mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-23 08:59:31 +01:00
Merge branch 'master' into openss2rfc_rfc2openssl
This commit is contained in:
commit
c1624782d5
@ -13,12 +13,12 @@ via the argument (``--openssl=<here>``) or as an environment variable
|
||||
(``OPENSSL=<here> testssl.sh <yourargs>``).
|
||||
|
||||
The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support,
|
||||
they won't be automatically picked up as you need to make sure first they
|
||||
they won't be picked up automatically as you need to make sure first they
|
||||
run (see libraries below).
|
||||
|
||||
All the precompiled binaries provided here have extended support for
|
||||
everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit,
|
||||
export/ANON ciphers, weak DH ciphers, SSLv2 etc. -- all the dirty
|
||||
export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty
|
||||
features needed for testing. OTOH they also come with extended support
|
||||
for new / advanced cipher suites and/or features which are not in the
|
||||
official branch like CHACHA20+POLY1305 and CAMELIA 256 bit ciphers.
|
||||
@ -29,6 +29,9 @@ Peter!
|
||||
|
||||
Compiled Linux binaries so far come from Dirk, other contributors see ../CREDITS.md .
|
||||
|
||||
**__New binaries inluding IPv6 support are @ https://testssl.sh__**. The ones here will be
|
||||
updated soon.
|
||||
|
||||
|
||||
Compiling and Usage Instructions
|
||||
================================
|
||||
@ -38,7 +41,7 @@ General
|
||||
|
||||
Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you
|
||||
cannot use them for older distributions, younger worked in all my test environments.
|
||||
I provide for each distributions two sets of binaries:
|
||||
I provide for each distributions two sets of binaries (no IPv6 here):
|
||||
|
||||
* completely statically linked binaries
|
||||
* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
|
||||
@ -94,7 +97,9 @@ If you want to compile OpenSSL yourself, here are the instructions:
|
||||
-- this doesn't give you the option of an IPv6 enabled proxy -- yet.)
|
||||
|
||||
Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST
|
||||
ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make problems under rare circumstances, so unless you desperately need those ciphers I would stay away from ``-DTEMP_GOST_TLS``.
|
||||
ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make
|
||||
problems under some circumstances, so unless you desperately need those ciphers I would stay away from
|
||||
``-DTEMP_GOST_TLS``.
|
||||
|
||||
If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit "--with-krb5-flavor=MIT"
|
||||
(see examples). If you have another Kerberos flavor you would need to figure out by yourself.
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Value, IANA name,
|
||||
# Value, IANA name, openssl serverhello
|
||||
1, sect163k1, K-163
|
||||
2, sect163r1,
|
||||
3, sect163r2, B-163
|
||||
@ -27,5 +27,5 @@
|
||||
26, brainpoolP256r1,
|
||||
27, brainpoolP384r1,
|
||||
28, brainpoolP512r1,
|
||||
unknown, curve448,
|
||||
unknown, curve25519
|
||||
29, curve25519,
|
||||
30, curve448
|
||||
|
270
etc/mapping.txt
Normal file
270
etc/mapping.txt
Normal file
@ -0,0 +1,270 @@
|
||||
xff03 GOST-GOST89STREAM RSA GOST89 256
|
||||
xff02 GOST-GOST89MAC RSA GOST89 256
|
||||
xff01 GOST-GOST94 RSA GOST89 256
|
||||
xff00 GOST-MD5 RSA GOST89 256
|
||||
xccae RSA-PSK-CHACHA20-POLY1305 RSAPSK CHACHA20 256 TLS_RSA_PSK_WITH_CHACHA20_POLY1305
|
||||
xccad DHE-PSK-CHACHA20-POLY1305 DHEPSK CHACHA20 256 TLS_DHE_PSK_WITH_CHACHA20_POLY1305
