Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-21 07:59:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Improve LibreSSL 3.1.0 compatibility

Browse Source 
This commit addresses two compatibility issues with LibreSSL 3.1.0, which has added client support for TLS 1.3.

The first issue is that LibreSSL has named the TLS 1.3 ciphers that it supports AEAD-AES256-GCM-SHA384, AEAD-CHACHA20-POLY1305-SHA256, and AEAD-AES128-GCM-SHA256, rather than using the OpenSSL names, which are TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, and TLS_AES_128_GCM_SHA256. (Draft versions of OpenSSL 1.1.1 names these ciphers TLS13-AES-256-GCM-SHA384, TLS13-CHACHA20-POLY1305-SHA256, TLS13-AES-128-GCM-SHA256.) There are several places where testssl.sh checks whether a cipher suite is a TLS 1.3 cipher by checking whether its OpenSSL name begins with "TLS_" (or "TLS13"). In order to work with LibreSSL 3.1.0, these checks also need to consider names that begin with "AEAD-" to be TLS 1.3 ciphers.

Second, in sub_session_resumption() there is code that adds "-no_ssl2" to the "$OPENSSL s_client" command line if that option is supported. If "-no_ssl2" is not supported, then other protocol information is added to the command line. I believe this code was written with the assumption that any version of OpenSSL that supports "-no_ssl2" does not support TLS 1.3. However, LibreSSL 3.1.0 supports both. So, this commit changes the code to add the "-no_ssl2" option only if TLS 1.3 is not supported.
This commit is contained in:
David Cooper 2020-04-30 10:54:41 -04:00
parent a1f6fe49ba
commit a5a28d2457
1 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
testssl.sh
View File

