From a20d98bbfae53a77ca5871e87de3ed05f8bc8304 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 28 Jul 2017 12:07:29 -0400 Subject: [PATCH 1/3] Make two attempts to connect with TLSv1.2 In `run_protocols()` for TLS 1.2, try one set of 127 ciphers and if the result isn't a connection at TLSv1.2 then try another set of 127 ciphers before giving up and assuming that TLS 1.2 isn't supported. --- testssl.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 1e7a88a..c9ba3cd 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3831,6 +3831,7 @@ run_protocols() { local latest_supported="" # version.major and version.minor of highest version supported by the server. local detected_version_string latest_supported_string local lines nr_ciphers_detected + local -i ret outln; pr_headline " Testing protocols " @@ -4029,10 +4030,16 @@ run_protocols() { pr_bold " TLS 1.2 "; if "$using_sockets"; then tls_sockets "03" "$TLS12_CIPHER" + ret=$? + if [[ $ret -ne 0 ]]; then + tls_sockets "03" "$TLS12_CIPHER_2ND_TRY" + [[ $? -eq 0 ]] && ret=0 + fi else run_prototest_openssl "-tls1_2" + ret=$? fi - case $? in + case $ret in 0) prln_done_best "offered (OK)" fileout "tls1_2" "OK" "TLSv1.2 is offered" latest_supported="0303" From 7ccb611d135cb8e60bfab70ff4155f34c7c0bc46 Mon Sep 17 00:00:00 2001 
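Review bot: In the second `run_protocols()` hunk of PATCH 1/3, a failed second attempt leaves `$ret` holding the first attempt's code, while any state that `tls_sockets` records now comes from the second attempt. The retry also runs for every non-zero code, not only for a plain handshake failure. The non-zero `case $ret` arms are outside this hunk; if any of them reports handshake details (for instance a protocol version the server fell back to), it could describe the wrong ClientHello, so it is worth checking. At minimum I would document the contract above the retry: `# 2nd try with less common ciphers: $ret stays from the 1st try unless this one succeeds; tls_sockets state is from the 2nd try`.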
From: David Cooper Date: Fri, 28 Jul 2017 12:14:44 -0400 Subject: [PATCH 2/3] Update TLS12_CIPHER Update `$TLS12_CIPHER` to contain only 128 ciphers (so that it will work with servers that can't handle larger ClientHello messages), and also add some newer ciphers to `$TLS12_CIPHER`. Also define a `$TLS12_CIPHER_2ND_TRY` containing a list of 127 ciphers that do not appear in `$TLS12_CIPHER`. `$TLS12_CIPHER_2ND_TRY` is used in `run_protocols()` in order to perform a second test against servers that do not establish a TLSv1.2 connection when offered `$TLS12_CIPHER`. --- etc/tls_data.txt | 50 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 34 insertions(+), 16 deletions(-) diff --git a/etc/tls_data.txt b/etc/tls_data.txt index 1ee1eda..d82760f 100755 --- a/etc/tls_data.txt +++ b/etc/tls_data.txt 
@@ -1,25 +1,43 @@ # data we need for socket based handshakes -# 133 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN HTTP2/ALPN +# 124 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN HTTP2/ALPN readonly TLS12_CIPHER=" -cc,14, cc,13, cc,15, c0,30, c0,2c, c0,28, c0,24, c0,14, -c0,0a, c0,22, c0,21, c0,20, 00,a5, 00,a3, 00,a1, 00,9f, -00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, 00,80, 00,81, 00,82, 00,83, -c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, -00,86, 00,85, c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, -c0,79, c0,75, 00,9d, 00,3d, 00,35, 00,c0, 00,84, c0,2f, -c0,2b, c0,27, c0,23, c0,13, c0,09, c0,1f, c0,1e, c0,1d, -00,a4, 00,a2, 00,a0, 00,9e, 00,67, 00,40, 00,3f, 00,3e, -00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, +c0,30, c0,2c, c0,28, c0,24, c0,14, c0,0a, 00,9f, 00,6b, +00,39, 00,9d, 00,3d, 00,35, c0,2f, c0,2b, c0,27, c0,23, +c0,13, c0,09, 00,9e, 00,67, 00,33, 00,9c, 00,3c, 00,2f, +cc,a9, cc,a8, cc,aa, cc,14, cc,13, cc,15, 00,a5, 00,a3, +00,a1, 00,6a, 00,69, 00,68, 00,38, 00,37, 00,36, c0,77, +c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, 00,86, +00,85, c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, c0,79, +c0,75, 00,c0, 00,84, 00,a4, 00,a2, 00,a0, 00,40, 00,3f, +00,3e, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, 00,bc, 00,bb, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44, 00,43, 00,42, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, -c0,78, c0,74, 00,9c, 00,3c, 00,2f, 00,ba, 00,96, 00,41, -00,07, c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, -c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, -00,0d, c0,0d, c0,03, 00,0a, 00,63, 00,15, 00,12, 00,0f, -00,0c, 00,62, 00,09, 00,65, 00,64, 00,14, 00,11, 00,0e, -00,0b, 00,08, 00,06, 00,03, 00,ff" +c0,78, c0,74, 00,ba, 00,96, 00,41, 00,07, c0,11, c0,07, +00,66, c0,0c, c0,02, 00,05, 00,04, c0,12, c0,08, 00,16, +00,13, 00,10, 00,0d, c0,0d, c0,03, 00,0a, 00,80, 00,81, +00,82, 00,83, 00,63, 00,15, 00,12, 00,0f, 00,0c, 00,62, +00,09, 00,65, 00,64, 00,14, 00,11, 00,08, 00,03, 00,ff" + +# 
127 less common ciphers for TLS 1.2 and SPDY/NPN HTTP2/ALPN +readonly TLS12_CIPHER_2ND_TRY=" +c0,22, c0,21, c0,20, 00,b7, 00,b3, 00,91, c0,9b, c0,99, +c0,97, 00,af, c0,95, c0,af, c0,ad, c0,a3, c0,9f, c0,19, +00,a7, 00,6d, 00,3a, 00,c5, 00,89, 00,ad, 00,ab, cc,ae, +cc,ad, cc,ac, c0,ab, c0,a7, c0,a1, c0,9d, 00,a9, cc,ab, +c0,a9, c0,a5, c0,38, c0,36, 00,95, 00,8d, ff,00, ff,01, +ff,02, ff,03, ff,85, c0,1f, c0,1e, c0,1d, c0,ae, c0,ac, +c0,a2, c0,9e, 00,ac, 00,aa, c0,aa, c0,a6, c0,a0, c0,9c, +00,a8, c0,a8, c0,a4, c0,18, 00,a6, 00,6c, 00,34, 00,bf, +00,9b, 00,46, c0,37, c0,35, 00,b6, 00,b2, 00,90, c0,9a, +c0,98, c0,96, 00,ae, c0,94, 00,94, 00,8c, 00,21, 00,25, +c0,16, 00,18, 00,92, 00,8a, 00,20, 00,24, c0,33, 00,8e, +c0,1c, c0,1b, c0,1a, c0,17, 00,1b, 00,93, 00,8b, 00,1f, +00,23, c0,34, 00,8f, 00,1a, 00,61, 00,60, 00,19, 00,06, +00,0b, 00,0e, 00,17, c0,10, c0,06, c0,15, c0,0b, c0,01, +c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e, +00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,ff" # 76 standard cipher + 4x GOST for SSLv3, TLS 1, TLS 1.1 readonly TLS_CIPHER=" From ee40625d40666712e4e6405533dbc84315dfa935 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 28 Jul 2017 12:23:21 -0400 Subject: [PATCH 3/3] Fix typo in comment $TLS12_CIPHER only includes 123 standard ciphers; 0x00,0xFF doesn't count as a "standard cipher." --- etc/tls_data.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/tls_data.txt b/etc/tls_data.txt index d82760f..cf3bdd4 100755 --- a/etc/tls_data.txt +++ b/etc/tls_data.txt @@ -1,7 +1,7 @@ # data we need for socket based handshakes -# 124 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN HTTP2/ALPN +# 123 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN HTTP2/ALPN readonly TLS12_CIPHER=" c0,30, c0,2c, c0,28, c0,24, c0,14, c0,0a, 00,9f, 00,6b, 00,39, 00,9d, 00,3d, 00,35, c0,2f, c0,2b, c0,27, c0,23,
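Review bot: In the `etc/tls_data.txt` hunk of PATCH 2/3, the ciphers moved out of `$TLS12_CIPHER` (for example `c0,1a` through `c0,22`, `00,06`, `00,0b`, `00,0e`) are now offered only through `$TLS12_CIPHER_2ND_TRY`, and this series adds that fallback only in `run_protocols()`. The header comment still names SPDY/NPN and HTTP2/ALPN as users of the list. Those callers are not in the diff, so it should be confirmed that none of them now reports a false "not offered" for a server limited to the moved ciphers. The size and disjointness rules are also stated only in the commit message; I would put them next to the data, e.g. `# keep <= 128 entries incl. 00,ff (some servers fail on larger ClientHellos); must not overlap TLS12_CIPHER_2ND_TRY, which only run_protocols() falls back to`.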