|
||||
xccac ECDHE-PSK-CHACHA20-POLY1305 ECDHEPSK CHACHA20 256 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305
|
||||
xccab PSK-CHACHA20-POLY1305 PSK CHACHA20 256 TLS_PSK_WITH_CHACHA20_POLY1305
|
||||
xccaa DHE-RSA-CHACHA20-POLY1305 DH CHACHA20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305
|
||||
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH CHACHA20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH CHACHA20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||
xcc15 DHE-RSA-CHACHA20-POLY1305_OLD DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
xcc14 ECDHE-ECDSA-CHACHA20-POLY1305_OLD ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
xcc13 ECDHE-RSA-CHACHA20-POLY1305_OLD ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
xc5 ADH-CAMELLIA256-SHA256 DH Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
|
||||
xc4 DHE-RSA-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
||||
xc3 DHE-DSS-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256
|
||||
xc2 DH-RSA-CAMELLIA256-SHA256 DH/RSA Camellia 256 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
||||
xc1 DH-DSS-CAMELLIA256-SHA256 DH/DSS Camellia 256 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256
|
||||
xc0 CAMELLIA256-SHA256 RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
||||
xc0af ECDHE-ECDSA-AES256-CCM8 ECDH AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
|
||||
xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
|
||||
xc0ad ECDHE-ECDSA-AES256-CCM ECDH AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM
|
||||
xc0ac ECDHE-ECDSA-AES128-CCM ECDH AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM
|
||||
xc0ab DHE-PSK-AES256-CCM8 DHEPSK AESCCM8 256 TLS_PSK_DHE_WITH_AES_256_CCM_8
|
||||
xc0aa DHE-PSK-AES128-CCM8 DHEPSK AESCCM8 128 TLS_PSK_DHE_WITH_AES_128_CCM_8
|
||||
xc0a9 PSK-AES256-CCM8 PSK AESCCM8 256 TLS_PSK_WITH_AES_256_CCM_8
|
||||
xc0a8 PSK-AES128-CCM8 PSK AESCCM8 128 TLS_PSK_WITH_AES_128_CCM_8
|
||||
xc0a7 DHE-PSK-AES256-CCM DHEPSK AESCCM 256 TLS_DHE_PSK_WITH_AES_256_CCM
|
||||
xc0a6 DHE-PSK-AES128-CCM DHEPSK AESCCM 128 TLS_DHE_PSK_WITH_AES_128_CCM
|
||||
xc0a5 PSK-AES256-CCM PSK AESCCM 256 TLS_PSK_WITH_AES_256_CCM
|
||||
xc0a4 PSK-AES128-CCM PSK AESCCM 128 TLS_PSK_WITH_AES_128_CCM
|
||||
xc0a3 DHE-RSA-AES256-CCM8 DH AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8
|
||||
xc0a2 DHE-RSA-AES128-CCM8 DH AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8
|
||||
xc0a1 AES256-CCM8 RSA AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8
|
||||
xc0a0 AES128-CCM8 RSA AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8
|
||||
xc09f DHE-RSA-AES256-CCM DH AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM
|
||||
xc09e DHE-RSA-AES128-CCM DH AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM
|
||||
xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM
|
||||
xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM
|
||||
xc09b ECDHE-PSK-CAMELLIA256-SHA384 ECDHEPSK Camellia 256 TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
|
||||
xc09a ECDHE-PSK-CAMELLIA128-SHA256 ECDHEPSK Camellia 128 TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xc099 RSA-PSK-CAMELLIA256-SHA384 RSAPSK Camellia 256 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
|
||||
xc098 RSA-PSK-CAMELLIA128-SHA256 RSAPSK Camellia 128 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xc097 DHE-PSK-CAMELLIA256-SHA384 DHEPSK Camellia 256 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
|
||||
