Minor internal code improvements
* rename actually_supported_ciphers() to actually_supported_osslciphers() * remove some redundant quotes at rhs of double brackets checks
This commit is contained in:
parent
442c728187
commit
849a41a371
94
testssl.sh
94
testssl.sh
|
@ -1211,10 +1211,10 @@ count_ciphers() {
|
||||||
#arg1: TLS 1.2 and below ciphers
|
#arg1: TLS 1.2 and below ciphers
|
||||||
#arg2: TLS 1.3 ciphers
|
#arg2: TLS 1.3 ciphers
|
||||||
#arg3: options (e.g., -V)
|
#arg3: options (e.g., -V)
|
||||||
actually_supported_ciphers() {
|
actually_supported_osslciphers() {
|
||||||
local tls13_ciphers="$TLS13_OSSL_CIPHERS"
|
local tls13_ciphers="$TLS13_OSSL_CIPHERS"
|
||||||
|
|
||||||
[[ "$2" != "ALL" ]] && tls13_ciphers="$2"
|
[[ "$2" != ALL ]] && tls13_ciphers="$2"
|
||||||
if "$HAS_CIPHERSUITES"; then
|
if "$HAS_CIPHERSUITES"; then
|
||||||
$OPENSSL ciphers $3 $OSSL_CIPHERS_S -ciphersuites "$tls13_ciphers" "$1" 2>/dev/null || echo ""
|
$OPENSSL ciphers $3 $OSSL_CIPHERS_S -ciphersuites "$tls13_ciphers" "$1" 2>/dev/null || echo ""
|
||||||
elif [[ -n "$tls13_ciphers" ]]; then
|
elif [[ -n "$tls13_ciphers" ]]; then
|
||||||
|
@ -3116,14 +3116,14 @@ prettyprint_local() {
|
||||||
neat_header
|
neat_header
|
||||||
|
|
||||||
if [[ -z "$1" ]]; then
|
if [[ -z "$1" ]]; then
|
||||||
actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V" | while read -r hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
|
actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V" | while read -r hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
|
||||||
hexc="$(normalize_ciphercode $hexcode)"
|
hexc="$(normalize_ciphercode $hexcode)"
|
||||||
outln "$(neat_list "$hexc" "$ciph" "$kx" "$enc")"
|
outln "$(neat_list "$hexc" "$ciph" "$kx" "$enc")"
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
#for arg in $(echo $@ | sed 's/,/ /g'); do
|
#for arg in $(echo $@ | sed 's/,/ /g'); do
|
||||||
for arg in ${*//,/ /}; do
|
for arg in ${*//,/ /}; do
|
||||||
actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V" | while read -r hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
|
actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V" | while read -r hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
|
||||||
hexc="$(normalize_ciphercode $hexcode)"
|
hexc="$(normalize_ciphercode $hexcode)"
|
||||||
# for numbers we don't do word matching:
|
# for numbers we don't do word matching:
|
||||||
[[ $arg =~ $re ]] && \
|
[[ $arg =~ $re ]] && \
|
||||||
|
@ -3463,14 +3463,14 @@ run_cipher_match(){
|
||||||
ossl_supported[nr_ciphers]=true
|
ossl_supported[nr_ciphers]=true
|
||||||
nr_ciphers+=1
|
nr_ciphers+=1
|
||||||
fi
|
fi
|
||||||
done < <(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")
|
done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")no sockets, openssl
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Test the SSLv2 ciphers, if any.
