Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-04-17 15:06:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

run_pfs() speedup + sockets

Browse Source 
This PR implements `run_pfs()` in a manner similar to `run_allciphers()`. It uses OpenSSL followed by `tls_sockets()` to test for both supported PFS cipher suites as well as elliptic curves offered.

I made an attempt at addressing  by using different colors to print the different curve names, depending on strength. The colors chosen are exactly the same as those that would be chosen by `read_dhbits_from_file()`:
```
     # bits <= 163:       pr_svrty_medium
     163 < # bits <= 193: pr_svrty_minor
     193 < # bits <= 224: out
     # bits > 224:        pr_done_good
```

I also added code for  to create a list of the DH groups from RFC 7919 that a server supports. However, since no servers seem to support this at the moment (except with TLS 1.3), I marked this code to only run if the $EXPERIMENTAL flag is set.
This commit is contained in:
David Cooper 2016-12-08 12:36:45 -05:00 committed by GitHub
parent 72a96f64e4
commit 97652e64e0
1 changed files with 279 additions and 96 deletions

375
testssl.sh

@ -5781,38 +5781,98 @@ run_server_defaults() {
run_pfs() {
local -i sclient_success
local pfs_offered=false ecdhe_offered=false
local tmpfile
local dhlen
local hexcode dash pfs_cipher sslvers kx auth enc mac curve
local pfs_cipher_list="$ROBUST_PFS_CIPHERS"
local ecdhe_cipher_list=""
local pfs_offered=false ecdhe_offered=false ffdhe_offered=false
local hexc dash pfs_cipher sslvers auth mac export curve dhlen
local -a hexcode normalized_hexcode ciph rfc_ciph kx enc ciphers_found sigalg ossl_supported
local pfs_cipher_list="$ROBUST_PFS_CIPHERS" pfs_hex_cipher_list="" ciphers_to_test
local ecdhe_cipher_list="" ecdhe_cipher_list_hex="" ffdhe_cipher_list_hex=""
local curves_hex=("00,01" "00,02" "00,03" "00,04" "00,05" "00,06" "00,07" "00,08" "00,09" "00,0a" "00,0b" "00,0c" "00,0d" "00,0e" "00,0f" "00,10" "00,11" "00,12" "00,13" "00,14" "00,15" "00,16" "00,17" "00,18" "00,19" "00,1a" "00,1b" "00,1c" "00,1d" "00,1e")
local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
local -a curves_ossl_output=("K-163" "sect163r1" "B-163" "sect193r1" "sect193r2" "K-233" "B-233" "sect239k1" "K-283" "B-283" "K-409" "B-409" "K-571" "B-571" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "P-192" "secp224k1" "P-224" "secp256k1" "P-256" "P-384" "P-521" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
local -a supported_curves=()
local -i nr_supported_ciphers=0 nr_curves=0 i j low high
local pfs_ciphers curves_offered curves_to_test temp
local curve_found curve_used
local -a ffdhe_groups_hex=("01,00" "01,01" "01,02" "01,03" "01,04")
local -a ffdhe_groups_output=("ffdhe2048" "ffdhe3072" "ffdhe4096" "ffdhe6144" "ffdhe8192")
local -a supported_curve bits
local -i nr_supported_ciphers=0 nr_curves=0 nr_ossl_curves=0 i j low high
local pfs_ciphers curves_offered="" curves_offered_text="" curves_to_test temp
local len1 len2 curve_found
local has_dh_bits="$HAS_DH_BITS"
local using_sockets=true
"$SSL_NATIVE" && using_sockets=false
"$FAST" && using_sockets=false
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
outln
pr_headlineln " Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 "
if ! "$HAS_DH_BITS" && "$WIDE"; then
pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)"
fi
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $pfs_cipher_list))
debugme echo $nr_supported_ciphers
debugme echo $(actually_supported_ciphers $pfs_cipher_list)
if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then
if ! "$using_sockets"; then
[[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl"
if ! "$HAS_DH_BITS" && "$WIDE"; then
[[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "."