xc096 DHE-PSK-CAMELLIA128-SHA256 DHEPSK Camellia 128 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xc095 PSK-CAMELLIA256-SHA384 PSK Camellia 256 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
|
||||
xc094 PSK-CAMELLIA128-SHA256 PSK Camellia 128 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xc079 ECDH-RSA-CAMELLIA256-SHA384 ECDH/RSA Camellia 256 TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
|
||||
xc078 ECDH-RSA-CAMELLIA128-SHA256 ECDH/RSA Camellia 128 TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
|
||||
xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xc075 ECDH-ECDSA-CAMELLIA256-SHA384 ECDH/ECDSA Camellia 256 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
|
||||
xc074 ECDH-ECDSA-CAMELLIA128-SHA256 ECDH/ECDSA Camellia 128 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
|
||||
xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xc03b ECDHE-PSK-NULL-SHA384 ECDHEPSK None None TLS_ECDHE_PSK_WITH_NULL_SHA384
|
||||
xc03a ECDHE-PSK-NULL-SHA256 ECDHEPSK None None TLS_ECDHE_PSK_WITH_NULL_SHA256
|
||||
xc039 ECDHE-PSK-NULL-SHA ECDHEPSK None None TLS_ECDHE_PSK_WITH_NULL_SHA
|
||||
xc038 ECDHE-PSK-AES256-CBC-SHA384 ECDHEPSK AES 256 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
|
||||
xc037 ECDHE-PSK-AES128-CBC-SHA256 ECDHEPSK AES 128 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
|
||||
xc036 ECDHE-PSK-AES256-CBC-SHA ECDHEPSK AES 256 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
|
||||
xc035 ECDHE-PSK-AES128-CBC-SHA ECDHEPSK AES 128 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
|
||||
xc034 ECDHE-PSK-3DES-EDE-CBC-SHA ECDHEPSK 3DES 168 TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
xc032 ECDH-RSA-AES256-GCM-SHA384 ECDH/RSA AESGCM 256 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
|
||||
xc031 ECDH-RSA-AES128-GCM-SHA256 ECDH/RSA AESGCM 128 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
|
||||
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
xc02e ECDH-ECDSA-AES256-GCM-SHA384 ECDH/ECDSA AESGCM 256 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
xc02d ECDH-ECDSA-AES128-GCM-SHA256 ECDH/ECDSA AESGCM 128 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
xc02a ECDH-RSA-AES256-SHA384 ECDH/RSA AES 256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
|
||||
xc029 ECDH-RSA-AES128-SHA256 ECDH/RSA AES 128 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
|
||||
xc028 ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
||||
xc027 ECDHE-RSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
xc026 ECDH-ECDSA-AES256-SHA384 ECDH/ECDSA AES 256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
|
||||
xc025 ECDH-ECDSA-AES128-SHA256 ECDH/ECDSA AES 128 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
|
||||
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
xc022 SRP-DSS-AES-256-CBC-SHA SRP AES 256 TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
|
||||
xc021 SRP-RSA-AES-256-CBC-SHA SRP AES 256 TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
|
||||
xc020 SRP-AES-256-CBC-SHA SRP AES 256 TLS_SRP_SHA_WITH_AES_256_CBC_SHA
|
||||
xc01f SRP-DSS-AES-128-CBC-SHA SRP AES 128 TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
|
||||
xc01e SRP-RSA-AES-128-CBC-SHA SRP AES 128 TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
|
||||
xc01d SRP-AES-128-CBC-SHA SRP AES 128 TLS_SRP_SHA_WITH_AES_128_CBC_SHA
|
||||
xc01c SRP-DSS-3DES-EDE-CBC-SHA SRP 3DES 168 TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
|
||||
xc01b SRP-RSA-3DES-EDE-CBC-SHA SRP 3DES 168 TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
