclient_connect_successful $? $TMPFILE; then - list_fwd="$(actually_supported_ciphers $list_fwd '' '-tls1')" + list_fwd="$(actually_supported_osslciphers $list_fwd '' '-tls1')" pr_warning "no matching cipher in this list found (pls report this): " outln "$list_fwd . " fileout "$jsonID" "WARN" "Could not determine server cipher order, no matching cipher in list found (pls report this): $list_fwd" @@ -7444,23 +7444,24 @@ get_server_certificate() { # no DNS name was provided at the command line). [[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE else + # no sockets, openssl ciphers_to_test="$1" if [[ "$1" =~ aRSA ]] && [[ "$1" =~ eRSA ]]; then ciphers_to_test="${ciphers_to_test/eRSA/}" elif [[ "$1" =~ aRSA ]]; then ciphers_to_test="${ciphers_to_test/aRSA/}" - for ciph in $(colon_to_spaces $(actually_supported_ciphers "aRSA")); do + for ciph in $(colon_to_spaces $(actually_supported_osslciphers "aRSA")); do [[ "$ciph" =~ -RSA- ]] && ciphers_to_test+=":$ciph" done elif [[ "$1" =~ eRSA ]]; then ciphers_to_test="${ciphers_to_test/eRSA/}" - for ciph in $(colon_to_spaces $(actually_supported_ciphers "aRSA")); do + for ciph in $(colon_to_spaces $(actually_supported_osslciphers "aRSA")); do [[ ! "$ciph" =~ -RSA- ]] && ciphers_to_test+=":$ciph" done fi ciphers_to_test="${ciphers_to_test/::/:}" [[ "${ciphers_to_test:0:1}" == : ]] && ciphers_to_test="${ciphers_to_test:1}" - [[ $(count_ciphers $(actually_supported_ciphers "$ciphers_to_test")) -ge 1 ]] || return 1 + [[ $(count_ciphers $(actually_supported_osslciphers "$ciphers_to_test")) -ge 1 ]] || return 1 for proto in $protocols_to_try; do [[ 1 -eq $(has_server_protocol $proto) ]] && continue @@ -9437,7 +9438,7 @@ run_pfs() { sigalg[nr_supported_ciphers]="" ossl_supported[nr_supported_ciphers]=true nr_supported_ciphers+=1 - done < <(actually_supported_ciphers "$pfs_cipher_list" "ALL" "-V") + done < <(actually_supported_osslciphers "$pfs_cipher_list" "ALL" "-V") fi export="" @@ -9450,7 +9451,7 @@ run_pfs() { [[ $sclient_success -eq 2 ]] && sclient_success=0 else debugme echo $nr_supported_ciphers - debugme echo $(actually_supported_ciphers $pfs_cipher_list "ALL") + debugme echo $(actually_supported_osslciphers $pfs_cipher_list "ALL") if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then outln prln_local_problem "You only have $nr_supported_ciphers PFS ciphers on the client side " @@ -14582,11 +14583,11 @@ run_sweet32() { fi else nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers) - nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers)) + nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $sweet32_ciphers)) debugme echo "$nr_sweet32_ciphers / $nr_supported_ciphers" nr_ssl2_sweet32_ciphers=$(count_ciphers $ssl2_sweet32_ciphers) - nr_ssl2_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $ssl2_sweet32_ciphers)) + nr_ssl2_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $ssl2_sweet32_ciphers)) debugme echo "$nr_ssl2_sweet32_ciphers / $nr_ssl2_supported_ciphers" if [[ $(( nr_supported_ciphers + nr_ssl2_supported_ciphers )) -le $nr_cipher_minimal ]]; then @@ -14690,7 +14691,7 @@ run_ssl_poodle() { return 1 fi nr_cbc_ciphers=$(count_ciphers $cbc_ciphers) - nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $cbc_ciphers)) + nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $cbc_ciphers)) # SNI not needed as SSLv3 has none: $OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE &1 | grep -aq "unknown option" || \ HAS_NO_COMP=true - OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL' 'ALL')") + OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')") for curve in "${curves_ossl[@]}"; do $OPENSSL s_client -curves $curve -connect x 2>&1 | grep -Eiaq "Error with command|unknown option" @@ -17185,7 +17187,7 @@ USLEEP_REC $USLEEP_REC EOF type -p locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt - actually_supported_ciphers 'ALL:COMPLEMENTOFALL' 'ALL' "-V" &>$TEMPDIR/all_local_ciphers.txt + actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL' "-V" &>$TEMPDIR/all_local_ciphers.txt fi # see also $TEMPDIR/s_client_has.txt from find_openssl_binary } @@ -17199,9 +17201,9 @@ prepare_arrays() { if [[ -e "$CIPHERS_BY_STRENGTH_FILE" ]]; then "$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)" if "$HAS_SSL2"; then - ossl_supported_tls="$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-tls1 -V")" + ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-tls1 -V")" else - ossl_supported_tls="$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")" + ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")" fi TLS13_OSSL_CIPHERS="" while read hexc n TLS_CIPHER_OSSL_NAME[i] TLS_CIPHER_RFC_NAME[i] TLS_CIPHER_SSLVERS[i] TLS_CIPHER_KX[i] TLS_CIPHER_AUTH[i] TLS_CIPHER_ENC[i] mac TLS_CIPHER_EXPORT[i]; do @@ -17238,7 +17240,7 @@ mybanner() { "$QUIET" && return "$CHILD_MASS_TESTING" && return - OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL')") + OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL')") [[ -z "$GIT_REL" ]] && \ idtag="$CVS_REL" || \ idtag="$GIT_REL -- $CVS_REL_SHORT"