mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-31 22:09:44 +01:00
This commit backports PR #2157, #2160, and #2162 from the 3.1dev branch to the 3.0 branch.
This commit is contained in:
parent
793eaa3f84
commit
aaf7bf8505
16
etc/tls_data.txt
Executable file → Normal file
16
etc/tls_data.txt
Executable file → Normal file
@ -45,6 +45,22 @@ c0,1c, c0,1b, c0,1a, c0,17, 00,1b, 00,93, 00,8b, 00,1f,
|
||||
c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e,
|
||||
00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,ff"
|
||||
|
||||
# 97 less common ciphers for TLS 1.2 and SPDY/NPN HTTP2/ALPN
|
||||
readonly TLS12_CIPHER_3RD_TRY="
|
||||
c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,47, c0,49, c0,4b,
|
||||
c0,4d, c0,4f, c0,51, c0,53, c0,55, c0,57, c0,59, c0,5b,
|
||||
c0,5d, c0,5f, c0,61, c0,63, c0,65, c0,67, c0,69, c0,6b,
|
||||
c0,6d, c0,6f, c0,71, c0,7b, c0,7d, c0,7f, c0,81, c0,83,
|
||||
c0,85, c0,87, c0,89, c0,8b, c0,8d, c0,8f, c0,91, c0,93,
|
||||
16,b7, 16,b8, 16,b9, 16,ba, c0,3c, c0,3e, c0,40, c0,42,
|
||||
c0,44, c0,46, c0,48, c0,4a, c0,4c, c0,4e, c0,50, c0,52,
|
||||
c0,54, c0,56, c0,58, c0,5a, c0,5c, c0,5e, c0,60, c0,62,
|
||||
c0,64, c0,66, c0,68, c0,6a, c0,6c, c0,6e, c0,70, c0,7a,
|
||||
c0,7c, c0,7e, c0,80, c0,82, c0,84, c0,86, c0,88, c0,8a,
|
||||
c0,8c, c0,8e, c0,90, c0,92, fe,ff, ff,e0, 00,1e, 00,22,
|
||||
fe,fe, ff,e1, 00,27, 00,26, 00,2a, 00,29, 00,28, 00,2b,
|
||||
ff,87, 00,ff"
|
||||
|
||||
# 76 standard cipher + 4x GOST for SSLv3, TLS 1, TLS 1.1
|
||||
readonly TLS_CIPHER="
|
||||
c0,14, c0,0a, c0,22, c0,21, c0,20, 00,39, 00,38, 00,37,
|
||||
|
72
testssl.sh
72
testssl.sh
@ -1226,14 +1226,22 @@ count_ciphers() {
|
||||
#arg3: options (e.g., -V)
|
||||
actually_supported_osslciphers() {
|
||||
local tls13_ciphers="$TLS13_OSSL_CIPHERS"
|
||||
local options="$3 "
|
||||
|
||||
[[ "$2" != ALL ]] && tls13_ciphers="$2"
|
||||
if "$HAS_CIPHERSUITES"; then
|
||||
$OPENSSL ciphers $3 $OSSL_CIPHERS_S -ciphersuites "$tls13_ciphers" "$1" 2>/dev/null || echo ""
|
||||
elif [[ -n "$tls13_ciphers" ]]; then
|
||||
$OPENSSL ciphers $3 $OSSL_CIPHERS_S "$tls13_ciphers:$1" 2>/dev/null || echo ""