xc01a SRP-3DES-EDE-CBC-SHA SRP 3DES 168 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA
|
||||
xc019 AECDH-AES256-SHA ECDH AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
|
||||
xc018 AECDH-AES128-SHA ECDH AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
|
||||
xc017 AECDH-DES-CBC3-SHA ECDH 3DES 168 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
|
||||
xc016 AECDH-RC4-SHA ECDH RC4 128 TLS_ECDH_anon_WITH_RC4_128_SHA
|
||||
xc015 AECDH-NULL-SHA ECDH None None TLS_ECDH_anon_WITH_NULL_SHA
|
||||
xc014 ECDHE-RSA-AES256-SHA ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
xc013 ECDHE-RSA-AES128-SHA ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
xc012 ECDHE-RSA-DES-CBC3-SHA ECDH 3DES 168 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
xc011 ECDHE-RSA-RC4-SHA ECDH RC4 128 TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
||||
xc010 ECDHE-RSA-NULL-SHA ECDH None None TLS_ECDHE_RSA_WITH_NULL_SHA
|
||||
xc00f ECDH-RSA-AES256-SHA ECDH/RSA AES 256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
|
||||
xc00e ECDH-RSA-AES128-SHA ECDH/RSA AES 128 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
|
||||
xc00d ECDH-RSA-DES-CBC3-SHA ECDH/RSA 3DES 168 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
xc00c ECDH-RSA-RC4-SHA ECDH/RSA RC4 128 TLS_ECDH_RSA_WITH_RC4_128_SHA
|
||||
xc00b ECDH-RSA-NULL-SHA ECDH/RSA None None TLS_ECDH_RSA_WITH_NULL_SHA
|
||||
xc00a ECDHE-ECDSA-AES256-SHA ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||
xc009 ECDHE-ECDSA-AES128-SHA ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
xc008 ECDHE-ECDSA-DES-CBC3-SHA ECDH 3DES 168 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
xc007 ECDHE-ECDSA-RC4-SHA ECDH RC4 128 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
xc006 ECDHE-ECDSA-NULL-SHA ECDH None None TLS_ECDHE_ECDSA_WITH_NULL_SHA
|
||||
xc005 ECDH-ECDSA-AES256-SHA ECDH/ECDSA AES 256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
||||
xc004 ECDH-ECDSA-AES128-SHA ECDH/ECDSA AES 128 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
||||
xc003 ECDH-ECDSA-DES-CBC3-SHA ECDH/ECDSA 3DES 168 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
xc002 ECDH-ECDSA-RC4-SHA ECDH/ECDSA RC4 128 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
|
||||
xc001 ECDH-ECDSA-NULL-SHA ECDH/ECDSA None None TLS_ECDH_ECDSA_WITH_NULL_SHA
|
||||
xbf ADH-CAMELLIA128-SHA256 DH Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xbe DHE-RSA-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xbd DHE-DSS-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xbc DH-RSA-CAMELLIA128-SHA256 DH/RSA Camellia 128 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xbb DH-DSS-CAMELLIA128-SHA256 DH/DSS Camellia 128 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xba CAMELLIA128-SHA256 RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
xb9 RSA-PSK-NULL-SHA384 RSAPSK None None TLS_RSA_PSK_WITH_NULL_SHA384
|
||||
xb8 RSA-PSK-NULL-SHA256 RSAPSK None None TLS_RSA_PSK_WITH_NULL_SHA256
|
||||
xb7 RSA-PSK-AES256-CBC-SHA384 RSAPSK AES 256 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
|
||||
xb6 RSA-PSK-AES128-CBC-SHA256 RSAPSK AES 128 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
|
||||
xb5 DHE-PSK-NULL-SHA384 DHEPSK None None TLS_DHE_PSK_WITH_NULL_SHA384
|
||||
xb4 DHE-PSK-NULL-SHA256 DHEPSK None None TLS_DHE_PSK_WITH_NULL_SHA256
|
||||
xb3 DHE-PSK-AES256-CBC-SHA384 DHEPSK AES 256 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
|
||||
xb2 DHE-PSK-AES128-CBC-SHA256 DHEPSK AES 128 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
|
||||
xb1 PSK-NULL-SHA384 PSK None None TLS_PSK_WITH_NULL_SHA384
