Merge pull request #1240 from drwetter/more_client_sim

Major upgrade of some client simulations

CHANGELOG.veryold-releases.txt

@@ -0,0 +1,396 @@
+
+2.6 New:
+  * display matching host key (HPKP)
+  * LOGJAM 1: check DHE_EXPORT cipher
+  * LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers
+  * "wide mode" option for checks like RC4, BEAST. PFS. Displays hexcode, kx, strength, DH bits, RFC name
+  * binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit)
+  * OS X binaries (@jvehent, new builds: @jpluimers)
+  * ARM binary (@f-s)
+  * FreeBSD binary
+  * TLS_FALLBACK_SCSV check -- thx @JonnyHightower
+  * (HTTP) proxy support! Also with sockets -- thx @jnewbigin
+  * Extended validation certificate detection
+  * Run in default mode through all ciphers at the end of a default run
+  * will test multiple IP addresses of one supplied server name in one shot, --ip= restricts it accordingly
+  * new mass testing file option --file option where testssl.sh commands are being read from, see https://twitter.com/drwetter/status/627619848344989696
+  * TLS time and HTTP time stamps
+  * TLS time displayed also for STARTTLS protocols
+  * support of sockets for STARTTLS protocols
+  * TLS 1.0-1.1 as socket checks per default in production
+  * further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.)
+  * can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams).
+  * quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
+  * lots of fixes, code improvements, even more robust
+
+Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
+
+2.4 New:
+  * "only one cmd line option at a time" is completely gone
+  * several tuning parameters on the cmd line (only available through environment variables b4): --assuming-http, --ssl-native, --sneaky, --warnings, --color, -- debug, --long
+  * certificate information
+  * more HTTP header infos (cookies+security headers)
+  * protocol check via bash sockets for SSLv2+v3
+  * debug handling significantly improved (verbosity/each function leaves files in $TEMPDIR)
+  * BEAST check
+  * FREAK check
+  * check for Secure Client-Initiated Renegotiation
+  * lots of cosmetic and maintainability code cleanups
+  * bugfixing
+
+Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh
+
+
+2.2. new features as:
+  * works fully under BSD (openssl >=1.0)
+  * single cipher check (-x) with pattern of hexcode/cipher
+  * check for POODLE SSL
+  * HPKP check
+  * OCSP stapling
+  * GOST and CHACHA20 POLY1305 cipher support
+  * service detection (HTTP, IMAP, POP, SMTP)
+  * runs now with all colors, b/w screen, no escape codes at all
+  * protocol check better
+  * job control removes stalling
+  * RFC <---> OpenSSL name space mapping of ciphers everywhere
+  * includes a lot of fixes  
+
+Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
+
+
+2.0 major release, new features:
+  * SNI
+  * STARTTLS fully supported
+  * RC4 check
+  * (P)FS check
+  * SPDY check
+  * color codes make more sense now
+  * cipher hexcodes are shown
+  * tests ciphers per protocol 
+  * HSTS
+  * web and application server banner 
+  * server preferences
+  * TLS server extensions
+  * server key size
+  * cipher suite mapping from openssl to RFC 
+  * heartbleed check
+  * CCS injection check
+
+---------------------
+Details:
+
+1.112
+- IPv6 display fix
+
+1.111
+- NEW: tested under FreeBSD (works with exception of xxd in CCS)
+- getent now works under Linux and FreeBSD
+- sed -i in hsts sacrificed for compatibility
+- removed query for IP for finishing banner, is now called once in parse_hn_port
+- GOST warning after banner
+- empty build date is not displayed anymore
+- long build date strings minimized
+- FIXED: IPv6 address are displayed again
+
+1.110
+- NEW: adding Russian GOST cipher support by providing a config file on the fly
+- adding the compile date of openssl in the banner
+
+1.109
+- minor IPv6 fixes
+
+1.108
+- NEW: Major rewrite of output functions. Now using printf instead of "echo -e" for BSD and MacOSX compatibility
+
+1.107
+- improved IP address stuff
+
+1.106
+- minor fixes
+
+1.105
+- NEW: working prototype for CCS injection
+
+1.104
+- NEW: everywhere *also* RFC style ciphers -- if the mapping file is found
+- unitary calls to display cipher suites
+
+1.103
+- NEW: telnet support for STARTTLS (works only with a patched openssl version)
+  --> not tested (lack of server)
+
+1.102
+- NEW: test for BREACH (experimental)
+
+1.101
+- BUGFIX: muted too verbose output of which on CentOS/RHEL
+- BUGFIX: muted too verbose output of netcat/nc on CentOS/RHEL+Debian
+
+1.100
+- further cleanup
+  - starttls now tests allciphers() instead of cipher_per_proto
+      (normal use case makes most sense here)
+  - ENV J_POSITIV --> SHOW_EACH_C
+- finding mapping-rfc.txt is now a bit smarter
+- preparations for ChaCha20-Poly1305 (would have provided binaries but
+  "openssl s_client -connect" with that ciphersuite fails currently with 
+  a handshake error though client and server hello succeeded!)
+
+1.99
+- BUGFIX: now really really everywhere testing the IP with supplied name
+- locking out openssl < 0.9.8f, new function called "old_fart" ;-)
+- FEATURE: displaying PTR record of IP
+- FEATURE: displaying further IPv4/IPv6 addresses 
+- bit of a cleanup
+
+1.98
+- http_header is in total only called once
+- better parsing of default protocol (FIXME shouldn't appear anymore)
+
+1.97
+- reduced sleep time for server hello and payload reply (heartbleed)
+
+1.96
+- NEW: (experimental) heartbleed support with bash sockets (shell only SSL handshake!)
+  see also https://testssl.sh/bash-heartbleed.sh
+
+1.95 (2.0rc3)
+- changed cmdline options for CRIME and renego vuln to uppercase
+- NEW: displays server key size now
+- NEW: displays TLS server extensions (might kill old openssl versions)
+- brown warning if HSTS < 180 days
+- brown warning if SSLv3 is offered as default protocol
+
+1.94
+- NEW: prototype of mapping to RFC cipher suite names, needed file mapping-rfc.txt in same dir
+  as of now only used for 'testssl.sh -V'
+- internal renaming: it was supposed to be "cipherlists" instead of "ciphersuites"
+- additional tests for cipherlists DES, 3DES, ADH
+
+1.93
+- BUGFIX: removed space in Server banner fixed (at the expense of showing just nothing if Server string is empty)
+
+1.92
+- BUGFIX: fixed error of faulty detected empty server string