|
||||
# With OpenSSL 1.0.2 the only way to exclude SSLv2 ciphers is to use the -tls1 option.
|
||||
# However, with newer versions of OpenSSL, the -tls1 option excludes TLSv1.2 ciphers.
|
||||
if "$HAS_SSL2"; then
|
||||
options="${options//-no_ssl2 /-tls1 }"
|
||||
else
|
||||
$OPENSSL ciphers $OSSL_CIPHERS_S $3 "$1" 2>/dev/null || echo ""
|
||||
options="${options//-no_ssl2 /}"
|
||||
fi
|
||||
if "$HAS_CIPHERSUITES"; then
|
||||
$OPENSSL ciphers $options $OSSL_CIPHERS_S -ciphersuites "$tls13_ciphers" "$1" 2>/dev/null || echo ""
|
||||
elif [[ -n "$tls13_ciphers" ]]; then
|
||||
$OPENSSL ciphers $options $OSSL_CIPHERS_S "$tls13_ciphers:$1" 2>/dev/null || echo ""
|
||||
else
|
||||
$OPENSSL ciphers $OSSL_CIPHERS_S $options "$1" 2>/dev/null || echo ""
|
||||
fi
|
||||
}
|
||||
|
||||
@ -3241,6 +3249,8 @@ openssl2hexcode() {
|
||||
if [[ $TLS_NR_CIPHERS -eq 0 ]]; then
|
||||
if "$HAS_CIPHERSUITES"; then
|
||||
hexc="$($OPENSSL ciphers -V -ciphersuites "$TLS13_OSSL_CIPHERS" 'ALL:COMPLEMENTOFALL:@STRENGTH' | awk '/ '"$1"' / { print $1 }')"
|
||||
elif "$HAS_SSL2"; then
|
||||
hexc="$($OPENSSL ciphers -V -tls1 'ALL:COMPLEMENTOFALL:@STRENGTH' | awk '/ '"$1"' / { print $1 }')"
|
||||
else
|
||||
hexc="$($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | awk '/ '"$1"' / { print $1 }')"
|
||||
fi
|
||||
@ -4898,10 +4908,11 @@ run_prototest_openssl() {
|
||||
# arg2: available (yes) or not (no)
|
||||
add_tls_offered() {
|
||||
# the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2
|
||||
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
|
||||
# we got that protocol already
|
||||
:
|
||||
else
|
||||
if [[ "$2" == yes ]] && [[ "$PROTOS_OFFERED" =~ $1:no ]]; then
|
||||
# In rare cases, a protocol may be marked as not available even though it is
|
||||
# (e.g., the connection fails with tls_sockets() but succeeds with $OPENSSL.
|
||||
PROTOS_OFFERED="${PROTOS_OFFERED/$1:no/$1:$2}"
|
||||
elif [[ ! "$PROTOS_OFFERED" =~ $1: ]]; then
|
||||
PROTOS_OFFERED+="${1}:$2 "
|
||||
fi
|
||||
}
|
||||
@ -6364,7 +6375,7 @@ run_server_preference() {
|
||||
[[ $DEBUG -ge 4 ]] && echo -e "\n Forward: ${list_fwd}"
|
||||
$OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2") </dev/null 2>$ERRFILE >$TMPFILE
|
||||
if ! sclient_connect_successful $? $TMPFILE; then
|
||||
list_fwd="$(actually_supported_osslciphers $list_fwd '' '-tls1')"
|
||||
list_fwd="$(actually_supported_osslciphers $list_fwd '' '-no_ssl2')"
|
||||
pr_warning "no matching cipher in this list found (pls report this): "
|
||||
outln "$list_fwd . "
|
||||
fileout "$jsonID" "WARN" "Could not determine server cipher order, no matching cipher in list found (pls report this): $list_fwd"
|
||||
@ -17623,11 +17634,7 @@ prepare_arrays() {
|
||||
|
||||
if [[ -e "$CIPHERS_BY_STRENGTH_FILE" ]]; then
|
||||
"$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
|
||||
if "$HAS_SSL2"; then
|
||||
ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-tls1 -V")"
|
||||
else
|
||||
ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")"
|
||||
fi
|
||||
ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-no_ssl2 -V")"
|
||||
TLS13_OSSL_CIPHERS=""
|
||||
while read hexc n TLS_CIPHER_OSSL_NAME[i] TLS_CIPHER_RFC_NAME[i] TLS_CIPHER_SSLVERS[i] TLS_CIPHER_KX[i] TLS_CIPHER_AUTH[i] TLS_CIPHER_ENC[i] mac TLS_CIPHER_EXPORT[i]; do
|
||||
TLS_CIPHER_HEXCODE[i]="$hexc"