|
||||
xb0 PSK-NULL-SHA256 PSK None None TLS_PSK_WITH_NULL_SHA256
|
||||
xaf PSK-AES256-CBC-SHA384 PSK AES 256 TLS_PSK_WITH_AES_256_CBC_SHA384
|
||||
xae PSK-AES128-CBC-SHA256 PSK AES 128 TLS_PSK_WITH_AES_128_CBC_SHA256
|
||||
xad RSA-PSK-AES256-GCM-SHA384 RSAPSK AESGCM 256 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
|
||||
xac RSA-PSK-AES128-GCM-SHA256 RSAPSK AESGCM 128 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
|
||||
xab DHE-PSK-AES256-GCM-SHA384 DHEPSK AESGCM 256 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
|
||||
xaa DHE-PSK-AES128-GCM-SHA256 DHEPSK AESGCM 128 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
|
||||
xa9 PSK-AES256-GCM-SHA384 PSK AESGCM 256 TLS_PSK_WITH_AES_256_GCM_SHA384
|
||||
xa8 PSK-AES128-GCM-SHA256 PSK AESGCM 128 TLS_PSK_WITH_AES_128_GCM_SHA256
|
||||
xa7 ADH-AES256-GCM-SHA384 DH AESGCM 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384
|
||||
xa6 ADH-AES128-GCM-SHA256 DH AESGCM 128 TLS_DH_anon_WITH_AES_128_GCM_SHA256
|
||||
xa5 DH-DSS-AES256-GCM-SHA384 DH/DSS AESGCM 256 TLS_DH_DSS_WITH_AES_256_GCM_SHA384
|
||||
xa4 DH-DSS-AES128-GCM-SHA256 DH/DSS AESGCM 128 TLS_DH_DSS_WITH_AES_128_GCM_SHA256
|
||||
xa3 DHE-DSS-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
|
||||
xa2 DHE-DSS-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
|
||||
xa1 DH-RSA-AES256-GCM-SHA384 DH/RSA AESGCM 256 TLS_DH_RSA_WITH_AES_256_GCM_SHA384
|
||||
xa0 DH-RSA-AES128-GCM-SHA256 DH/RSA AESGCM 128 TLS_DH_RSA_WITH_AES_128_GCM_SHA256
|
||||
x9f DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
x9e DHE-RSA-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
x9b ADH-SEED-SHA DH SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA
|
||||
x9a DHE-RSA-SEED-SHA DH SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA
|
||||
x99 DHE-DSS-SEED-SHA DH SEED 128 TLS_DHE_DSS_WITH_SEED_CBC_SHA
|
||||
x98 DH-RSA-SEED-SHA DH/RSA SEED 128 TLS_DH_RSA_WITH_SEED_CBC_SHA
|
||||
x97 DH-DSS-SEED-SHA DH/DSS SEED 128 TLS_DH_DSS_WITH_SEED_CBC_SHA
|
||||
x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA
|
||||
x95 RSA-PSK-AES256-CBC-SHA RSAPSK AES 256 TLS_RSA_PSK_WITH_AES_256_CBC_SHA
|
||||
x94 RSA-PSK-AES128-CBC-SHA RSAPSK AES 128 TLS_RSA_PSK_WITH_AES_128_CBC_SHA
|
||||
x93 RSA-PSK-3DES-EDE-CBC-SHA RSAPSK 3DES 168 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
x92 RSA-PSK-RC4-SHA RSAPSK RC4 128 TLS_RSA_PSK_WITH_RC4_128_SHA
|
||||
x91 DHE-PSK-AES256-CBC-SHA DHEPSK AES 256 TLS_DHE_PSK_WITH_AES_256_CBC_SHA
|
||||
x90 DHE-PSK-AES128-CBC-SHA DHEPSK AES 128 TLS_DHE_PSK_WITH_AES_128_CBC_SHA
|
||||
x8f DHE-PSK-3DES-EDE-CBC-SHA DHEPSK 3DES 168 TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
x8d PSK-AES256-CBC-SHA PSK AES 256 TLS_PSK_WITH_AES_256_CBC_SHA
|
||||
x8c PSK-AES128-CBC-SHA PSK AES 128 TLS_PSK_WITH_AES_128_CBC_SHA
|
||||
x8b PSK-3DES-EDE-CBC-SHA PSK 3DES 168 TLS_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
x8a PSK-RC4-SHA PSK RC4 128 TLS_PSK_WITH_RC4_128_SHA
|
||||
x89 ADH-CAMELLIA256-SHA DH Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|
||||
x88 DHE-RSA-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
x87 DHE-DSS-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
|
||||
x86 DH-RSA-CAMELLIA256-SHA DH/RSA Camellia 256 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
x85 DH-DSS-CAMELLIA256-SHA DH/DSS Camellia 256 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
|
||||
x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
x83 GOST2001-NULL-GOST94 GOST None None TLS_GOSTR341001_WITH_NULL_GOSTR3411
|