+
+1.91
+- replaced most lcyan to brown (=not really bad but somehow)
+- empty server string better displayed
+- preferred CBC TLS 1.2 cipher is now brown (lucky13)
+
+1.90
+- fix for netweaver banner (server is lowercase)
+- no server banner is no disadvantage (color code)
+- 1 more blank proto check
+- server preference is better displayed
+
+1.89
+- reordered! : protocols + cipher come first
+- colorized preferred server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
+- SSLv3 is now light cyan
+- NEW: -P|--preference now in help menu
+- light cyan is more appropriate than red for HSTS
+
+1.88
+- NEW: prototype for protocol and cipher preference
+- prototype for session ticket
+
+1.87
+- changed just the version string to rc1
+
+1.86
+ - NEW: App banner now production, except 2 liners
+ - DEBUG: 1 is now true as everywhere else
+ - CRIME+Renego prettier
+ - last optical polish for RC4, PFS
+
+1.85
+ - NEW: appbanner (also 2 lines like asp.net)
+ - OSSL_VER_MAJOR/MINOR/APPENDIX
+ - less bold because bold headlines as bold should be reserved for emphasize findings
+ - tabbed output also for protocols and cipher classes
+ - unify neat printing
+
+1.84
+ - NEW: deprecating openssl version <0.98
+ - displaying a warning >= 0.98 < 1.0
+ - NEW: neat print also for all ciphers (-E,-e)
+
+1.83
+- BUGFIX: results from unit test: logical error in PFS+RC4 fixed
+- headline of -V / PFS+RC4 ciphers unified
+
+1.82
+- NEW: output for -V now better (bits separate, spacing improved)
+
+1.81
+- output for RC4+PFS now better (with headline, bits separate, spacing improved)
+- both also sorted by encr. strength .. umm ..err bits!
+
+1.80
+- order of finding supplied binary extended (first one wins):
+  1. use supplied variable $OPENSSL
+  2. use "openssl" in same path as testssl.sh
+  3. use "openssl.`uname -m`" in same path as testssl.sh
+  4. use anything in system $PATH (return value of "which"
+
+1.79
+- STARTTLS options w/o trailing 's' now (easier)
+- commented code for CRIME SPDY
+- issue a warning for openssl < 0.9.7 ( that version won't work anyway probably)
+- NPN protos as a global var
+- pretty print with fixed columns: PFS, RC4, allciphers, cipher_per_proto
+
+1.78
+- -E, -e now sorted by encryption strength (note: it's only encr key length)
+- -V now pretty prints all local ciphers
+- -V <pattern> now pretty prints all local ciphers matching pattern (plain string, no regex)
+- bugfix: SSLv2 cipher hex codes has 3 bytes!
+
+1.77
+- removed legacy code (PROD_REL var)
+
+1.76
+- bash was gone!! disaster for Ubuntu, fixed
+- starttls+rc4 check: bottom line was wrong
+- starttls had too much output (certificate) at first a/v check
+
+1.75
+- location is now https://testssl.sh
+- be nice: banner, version, help also works for BSD folks (on dash)
+- bug in server banner fixed
+- sneaky referrer and user agent possible
+
+1.74
+- Debian 7 fix
+- ident obsoleted
+
+1.72
+- removed obsolete GREP
+- SWURL/SWCONTACT
+- output for positive RC4 better
+
+1.71
+- workaround for buggy bash (RC4)
+- colors improved
+  - blue is now reserved for headline
+  - magenta for local probs
+  - in RC4 removal of SSL protocol provided by openssl
+
+1.70
+- DEBUG in http_headers now as expected
+- <?xml marker as HTML body understood
+
+1.69
+- HTTP 1.1 header
+- removed in each cipher the proto openssl is returning
++ NEW: cipher_per_proto
+
+1.68
+- header parser for openssl
+- HSTS
+- server banner string
+- vulnerabilities closer+condensed
+
+1.68
+- header parser for openssl
+- HSTS
+- server banner string
+- vulnerabilities closer+condensed
+
+1.67
+- signal green if no SSLv3
+- cipher hex code now in square brackets  
+
+
+[..]
+
+
+1.36
+* fixed issue while connecting to non-webservers
+
+1.35
+* fixed portability issue on Ubuntu
+
+1.34
+* ip(v4) address in output, helps to tell different systems apart later on
+* local hostname in output
+
+1.31 (Halloween Release)
+* bugfix: SSLv2 was kind of borken
+* now it works for sure but ssl protocol are kind of ugly
+
+1.30b (25.10.2012)
+* bugfix: TLS 1.1/1.2 may lead to false negatives
+* bugfix: CMDLINE -a/-e was misleading, now similar to help menu
+
+1.3 (10/13/2012)
+* can test now for cipher suites only
+* can test now for protocols suites only
+* tests for tls v1.1/v1.2 of local openssl supports it
+* commandline "all "is rename to "each-cipher"
+* banner when it's done
+
+1.21a (10/4/2012)
+* tests whether openssl has support for zlib compiled so that it avoids a false negative
+
+1.21 (10/4/2012)
+* CRIME support
+
+1.20b
+* bugfixed release
+
+1.20a
+* code cleanup
+* showciphers variable introduced: only show ciphers if this is set (it is by
+  default now and there's a comment
+* openssl version + path to it in the banner
+
+
+1.20
+* bugfix (ssl in ssl handshake failure is sometimes too much)
+* date in output
+* autodetection of CVS version removed
+
+1.19
+* bugfix
+
+1.18
+* Rearrangement of arguments: URL comes now always last!
+* small code cleanups for readability
+* individual cipher test is now with bold headline, not blue
+* NOPARANOID flag tells whether medium grade ciphers are ok. NOW they are (=<1.17 was paranoid)
+
+1.17
+* SSL tests now for renegotiation vulnerability!
+* version detection of testssl.sh
+* program has a banner
+* fixed bug leading to a file named "1"
+* comment for 128Bit ciphers
+
+1.16
+* major code cleanups
+* cmd line options: port is now in first argument!!
+* help is more verbose
+* check whether on other server side is ssl server listening
+* https:// can be now supplied also on the command line
+* test all ciphers now
+* new cleanup routine
+* -a does not do standard test afterward, you need to run testssl a second
+  time w/o -a if you want this 
+
+1.12
+* tests also medium grade ciphers (which you should NOT use)
+* tests now also high grade ciphers which you SHOULD ONLY use
+* switch for more verbose output of cipher for those cryptographically interested .
+  in rows: SSL version, Key eXchange, Authentication, Encryption and Message Authentication Code
+* this is per default enabled (provide otherwise "" as VERB_CLIST)
+* as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers
+
+1.11 
+* Hint for howto enable 56 Bit Ciphers 
+* possible to specify where openssl is (hardcoded, $ENV, last resort: auto)
+* warns if netcat is not there
+
+1.10 
+* somewhat first released version

Readme.md

@@ -82,14 +82,14 @@ Update notification here or @ [twitter](https://twitter.com/drwetter).
 * JSON output now valid also for non-responding servers
 * Testing now per default 370 ciphers
 * Further improving the robustness of TLS sockets (sending and parsing)
-* Support of supplying timeout value for ``openssl connect`` -- useful for batch/mass scanning
+* Support of supplying timeout value for `openssl connect` -- useful for batch/mass scanning
 * File input for serial or parallel mass testing can be also in nmap grep(p)able (-oG) format
 * LOGJAM: now checking also for DH  and FFDHE groups (TLS 1.2)
 * PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3)
 * Check for session resumption (Ticket, ID)
 * TLS Robustness check (GREASE)
 * Expect-CT Header Detection
-* --phone-out does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL
+* `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL
 * Fully OpenBSD and LibreSSL support
 * Missing SAN warning
 * Added support for private CAs
@@ -105,6 +105,7 @@ Update notification here or @ [twitter](https://twitter.com/drwetter).
 * More robustness for any STARTTLS protocol (fall back to plaintext while in TLS)
 * Fixed TCP fragmentation
 * Added `--ids-friendly` switch
+* Major update of client simulations with self-collected data
 
 [Planned for 3.0](https://github.com/drwetter/testssl.sh/milestone/4).
 

etc/README.md

@@ -32,6 +32,6 @@ If you want to test against e.g. a company internal CA you want to avoid warning
 
 * ``common-primes.txt`` is used for LOGJAM and the PFS section
 
-* ``client-simulation.txt`` as the name indicates it's the data for the client simulation. Use
+* ``client-simulation.txt`` / ``client-simulation.wiresharked.txt`` are as the names indicate data for the client simulation.
-  ``~/utils/update_client_sim_data.pl`` for an update. Note: This list has been manually
+  The first one is derived from ``~/utils/update_client_sim_data.pl``, and manually edited to sort and label those we don't want.
-  edited to sort it and weed it out.
+  The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.

etc/client-simulation.txt

@@ -1,6 +1,8 @@
 # This file contains client handshake data used in the run_client_simulation() function.
-# The file distributed with testssl.sh (etc/client-simulation.txt) has been generated
+# The file distributed with testssl.sh (~/etc/client-simulation.txt) has been generated
 # from this script and manually edited (=which UA to show up) and sorted.
+# In addition this file contains handshake data retrieved manually from
+# wireshark. Data and HowTo see ~/etc/client-simulation.wiresharked.txt
 #
 # Most clients are taken from Qualys SSL Labs --- From: https://api.dev.ssllabs.com/api/v3/getClients
 