|
# Test the SSLv2 ciphers, if any.
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
ciphers_to_test=""
|
ciphers_to_test=""
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
if [[ "${sslvers[i]}" == "SSLv2" ]]; then
|
if [[ "${sslvers[i]}" == SSLv2 ]]; then
|
||||||
ciphers_to_test+=", ${hexcode[i]}"
|
ciphers_to_test+=", ${hexcode[i]}"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -3480,7 +3480,7 @@ run_cipher_match(){
|
||||||
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
||||||
"$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")"
|
"$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")"
|
||||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
|
if [[ "${sslvers[i]}" == SSLv2 ]] && [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
|
||||||
ciphers_found[i]=true
|
ciphers_found[i]=true
|
||||||
"$SHOW_SIGALGO" && sigalg[i]="$s"
|
"$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||||
fi
|
fi
|
||||||
|
@ -3490,7 +3490,7 @@ run_cipher_match(){
|
||||||
else
|
else
|
||||||
ciphers_to_test=""
|
ciphers_to_test=""
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
if [[ "${sslvers[i]}" == "SSLv2" ]]; then
|
if [[ "${sslvers[i]}" == SSLv2 ]]; then
|
||||||
ciphers_to_test+=":${ciph[i]}"
|
ciphers_to_test+=":${ciph[i]}"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -3501,7 +3501,7 @@ run_cipher_match(){
|
||||||
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
|
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
|
||||||
"$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
|
"$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
|
||||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
|
if [[ "${sslvers[i]}" == SSLv2 ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
|
||||||
ciphers_found[i]=true
|
ciphers_found[i]=true
|
||||||
"$SHOW_SIGALGO" && sigalg[i]="$s"
|
"$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||||
fi
|
fi
|
||||||
|
@ -3540,7 +3540,7 @@ run_cipher_match(){
|
||||||
"$HAS_SSL3" && protos_to_try+=" -ssl3"
|
"$HAS_SSL3" && protos_to_try+=" -ssl3"
|
||||||
|
|
||||||
for proto in $protos_to_try; do
|
for proto in $protos_to_try; do
|
||||||
if [[ "$proto" == "-tls1_1" ]]; then
|
if [[ "$proto" == -tls1_1 ]]; then
|
||||||
num_bundles=1
|
num_bundles=1
|
||||||
bundle_size=$nr_ossl_ciphers
|
bundle_size=$nr_ossl_ciphers
|
||||||
fi
|
fi
|
||||||
|
@ -3619,7 +3619,7 @@ run_cipher_match(){
|
||||||
! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}"
|
! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}"
|
||||||
done
|
done
|
||||||
[[ -z "$ciphers_to_test" ]] && break
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
[[ "$proto" == "04" ]] && [[ ! "$ciphers_to_test" =~ ,\ 13,[0-9a-f][0-9a-f] ]] && break
|
[[ "$proto" == 04 ]] && [[ ! "$ciphers_to_test" =~ ,\ 13,[0-9a-f][0-9a-f] ]] && break
|
||||||
ciphers_to_test="$(strip_inconsistent_ciphers "$proto" "$ciphers_to_test")"
|
ciphers_to_test="$(strip_inconsistent_ciphers "$proto" "$ciphers_to_test")"
|
||||||
[[ -z "$ciphers_to_test" ]] && break
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
if "$SHOW_SIGALGO"; then
|
if "$SHOW_SIGALGO"; then
|
||||||
|
@ -3709,7 +3709,7 @@ run_allciphers() {
|
||||||
fi
|
fi
|
||||||
if [[ ${#hexc} -eq 9 ]]; then
|
if [[ ${#hexc} -eq 9 ]]; then
|
||||||
hexcode[i]="${hexc:2:2},${hexc:7:2}"
|
hexcode[i]="${hexc:2:2},${hexc:7:2}"
|
||||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
if [[ "${hexc:2:2}" == 00 ]]; then
|
||||||
normalized_hexcode[i]="x${hexc:7:2}"
|