||||
x82 GOST94-NULL-GOST94 GOST None None TLS_GOSTR341094_WITH_NULL_GOSTR3411
|
||||
x81 GOST2001-GOST89-GOST89 GOST GOST89 256 TLS_GOSTR341001_WITH_28147_CNT_IMIT
|
||||
x80 GOST94-GOST89-GOST89 GOST GOST89 256 TLS_GOSTR341094_WITH_28147_CNT_IMIT
|
||||
x6d ADH-AES256-SHA256 DH AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA256
|
||||
x6c ADH-AES128-SHA256 DH AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA256
|
||||
x6b DHE-RSA-AES256-SHA256 DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|
||||
x6a DHE-DSS-AES256-SHA256 DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
|
||||
x69 DH-RSA-AES256-SHA256 DH/RSA AES 256 TLS_DH_RSA_WITH_AES_256_CBC_SHA256
|
||||
x68 DH-DSS-AES256-SHA256 DH/DSS AES 256 TLS_DH_DSS_WITH_AES_256_CBC_SHA256
|
||||
x67 DHE-RSA-AES128-SHA256 DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
x66 DHE-DSS-RC4-SHA DH RC4 128 TLS_DHE_DSS_WITH_RC4_128_SHA
|
||||
x65 EXP1024-DHE-DSS-RC4-SHA DH(1024) RC4 56,export TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
|
||||
x64 EXP1024-RC4-SHA RSA(1024) RC4 56,export TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|
||||
x63 EXP1024-DHE-DSS-DES-CBC-SHA DH(1024) DES 56,export TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
|
||||
x62 EXP1024-DES-CBC-SHA RSA(1024) DES 56,export TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|
||||
x61 EXP1024-RC2-CBC-MD5 RSA(1024) RC2 56,export TLS_RSA_EXPORT1024_WITH_RC2_56_MD5
|
||||
x60 EXP1024-RC4-MD5 RSA(1024) RC4 56,export TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
|
||||
x46 ADH-CAMELLIA128-SHA DH Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|
||||
x45 DHE-RSA-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
x44 DHE-DSS-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
|
||||
x43 DH-RSA-CAMELLIA128-SHA DH/RSA Camellia 128 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
x42 DH-DSS-CAMELLIA128-SHA DH/DSS Camellia 128 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
|
||||
x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
x40 DHE-DSS-AES128-SHA256 DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
|
||||
x3f DH-RSA-AES128-SHA256 DH/RSA AES 128 TLS_DH_RSA_WITH_AES_128_CBC_SHA256
|
||||
x3e DH-DSS-AES128-SHA256 DH/DSS AES 128 TLS_DH_DSS_WITH_AES_128_CBC_SHA256
|
||||
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
|
||||
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
|
||||
x3b NULL-SHA256 RSA None None TLS_RSA_WITH_NULL_SHA256
|
||||
x3a ADH-AES256-SHA DH AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA
|
||||
x39 DHE-RSA-AES256-SHA DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
||||
x38 DHE-DSS-AES256-SHA DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
|
||||
x37 DH-RSA-AES256-SHA DH/RSA AES 256 TLS_DH_RSA_WITH_AES_256_CBC_SHA
|
||||
x36 DH-DSS-AES256-SHA DH/DSS AES 256 TLS_DH_DSS_WITH_AES_256_CBC_SHA
|
||||
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
|
||||
x34 ADH-AES128-SHA DH AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA
|
||||
x33 DHE-RSA-AES128-SHA DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
||||
x32 DHE-DSS-AES128-SHA DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
|
||||
x31 DH-RSA-AES128-SHA DH/RSA AES 128 TLS_DH_RSA_WITH_AES_128_CBC_SHA
|
||||
x30 DH-DSS-AES128-SHA DH/DSS AES 128 TLS_DH_DSS_WITH_AES_128_CBC_SHA
|
||||
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
|
||||
x2e RSA-PSK-NULL-SHA RSAPSK None None TLS_RSA_PSK_WITH_NULL_SHA
|
||||
x2d DHE-PSK-NULL-SHA DHEPSK None None TLS_DHE_PSK_WITH_NULL_SHA
|
||||