@@ -193,6 +195,50 @@
      requiresSha2+=(false)
      current+=(true)
 
+     names+=("Android 8.1 (native)")
+     short+=("android_81")
+     ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA")
+     ciphersuites+=("")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030100c0010000bc030346fcc7d3e5a9f68af0aa05de62de63c4ad1a4f472da56aa1424041106922370720ef51a7595abfd5bb32038c96c481bb6449053ba08023a752d124b1c1ca7d34fe001cc02bc02ccca9c02fc030cca8c009c00ac013c014009c009d002f0035010000570000001700150000127777772e676f6f676c65617069732e636f6d00170000ff01000100000a00080006001d00170018000b00020100000500050100000000000d00140012040308040401050308050501080606010201")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0303")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP,SMTP,POP,IMAP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(false)
+     current+=(true)
+
+     names+=("Android 9.0 (native)")
+     short+=("android_90")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010246010002420303d6259dca682ab368c7e095da7189996da830514896063d4acdc83cb5d2c2568d2041a787bf8dd3d7a1ceda514a6606f1068432a13063ea320fd7e7b367af47ecae00220a0a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001d77a7a00000000001e001c0000196c68332e676f6f676c6575736572636f6e74656e742e636f6d00170000ff01000100000a000a0008aaaa001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029aaaa000100001d00203e67895a11e9ce5c69df2995782adaddb7a03ef30b245000ca332d5940ecff20002d00020101002b000b0aeaea0304030303020301001b00030200026a6a0001000029010500e000da001c9941f6b101f853f370851e583bd22e03150fc67298947270c6058707fe1670efe590d777a34b9e2e2d0ec6aa8d0ddc375c2535934c75c9623d1a271f735417fdd9190dae7f4c8541c262f8fbfeee2e820f54f59f68e78503f5c093f6084037be22c20dad3d057f64dc73f2dd45948e27c707f3f2107b32040a21fa9c1273e7797aaf5a5bc8994e9eafc4bd43b2951e10f952564a910f146344ec6d0c49f75fc6a070c75f0ffdd84fe9e10f77c23f1062e90f9e1e396eddb84d8ac00bf7ac87c557622dd18c54bbc229268699c60434648b279dd86e996baee9d1c155002120235d43319c7d5bb4725a52fa782468cd2280bd622c40a36296b354759f6d4389")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP,SMTP,POP,IMAP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(true)
+     current+=(true)
+
      names+=("Chrome 27 Win 7")
      short+=("chrome_27_win7")
      ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-DSS-RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA")
@@ -705,7 +751,7 @@
      warning+=("")
      handshakebytes+=("1603010200010001fc0303a4ae4c9839623356a42a2a977373dcefc5920611a46c549eca42959de9e2dab220d6c3276206e9c756685d96687302864815ed0e8496472898e86b30b694ee994300229a9a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001913a3a0000ff0100010000000014001200000f6465762e73736c6c6162732e636f6d0017000000230000000d00140012040308040401050308050501080606010201000500050100000000001200000010000e000c02683208687474702f312e3175500000000b000201000033002b00291a1a000100001d00205672b32aa464a7b8513f37108290ab0dd39e317d2b0db8fe0d77c147b324fe29002d00020101002b000b0a0a0a0304030303020301000a000a00081a1a001d00170018001b00030200022a2a000100001500c50000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
      protos+=("-no_ssl3 -no_ssl2")
-     tlsvers+=("-tls1_2 -tls1_1 -tls1")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
      lowest_protocol+=("0x0301")
      highest_protocol+=("0x0304")
      service+=("HTTP,FTP")
@@ -716,6 +762,28 @@
      minEcdsaBits+=(-1)
      curves+=("X25519:prime256v1:secp384r1")
      requiresSha2+=(false)
+     current+=(false)
+
+     names+=("Chrome 73 (Win 10)")
+     short+=("chrome_73_win10")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc0303a719e434922565bbd59fe0dfec21b7f5c8549fdf52566af99cce87ecb276992b20bbf979b5fbe4ebd1412e55ffe6b811e561d3f04ce451fc229d329babda4de91d00227a7a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001914a4a000000000012001000000d7777772e676f6f676c652e646500170000ff01000100000a000a0008aaaa001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029aaaa000100001d00205c2f12fabe8b2ff843aa9f347816b7d3a8b8c051f0830f4bbf13d44b5ec37c2b002d00020101002b000b0aeaea0304030303020301001b0003020002eaea000100001500cb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP")
+     minDhBits+=(1024)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(false)
      current+=(true)
 
      names+=("Firefox 10.0.12 ESR Win 7")
@@ -1304,7 +1372,7 @@
      minEcdsaBits+=(-1)
      curves+=("X25519:prime256v1:secp384r1:secp521r1")
      requiresSha2+=(false)
-     current+=(true)
+     current+=(false)
 
      names+=("Firefox 62 Win 7")
      short+=("firefox_62_win7")
@@ -1327,6 +1395,28 @@
      requiresSha2+=(false)
      current+=(true)
 