normalized_hexcode[i]="x${hexc:7:2}"
|
||||||
else
|
else
|
||||||
normalized_hexcode[i]="x${hexc:2:2}${hexc:7:2}"
|
normalized_hexcode[i]="x${hexc:2:2}${hexc:7:2}"
|
||||||
|
@ -3728,7 +3728,7 @@ run_allciphers() {
|
||||||
while read -r hexc n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
|
while read -r hexc n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
|
||||||
ciphers_found[nr_ciphers]=false
|
ciphers_found[nr_ciphers]=false
|
||||||
if [[ ${#hexc} -eq 9 ]]; then
|
if [[ ${#hexc} -eq 9 ]]; then
|
||||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
if [[ "${hexc:2:2}" == 00 ]]; then
|
||||||
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:7:2}")"
|
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:7:2}")"
|
||||||
else
|
else
|
||||||
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:2:2}${hexc:7:2}")"
|
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:2:2}${hexc:7:2}")"
|
||||||
|
@ -3739,7 +3739,7 @@ run_allciphers() {
|
||||||
sigalg[nr_ciphers]=""
|
sigalg[nr_ciphers]=""
|
||||||
ossl_supported[nr_ciphers]=true
|
ossl_supported[nr_ciphers]=true
|
||||||
nr_ciphers=$nr_ciphers+1
|
nr_ciphers=$nr_ciphers+1
|
||||||
done < <(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")
|
done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")
|
||||||
nr_ciphers_tested=$nr_ciphers
|
nr_ciphers_tested=$nr_ciphers
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -3762,7 +3762,7 @@ run_allciphers() {
|
||||||
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
|
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
|
||||||
"$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
|
"$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
|
||||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
|
if [[ "${sslvers[i]}" == SSLv2 ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
|
||||||
ciphers_found[i]=true
|
ciphers_found[i]=true
|
||||||
"$SHOW_SIGALGO" && sigalg[i]="$s"
|
"$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||||
fi
|
fi
|
||||||
|
@ -3817,7 +3817,7 @@ run_allciphers() {
|
||||||
"$HAS_SSL3" && protos_to_try+=" -ssl3"
|
"$HAS_SSL3" && protos_to_try+=" -ssl3"
|
||||||
|
|
||||||
for proto in $protos_to_try; do
|
for proto in $protos_to_try; do
|
||||||
if [[ "$proto" == "-tls1_1" ]]; then
|
if [[ "$proto" == -tls1_1 ]]; then
|
||||||
num_bundles=1
|
num_bundles=1
|
||||||
bundle_size=$nr_ossl_ciphers
|
bundle_size=$nr_ossl_ciphers
|
||||||
fi
|
fi
|
||||||
|
@ -3865,7 +3865,7 @@ run_allciphers() {
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
if ! "${ciphers_found[i]}"; then
|
if ! "${ciphers_found[i]}"; then
|
||||||
[[ "${sslvers[i]}" == "SSLv2" ]] && continue
|
[[ "${sslvers[i]}" == SSLv2 ]] && continue
|
||||||
ciphers_found2[nr_nonossl_ciphers]=false
|
ciphers_found2[nr_nonossl_ciphers]=false
|
||||||
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
|
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
|
||||||
rfc_ciph2[nr_nonossl_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
|
rfc_ciph2[nr_nonossl_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
|
||||||
|
@ -3899,7 +3899,7 @@ run_allciphers() {
|
||||||
! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}"
|
! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}"
|
||||||
done
|
done
|
||||||
[[ -z "$ciphers_to_test" ]] && break
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
[[ "$proto" == "04" ]] && [[ ! "$ciphers_to_test" =~ ,\ 13,[0-9a-f][0-9a-f] ]] && break
|
[[ "$proto" == 04 ]] && [[ ! "$ciphers_to_test" =~ ,\ 13,[0-9a-f][0-9a-f] ]] && break