x2c PSK-NULL-SHA PSK None None TLS_PSK_WITH_NULL_SHA
|
||||
x2b EXP-KRB5-RC4-MD5 KRB5 RC4 40,export TLS_KRB5_EXPORT_WITH_RC4_40_MD5
|
||||
x2a EXP-KRB5-RC2-CBC-MD5 KRB5 RC2 40,export TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
|
||||
x29 EXP-KRB5-DES-CBC-MD5 KRB5 DES 40,export TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
|
||||
x28 EXP-KRB5-RC4-SHA KRB5 RC4 40,export TLS_KRB5_EXPORT_WITH_RC4_40_SHA
|
||||
x27 EXP-KRB5-RC2-CBC-SHA KRB5 RC2 40,export TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA
|
||||
x26 EXP-KRB5-DES-CBC-SHA KRB5 DES 40,export TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
|
||||
x25 KRB5-IDEA-CBC-MD5 KRB5 IDEA 128 TLS_KRB5_WITH_IDEA_CBC_MD5
|
||||
x24 KRB5-RC4-MD5 KRB5 RC4 128 TLS_KRB5_WITH_RC4_128_MD5
|
||||
x23 KRB5-DES-CBC3-MD5 KRB5 3DES 168 TLS_KRB5_WITH_3DES_EDE_CBC_MD5
|
||||
x22 KRB5-DES-CBC-MD5 KRB5 DES 56 TLS_KRB5_WITH_DES_CBC_MD5
|
||||
x21 KRB5-IDEA-CBC-SHA KRB5 IDEA 128 TLS_KRB5_WITH_IDEA_CBC_SHA
|
||||
x20 KRB5-RC4-SHA KRB5 RC4 128 TLS_KRB5_WITH_RC4_128_SHA
|
||||
x1f KRB5-DES-CBC3-SHA KRB5 3DES 168 TLS_KRB5_WITH_3DES_EDE_CBC_SHA
|
||||
x1e KRB5-DES-CBC-SHA KRB5 DES 56 TLS_KRB5_WITH_DES_CBC_SHA
|
||||
x1b ADH-DES-CBC3-SHA DH 3DES 168 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|
||||
x1a ADH-DES-CBC-SHA DH DES 56 TLS_DH_anon_WITH_DES_CBC_SHA
|
||||
x19 EXP-ADH-DES-CBC-SHA DH(512) DES 40,export TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|
||||
x18 ADH-RC4-MD5 DH RC4 128 TLS_DH_anon_WITH_RC4_128_MD5
|
||||
x17 EXP-ADH-RC4-MD5 DH(512) RC4 40,export TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
|
||||
x16 EDH-RSA-DES-CBC3-SHA DH 3DES 168 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
x16 DHE-RSA-DES-CBC3-SHA DH 3DES 168 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
x15 EDH-RSA-DES-CBC-SHA DH DES 56 TLS_DHE_RSA_WITH_DES_CBC_SHA
|
||||
x14 EXP-EDH-RSA-DES-CBC-SHA DH(512) DES 40,export TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|
||||
x13 EDH-DSS-DES-CBC3-SHA DH 3DES 168 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
|
||||
x13 DHE-DSS-DES-CBC3-SHA DH 3DES 168 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
|
||||
x12 EDH-DSS-DES-CBC-SHA DH DES 56 TLS_DHE_DSS_WITH_DES_CBC_SHA
|
||||
x11 EXP-EDH-DSS-DES-CBC-SHA DH(512) DES 40,export TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
|
||||
x10 DH-RSA-DES-CBC3-SHA DH/RSA 3DES 168 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
x0f DH-RSA-DES-CBC-SHA DH/RSA DES 56 TLS_DH_RSA_WITH_DES_CBC_SHA
|
||||
x0e EXP-DH-RSA-DES-CBC-SHA DH/RSA DES 40,export TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
|
||||
x0d DH-DSS-DES-CBC3-SHA DH/DSS 3DES 168 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
|
||||
x0c DH-DSS-DES-CBC-SHA DH/DSS DES 56 TLS_DH_DSS_WITH_DES_CBC_SHA
|
||||
x0b EXP-DH-DSS-DES-CBC-SHA DH/DSS DES 40,export TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
|
||||
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
x09 DES-CBC-SHA RSA DES 56 TLS_RSA_WITH_DES_CBC_SHA
|
||||
x08 EXP-DES-CBC-SHA RSA(512) DES 40,export TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
|
||||
x080080 RC4-64-MD5 RSA RC4 64 SSL_CK_RC4_64_WITH_MD5
|
||||
x07 IDEA-CBC-SHA RSA IDEA 128 TLS_RSA_WITH_IDEA_CBC_SHA
|
||||
x0700c0 DES-CBC3-MD5 RSA 3DES 168 SSL_CK_DES_192_EDE3_CBC_WITH_MD5
|
||||
x06 EXP-RC2-CBC-MD5 RSA(512) RC2 40,export TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
|
||||
x060040 DES-CBC-MD5 RSA DES 56 SSL_CK_DES_64_CBC_WITH_MD5
|
||||
x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA
|
||||