|
||||
@ -18411,7 +18418,7 @@ sclient_auth() {
|
||||
# This information can be used by determine_optimal_proto() to help distinguish between a server
|
||||
# that is not TLS/SSL enabled and one that is not compatible with the version of OpenSSL being used.
|
||||
determine_optimal_sockets_params() {
|
||||
local -i ret1=1 ret2=1
|
||||
local -i ret1=1 ret2=1 ret3=1
|
||||
local i proto cipher_offered
|
||||
local all_failed=true
|
||||
|
||||
@ -18480,8 +18487,6 @@ determine_optimal_sockets_params() {
|
||||
add_tls_offered tls1_2 yes
|
||||
TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY"
|
||||
all_failed=false
|
||||
else
|
||||
add_tls_offered tls1_2 no
|
||||
fi
|
||||
if [[ $ret2 -eq 2 ]]; then
|
||||
case $DETECTED_TLS_VERSION in
|
||||
@ -18493,7 +18498,32 @@ determine_optimal_sockets_params() {
|
||||
all_failed=false
|
||||
fi
|
||||
fi
|
||||
if [[ $ret1 -eq 0 ]] || [[ $ret2 -eq 0 ]]; then
|
||||
# Try a third time with cipher suites not in $TLS12_CIPHER or
|
||||
# $TLS12_CIPHER_2ND_TRY. If using these cipher suites results in a
|
||||
# successful connection, then change $TLS12_CIPHER to these
|
||||
# cipher suites so that later tests will use this list of cipher
|
||||
# suites.
|
||||
if [[ $ret1 -ne 0 ]] && [[ $ret2 -ne 0 ]]; then
|
||||
tls_sockets "03" "$TLS12_CIPHER_3RD_TRY"
|
||||
ret3=$?
|
||||
if [[ $ret3 -eq 0 ]]; then
|
||||
add_tls_offered tls1_2 yes
|
||||
TLS12_CIPHER="$TLS12_CIPHER_3RD_TRY"
|
||||
all_failed=false
|
||||
else
|
||||
add_tls_offered tls1_2 no
|
||||
fi
|
||||
if [[ $ret3 -eq 2 ]]; then
|
||||
case $DETECTED_TLS_VERSION in
|
||||
0302) add_tls_offered tls1_1 yes ;;
|
||||
0301) add_tls_offered tls1 yes ;;
|
||||
0300) add_tls_offered ssl3 yes ;;
|
||||
esac
|
||||
[[ $ret1 -ne 2 ]] && [[ $ret2 -ne 2 ]] && TLS12_CIPHER="$TLS12_CIPHER_3RD_TRY"
|
||||
all_failed=false
|
||||
fi
|
||||
fi
|
||||
if [[ $ret1 -eq 0 ]] || [[ $ret2 -eq 0 ]] || [[ $ret3 -eq 0 ]]; then
|
||||
cipher_offered="$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")"
|
||||
if [[ "$cipher_offered" == TLS_* ]] || [[ "$cipher_offered" == SSL_* ]]; then
|
||||
cipher_offered="$(rfc2hexcode "$cipher_offered")"
|
||||
@ -18614,6 +18644,10 @@ determine_optimal_proto() {
|
||||
[[ "$(has_server_protocol "tls1_1")" -ne 0 ]] && [[ "$(has_server_protocol "tls1")" -ne 0 ]] &&
|
||||
[[ "$(has_server_protocol "ssl3")" -ne 0 ]]; then
|
||||
TLS13_ONLY=true
|
||||
elif [[ -z "$TLS12_CIPHER_OFFERED" ]] && [[ "$(has_server_protocol "tls1_2")" -eq 0 ]] && [[ "$(get_protocol $TMPFILE)" == TLSv1.2 ]]; then
|
||||
TLS12_CIPHER_OFFERED="$(get_cipher $TMPFILE)"
|
||||
TLS12_CIPHER_OFFERED="$(openssl2hexcode "$TLS12_CIPHER_OFFERED")"
|
||||
[[ ${#TLS12_CIPHER_OFFERED} -eq 9 ]] && TLS12_CIPHER_OFFERED="${TLS12_CIPHER_OFFERED:2:2},${TLS12_CIPHER_OFFERED:7:2}" || TLS12_CIPHER_OFFERED=""
|
||||
fi
|
||||
|
||||
if [[ "$optimal_proto" == -ssl2 ]]; then
|
||||
|
Loading…
Reference in New Issue
Block a user