|
||||||
ciphers_to_test="$(strip_inconsistent_ciphers "$proto" "$ciphers_to_test")"
|
ciphers_to_test="$(strip_inconsistent_ciphers "$proto" "$ciphers_to_test")"
|
||||||
[[ -z "$ciphers_to_test" ]] && break
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
if "$SHOW_SIGALGO"; then
|
if "$SHOW_SIGALGO"; then
|
||||||
|
@ -3997,7 +3997,7 @@ ciphers_by_strength() {
|
||||||
fi
|
fi
|
||||||
if [[ ${#hexc} -eq 9 ]]; then
|
if [[ ${#hexc} -eq 9 ]]; then
|
||||||
hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}"
|
hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}"
|
||||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
if [[ "${hexc:2:2}" == 00 ]]; then
|
||||||
normalized_hexcode[nr_ciphers]="x${hexc:7:2}"
|
normalized_hexcode[nr_ciphers]="x${hexc:7:2}"
|
||||||
else
|
else
|
||||||
normalized_hexcode[nr_ciphers]="x${hexc:2:2}${hexc:7:2}"
|
normalized_hexcode[nr_ciphers]="x${hexc:2:2}${hexc:7:2}"
|
||||||
|
@ -4051,10 +4051,10 @@ ciphers_by_strength() {
|
||||||
sigalg[nr_ciphers]=""
|
sigalg[nr_ciphers]=""
|
||||||
ossl_supported[nr_ciphers]=true
|
ossl_supported[nr_ciphers]=true
|
||||||
nr_ciphers+=1
|
nr_ciphers+=1
|
||||||
done < <(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "$ossl_ciphers_proto -V")
|
done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "$ossl_ciphers_proto -V")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$proto" == "-ssl2" ]]; then
|
if [[ "$proto" == -ssl2 ]]; then
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
sslv2_sockets "${sslv2_ciphers:2}" "true"
|
sslv2_sockets "${sslv2_ciphers:2}" "true"
|
||||||
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
||||||
|
@ -4396,7 +4396,7 @@ client_simulation_sockets() {
|
||||||
local tls_hello_ascii next_packet hello_done=0
|
local tls_hello_ascii next_packet hello_done=0
|
||||||
local -i sid_len offset1 offset2
|
local -i sid_len offset1 offset2
|
||||||
|
|
||||||
if [[ "${1:0:4}" == "1603" ]]; then
|
if [[ "${1:0:4}" == 1603 ]]; then
|
||||||
clienthello="$(modify_clienthello "$1")"
|
clienthello="$(modify_clienthello "$1")"
|
||||||
TLS_CLIENT_HELLO="${clienthello:10}"
|
TLS_CLIENT_HELLO="${clienthello:10}"
|
||||||
else
|
else
|
||||||
|
@ -4411,7 +4411,7 @@ client_simulation_sockets() {
|
||||||
# this appeared 1st in yassl + MySQL (https://github.com/drwetter/testssl.sh/pull/784) but adds
|
# this appeared 1st in yassl + MySQL (https://github.com/drwetter/testssl.sh/pull/784) but adds
|
||||||
# robustness to the implementation
|
# robustness to the implementation
|
||||||
# see also https://github.com/drwetter/testssl.sh/pull/797
|
# see also https://github.com/drwetter/testssl.sh/pull/797
|
||||||
if [[ "${1:0:4}" == "1603" ]]; then
|
if [[ "${1:0:4}" == 1603 ]]; then
|
||||||
# Extact list of cipher suites from SSLv3 or later ClientHello
|
# Extact list of cipher suites from SSLv3 or later ClientHello
|
||||||
sid_len=4*$(hex2dec "${data:174:2}")
|
sid_len=4*$(hex2dec "${data:174:2}")
|
||||||
offset1=178+$sid_len
|
offset1=178+$sid_len
|
||||||
|
@ -4425,7 +4425,7 @@ client_simulation_sockets() {
|
||||||
for (( i=22; i < 22+len; i=i+6 )); do
|
for (( i=22; i < 22+len; i=i+6 )); do
|
||||||
offset1=$i+2
|
offset1=$i+2
|
||||||
offset2=$i+4
|
offset2=$i+4
|
||||||
[[ "${clienthello:i:2}" == "00" ]] && cipher_list_2send+=", ${clienthello:offset1:2},${clienthello:offset2:2}"
|
[[ "${clienthello:i:2}" == 00 ]] && cipher_list_2send+=", ${clienthello:offset1:2},${clienthello:offset2:2}"
|
||||||
done
|
done
|