pr_warning " (Your $OPENSSL cannot show DH/ECDH bits)"
fi
outln
local_problem_ln "You only have $nr_supported_ciphers PFS ciphers on the client side "
fileout "pfs" "WARN" "(Perfect) Forward Secrecy tests: Skipped. You only have $nr_supported_ciphers PFS ciphers on the client site. ($CLIENT_MIN_PFS are required)"
return 1
fi
$OPENSSL s_client -cipher $pfs_cipher_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
if [[ $? -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then
if "$using_sockets" || [[ $OSSL_VER_MAJOR -lt 1 ]]; then
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
pfs_cipher="${TLS_CIPHER_RFC_NAME[i]}"
if ( [[ "$pfs_cipher" == "TLS_DHE_"* ]] || [[ "$pfs_cipher" == "TLS_ECDHE_"* ]] ) && \
[[ ! "$pfs_cipher" =~ "NULL" ]] && [[ ! "$pfs_cipher" =~ "DES" ]] && [[ ! "$pfs_cipher" =~ "RC4" ]] && \
[[ ! "$pfs_cipher" =~ "PSK" ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then
hexc="${TLS_CIPHER_HEXCODE[i]}"
pfs_hex_cipher_list+=", ${hexc:2:2},${hexc:7:2}"
ciph[nr_supported_ciphers]="${TLS_CIPHER_OSSL_NAME[i]}"
rfc_ciph[nr_supported_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
kx[nr_supported_ciphers]="${TLS_CIPHER_KX[i]}"
enc[nr_supported_ciphers]="${TLS_CIPHER_ENC[i]}"
ciphers_found[nr_supported_ciphers]=false
sigalg[nr_supported_ciphers]=""
ossl_supported[nr_supported_ciphers]="${TLS_CIPHER_OSSL_SUPPORTED[i]}"
hexcode[nr_supported_ciphers]="${hexc:2:2},${hexc:7:2}"
if [[ "${hexc:2:2}" == "00" ]]; then
normalized_hexcode[nr_supported_ciphers]="x${hexc:7:2}"
else
normalized_hexcode[nr_supported_ciphers]="x${hexc:2:2}${hexc:7:2}"
fi
"$using_sockets" && ! "$has_dh_bits" && "$WIDE" && ossl_supported[nr_supported_ciphers]=false
nr_supported_ciphers+=1
fi
done
else
while read hexc dash ciph[nr_supported_ciphers] sslvers kx[nr_supported_ciphers] auth enc[nr_supported_ciphers] mac export; do
ciphers_found[nr_supported_ciphers]=false
if [[ "${hexc:2:2}" == "00" ]]; then
normalized_hexcode[nr_supported_ciphers]="x${hexc:7:2}"
else
normalized_hexcode[nr_supported_ciphers]="x${hexc:2:2}${hexc:7:2}"
fi
sigalg[nr_supported_ciphers]=""
ossl_supported[nr_supported_ciphers]=true
nr_supported_ciphers+=1
done < <($OPENSSL ciphers -V "$pfs_cipher_list" 2>$ERRFILE)
fi
export=""
if "$using_sockets"; then
tls_sockets "03" "${pfs_hex_cipher_list:2}"
sclient_success=$?
[[ $sclient_success -eq 2 ]] && sclient_success=0
else
debugme echo $nr_supported_ciphers
debugme echo $(actually_supported_ciphers $pfs_cipher_list)
if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then
outln
local_problem_ln "You only have $nr_supported_ciphers PFS ciphers on the client side "
fileout "pfs" "WARN" "(Perfect) Forward Secrecy tests: Skipped. You only have $nr_supported_ciphers PFS ciphers on the client site. ($CLIENT_MIN_PFS are required)"
return 1
fi
$OPENSSL s_client -cipher $pfs_cipher_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
sclient_success=$?
