diff --git a/testssl.sh b/testssl.sh index 64a386f..49c8d0e 100755 --- a/testssl.sh +++ b/testssl.sh @@ -10873,22 +10873,18 @@ run_fs() { [[ $i -eq $high ]] && break supported_curve[i]=true done - while true; do - # Versions of TLS prior to 1.3 close the connection if the client does not support the curve - # used in the certificate. The easiest solution is to move the curves to the end of the list. - # instead of removing them from the ClientHello. This is only needed if there is no RSA certificate. - if ((! "$HAS_TLS13" || [[ "$proto" == "-no_tls1_3" ]]) && [[ ! "$ecdhe_cipher_list" == *RSA* ]]) || break; then + # Versions of TLS prior to 1.3 close the connection if the client does not support the curve + # used in the certificate. The easiest solution is to move the curves to the end of the list. + # instead of removing them from the ClientHello. This is only needed if there is no RSA certificate. + if (! "$HAS_TLS13" || [[ "$proto" == "-no_tls1_3" ]]) && [[ ! "$ecdhe_cipher_list" == *RSA* ]]; then + while true; do curves_to_test="" for (( i=low; i < high; i++ )); do - if ! "${curves_deprecated[i]}"; then - "${ossl_supported[i]}" && ! "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}" - fi + "${ossl_supported[i]}" && ! "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}" done [[ -z "$curves_to_test" ]] && break for (( i=low; i < high; i++ )); do - if ! "${curves_deprecated[i]}"; then - "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}" - fi + "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}" done $OPENSSL s_client $(s_client_options "$proto -cipher "\'${ecdhe_cipher_list:1}\'" -ciphersuites "\'${tls13_cipher_list:1}\'" -curves "${curves_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE