mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
run_cipher_per_proto() 128-cipher limit
Ensure that neither run_allciphers() nor run_cipher_per_proto() sends a ClientHello with 128 or more cipher suites.
This commit is contained in:
parent
adbb1932eb
commit
8c86049848
21
testssl.sh
21
testssl.sh
@ -1604,7 +1604,13 @@ run_allciphers() {
|
|||||||
|
|
||||||
# set ciphers_found[1] so that all bundles will be tested in round 0.
|
# set ciphers_found[1] so that all bundles will be tested in round 0.
|
||||||
ciphers_found[1]=true
|
ciphers_found[1]=true
|
||||||
round_num=0
|
# Some servers can't handle a handshake with >= 128 ciphers.
|
||||||
|
for (( round_num=0; bundle_size/4 >= 128; bundle_size/=4 )); do
|
||||||
|
round_num=$round_num+1
|
||||||
|
for (( i=4**$round_num; i<2*4**$round_num; i++ )); do
|
||||||
|
ciphers_found[i]=true
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
for (( bundle_size/=4; bundle_size>=1; bundle_size/=4 )); do
|
for (( bundle_size/=4; bundle_size>=1; bundle_size/=4 )); do
|
||||||
# Note that since the number of ciphers isn't a power of 4, the number
|
# Note that since the number of ciphers isn't a power of 4, the number
|
||||||
@ -1690,6 +1696,7 @@ run_cipher_per_proto() {
|
|||||||
outln " -ssl2 SSLv2\n -ssl3 SSLv3\n -tls1 TLS 1\n -tls1_1 TLS 1.1\n -tls1_2 TLS 1.2"| while read proto proto_text; do
|
outln " -ssl2 SSLv2\n -ssl3 SSLv3\n -tls1 TLS 1\n -tls1_1 TLS 1.1\n -tls1_2 TLS 1.2"| while read proto proto_text; do
|
||||||
locally_supported "$proto" "$proto_text" || continue
|
locally_supported "$proto" "$proto_text" || continue
|
||||||
outln
|
outln
|
||||||
|
has_server_protocol "${proto:1}" || continue
|
||||||
|
|
||||||
# get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values)
|
# get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values)
|
||||||
nr_ciphers=0
|
nr_ciphers=0
|
||||||
@ -1710,7 +1717,14 @@ run_cipher_per_proto() {
|
|||||||
|
|
||||||
# set ciphers_found[1] so that the complete bundle will be tested in round 0.
|
# set ciphers_found[1] so that the complete bundle will be tested in round 0.
|
||||||
ciphers_found[1]=true
|
ciphers_found[1]=true
|
||||||
for (( round_num=0; bundle_size>=1; bundle_size/=4 )); do
|
# Some servers can't handle a handshake with >= 128 ciphers.
|
||||||
|
for (( round_num=0; bundle_size>=128; bundle_size/=4 )); do
|
||||||
|
round_num=$round_num+1
|
||||||
|
for (( i=4**$round_num; i<2*4**$round_num; i++ )); do
|
||||||
|
ciphers_found[i]=true
|
||||||
|
done
|
||||||
|
done
|
||||||
|
for (( 1; bundle_size>=1; bundle_size/=4 )); do
|
||||||
# Note that since the number of ciphers isn't a power of 4, the number
|
# Note that since the number of ciphers isn't a power of 4, the number
|
||||||
# of bundles may be may be less than 4**(round_num+1), and the final
|
# of bundles may be may be less than 4**(round_num+1), and the final
|
||||||
# bundle may have fewer than bundle_size ciphers.
|
# bundle may have fewer than bundle_size ciphers.
|
||||||
@ -2229,7 +2243,7 @@ add_tls_offered() {
|
|||||||
# function which checks whether SSLv2 - TLS 1.2 is being offereed
|
# function which checks whether SSLv2 - TLS 1.2 is being offereed
|
||||||
has_server_protocol() {
|
has_server_protocol() {
|
||||||
[[ -z "$PROTOS_OFFERED" ]] && return 0 # if empty we rather return 0, means check at additional cost=connect will be done
|
[[ -z "$PROTOS_OFFERED" ]] && return 0 # if empty we rather return 0, means check at additional cost=connect will be done
|
||||||
if grep -w "$1" <<< "$PROTOS_OFFERED"; then
|
if grep -qw "$1" <<< "$PROTOS_OFFERED"; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
return 1
|
return 1
|
||||||
@ -2341,7 +2355,6 @@ run_protocols() {
|
|||||||
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
||||||
outln
|
outln
|
||||||
fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL"
|
fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL"
|
||||||
add_tls_offered "tls1"
|
|
||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
outln "$supported_no_ciph1" # protocol ok, but no cipher
|
outln "$supported_no_ciph1" # protocol ok, but no cipher
|
||||||
|
Loading…
Reference in New Issue
Block a user