[[ $sclient_success -eq 0 ]] && [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]] && sclient_success=1
fi
if [[ $sclient_success -ne 0 ]]; then
outln
pr_svrty_mediumln " No ciphers supporting Forward Secrecy offered"
fileout "pfs" "MEDIUM" "(Perfect) Forward Secrecy : No ciphers supporting Forward Secrecy offered"
@ -5828,112 +5888,235 @@ run_pfs() {
else
out " "
fi
while read hexcode dash pfs_cipher sslvers kx auth enc mac; do
tmpfile=$TMPFILE.$hexcode
$OPENSSL s_client -cipher $pfs_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI &>$tmpfile </dev/null
sclient_connect_successful $? $tmpfile
sclient_success=$?
if [[ "$sclient_success" -ne 0 ]] && ! "$SHOW_EACH_C"; then
continue # no successful connect AND not verbose displaying each cipher
fi
[[ "$sclient_success" -eq 0 ]] && [[ $pfs_cipher == "ECDHE-"* ]] && ecdhe_offered=true && ecdhe_cipher_list+=":$pfs_cipher"
while true; do
ciphers_to_test=""
for (( i=0; i < nr_supported_ciphers; i++ )); do
! "${ciphers_found[i]}" && "${ossl_supported[i]}" && ciphers_to_test+=":${ciph[i]}"
done
[[ -z "$ciphers_to_test" ]] && break
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null
sclient_connect_successful $? $TMPFILE || break
pfs_cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE)
[[ -z "$pfs_cipher" ]] && break
for (( i=0; i < nr_supported_ciphers; i++ )); do
[[ "$pfs_cipher" == "${ciph[i]}" ]] && break
done
ciphers_found[i]=true
if "$WIDE"; then
normalize_ciphercode $hexcode
if [[ $kx == "Kx=ECDH" ]] || [[ $kx == "Kx=DH" ]] || [[ $kx == "Kx=EDH" ]]; then
dhlen=$(read_dhbits_from_file "$tmpfile" quiet)
kx="$kx $dhlen"
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
kx[i]="${kx[i]} $dhlen"
fi
"$WIDE" && "$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
done
if "$using_sockets"; then
while true; do
ciphers_to_test=""
for (( i=0; i < nr_supported_ciphers; i++ )); do
! "${ciphers_found[i]}" && ciphers_to_test+=", ${hexcode[i]}"
done
[[ -z "$ciphers_to_test" ]] && break
if "$WIDE" && "$SHOW_SIGALGO"; then
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "all"
else
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
fi
neat_list $HEXC $pfs_cipher "$kx" $enc $strength
sclient_success=$?
[[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
pfs_cipher=$(awk '/Cipher *:/ { print $3 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
for (( i=0; i < nr_supported_ciphers; i++ )); do
[[ "$pfs_cipher" == "${rfc_ciph[i]}" ]] && break
done
ciphers_found[i]=true
if "$WIDE"; then
dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet)
kx[i]="${kx[i]} $dhlen"
fi
"$WIDE" && "$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && \
sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
done
fi
for (( i=0; i < nr_supported_ciphers; i++ )); do
! "${ciphers_found[i]}" && ! "$SHOW_EACH_C" && continue
if "${ciphers_found[i]}"; then
if [[ "${ciph[i]}" != "-" ]]; then
pfs_cipher="${ciph[i]}"
else
pfs_cipher="${rfc_ciph[i]}"
fi
pfs_ciphers+="$pfs_cipher "
! "$WIDE" && out "$pfs_cipher "
if [[ "${ciph[i]}" == "ECDHE-"* ]] || ( "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_ECDHE_"* ]] ); then
ecdhe_offered=true
ecdhe_cipher_list_hex+=", ${hexcode[i]}"
[[ "${ciph[i]}" != "-" ]] && ecdhe_cipher_list+=":$pfs_cipher"
fi
if [[ "${ciph[i]}" == "DHE-"* ]] || ( "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_DHE_"* ]] ); then
ffdhe_offered=true
ffdhe_cipher_list_hex+=", ${hexcode[i]}"
fi
fi
if "$WIDE"; then
neat_list "$(tolower "${normalized_hexcode[i]}")" "${ciph[i]}" "${kx[i]}" "${enc[i]}"
if "$SHOW_EACH_C"; then
if [[ $sclient_success -eq 0 ]]; then
if ${ciphers_found[i]}; then
pr_done_best "available"
else
out "not a/v"
fi
else
pfs_offered=true
fi
outln
else
if [[ $sclient_success -eq 0 ]]; then
out "$pfs_cipher "
fi
outln "${sigalg[i]}"
fi
[[ $sclient_success -eq 0 ]] && pfs_ciphers+="$pfs_cipher "
debugme rm $tmpfile
done < <($OPENSSL ciphers -V "$pfs_cipher_list" 2>$ERRFILE) # -V doesn't work with openssl < 1.0
done
debugme echo $pfs_offered
"$WIDE" || outln
if ! "$pfs_offered"; then
pr_svrty_medium "WARN: no PFS ciphers found"
fileout "pfs_ciphers" "MEDIUM" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found"
else
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
fi
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
fi
# find out what elliptic curves are supported.
if "$ecdhe_offered"; then
# find out what elliptic curves are supported.
curves_offered=""
for curve in "${curves_ossl[@]}"; do
ossl_supported[nr_curves]=false
supported_curve[nr_curves]=false
$OPENSSL s_client -curves $curve 2>&1 | egrep -iaq "Error with command|unknown option"
[[ $? -ne 0 ]] && nr_curves+=1 && supported_curves+=("$curve")
[[ $? -ne 0 ]] && ossl_supported[nr_curves]=true && nr_ossl_curves+=1
nr_curves+=1
done
# OpenSSL limits the number of curves that can be specified in the
# "-curves" option to 28. So, the list is broken in two since there
# are currently 30 curves defined.
for i in 1 2; do
case $i in
1) low=0; high=$nr_curves/2 ;;
2) low=$nr_curves/2; high=$nr_curves ;;
esac
sclient_success=0
while [[ "$sclient_success" -eq 0 ]]; do
curves_to_test=""
for (( j=low; j < high; j++ )); do
[[ ! " $curves_offered " =~ " ${supported_curves[j]} " ]] && curves_to_test+=":${supported_curves[j]}"
done
if [[ -n "$curves_to_test" ]]; then
$OPENSSL s_client -cipher "${ecdhe_cipher_list:1}" -curves "${curves_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI &>$tmpfile </dev/null
sclient_connect_successful $? $tmpfile
sclient_success=$?
# "-curves" option to 28. So, break the list in two if there are more
# than 28 curves supported by OpenSSL.
for j in 1 2; do
if [[ $j -eq 1 ]]; then
if [[ $nr_ossl_curves -le 28 ]]; then
low=0; high=$nr_curves
else
sclient_success=1
low=0; high=$nr_curves/2
fi
if [[ "$sclient_success" -eq 0 ]]; then
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$tmpfile")
curve_found="$(awk -F',' '{ print $1 }' <<< $temp)"
[[ "$curve_found" == "ECDH" ]] && curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
j=0; curve_used=""
for curve in "${curves_ossl[@]}"; do
[[ "${curves_ossl_output[j]}" == "$curve_found" ]] && curve_used="${curves_ossl[j]}" && break
j+=1
done
if [[ -n "$curve_used" ]]; then
curves_offered+="$curve "
else
sclient_success=1
fi
else
if [[ $nr_ossl_curves -le 28 ]]; then
continue # all curves tested in first round
else
low=$nr_curves/2; high=$nr_curves
fi
fi
while true; do
curves_to_test=""
for (( i=low; i < high; i++ )); do
"${ossl_supported[i]}" && ! "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
done
[[ -z "$curves_to_test" ]] && break
$OPENSSL s_client -cipher "${ecdhe_cipher_list:1}" -curves "${curves_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null
sclient_connect_successful $? $TMPFILE || break
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TMPFILE")
curve_found="$(awk -F',' '{ print $1 }' <<< $temp)"
[[ "$curve_found" == "ECDH" ]] && curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
for (( i=low; i < high; i++ )); do
! "${supported_curve[i]}" && [[ "${curves_ossl_output[i]}" == "$curve_found" ]] && break
done
[[ $i -eq $high ]] && break
supported_curve[i]=true
bits[i]=$(awk -F',' '{ print $3 }' <<< $temp)
grep -q bits <<< ${bits[i]} || bits[i]=$(awk -F',' '{ print $2 }' <<< $temp)
bits[i]=$(tr -d ' bits' <<< ${bits[i]})
done
done
# Reorder list of curves that were found to match their ordering in NamedCurve
curve_found=""
for curve in "${curves_ossl[@]}"; do
[[ " $curves_offered " =~ " $curve " ]] && curve_found+="$curve "
fi
if "$ecdhe_offered" && "$using_sockets"; then
while true; do
curves_to_test=""
for (( i=0; i < nr_curves; i++ )); do
! "${supported_curve[i]}" && curves_to_test+=", ${curves_hex[i]}"
done
[[ -z "$curves_to_test" ]] && break
len1=$(printf "%02x" "$((2*${#curves_to_test}/7))")
len2=$(printf "%02x" "$((2*${#curves_to_test}/7+2))")
tls_sockets "03" "${ecdhe_cipher_list_hex:2}" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
sclient_success=$?