||||||
code2network "$(tolower "${cipher_list_2send:2}")" # convert CIPHER_SUITES to a "standardized" format
|
code2network "$(tolower "${cipher_list_2send:2}")" # convert CIPHER_SUITES to a "standardized" format
|
||||||
fi
|
fi
|
||||||
|
@ -4497,7 +4497,7 @@ client_simulation_sockets() {
|
||||||
hexdump -C $SOCK_REPLY_FILE | head -6
|
hexdump -C $SOCK_REPLY_FILE | head -6
|
||||||
echo
|
echo
|
||||||
fi
|
fi
|
||||||
if [[ "${tls_hello_ascii:0:1}" == "8" ]]; then
|
if [[ "${tls_hello_ascii:0:1}" == 8 ]]; then
|
||||||
parse_sslv2_serverhello "$SOCK_REPLY_FILE" "false"
|
parse_sslv2_serverhello "$SOCK_REPLY_FILE" "false"
|
||||||
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
||||||
echo "Protocol : SSLv2" > "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt"
|
echo "Protocol : SSLv2" > "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt"
|
||||||
|
@ -5535,7 +5535,7 @@ listciphers() {
|
||||||
local debugname=""
|
local debugname=""
|
||||||
local tls13_ciphers="$TLS13_OSSL_CIPHERS"
|
local tls13_ciphers="$TLS13_OSSL_CIPHERS"
|
||||||
|
|
||||||
[[ "$2" != "ALL" ]] && tls13_ciphers="$2"
|
[[ "$2" != ALL ]] && tls13_ciphers="$2"
|
||||||
if "$HAS_CIPHERSUITES"; then
|
if "$HAS_CIPHERSUITES"; then
|
||||||
$OPENSSL ciphers $OSSL_CIPHERS_S $3 -ciphersuites "$tls13_ciphers" "$1" &>$TMPFILE
|
$OPENSSL ciphers $OSSL_CIPHERS_S $3 -ciphersuites "$tls13_ciphers" "$1" &>$TMPFILE
|
||||||
elif [[ -n "$tls13_ciphers" ]]; then
|
elif [[ -n "$tls13_ciphers" ]]; then
|
||||||
|
@ -6314,7 +6314,7 @@ run_server_preference() {
|
||||||
[[ $DEBUG -ge 4 ]] && echo -e "\n Forward: ${list_fwd}"
|
[[ $DEBUG -ge 4 ]] && echo -e "\n Forward: ${list_fwd}"
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2") </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2") </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
list_fwd="$(actually_supported_ciphers $list_fwd '' '-tls1')"
|
list_fwd="$(actually_supported_osslciphers $list_fwd '' '-tls1')"
|
||||||
pr_warning "no matching cipher in this list found (pls report this): "
|
pr_warning "no matching cipher in this list found (pls report this): "
|
||||||
outln "$list_fwd . "
|
outln "$list_fwd . "
|
||||||
fileout "$jsonID" "WARN" "Could not determine server cipher order, no matching cipher in list found (pls report this): $list_fwd"
|
fileout "$jsonID" "WARN" "Could not determine server cipher order, no matching cipher in list found (pls report this): $list_fwd"
|
||||||
|
@ -7444,23 +7444,24 @@ get_server_certificate() {
|
||||||
# no DNS name was provided at the command line).
|
# no DNS name was provided at the command line).
|
||||||
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
|
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
|
||||||
else
|
else
|
||||||
|
# no sockets, openssl
|
||||||
ciphers_to_test="$1"
|
ciphers_to_test="$1"
|
||||||
if [[ "$1" =~ aRSA ]] && [[ "$1" =~ eRSA ]]; then
|
if [[ "$1" =~ aRSA ]] && [[ "$1" =~ eRSA ]]; then
|
||||||
ciphers_to_test="${ciphers_to_test/eRSA/}"
|
ciphers_to_test="${ciphers_to_test/eRSA/}"
|
||||||
elif [[ "$1" =~ aRSA ]]; then
|
elif [[ "$1" =~ aRSA ]]; then
|
||||||
ciphers_to_test="${ciphers_to_test/aRSA/}"
|
ciphers_to_test="${ciphers_to_test/aRSA/}"
|
||||||
for ciph in $(colon_to_spaces $(actually_supported_ciphers "aRSA")); do
|
for ciph in $(colon_to_spaces $(actually_supported_osslciphers "aRSA")); do
|
||||||
[[ "$ciph" =~ -RSA- ]] && ciphers_to_test+=":$ciph"
|
[[ "$ciph" =~ -RSA- ]] && ciphers_to_test+=":$ciph"
|
||||||
done
|
done
|
||||||
