Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Get supported groups list from OpenSSL 3.5.0

Browse Source 
In OpenSSL 3.5.0 the `list` command can be used to obtain a list of supported groups for TLS. The commit makes use of this command when $OPENSSL is OpenSSL 3.5.0 or later. This should be faster than testing curves one at a time.
This commit is contained in:
David Cooper
2025-03-11 12:21:43 -07:00
parent bc0c9f9c4b
commit 9f48c51dc7
1 changed files with 32 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
testssl.sh
View File

@@ -20472,7 +20472,7 @@ find_openssl_binary() {
local s_client_starttls_has=$TEMPDIR/s_client_starttls_has.txt local s_client_starttls_has=$TEMPDIR/s_client_starttls_has.txt
local s_client_starttls_has2=$TEMPDIR/s_client_starttls_has2 local s_client_starttls_has2=$TEMPDIR/s_client_starttls_has2
local openssl_location="" cwd="" local openssl_location="" cwd=""
local curve="" local curve="" ossl_tls13_supported_curves
local ossl_line1="" yr="" local ossl_line1="" yr=""
local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448" "brainpoolP256r1tls13" "brainpoolP384r1tls13" "brainpoolP512r1tls13" "ffdhe2048" "ffdhe3072" "ffdhe4096" "ffdhe6144" "ffdhe8192") local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448" "brainpoolP256r1tls13" "brainpoolP384r1tls13" "brainpoolP512r1tls13" "ffdhe2048" "ffdhe3072" "ffdhe4096" "ffdhe6144" "ffdhe8192")
@@ -20665,6 +20665,21 @@ find_openssl_binary() {
fi fi
fi fi
if [[ ! "$OSSL_NAME" =~ LibreSSL ]] && [[ $OSSL_VER_MAJOR -gt 3 || $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 3.[5-9]* ]]; then
OSSL_SUPPORTED_CURVES="$($OPENSSL list -tls1_2 -tls-groups)"
if [[ -n "$OSSL_SUPPORTED_CURVES" ]]; then
OSSL_SUPPORTED_CURVES=" ${OSSL_SUPPORTED_CURVES//:/ } "
ossl_tls13_supported_curves="$($OPENSSL list -tls1_3 -tls-groups)"
for curve in ${ossl_tls13_supported_curves//:/ }; do
[[ ! "$OSSL_SUPPORTED_CURVES" =~ \ $curve\ ]] && OSSL_SUPPORTED_CURVES+="$curve "
done
OSSL_SUPPORTED_CURVES="${OSSL_SUPPORTED_CURVES//secp192r1/prime192v1}"
OSSL_SUPPORTED_CURVES="${OSSL_SUPPORTED_CURVES//secp256r1/prime256v1}"
OSSL_SUPPORTED_CURVES="${OSSL_SUPPORTED_CURVES//x25519/X25519}"
OSSL_SUPPORTED_CURVES="${OSSL_SUPPORTED_CURVES//x448/X448}"
fi
fi
if [[ -z "$OSSL_SUPPORTED_CURVES" ]]; then
if $OPENSSL s_client -curves </dev/null 2>&1 | grep -aiq "unknown option"; then if $OPENSSL s_client -curves </dev/null 2>&1 | grep -aiq "unknown option"; then
if $OPENSSL s_client -groups </dev/null 2>&1 | grep -aiq "unknown option"; then if $OPENSSL s_client -groups </dev/null 2>&1 | grep -aiq "unknown option"; then
# this is for openssl versions like 0.9.8, they do not have -groups or -curves -- just to be safe # this is for openssl versions like 0.9.8, they do not have -groups or -curves -- just to be safe
@@ -20686,6 +20701,7 @@ find_openssl_binary() {
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve " [[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
done done
fi fi
fi
# For the following we feel safe enough to query the s_client help functions. # For the following we feel safe enough to query the s_client help functions.
# That was not good enough for the previous lookups # That was not good enough for the previous lookups