+     names+=("Firefox 66 (Win 8.1/10)")
+     short+=("firefox_66_win81")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc0303f488fc07f89155dba6560e527e1708e0b36458f32492fcf3074386f169d447e5204ed6d2d9d162b792388e9cee6c838b6b1e82dacdf1837f7279bc42339c70b79c0024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a0100018f0000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000010000e000c02683208687474702f312e310005000501000000000033006b0069001d0020f3c22d5492b1230da8895790bea5e5a3af7e63517cfa31b37d1d2a817a628f690017004104a373b66bce1c5d411d78d93b3c3ee6eb7c4519a52abf29e98bbc355a94f8f52a1c8bb7d6320c0104e98ec3895bc5e89ddc1d8f2b76305912992df46c546f2cf5002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c000240010015009400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP")
+     minDhBits+=(1023)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
+     requiresSha2+=(false)
+     current+=(true)
+
      names+=("IE 6 XP")
      short+=("ie_6_xp")
      ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:RC4-MD5:DES-CBC3-MD5:RC2-CBC-MD5:DES-CBC-SHA:DES-CBC-MD5:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA")
@@ -1640,7 +1730,7 @@
      minEcdsaBits+=(-1)
      curves+=("prime256v1:secp384r1")
      requiresSha2+=(false)
-     current+=(true)
+     current+=(false)
 
      names+=("Edge 13 Win Phone 10")
      short+=("edge_13_winphone10")
@@ -1661,7 +1751,7 @@
      minEcdsaBits+=(-1)
      curves+=("prime256v1:secp384r1")
      requiresSha2+=(false)
-     current+=(true)
+     current+=(false)
 
      names+=("Edge 15 Win 10")
      short+=("edge_15_win10")
@@ -1684,6 +1774,28 @@
      requiresSha2+=(false)
      current+=(true)
 
+     names+=("Edge 17 (Win 10)")
+     short+=("edge_17_win10")
+     ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA")
+     ciphersuites+=("")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("160303018d0100018903035cbeb3c560acfb3dfe583ba45f51f5e2e36f99dfe5e22f1a230724dfaf5ddbde000026c02cc02bc030c02fc024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0100013a0000001a0018000015737570706f72742e6d6963726f736f66742e636f6d000500050100000000000a00080006001d00170018000b00020100000d00140012040105010201040305030203020206010603002300c000000f032566a8435c845ce7de67f2f4fd6c75ed3206c9448a513d4b4f8cd2fedb5f7d1eb4573ce68756fdad198bd3e4eadfd4db2d7794cc69198366edcb9b9ff5803a58718c1de4d6dffeb4354cd48f5dba6de719cebb27d544f6b2f4427e4e5d46f564d3098134d9b69a4e83e233f5dfea099733f75022dba07665d7c35dd09742082a06f080871caaa6a7770ebc9e2c792eb88c44d0d56ae6ba068a189b674491cee28155148c86d53071e170ab354e0fd0e390b9ddda0886b9fa8c70ee1a0010000e000c02683208687474702f312e310017000000180006001003020100ff01000100")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0303")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP")
+     minDhBits+=(1024)
+     maxDhBits+=(4096)
+     minRsaBits+=(-1)
+     maxRsaBits+=(16384)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(false)
+     current+=(true)
+
      names+=("Opera 12.15 Win 7")
      short+=("opera_1215_win7")
      ciphers+=("DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-DSS-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
@@ -1768,6 +1880,28 @@
      requiresSha2+=(false)
      current+=(false)
 
+     names+=("Opera 60 (Win 10)")
+     short+=("opera_60_win10")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc03033503bae63f0cf8ef9d0a55623327a28e3c3525a2ce28153242e132279d3940e3206a440f32e7a8488b012b12d4b7d1b2b1764c784a944662a7f305e90f7d15168500228a8a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a01000191eaea000000000012001000000d7777772e6f706572612e636f6d00170000ff01000100000a000a0008caca001d00170018000b00020100002300c07505f51cc349fe3f9e022858dcd1eb12ca07a302fd9f43a4cbffec031296e77b07122bb9532dd112770b686a4898e20462c514c5fb043dc325a5453753c499774bfab673024a86543064c33d40b67b2e4e9dfa177305e8cdc39f3d8afe0fe7c80406a9e07ea836dd8a46ab7ef9aa5dc66301a346585f7ff26615a28cbea2544d4ba8101be6f528b4bba3a5ce9a6683537b29cd16d4c5015de6f9a93d3c132389e56ff20853d952f6ee06b46ca89dc52b67583fbb0fb61e2b78c03ef97892c6a90010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029caca000100001d00204aeb26ec670ce59e094a8b97c281186b4e87706df48667a24193e268a069cd54002d00020101002b000b0a3a3a0304030303020301001b00030200027a7a0001000015000b0000000000000000000000")
+     protos+=("-no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0300")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(false)
+     current+=(true)
+
      names+=("Safari 5.1.9 OS X 10.6.8")
      short+=("safari_519_osx1068")
      ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA")
@@ -2314,6 +2448,72 @@
      requiresSha2+=(false)
      current+=(true)
 