elif [[ "$1" =~ eRSA ]]; then
|
elif [[ "$1" =~ eRSA ]]; then
|
||||||
ciphers_to_test="${ciphers_to_test/eRSA/}"
|
ciphers_to_test="${ciphers_to_test/eRSA/}"
|
||||||
for ciph in $(colon_to_spaces $(actually_supported_ciphers "aRSA")); do
|
for ciph in $(colon_to_spaces $(actually_supported_osslciphers "aRSA")); do
|
||||||
[[ ! "$ciph" =~ -RSA- ]] && ciphers_to_test+=":$ciph"
|
[[ ! "$ciph" =~ -RSA- ]] && ciphers_to_test+=":$ciph"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
ciphers_to_test="${ciphers_to_test/::/:}"
|
ciphers_to_test="${ciphers_to_test/::/:}"
|
||||||
[[ "${ciphers_to_test:0:1}" == : ]] && ciphers_to_test="${ciphers_to_test:1}"
|
[[ "${ciphers_to_test:0:1}" == : ]] && ciphers_to_test="${ciphers_to_test:1}"
|
||||||
[[ $(count_ciphers $(actually_supported_ciphers "$ciphers_to_test")) -ge 1 ]] || return 1
|
[[ $(count_ciphers $(actually_supported_osslciphers "$ciphers_to_test")) -ge 1 ]] || return 1
|
||||||
|
|
||||||
for proto in $protocols_to_try; do
|
for proto in $protocols_to_try; do
|
||||||
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
|
[[ 1 -eq $(has_server_protocol $proto) ]] && continue
|
||||||
|
@ -9437,7 +9438,7 @@ run_pfs() {
|
||||||
sigalg[nr_supported_ciphers]=""
|
sigalg[nr_supported_ciphers]=""
|
||||||
ossl_supported[nr_supported_ciphers]=true
|
ossl_supported[nr_supported_ciphers]=true
|
||||||
nr_supported_ciphers+=1
|
nr_supported_ciphers+=1
|
||||||
done < <(actually_supported_ciphers "$pfs_cipher_list" "ALL" "-V")
|
done < <(actually_supported_osslciphers "$pfs_cipher_list" "ALL" "-V")
|
||||||
fi
|
fi
|
||||||
export=""
|
export=""
|
||||||
|
|
||||||
|
@ -9450,7 +9451,7 @@ run_pfs() {
|
||||||
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
||||||
else
|
else
|
||||||
debugme echo $nr_supported_ciphers
|
debugme echo $nr_supported_ciphers
|
||||||
debugme echo $(actually_supported_ciphers $pfs_cipher_list "ALL")
|
debugme echo $(actually_supported_osslciphers $pfs_cipher_list "ALL")
|
||||||
if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then
|
if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then
|
||||||
outln
|
outln
|
||||||
prln_local_problem "You only have $nr_supported_ciphers PFS ciphers on the client side "
|
prln_local_problem "You only have $nr_supported_ciphers PFS ciphers on the client side "
|
||||||
|
@ -14582,11 +14583,11 @@ run_sweet32() {
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
|
nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
|
||||||
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers))
|
nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $sweet32_ciphers))
|
||||||
debugme echo "$nr_sweet32_ciphers / $nr_supported_ciphers"
|
debugme echo "$nr_sweet32_ciphers / $nr_supported_ciphers"
|
||||||
|
|
||||||
nr_ssl2_sweet32_ciphers=$(count_ciphers $ssl2_sweet32_ciphers)
|
nr_ssl2_sweet32_ciphers=$(count_ciphers $ssl2_sweet32_ciphers)
|
||||||
nr_ssl2_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $ssl2_sweet32_ciphers))
|
nr_ssl2_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $ssl2_sweet32_ciphers))
|
||||||
debugme echo "$nr_ssl2_sweet32_ciphers / $nr_ssl2_supported_ciphers"
|
debugme echo "$nr_ssl2_sweet32_ciphers / $nr_ssl2_supported_ciphers"
|
||||||
|
|
||||||
if [[ $(( nr_supported_ciphers + nr_ssl2_supported_ciphers )) -le $nr_cipher_minimal ]]; then
|
if [[ $(( nr_supported_ciphers + nr_ssl2_supported_ciphers )) -le $nr_cipher_minimal ]]; then
|
||||||
|
@ -14690,7 +14691,7 @@ run_ssl_poodle() {
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