@ -3575,7 +3575,7 @@ run_cipher_match(){
tls13_ciphers_to_test="" tls13_ciphers_to_test=""
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
if ! "${ciphers_found2[i]}"; then if ! "${ciphers_found2[i]}"; then
if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]]; then if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]] || [[ "${ciph2[i]}" == AEAD-* ]]; then
tls13_ciphers_to_test+=":${ciph2[i]}" tls13_ciphers_to_test+=":${ciph2[i]}"
else else
ciphers_to_test+=":${ciph2[i]}" ciphers_to_test+=":${ciph2[i]}"
@ -3593,7 +3593,7 @@ run_cipher_match(){
[[ $i -eq $end_of_bundle ]] && break [[ $i -eq $end_of_bundle ]] && break
i=${index[i]} i=${index[i]}
ciphers_found[i]=true ciphers_found[i]=true
if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]]; then if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]] || [[ "$cipher" == AEAD-* ]]; then
kx[i]="$(read_dhtype_from_file $TMPFILE)" kx[i]="$(read_dhtype_from_file $TMPFILE)"
fi fi
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
@ -3849,7 +3849,7 @@ run_allciphers() {
tls13_ciphers_to_test="" tls13_ciphers_to_test=""
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
if ! "${ciphers_found2[i]}"; then if ! "${ciphers_found2[i]}"; then
if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]]; then if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]] || [[ "${ciph2[i]}" == AEAD-* ]]; then
tls13_ciphers_to_test+=":${ciph2[i]}" tls13_ciphers_to_test+=":${ciph2[i]}"
else else
ciphers_to_test+=":${ciph2[i]}" ciphers_to_test+=":${ciph2[i]}"
@ -3867,7 +3867,7 @@ run_allciphers() {
[[ $i -eq $end_of_bundle ]] && break [[ $i -eq $end_of_bundle ]] && break
i=${index[i]} i=${index[i]}
ciphers_found[i]=true ciphers_found[i]=true
if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]]; then if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]] || [[ "$cipher" == AEAD-* ]]; then
kx[i]="$(read_dhtype_from_file $TMPFILE)" kx[i]="$(read_dhtype_from_file $TMPFILE)"
fi fi
if [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]]; then if [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]]; then
@ -4055,9 +4055,9 @@ ciphers_by_strength() {
fi fi
while read hexc n ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do while read hexc n ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
if [[ "$proto" == -tls1_3 ]]; then if [[ "$proto" == -tls1_3 ]]; then
[[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]] || continue [[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]] || [[ "${ciph[nr_ciphers]}" == AEAD-* ]] || continue
elif [[ "$proto" == -tls1_2 ]]; then elif [[ "$proto" == -tls1_2 ]]; then
if [[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]]; then if [[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]] || [[ "${ciph[nr_ciphers]}" == AEAD-* ]]; then
continue continue
fi fi
elif [[ "${ciph[nr_ciphers]}" == *-SHA256 ]] || [[ "${ciph[nr_ciphers]}" == *-SHA384 ]] || \ elif [[ "${ciph[nr_ciphers]}" == *-SHA256 ]] || [[ "${ciph[nr_ciphers]}" == *-SHA384 ]] || \
@ -6203,7 +6203,7 @@ sub_session_resumption() {
fi fi
fi fi
"$CLIENT_AUTH" && return 6 "$CLIENT_AUTH" && return 6
if "$HAS_NO_SSL2"; then if ! "$HAS_TLS13" && "$HAS_NO_SSL2"; then
addcmd+=" -no_ssl2" addcmd+=" -no_ssl2"
else else
protocol=${protocol/\./_} protocol=${protocol/\./_}
@ -9586,7 +9586,7 @@ run_fs() {
tls13_ciphers_to_test="" tls13_ciphers_to_test=""
for (( i=0; i < nr_supported_ciphers; i++ )); do for (( i=0; i < nr_supported_ciphers; i++ )); do
if ! "${ciphers_found[i]}" && "${ossl_supported[i]}"; then if ! "${ciphers_found[i]}" && "${ossl_supported[i]}"; then
if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]]; then if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then
tls13_ciphers_to_test+=":${ciph[i]}" tls13_ciphers_to_test+=":${ciph[i]}"
else else
ciphers_to_test+=":${ciph[i]}" ciphers_to_test+=":${ciph[i]}"
@ -9603,7 +9603,7 @@ run_fs() {
done done
[[ $i -eq $nr_supported_ciphers ]] && break [[ $i -eq $nr_supported_ciphers ]] && break
ciphers_found[i]=true ciphers_found[i]=true
if [[ "$fs_cipher" == TLS13* ]] || [[ "$fs_cipher" == TLS_* ]]; then if [[ "$fs_cipher" == TLS13* ]] || [[ "$fs_cipher" == TLS_* ]] || [[ "$fs_cipher" == AEAD-* ]]; then
fs_tls13_offered=true fs_tls13_offered=true
"$WIDE" && kx[i]="$(read_dhtype_from_file $TMPFILE)" "$WIDE" && kx[i]="$(read_dhtype_from_file $TMPFILE)"
fi fi
@ -9662,11 +9662,12 @@ run_fs() {
fi fi
fs_ciphers+="$fs_cipher " fs_ciphers+="$fs_cipher "
if [[ "${ciph[i]}" == ECDHE-* ]] || [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || ( "$using_sockets" && [[ "${rfc_ciph[i]}" == TLS_ECDHE_* ]] ); then if [[ "${ciph[i]}" == ECDHE-* ]] || [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || \
[[ "${ciph[i]}" == AEAD-* ]] || ( "$using_sockets" && [[ "${rfc_ciph[i]}" == TLS_ECDHE_* ]] ); then
ecdhe_offered=true ecdhe_offered=true
ecdhe_cipher_list_hex+=", ${hexcode[i]}" ecdhe_cipher_list_hex+=", ${hexcode[i]}"
if [[ "${ciph[i]}" != "-" ]]; then if [[ "${ciph[i]}" != "-" ]]; then
if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]]; then if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then
tls13_cipher_list+=":$fs_cipher" tls13_cipher_list+=":$fs_cipher"
else else
ecdhe_cipher_list+=":$fs_cipher" ecdhe_cipher_list+=":$fs_cipher"
@ -9676,7 +9677,7 @@ run_fs() {
if [[ "${ciph[i]}" == "DHE-"* ]] || ( "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_DHE_"* ]] ); then if [[ "${ciph[i]}" == "DHE-"* ]] || ( "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_DHE_"* ]] ); then
ffdhe_offered=true ffdhe_offered=true
ffdhe_cipher_list_hex+=", ${hexcode[i]}" ffdhe_cipher_list_hex+=", ${hexcode[i]}"
elif [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]]; then elif [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then
ffdhe_cipher_list_hex+=", ${hexcode[i]}" ffdhe_cipher_list_hex+=", ${hexcode[i]}"
fi fi
fi fi