[[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
curve_found="$(awk -F',' '{ print $1 }' <<< $temp)"
[[ "$curve_found" == "ECDH" ]] && curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
for (( i=0; i < nr_curves; i++ )); do
! "${supported_curve[i]}" && [[ "${curves_ossl_output[i]}" == "$curve_found" ]] && break
done
[[ $i -eq $nr_curves ]] && break
supported_curve[i]=true
bits[i]=$(awk -F',' '{ print $3 }' <<< $temp)
grep -q bits <<< ${bits[i]} || bits[i]=$(awk -F',' '{ print $2 }' <<< $temp)
bits[i]=$(tr -d ' bits' <<< ${bits[i]})
done
fi
if "$ecdhe_offered"; then
for (( i=0; i < nr_curves; i++ )); do
if "${supported_curve[i]}"; then
curves_offered+="${curves_ossl[i]} "
if [[ "${bits[i]}" -le 163 ]]; then
curves_offered_text+="$(pr_svrty_medium "${curves_ossl[i]}") "
elif [[ "${bits[i]}" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok
curves_offered_text+="$(pr_svrty_minor "${curves_ossl[i]}") " # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416
elif [[ "${bits[i]}" -le 224 ]]; then
curves_offered_text+="${curves_ossl[i]} "
else
curves_offered_text+="$(pr_done_good "${curves_ossl[i]}") "
fi
fi
done
if [[ -n "$curves_offered" ]]; then
"$WIDE" && outln
pr_bold " Elliptic curves offered: "; outln "$curves_offered"
pr_bold " Elliptic curves offered: "; outln "$curves_offered_text"
fileout "ecdhe_curves" "INFO" "Elliptic curves offered $curves_offered"
fi
fi
outln
if "$ffdhe_offered" && "$using_sockets" && "$EXPERIMENTAL"; then
# Check to see whether RFC 7919 is supported (see Section 4 of RFC 7919)
tls_sockets "03" "${ffdhe_cipher_list_hex:2}" "ephemeralkey" "00, 0a, 00, 04, 00, 02, 01, fb"
sclient_success=$?
if [[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]]; then
# find out what groups from RFC 7919 are supported.
nr_curves=0
for curve in "${ffdhe_groups_output[@]}"; do
supported_curve[nr_curves]=false
nr_curves+=1
done
while true; do
curves_to_test=""
for (( i=0; i < nr_curves; i++ )); do
! "${supported_curve[i]}" && curves_to_test+=", ${ffdhe_groups_hex[i]}"
done
[[ -z "$curves_to_test" ]] && break
len1=$(printf "%02x" "$((2*${#curves_to_test}/7))")
len2=$(printf "%02x" "$((2*${#curves_to_test}/7+2))")
tls_sockets "03" "${ffdhe_cipher_list_hex:2}" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
sclient_success=$?
[[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
[[ ! "$curve_found" =~ "ffdhe" ]] && break
for (( i=0; i < nr_curves; i++ )); do
! "${supported_curve[i]}" && [[ "${ffdhe_groups_output[i]}" == "$curve_found" ]] && break
done
[[ $i -eq $nr_curves ]] && break
supported_curve[i]=true
done
curves_offered=""
for (( i=0; i < nr_curves; i++ )); do
"${supported_curve[i]}" && curves_offered+="${ffdhe_groups_output[i]} "
done
if [[ -n "$curves_offered" ]]; then
pr_bold " RFC 7919 DH groups offered: "
outln "$curves_offered"
fileout "rfc7919_groups" "INFO" "RFC 7919 DH groups offered $curves_offered"
fi
fi
fi
tmpfile_handle $FUNCNAME.txt
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
# sub1_curves
if "$pfs_offered"; then
return 0