nr_cbc_ciphers=$(count_ciphers $cbc_ciphers)
|
nr_cbc_ciphers=$(count_ciphers $cbc_ciphers)
|
||||||
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $cbc_ciphers))
|
nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $cbc_ciphers))
|
||||||
# SNI not needed as SSLv3 has none:
|
# SNI not needed as SSLv3 has none:
|
||||||
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
|
@ -14899,7 +14900,7 @@ run_freak() {
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
nr_supported_ciphers=$(count_words "$exportrsa_tls_cipher_list_hex")+$(count_words "$exportrsa_ssl2_cipher_list_hex")
|
nr_supported_ciphers=$(count_words "$exportrsa_tls_cipher_list_hex")+$(count_words "$exportrsa_ssl2_cipher_list_hex")
|
||||||
else
|
else
|
||||||
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportrsa_cipher_list))
|
nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $exportrsa_cipher_list))
|
||||||
fi
|
fi
|
||||||
#echo "========= ${PIPESTATUS[*]}
|
#echo "========= ${PIPESTATUS[*]}
|
||||||
|
|
||||||
|
@ -14965,7 +14966,7 @@ run_freak() {
|
||||||
done
|
done
|
||||||
tmln_out
|
tmln_out
|
||||||
else
|
else
|
||||||
actually_supported_ciphers $exportrsa_cipher_list
|
actually_supported_osslciphers $exportrsa_cipher_list
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
debugme echo $nr_supported_ciphers
|
debugme echo $nr_supported_ciphers
|
||||||
|
@ -15081,7 +15082,7 @@ run_logjam() {
|
||||||
# Also as the openssl binary distributed has everything we need measurements show that
|
# Also as the openssl binary distributed has everything we need measurements show that
|
||||||
# there's no impact whether we use sockets or TLS here, so the default is sockets here
|
# there's no impact whether we use sockets or TLS here, so the default is sockets here
|
||||||
if ! "$using_sockets"; then
|
if ! "$using_sockets"; then
|
||||||
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdh_cipher_list))
|
nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $exportdh_cipher_list))
|
||||||
debugme echo $nr_supported_ciphers
|
debugme echo $nr_supported_ciphers
|
||||||
case $nr_supported_ciphers in
|
case $nr_supported_ciphers in
|
||||||
0) prln_local_problem "$OPENSSL doesn't have any DH EXPORT ciphers configured"
|
0) prln_local_problem "$OPENSSL doesn't have any DH EXPORT ciphers configured"
|
||||||
|
@ -15120,7 +15121,7 @@ run_logjam() {
|
||||||
done
|
done
|
||||||
tmln_out
|
tmln_out
|
||||||
else
|
else
|
||||||
echo $(actually_supported_ciphers $exportdh_cipher_list)
|
echo $(actually_supported_osslciphers $exportdh_cipher_list)
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -15379,6 +15380,7 @@ run_beast(){
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
|
# no sockets, openssl
|
||||||
while read hexc dash ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
|
while read hexc dash ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
|
||||||
if [[ ":${cbc_cipher_list}:" =~ :${ciph[nr_ciphers]}: ]]; then
|
if [[ ":${cbc_cipher_list}:" =~ :${ciph[nr_ciphers]}: ]]; then
|
||||||
ossl_supported[nr_ciphers]=true
|
ossl_supported[nr_ciphers]=true
|
||||||
|
@ -15389,7 +15391,7 @@ run_beast(){
|
||||||
fi
|
fi
|
||||||
nr_ciphers+=1
|
nr_ciphers+=1
|
||||||
fi
|
fi
|
||||||
done < <(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-tls1 -V")
|
done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-tls1 -V")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# first determine whether it's mitigated by higher protocols