+     names+=("OpenSSL 1.1.0j (Debian)")
+     short+=("openssl_110j")
+     ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
+     ciphersuites+=("")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030100c2010000be03036468410c4ae36f78a4357ad19fa61353e46aed101eff4e0c9f77ec654dc12eb4000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005d00000013001100000e7465737473736c2e73683a343433000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203")
+     protos+=("-no_ssl2 -no-ssl3")
+     tlsvers+=("-tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0300")
+     highest_protocol+=("0x0303")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp521r1:secp384r1")
+     requiresSha2+=(false)
+     current+=(true)
+
+     names+=("OpenSSL 1.1.1b (Debian)")
+     short+=("openssl_111b")
+     ciphers+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("160301012d010001290303ac67ab7c72eea2e0f68615f02c9e566ed4a3bb0022c2ca1db7615acfb9dedd0120415470391af467e708e8983b134defcb4f4855e774606ae8223265af0fbb802a003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff010000a200000013001100000e7465737473736c2e73683a343433000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020b4556edddf807eb6b6bbcd61e25775a3992dd6f5caeee76d37f8895436efc972")
+     protos+=("-no_ssl2 -no-ssl3")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0300")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:x448:secp521r1:secp384r1")
+     requiresSha2+=(true)
+     current+=(true)
+
+     names+=("Thunderbird (60.6)")
+     short+=("thunderbird_60_6_1")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc03039f5f6a4903cf739091fca37e8f43e6d173ffeb64905977b2dede05e061f3a24c20f958c20b0edd50e0716d108e1d6046178a8974d868c138eac8a6ab8becdf81cd001c130113031302c02bc02fcca9cca8c02cc030c013c014002f0035000a0100019700000013001100000e696d61702e676d61696c2e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000005000501000000000033006b0069001d00200ff08104aea54116caac222c2b7661e05d852847fcfd6860a0ec2f09804bd5330017004104d7afd4ac669de5312ff866d84381723c1d5ff549d409658f9300644d76e33b5c953499a89bdb1fc8930587645bf3452a47fbe6e3f00a59e232c39c269791d871002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001001500aa0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,SMTP,POP,IMAP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
+     requiresSha2+=(false)
+     current+=(true)
+
      names+=("Baidu Jan 2015")
      short+=("baidu_jan_2015")
      ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-MD5:RC4-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA")

etc/client-simulation.wiresharked.txt

@@ -0,0 +1,227 @@
+# This file contains client handshake data manually created from Wireshark.
+# The content needs to be added to client-simulation.txt which other part
+# comes from the SSLlabs client API via update_client_sim_data.pl
+# The whole process is done manually.
+#
+# Instructions how to add a client simulation:
+# * Start wireshark at the client / router. Best is during capture to filter for the target you want to contribute.
+# * Make sure you create a bit of encrypted traffic to a target of your choice 1) .
+# * Make sure the client traffic is specific: For just "Android" do not use a browser!
+# * Stop the recording.
+# * If needed sort for ClientHello.
+# * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic.
+# * Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
+# * Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
+# * Adjust "lowest_protocol" and "highest_protocol" accordingly.
+# * Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE.
+# * Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010). 
+# * Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
+# * Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
+# * For "ciphers" mark the Cipher Suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to ~/utils/hexstream2cipher.sh
+# * "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ~/utils/hexstream2cipher.sh
+# * Figure out the services by applying a good piece of logic
+# * Before submitting a PR: test it yourself! You can also watch it again via wireshark
+#
+# 
+# 1) Attention, privacy: if you want to contribute it contains the target hostname (SNI)
+
+
+     names+=("Android 8.1 (native)")
+     short+=("android_81")
+     ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA")
+     ciphersuites+=("")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030100c0010000bc030346fcc7d3e5a9f68af0aa05de62de63c4ad1a4f472da56aa1424041106922370720ef51a7595abfd5bb32038c96c481bb6449053ba08023a752d124b1c1ca7d34fe001cc02bc02ccca9c02fc030cca8c009c00ac013c014009c009d002f0035010000570000001700150000127777772e676f6f676c65617069732e636f6d00170000ff01000100000a00080006001d00170018000b00020100000500050100000000000d00140012040308040401050308050501080606010201")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0303")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP,SMTP,POP,IMAP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(false)
+     current+=(true)
+
+     names+=("Android 9.0 (native)")
+     short+=("android_90")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010246010002420303d6259dca682ab368c7e095da7189996da830514896063d4acdc83cb5d2c2568d2041a787bf8dd3d7a1ceda514a6606f1068432a13063ea320fd7e7b367af47ecae00220a0a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001d77a7a00000000001e001c0000196c68332e676f6f676c6575736572636f6e74656e742e636f6d00170000ff01000100000a000a0008aaaa001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029aaaa000100001d00203e67895a11e9ce5c69df2995782adaddb7a03ef30b245000ca332d5940ecff20002d00020101002b000b0aeaea0304030303020301001b00030200026a6a0001000029010500e000da001c9941f6b101f853f370851e583bd22e03150fc67298947270c6058707fe1670efe590d777a34b9e2e2d0ec6aa8d0ddc375c2535934c75c9623d1a271f735417fdd9190dae7f4c8541c262f8fbfeee2e820f54f59f68e78503f5c093f6084037be22c20dad3d057f64dc73f2dd45948e27c707f3f2107b32040a21fa9c1273e7797aaf5a5bc8994e9eafc4bd43b2951e10f952564a910f146344ec6d0c49f75fc6a070c75f0ffdd84fe9e10f77c23f1062e90f9e1e396eddb84d8ac00bf7ac87c557622dd18c54bbc229268699c60434648b279dd86e996baee9d1c155002120235d43319c7d5bb4725a52fa782468cd2280bd622c40a36296b354759f6d4389")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP,SMTP,POP,IMAP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(true)
+     current+=(true)
+
+     names+=("Edge 17 Win 10")
+     short+=("edge_17_win10")
+     ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA")
+     ciphersuites+=("")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("160303018d0100018903035cbeb3c560acfb3dfe583ba45f51f5e2e36f99dfe5e22f1a230724dfaf5ddbde000026c02cc02bc030c02fc024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0100013a0000001a0018000015737570706f72742e6d6963726f736f66742e636f6d000500050100000000000a00080006001d00170018000b00020100000d00140012040105010201040305030203020206010603002300c000000f032566a8435c845ce7de67f2f4fd6c75ed3206c9448a513d4b4f8cd2fedb5f7d1eb4573ce68756fdad198bd3e4eadfd4db2d7794cc69198366edcb9b9ff5803a58718c1de4d6dffeb4354cd48f5dba6de719cebb27d544f6b2f4427e4e5d46f564d3098134d9b69a4e83e233f5dfea099733f75022dba07665d7c35dd09742082a06f080871caaa6a7770ebc9e2c792eb88c44d0d56ae6ba068a189b674491cee28155148c86d53071e170ab354e0fd0e390b9ddda0886b9fa8c70ee1a0010000e000c02683208687474702f312e310017000000180006001003020100ff01000100")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0303")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP")
+     minDhBits+=(1024)
+     maxDhBits+=(4096)
+     minRsaBits+=(-1)
+     maxRsaBits+=(16384)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(false)
+     current+=(true)
+
+     names+=("Chrome 73 (Win 10)")
+     short+=("chrome_73_win10")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc0303a719e434922565bbd59fe0dfec21b7f5c8549fdf52566af99cce87ecb276992b20bbf979b5fbe4ebd1412e55ffe6b811e561d3f04ce451fc229d329babda4de91d00227a7a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001914a4a000000000012001000000d7777772e676f6f676c652e646500170000ff01000100000a000a0008aaaa001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029aaaa000100001d00205c2f12fabe8b2ff843aa9f347816b7d3a8b8c051f0830f4bbf13d44b5ec37c2b002d00020101002b000b0aeaea0304030303020301001b0003020002eaea000100001500cb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP")
+     minDhBits+=(1024)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(false)
+     current+=(true)
+
+     names+=("Firefox 66 (Win 8.1/10)")
+     short+=("firefox_66_win")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc0303f488fc07f89155dba6560e527e1708e0b36458f32492fcf3074386f169d447e5204ed6d2d9d162b792388e9cee6c838b6b1e82dacdf1837f7279bc42339c70b79c0024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a0100018f0000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000010000e000c02683208687474702f312e310005000501000000000033006b0069001d0020f3c22d5492b1230da8895790bea5e5a3af7e63517cfa31b37d1d2a817a628f690017004104a373b66bce1c5d411d78d93b3c3ee6eb7c4519a52abf29e98bbc355a94f8f52a1c8bb7d6320c0104e98ec3895bc5e89ddc1d8f2b76305912992df46c546f2cf5002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c000240010015009400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP")
+     minDhBits+=(1023)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
+     requiresSha2+=(false)
+     current+=(true)
+
+     names+=("Opera 60 (Win 10)")
+     short+=("opera_60_win10")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc03033503bae63f0cf8ef9d0a55623327a28e3c3525a2ce28153242e132279d3940e3206a440f32e7a8488b012b12d4b7d1b2b1764c784a944662a7f305e90f7d15168500228a8a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a01000191eaea000000000012001000000d7777772e6f706572612e636f6d00170000ff01000100000a000a0008caca001d00170018000b00020100002300c07505f51cc349fe3f9e022858dcd1eb12ca07a302fd9f43a4cbffec031296e77b07122bb9532dd112770b686a4898e20462c514c5fb043dc325a5453753c499774bfab673024a86543064c33d40b67b2e4e9dfa177305e8cdc39f3d8afe0fe7c80406a9e07ea836dd8a46ab7ef9aa5dc66301a346585f7ff26615a28cbea2544d4ba8101be6f528b4bba3a5ce9a6683537b29cd16d4c5015de6f9a93d3c132389e56ff20853d952f6ee06b46ca89dc52b67583fbb0fb61e2b78c03ef97892c6a90010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029caca000100001d00204aeb26ec670ce59e094a8b97c281186b4e87706df48667a24193e268a069cd54002d00020101002b000b0a3a3a0304030303020301001b00030200027a7a0001000015000b0000000000000000000000")
+     protos+=("-no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0300")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,FTP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1")
+     requiresSha2+=(false)
+     current+=(true)
+
+     names+=("OpenSSL 1.1.0j (Debian)")
+     short+=("openssl_110j")
+     ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
+     ciphersuites+=("")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030100c2010000be03036468410c4ae36f78a4357ad19fa61353e46aed101eff4e0c9f77ec654dc12eb4000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005d00000013001100000e7465737473736c2e73683a343433000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203")
+     protos+=("-no_ssl2 -no-ssl3")
+     tlsvers+=("-tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0300")
+     highest_protocol+=("0x0303")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp521r1:secp384r1")
+     requiresSha2+=(false)
+     current+=(true)
+
+     names+=("OpenSSL 1.1.1b (Debian)")
+     short+=("openssl_111b")
+     ciphers+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("160301012d010001290303ac67ab7c72eea2e0f68615f02c9e566ed4a3bb0022c2ca1db7615acfb9dedd0120415470391af467e708e8983b134defcb4f4855e774606ae8223265af0fbb802a003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff010000a200000013001100000e7465737473736c2e73683a343433000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020b4556edddf807eb6b6bbcd61e25775a3992dd6f5caeee76d37f8895436efc972")
+     protos+=("-no_ssl2 -no-ssl3")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0300")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:X448:secp521r1:secp384r1")
+     requiresSha2+=(true)
+     current+=(true)
+
+     names+=("Thunderbird (60.6)")
+     short+=("thunderbird_60_6_1")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc03039f5f6a4903cf739091fca37e8f43e6d173ffeb64905977b2dede05e061f3a24c20f958c20b0edd50e0716d108e1d6046178a8974d868c138eac8a6ab8becdf81cd001c130113031302c02bc02fcca9cca8c02cc030c013c014002f0035000a0100019700000013001100000e696d61702e676d61696c2e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000005000501000000000033006b0069001d00200ff08104aea54116caac222c2b7661e05d852847fcfd6860a0ec2f09804bd5330017004104d7afd4ac669de5312ff866d84381723c1d5ff549d409658f9300644d76e33b5c953499a89bdb1fc8930587645bf3452a47fbe6e3f00a59e232c39c269791d871002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001001500aa0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,SMTP,POP,IMAP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
+     requiresSha2+=(false)
+     current+=(true)
+
+

