From b8b779b419be90e45f08e3c682fe0273f4b3250c Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 17 Jun 2016 16:33:00 -0400 Subject: [PATCH] Use sockets for client simulations Modify run_client_simulation() to send the ClientHello from https://api.dev.ssllabs.com/api/v3/getClients (modified to use the correct value in the server name extension) if $EXPERIMENTAL is true, $STARTTLS is empty, and $SSL_NATIVE is false. --- testssl.sh | 401 +++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 361 insertions(+), 40 deletions(-) diff --git a/testssl.sh b/testssl.sh index cb8147e..da2bc2c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1455,7 +1455,22 @@ openssl2rfc() { } rfc2openssl() { - : + local hexcode ossl_hexcode ossl_name + local -i len + + hexcode=$(grep -iw "$1" "$MAPPING_FILE_RFC" 2>>$ERRFILE | head -1 | awk '{ print $1 }') + [[ -z "$hexcode" ]] && return 0 + len=${#hexcode} + case $len in + 3) ossl_hexcode="0x00,0x${hexcode:1:2}" ;; + 5) ossl_hexcode="0x${hexcode:1:2},0x${hexcode:3:2}" ;; + 7) ossl_hexcode="0x${hexcode:1:2},0x${hexcode:3:2},0x${hexcode:5:2}" ;; + *) return 0 ;; + esac + ossl_name="$($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' | grep -i " $ossl_hexcode " | awk '{ print $3 }')" + [[ -z "$ossl_name" ]] && ossl_name="-" + out "$ossl_name" + return 0 } @@ -1789,6 +1804,155 @@ run_cipher_per_proto() { return 0 } +# arg1 is an ASCII-HEX encoded SSLv3 or TLS ClientHello. +# If the ClientHello contains a server name extension, then +# either: +# 1) replace it with one corresponding to $SNI; or +# 2) remove it, if $SNI is empty +create_client_simulation_tls_clienthello() { + local tls_handshake_ascii="$1" + local -i len offset tls_handshake_ascii_len len_all len_clienthello + local -i len_extensions len_extension + local content_type tls_version_reclayer handshake_msg_type tls_clientversion + local tls_random tls_sid tls_cipher_suites tls_compression_methods + local tls_extensions="" extension_type len_extensions_hex + local len_servername hexdump_format_str servername_hexstr + local len_servername_hex len_sni_listlen len_sni_ext + local tls_client_hello len_clienthello_hex tls_handshake_ascii_len_hex + local sni_extension_found=false + + tls_handshake_ascii_len=${#tls_handshake_ascii} + + tls_content_type="${tls_handshake_ascii:0:2}" + tls_version_reclayer="${tls_handshake_ascii:2:4}" + len_all=$(hex2dec "${tls_handshake_ascii:6:4}") + + handshake_msg_type="${tls_handshake_ascii:10:2}" + len_clienthello=$(hex2dec "${tls_handshake_ascii:12:6}") + tls_clientversion="${tls_handshake_ascii:18:4}" + tls_random="${tls_handshake_ascii:22:64}" + len=2*$(hex2dec "${tls_handshake_ascii:86:2}")+2 + tls_sid="${tls_handshake_ascii:86:$len}" + offset=86+$len + + len=2*$(hex2dec "${tls_handshake_ascii:$offset:4}")+4 + tls_cipher_suites="${tls_handshake_ascii:$offset:$len}" + offset=$offset+$len + + len=2*$(hex2dec "${tls_handshake_ascii:$offset:2}")+2 + tls_compression_methods="${tls_handshake_ascii:$offset:$len}" + offset=$offset+$len + + if [[ $offset -ge $tls_handshake_ascii_len ]]; then + # No extensions + out "$tls_handshake_ascii" + return 0 + fi + + len_extensions=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") + offset=$offset+4 + for (( 1; offset < tls_handshake_ascii_len; 1 )); do + extension_type="${tls_handshake_ascii:$offset:4}" + offset=$offset+4 + len_extension=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") + + if [[ "$extension_type" != "0000" ]]; then + # The extension will just be copied into the revised ClientHello + sni_extension_found=true + offset=$offset-4 + len=$len_extension+8 + tls_extensions+="${tls_handshake_ascii:$offset:$len}" + offset=$offset+$len + elif [[ -n "$SNI" ]]; then + # Create a server name extension that corresponds to $SNI + len_servername=${#NODE} + hexdump_format_str="$len_servername/1 \"%02x\"" + servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}") + # convert lengths we need to fill in from dec to hex: + len_servername_hex=$(printf "%02x\n" $len_servername) + len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) + len_sni_ext=$(printf "%02x\n" $((len_servername+5))) + tls_extensions+="000000${len_sni_ext}00${len_sni_listlen}0000${len_servername_hex}${servername_hexstr}" + offset=$offset+$len_extension+4 + fi + done + + if ! $sni_extension_found; then + out "$tls_handshake_ascii" + return 0 + fi + + len_extensions=${#tls_extensions}/2 + len_extensions_hex=$(printf "%02x\n" $len_extensions) + len2twobytes "$len_extensions_hex" + tls_extensions="${LEN_STR:0:2}${LEN_STR:4:2}${tls_extensions}" + + tls_client_hello="${tls_clientversion}${tls_random}${tls_sid}${tls_cipher_suites}${tls_compression_methods}${tls_extensions}" + len_clienthello=${#tls_client_hello}/2 + len_clienthello_hex=$(printf "%02x\n" $len_clienthello) + len2twobytes "$len_clienthello_hex" + tls_handshake_ascii="${handshake_msg_type}00${LEN_STR:0:2}${LEN_STR:4:2}${tls_client_hello}" + + tls_handshake_ascii_len=${#tls_handshake_ascii}/2 + tls_handshake_ascii_len_hex=$(printf "%02x\n" $tls_handshake_ascii_len) + len2twobytes "$tls_handshake_ascii_len_hex" + tls_handshake_ascii="${tls_content_type}${tls_version_reclayer}${LEN_STR:0:2}${LEN_STR:4:2}${tls_handshake_ascii}" + out "$tls_handshake_ascii" + return 0 +} + +client_simulation_sockets() { + local -i len i ret=0 + local -i save=0 + local lines clienthello data="" + local cipher_list_2send + + if [[ "${1:0:4}" == "1603" ]]; then + clienthello="$(create_client_simulation_tls_clienthello "$1")" + else + clienthello="$1" + fi + len=${#clienthello} + for (( i=0; i < len; i=i+2 )); do + data+=", ${clienthello:i:2}" + done + debugme echo "sending client hello..." + code2network "${data}" + fd_socket 5 || return 6 + data=$(echo $NW_STR) + [[ "$DEBUG" -ge 4 ]] && echo "\"$data\"" + printf -- "$data" >&5 2>/dev/null & + sleep $USLEEP_SND + + sockread_serverhello 32768 + TLS_NOW=$(LC_ALL=C date "+%s") + debugme outln "reading server hello..." + if [[ "$DEBUG" -ge 4 ]]; then + hexdump -C $SOCK_REPLY_FILE | head -6 + echo + fi + + parse_tls_serverhello "$SOCK_REPLY_FILE" + save=$? + + # see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL + lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)") + debugme out " (returned $lines lines) " + + # determine the return value for higher level, so that they can tell what the result is + if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then + ret=1 # NOT available + else + ret=0 + fi + debugme outln + + close_socket + TMPFILE=$SOCK_REPLY_FILE + tmpfile_handle $FUNCNAME.dd + return $ret +} + run_client_simulation() { # Runs browser simulations. Browser capabilities gathered from: # https://www.ssllabs.com/ssltest/clients.html on 10 jan 2016 @@ -1799,7 +1963,16 @@ run_client_simulation() { local tlsvers=() local sni=() local warning=() + local handshakebytes=() + local lowest_protocol=() + local highest_protocol=() local i=0 + local name tls proto cipher + local using_sockets=true + + if $SSL_NATIVE || [[ -n "$STARTTLS" ]] || ! $EXPERIMENTAL; then + using_sockets=false + fi # doesn't make sense for other services if [[ $SERVICE != "HTTP" ]]; then @@ -1814,14 +1987,20 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("") warning+=("") + handshakebytes+=("160301004b010000470301531f3de6b36804738bbb94a6ecd570a544789c3bb0a6ef8b9d702f997d928d4b00002000040005002f00330032000a00160013000900150012000300080014001100ff0100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.0.4 ") short+=("android_404") protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") - ciphers+=("CDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") + ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100c6010000c20301531f479cc7785f455ca7a70142af5be929c1ba931eedbf46dba6b6638da75e95000038c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc0020005000400ff020100006000000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f00100011001200130014001500160017001800190023000033740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.1.1 ") short+=("android_411") @@ -1830,6 +2009,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d7010000d30301531f3f6dd9eb5f6b3586c628cc2cdc82cdb259b1a096237ba4df30dbbc0f26fb000044c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400ff020100006500000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f00010133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.2.2 ") short+=("android_422") @@ -1838,22 +2020,31 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d1010000cd0301531f40a89e11d5681f563f3dad094375227035d4e9d2c1654d7d3954e3254558000044c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400ff0100006000000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f001000110023000033740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.3 ") short+=("android_43") - protos+=("-no_ssl2") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d1010000cd0301531f41c3c5110dd688458e5e48e06d30814572ad7b8f9d9df1b0a8820b270685000044c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400ff0100006000000014001200000f7777772e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f001000110023000033740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Android 4.4.2 ") short+=("android_442") protos+=("-no_ssl2") - ciphers+=("CDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") - tlsvers+=("-tl1_2 -tls1_1 -tls1") + ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") + tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d1010000cd0303531f4317998fb70d57feded18c14433a1b665f963f7e3b1b045b6cc3d61bf21300004cc030c02cc014c00a00a3009f006b006a00390038009d003d0035c012c00800160013000ac02fc02bc027c023c013c00900a2009e0067004000330032009c003c002fc011c0070005000400ff0100005800000014001200000f7777772e73736c6c6162732e636f6d000b00020100000a0008000600190018001700230000000d00220020060106020603050105020503040104020403030103020303020102020203010133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Android 5.0.0 ") short+=("android_500") @@ -1862,6 +2053,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100bd010000b9030354c21737f3d9d10696c91debf12415f9c45833a83cfbbd4c60c9b91407d2316b000038cc14cc13cc15c014c00a003900380035c012c00800160013000ac02fc02bc013c00900a2009e00330032009c002fc011c0070005000400ff0100005800000014001200000f6465762e73736c6c6162732e636f6d00230000000d00220020060106020603050105020503040104020403030103020303020102020203010133740000000b00020100000a00080006001900180017") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Baidu Jan 2015 ") short+=("baidu_jan_2015") @@ -1870,6 +2064,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100a30100009f030154c1a814c755540538a93b25e7824623d0ee9fc294ee752869cf76819edb3aa200004800ffc00ac0140088008700390038c00fc00500840035c007c009c011c0130045004400330032c00cc00ec002c0040096004100040005002fc008c01200160013c00dc003feff000a0100002e00000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b0002010000230000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("BingPreview Jan 2015 ") short+=("bingpreview_jan_2015") @@ -1878,6 +2075,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030101510100014d030354c13b79c1ca7169ae70c45d43311f9290d8ac1e326dfc36ff0aa99ea85406d50000a0c030c02cc028c024c014c00ac022c02100a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c012c008c01cc01b00160013c00dc003000ac02fc02bc027c023c013c009c01fc01e00a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff020100008300000014001200000f6465762e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000d002200200601060206030501050205030401040204030301030203030201020202030101000f000101") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Chrome 47 / OSX ") short+=("chrome_47_osx") @@ -1886,6 +2086,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100ca010000c6030361f8858af23cda649baf596105ec66bfe5b4642046c486e3e5321b26588392f400001ec02bc02f009ecc14cc13c00ac0140039c009c0130033009c0035002f000a0100007fff0100010000000014001200000f6465762e73736c6c6162732e636f6d0017000000230000000d001600140601060305010503040104030301030302010203000500050100000000337400000012000000100017001508687474702f312e3108737064792f332e3102683275500000000b00020100000a0006000400170018") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Firefox 31.3.0ESR / Win7 ") short+=("firefox_3130esr_win7") @@ -1894,6 +2097,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b1010000ad030357ce74b9799a67f62ffd7f53fde81675039c3597b2b17f9e18dbbbd418dd68f600002ec02bc02fc00ac009c013c014c012c007c0110033003200450039003800880016002f004100350084000a000500040100005600000014001200000f6465762e73736c6c6162732e636f6dff01000100000a00080006001700180019000b000201000023000033740000000500050100000000000d0012001004010501020104030503020304020202") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Firefox 42 / OSX ") short+=("firefox_42_osx") @@ -1902,6 +2108,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b8010000b403038abe51f10e414011c88d4807c3cf465ae02ba1ef74dd1d59a0b8f04c4f13c969000016c02bc02fc00ac009c013c01400330039002f0035000a0100007500000014001200000f6465762e73736c6c6162732e636f6dff01000100000a00080006001700180019000b00020100002300003374000000100017001502683208737064792f332e3108687474702f312e31000500050100000000000d001600140401050106010201040305030603020304020202") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("GoogleBot Feb 2015 ") short+=("googlebot_feb_2015") @@ -1910,62 +2119,86 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100db010000d70303d9c72e000f6a7f0a156840bd4aa9fd0612df4aeb69a1a1c6452c5f1f4d0ba6b000002ac02bc02fc007c011c009c013c00ac014009c00050004002f000a003500330032001600130039003800ff0100008400000014001200000f6465762e73736c6c6162732e636f6d00230000000d0020001e06010602060305010502050304010402040303010302030302010202020333740000000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("IE6 / XP ") short+=("ie6_xp") - protos+=("-no_tls1") + protos+=("-no_tls1_2 -no_tls1_1 -no_tls1") tlsvers+=("") ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:RC4-MD5:DES-CBC3-MD5:RC2-CBC-MD5:DES-CBC-SHA:DES-CBC-MD5:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA") sni+=("") warning+=("") + handshakebytes+=("804c01030000330000001000000400000500000a0100800700c003008000000906004000006400006200000300000602008004008000001300001200006317411550ac4c45ccbc8f4538dbc56d3a") + lowest_protocol+=("0x0200") + highest_protocol+=("0x0300") names+=("IE7 / Vista ") short+=("ie7_vista") - protos+=("-no_ssl2") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("160301007d01000079030151fa62ab452795b7003c5f93ab677dbf57dd62bfa39e0ffaaeabe45b06552452000018002f00350005000ac009c00ac013c01400320038001300040100003800000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a00080006001700180019000b00020100ff01000100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("IE8 / XP ") short+=("ie8_xp") - protos+=("-no_ssl2") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA") tlsvers+=("-tls1") sni+=("") warning+=("") + handshakebytes+=("16030100410100003d030151fa5ac223f1d72558e48bb4f144baa494403ca6c360349cbd1449997d8dd1ec00001600040005000a000900640062000300060013001200630100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("IE8-10 / Win7 ") short+=("ie10_win7") - protos+=("-no_ssl2") - ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5") - tlsvers+=("-tls1") - sni+=("$SNI") - warning+=("") - - names+=("IE11 / Win7 ") - short+=("ie11_win7") - protos+=("-no_ssl2 -no_ssl3") - ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5") - tlsvers+=("-tls1_2 -tls1_1 -tls1") - sni+=("$SNI") - warning+=("") - - names+=("IE11 / Win8.1 ") - short+=("ie11_win81") - protos+=("-no_ssl2 -no_ssl3") - ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA") - tlsvers+=("-tls1_2 -tls1_1 -tls1") - sni+=("$SNI") - warning+=("") - - names+=("IE10 / Win Phone 8.0 ") - short+=("ie10_winphone_80") - protos+=("-no_ssl2") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("160301007b01000077030151d156b7a2f14154f4e58272d8e272392bb33c1110f21d3b7a3ea2b09fb14c5a000018002f00350005000ac013c014c009c00a003200380013000401000036ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") + + names+=("IE11 / Win7 ") + short+=("ie11_win7") + protos+=("-no_ssl2") + ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") + tlsvers+=("-tls1_2 -tls1_1 -tls1") + sni+=("$SNI") + warning+=("") + handshakebytes+=("16030300a10100009d0303528113a0e622051411874ae3411d7e9f63c4f2671cec1d9c87f2654f88c1bed400002a003c002f003d00350005000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001300040100004aff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e0401050102010403050302030202") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") + + names+=("IE11 / Win8.1 ") + short+=("ie11_win81") + protos+=("-no_ssl2") + ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA") + tlsvers+=("-tls1_2 -tls1_1 -tls1") + sni+=("$SNI") + warning+=("") + handshakebytes+=("16030300bb010000b7030352678fd707022be386508c7e5837f03bcb1b91c372733322f87872ff873af1db000026003c002f003d0035000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001301000068ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000100012001006737064792f3308687474702f312e3133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") + + names+=("IE10 / Win Phone 8.0 ") + short+=("ie10_winphone_80") + protos+=("-no_tls1_2 -no_tls1_1 -no_ssl2") + ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") + tlsvers+=("-tls1") + sni+=("$SNI") + warning+=("") + handshakebytes+=("160301007f0100007b0301536487d458b1a364f27085798ca9e06353f0b300baeecd775e6ccc90a97037c2000018002f00350005000ac013c014c009c00a00320038001300040100003aff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b0002010000230000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("IE11 / Win Phone 8.1 ") short+=("ie10_winphone_81") @@ -1974,6 +2207,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300bb010000b703035363d297ad92a8fe276a4e5b9395d593e96fff9c3df0987e5dfbab544ce05832000026003c002f003d0035000ac027c013c014c02bc023c02cc024c009c00a00400032006a0038001301000068ff0100010000000014001200000f7777772e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000100012001006737064792f3308687474702f312e3133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("IE11 / Win Phone 8.1 Update") short+=("ie10_winphone_81_update") @@ -1982,6 +2218,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300c5010000c103035537a79a55362d42c3b3308fea91e85c5656021153d0a4baf03e7fef6e315c72000030c028c027c014c013009f009e009d009c003d003c0035002fc02cc02bc024c023c00ac009006a004000380032000a001301000068ff0100010000000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000100012001006737064792f3308687474702f312e3133740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("IE11 / Win10 ") short+=("ie11_win10") @@ -1990,6 +2229,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300c9010000c50303558923f4d57c2d79aba0360f4030073f0554d057176bd610fb2aa74ee4407361000034c030c02fc028c027c014c013009f009e009d009c003d003c0035002fc02cc02bc024c023c00ac009006a004000380032000a00130100006800000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d00140012040105010201040305030203020206010603002300000010000e000c02683208687474702f312e3100170000ff01000100") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Edge 13 / Win10 ") short+=("edge13_win10") @@ -1998,14 +2240,20 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300d3010000cf0303565ee009f8e3f685347567b3edfd626034a1125966e4d818ec6f57a022d2fc9e000034c02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a006a00400038003200130100007200000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d00140012040105010201040305030203020206010603002300000010000e000c02683208687474702f312e310017000055000006000100020002ff01000100") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") - names+=("Edge 12 / Win Phone 10 ") + names+=("Edge 13 / Win Phone 10 ") short+=("edge13_winphone10") protos+=("-no_ssl2 -no_ssl3") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA") tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300d3010000cf0303565ee836e62e7b9b734f4dca5f3f1ad62dc4e5f87bdf6c90f325b6a2e0012705000034c02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a006a00400038003200130100007200000014001200000f6465762e73736c6c6162732e636f6d000500050100000000000a0006000400170018000b00020100000d00140012040105010201040305030203020206010603002300000010000e000c02683208687474702f312e310017000055000006000100020002ff01000100") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Java 6u45 ") short+=("java6u45") @@ -2014,6 +2262,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("") warning+=("") + handshakebytes+=("8065010301003c0000002000000401008000000500002f00003300003200000a0700c00000160000130000090600400000150000120000030200800000080000140000110000ff52173357f48ce6722f974dbb429b9279208d1cf5b9088947c9ba16d9ecbc0fa6") + lowest_protocol+=("0x0200") + highest_protocol+=("0x0301") names+=("Java 7u25 ") short+=("java7u25") @@ -2022,6 +2273,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100ad010000a9030152178334e8b855253e50e4623e475b6941c18cc312de6395a98e1cd4fd6735e700002ac009c013002fc004c00e00330032c007c0110005c002c00cc008c012000ac003c00d00160013000400ff01000056000a0034003200170001000300130015000600070009000a0018000b000c0019000d000e000f001000110002001200040005001400080016000b0002010000000014001200000f7777772e73736c6c6162732e636f6d") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Java 8u31 ") short+=("java8u31") @@ -2030,6 +2284,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300e7010000e3030354c21168512b37f2a7410028c16673626ff931146918c7b29f78150b7339e5af000046c023c027003cc025c02900670040c009c013002fc004c00e00330032c02bc02f009cc02dc031009e00a2c008c012000ac003c00d00160013c007c0110005c002c00c000400ff01000074000a0034003200170001000300130015000600070009000a0018000b000c0019000d000e000f001000110002001200040005001400080016000b00020100000d001a001806030601050305010403040103030301020302010202010100000014001200000f6465762e73736c6c6162732e636f6d") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("OpenSSL 0.9.8y ") short+=("openssl098y") @@ -2038,6 +2295,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100730100006f0301521782e707c1a780d3124742f35573dbb693babe5d3a7e9405c706af18b636bf00002a00390038003500160013000a00330032002f0007000500040015001200090014001100080006000300ff0100001c00000014001200000f7777772e73736c6c6162732e636f6d00230000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("OpenSSL 1.0.1l ") short+=("openssl101l") @@ -2046,6 +2306,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("160301014f0100014b030332b230e5dd8c5573c219a243f397e31f407c7a93b60a26e7c3d5cca06a566fe1000094c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0100008e00000014001200000f6465762e73736c6c6162732e636f6d000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000d0020001e060106020603050105020503040104020403030103020303020102020203000500050100000000000f000101") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("OpenSSL 1.0.2e ") short+=("openssl102") @@ -2055,6 +2318,9 @@ run_client_simulation() { sni+=("$SNI") #warning+=("Tests are based on OpenSSL 1.0.1, therefore ciphers 0xe and 0xb are missing") warning+=("") + handshakebytes+=("16030101590100015503032a9db79b37d9364a9a685dc25bfec88c21ef88c206a20b9801108c67607e79800000b6c030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a400a200a0009e00670040003f003e0033003200310030009a0099009800970045004400430042c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc00200050004c012c008001600130010000dc00dc003000a00150012000f000c000900ff0100007600000014001200000f6465762e73736c6c6162732e636f6d000b000403000102000a001c001a00170019001c001b0018001a0016000e000d000b000c0009000a00230000000d0020001e060106020603050105020503040104020403030103020303020102020203000500050100000000000f000101") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 5.1.9/ OSX 10.6.8 ") short+=("safari519_osx1068") @@ -2063,6 +2329,9 @@ run_client_simulation() { tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("160301009d01000099030151d15dc2887b1852fd4291e36c3f4e8a35266e15dd6354779fbf5438b59b42da000046c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110100002a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Safari 6 / iOS 6.0.1 ") short+=("safari6_ios601") @@ -2071,14 +2340,20 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030300bf010000bb030351d15ce21834380a8b5f491a00790b6d097014bb1e04124706631c6a6a3f973800005800ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c004c005c002c003c00ec00fc00cc00d003d003c002f000500040035000a0067006b003300390016c006c010c001c00b003b000200010100003a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a05010401020104030203") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 6.0.4/ OS X 10.8.4 ") short+=("safari604_osx1084") protos+=("-no_ssl2 -no_tls1_2 -no_tls1_1") ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA") - tlsvers+=("-tls1_2 -tls1_1 -tls1") + tlsvers+=("-tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100a9010000a5030151fa327c6576dadde1e8a89d4d45bdc1d0c107b8cbe998337e02ca419a0bcb30204dd1c85d9fbc1607b27a35ec9dfd1dae2c589483843a73999c9de205748633b1003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0033003900160100002a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0301") names+=("Safari 7 / iOS 7.1 ") short+=("safari7_ios71") @@ -2087,6 +2362,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b1010000ad0303532017204048bb5331c62bf295ab4c2f2b3964f515c649a7d0947c8102d7348600004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b0033003900160100003a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a05010401020104030203") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 7 / OS X 10.9 ") short+=("safari7_osx109") @@ -2095,6 +2373,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100d1010000cd030351fa3664edce86d82606540539ccd388418b1a5cb8cfda5e15349c635d4b028b203bf83c63e3da6777e407300b5d657e429f11cd7d857977e4390fda365b8d4664004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b0033003900160100003a00000014001200000f7777772e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a05010401020104030203") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 8 / iOS 8.4 ") short+=("safari8_ios84") @@ -2103,6 +2384,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b5010000b1030354c20f1647345d0cac1db29f0489aab5e2016e6b2baca65e8c5eb6dd48a1fcd400004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c000500040100003e00000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a0501040102010403020333740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 8 / OS X 10.10 ") short+=("safari8_osx1010") @@ -2111,6 +2395,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100b5010000b1030354c20a44e0d7681f3d55d7e9a764b67e6ffa6722c17b21e15bc2c9c98892460a00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c000500040100003e00000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000c000a0501040102010403020333740000") + lowest_protocol+=("0x0300") + highest_protocol+=("0x0303") names+=("Safari 9 / iOS 9 ") short+=("safari9_ios9") @@ -2119,6 +2406,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100e2010000de030355fb38fdc94c6c1ff6ee066f0e69579f40a83ce5454787e8834b60fd8c31e5ac00003400ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000ac007c011000500040100008100000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000e000c0501040102010503040302033374000000100030002e0268320568322d31360568322d31350568322d313408737064792f332e3106737064792f3308687474702f312e3100050005010000000000120000") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") names+=("Safari 9 / OS X 10.11 ") short+=("safari9_osx1011") @@ -2127,6 +2417,9 @@ run_client_simulation() { tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") warning+=("") + handshakebytes+=("16030100e2010000de030355def1c4d1f6a12227389012da236581104b0bfa8b8a5bc849372531349dccc600003400ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000ac007c011000500040100008100000014001200000f6465762e73736c6c6162732e636f6d000a00080006001700180019000b00020100000d000e000c0501040102010503040302033374000000100030002e0268320568322d31360568322d31350568322d313408737064792f332e3106737064792f3308687474702f312e3100050005010000000000120000") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") outln pr_headlineln " Running browser simulations (experimental) " @@ -2136,17 +2429,29 @@ run_client_simulation() { for name in "${short[@]}"; do #FIXME: printf formatting would look better, especially if we want a wide option here out " ${names[i]} " - $OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE - debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $ERRFILE + fi + else + $OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE + debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE @@ -2172,6 +2477,7 @@ run_client_simulation() { fi #FiXME: awk cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://') + $using_sockets && [[ -n "${handshakebytes[i]}" ]] && cipher="$(rfc2openssl "$cipher")" outln "$proto $cipher" if [[ -n "${warning[i]}" ]]; then out " " @@ -4244,6 +4550,7 @@ parse_tls_serverhello() { TLS_TIME="" DETECTED_TLS_VERSION="" + [[ -n "$tls_hello_ascii" ]] && echo "CONNECTED(00000003)" > $TMPFILE # $tls_hello_ascii may contain trailing whitespace. Remove it: tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}" @@ -4474,6 +4781,19 @@ parse_tls_serverhello() { let offset=74+$tls_sid_len tls_compression_method="${tls_serverhello_ascii:$offset:2}" + if [[ "$tls_protocol2" == "0300" ]]; then + echo "Protocol : SSLv3" >> $TMPFILE + else + echo "Protocol : TLSv1.$((0x$tls_protocol2-0x0301))" >> $TMPFILE + fi + echo "===============================================================================" >> $TMPFILE + if [[ "${tls_cipher_suite:0:2}" == "00" ]]; then + echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:2:2}"))" >> $TMPFILE + else + echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:0:4}"))" >> $TMPFILE + fi + echo "===============================================================================" >> $TMPFILE + if [[ $DEBUG -ge 2 ]]; then echo "TLS server hello message:" if [[ $DEBUG -ge 4 ]]; then @@ -4496,6 +4816,7 @@ parse_tls_serverhello() { esac outln fi + tmpfile_handle $FUNCNAME.txt return 0 }