|
# first determine whether it's mitigated by higher protocols
|
||||||
|
@ -15644,7 +15646,7 @@ run_lucky13() {
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
nr_cbc_ciphers=$(count_ciphers $cbc_ciphers)
|
nr_cbc_ciphers=$(count_ciphers $cbc_ciphers)
|
||||||
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $cbc_ciphers))
|
nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $cbc_ciphers))
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -no_ssl2 -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -no_ssl2 -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
|
@ -16787,7 +16789,7 @@ find_openssl_binary() {
|
||||||
$OPENSSL s_client -no_comp -connect x 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL s_client -no_comp -connect x 2>&1 | grep -aq "unknown option" || \
|
||||||
HAS_NO_COMP=true
|
HAS_NO_COMP=true
|
||||||
|
|
||||||
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
|
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
|
||||||
|
|
||||||
for curve in "${curves_ossl[@]}"; do
|
for curve in "${curves_ossl[@]}"; do
|
||||||
$OPENSSL s_client -curves $curve -connect x 2>&1 | grep -Eiaq "Error with command|unknown option"
|
$OPENSSL s_client -curves $curve -connect x 2>&1 | grep -Eiaq "Error with command|unknown option"
|
||||||
|
@ -17185,7 +17187,7 @@ USLEEP_REC $USLEEP_REC
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
type -p locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt
|
type -p locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt
|
||||||
actually_supported_ciphers 'ALL:COMPLEMENTOFALL' 'ALL' "-V" &>$TEMPDIR/all_local_ciphers.txt
|
actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL' "-V" &>$TEMPDIR/all_local_ciphers.txt
|
||||||
fi
|
fi
|
||||||
# see also $TEMPDIR/s_client_has.txt from find_openssl_binary
|
# see also $TEMPDIR/s_client_has.txt from find_openssl_binary
|
||||||
}
|
}
|
||||||
|
@ -17199,9 +17201,9 @@ prepare_arrays() {
|
||||||
if [[ -e "$CIPHERS_BY_STRENGTH_FILE" ]]; then
|
if [[ -e "$CIPHERS_BY_STRENGTH_FILE" ]]; then
|
||||||
"$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
|
"$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
|
||||||
if "$HAS_SSL2"; then
|
if "$HAS_SSL2"; then
|
||||||
ossl_supported_tls="$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-tls1 -V")"
|
ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-tls1 -V")"
|
||||||
else
|
else
|
||||||
ossl_supported_tls="$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")"
|
ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")"
|
||||||
fi
|
fi
|
||||||
TLS13_OSSL_CIPHERS=""
|
TLS13_OSSL_CIPHERS=""
|
||||||
while read hexc n TLS_CIPHER_OSSL_NAME[i] TLS_CIPHER_RFC_NAME[i] TLS_CIPHER_SSLVERS[i] TLS_CIPHER_KX[i] TLS_CIPHER_AUTH[i] TLS_CIPHER_ENC[i] mac TLS_CIPHER_EXPORT[i]; do
|
while read hexc n TLS_CIPHER_OSSL_NAME[i] TLS_CIPHER_RFC_NAME[i] TLS_CIPHER_SSLVERS[i] TLS_CIPHER_KX[i] TLS_CIPHER_AUTH[i] TLS_CIPHER_ENC[i] mac TLS_CIPHER_EXPORT[i]; do
|
||||||
|
@ -17238,7 +17240,7 @@ mybanner() {
|
||||||
|
|
||||||
"$QUIET" && return
|
"$QUIET" && return
|
||||||
"$CHILD_MASS_TESTING" && return
|
"$CHILD_MASS_TESTING" && return
|
||||||
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL')")
|
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL')")
|
||||||
[[ -z "$GIT_REL" ]] && \
|
[[ -z "$GIT_REL" ]] && \
|
||||||
idtag="$CVS_REL" || \
|
idtag="$CVS_REL" || \
|
||||||
idtag="$GIT_REL -- $CVS_REL_SHORT"
|
idtag="$GIT_REL -- $CVS_REL_SHORT"
|
||||||
|
|
Loading…
Reference in New Issue