testssl.sh

@@ -4479,7 +4479,7 @@ run_client_simulation() {
      for name in "${short[@]}"; do
           if "${current[i]}" || "$ALL_CLIENTS" ; then
                # for ANY we test this service or if the service we determined from STARTTLS matches
-               if [[ "${service[i]}" == "ANY" ]] || [[ "${service[i]}" =~ $client_service ]]; then
+               if [[ "${service[i]}" == ANY ]] || [[ "${service[i]}" =~ $client_service ]]; then
                     out " $(printf -- "%-29s" "${names[i]}")"
                     if "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; then
                          client_simulation_sockets "${handshakebytes[i]}"
@@ -4514,7 +4514,7 @@ run_client_simulation() {
                          bits="${temp##*, }"
                          # formatting
                          curve="${temp#*, }"
-                         if [[ "$curve" == "$bits" ]]; then
+                         if [[ "$curve" == $bits ]]; then
                               curve=""
                          else
                               curve="${curve%%,*}"
@@ -4525,7 +4525,7 @@ run_client_simulation() {
                               curve="$what_dh"
                               what_dh="ECDH"
                          fi
-                         if [[ "$what_dh" == "DH" ]]; then
+                         if [[ "$what_dh" == DH ]]; then
                               [[ ${minDhBits[i]} -ne -1 ]] && [[ $bits -lt ${minDhBits[i]} ]] && sclient_success=1
                               [[ ${maxDhBits[i]} -ne -1 ]] && [[ $bits -gt ${maxDhBits[i]} ]] && sclient_success=1
                          fi

utils/hexstream2cipher.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+hs="$1"
+len=${#hs}
+echo "# ciphers: $((len/4))"
+
+mapfile="etc/cipher-mapping.txt"
+[ -s $mapfile ] || mapfile="../$mapfile"
+[ -s $mapfile ] || exit 255
+
+cip=""
+first=true
+
+for ((i=0; i<len ; i+=4)); do
+	printf "%02d" "$i"
+	echo -n ": ${hs:$i:4}"
+	grepstr="0x${hs:$i:2},0x${hs:$((i+2)):2}"
+        echo -n " --> $grepstr --> "
+	cip=$(grep -i ${grepstr} $mapfile | awk '{ print $3 }')
+	echo $cip
+	if "$first"; then
+		ciphers="$cip"
+		first=false
+	else
+		ciphers="$ciphers:$cip"
+	fi
+done
+
+echo
+echo $ciphers

utils/wireshark2ciphers.pl

@@ -1,49 +0,0 @@
-#!/usr/bin/perl
-
-use strict;
-use Data::Dumper;
-use JSON;
-
-my $namelength = 30;
-
-# Get all ciphers first
-my @spec;
-my %ciphers;
-my $ossl = "bin/openssl." . `uname -s` . "." . `uname -m`;
-$ossl =~ s/\R//g;                                       # remove LFs
-
-die "Unable to open $ossl" unless -f $ossl;
-my $ossl = "$ossl" . " ciphers -V 'ALL:COMPLEMENTOFALL:\@STRENGTH'";
-
-foreach my $line ( split /\n/, `$ossl` ) {
-	my @fields = split /\s+/, $line;
-	my $hex = "";
-	foreach my $byte ( split /,/, $fields[1] ) {
-		$byte = lc $byte;
-		$byte =~ s/^0x//;
-		$hex .= $byte;
-	}
-	$hex =~ s/^0+//;
-	$ciphers{"0x$hex"} = $fields[3];
-}
-#die Dumper \%ciphers;
-#exit;
-
-my @ciphers = ();
-while (<>) {
-	if ( /^\s*Cipher Suite\:/ ) {
-		/\((0x[0-9a-f]+)\)\s*$/;
-		my $n = $1;
-		$n =~ s/0x0*/0x/;
-		if ( $n && exists $ciphers{$n} ) {
-			push @ciphers, $ciphers{$n};
-		} else {
-			print STDERR "No matching cipher for: $n on line\n$_"
-		}
-	} else {
-		print STDERR "Ignoring line $_"
-	}
-}
-
-print "\n\n" . join ":", @ciphers;
-print "\n";