x050080 IDEA-CBC-MD5 RSA IDEA 128 SSL_CK_IDEA_128_CBC_WITH_MD5
|
||||
x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5
|
||||
x040080 EXP-RC2-CBC-MD5 RSA(512) RC2 40,export SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
|
||||
x03 EXP-RC4-MD5 RSA(512) RC4 40,export TLS_RSA_EXPORT_WITH_RC4_40_MD5
|
||||
x030080 RC2-CBC-MD5 RSA RC2 128 SSL_CK_RC2_128_CBC_WITH_MD5
|
||||
x02 NULL-SHA RSA None None TLS_RSA_WITH_NULL_SHA
|
||||
x020080 EXP-RC4-MD5 RSA(512) RC4 40,export SSL_CK_RC4_128_EXPORT40_WITH_MD5
|
||||
x01 NULL-MD5 RSA None None TLS_RSA_WITH_NULL_MD5
|
||||
x010080 RC4-MD5 RSA RC4 128 SSL_CK_RC4_128_WITH_MD5
|
||||
x00 NULL-MD5 RSA(512) None None,export TLS_NULL_WITH_NULL_NULL
|
66
testssl.sh
66
testssl.sh
@ -151,7 +151,7 @@ JSONFILE=${JSONFILE:-""} # jsonfile if used
|
||||
CSVFILE=${CSVFILE:-""} # csvfile if used
|
||||
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
||||
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
|
||||
SIZELMT_W_ARND=${SIZELMT_W_ARND:-false} # workaround for servers which have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs)
|
||||
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs)
|
||||
|
||||
# tuning vars, can not be set by a cmd line switch
|
||||
EXPERIMENTAL=${EXPERIMENTAL:-false}
|
||||
@ -2247,6 +2247,15 @@ add_tls_offered() {
|
||||
grep -w "$1" <<< "$PROTOS_OFFERED" || PROTOS_OFFERED+="$1 "
|
||||
}
|
||||
|
||||
# function which checks whether SSLv2 - TLS 1.2 is being offereed
|
||||
has_server_protocol() {
|
||||
[[ -z "$PROTOS_OFFERED" ]] && return 0 # if empty we rather return 0, means check at additional cost=connect will be done
|
||||
if grep -w "$1" <<< "$PROTOS_OFFERED"; then
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
|
||||
# the protocol check needs to be revamped. It sucks, see above
|
||||
run_protocols() {
|
||||
@ -2258,8 +2267,6 @@ run_protocols() {
|
||||
outln; pr_headline " Testing protocols "
|
||||
via="Protocol tested "
|
||||
|
||||
#FIXME: use PROTOS_OFFERED here
|
||||
|
||||
if $SSL_NATIVE; then
|
||||
using_sockets=false
|
||||
pr_headlineln "(via native openssl)"
|
||||
@ -2279,7 +2286,7 @@ run_protocols() {
|
||||
|
||||
pr_bold " SSLv2 ";
|
||||
if ! $SSL_NATIVE; then
|
||||
sslv2_sockets #FIXME: messages need to be moved to this higher level
|
||||
sslv2_sockets #FIXME: messages/output need to be moved to this (higher) level
|
||||
else
|
||||
run_prototest_openssl "-ssl2"
|
||||
case $? in
|
||||
@ -2299,7 +2306,7 @@ run_protocols() {
|
||||
;;
|
||||
7)
|
||||
fileout "sslv2" "INFO" "SSLv2 is not tested due to lack of local support"
|
||||
;; # no local support
|
||||
;; # no local support
|
||||
esac
|
||||
fi
|
||||
|
||||
@ -2345,11 +2352,11 @@ run_protocols() {
|
||||
outln "offered"
|
||||
fileout "tls1" "INFO" "TLSv1.0 is offered"
|
||||
add_tls_offered "tls1"
|
||||
;; # nothing wrong with it -- per se
|
||||
;; # nothing wrong with it -- per se
|
||||
1)
|
||||
outln "not offered"
|
||||
fileout "tls1" "INFO" "TLSv1.0 is not offered"
|
||||
;; # neither good or bad
|
||||
;; # neither good or bad
|
||||
2)
|
||||
pr_svrty_medium "not offered"
|
||||
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
||||
@ -2741,7 +2748,7 @@ check_tls12_pref() {
|
||||
while true; do
|
||||
$OPENSSL s_client $STARTTLS -tls1_2 $BUGS -cipher "ALL:$tested_cipher:$batchremoved" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
if sclient_connect_successful $? $TMPFILE ; then
|
||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
order+=" $cipher"
|
||||
tested_cipher="$tested_cipher:-$cipher"
|
||||
else
|
||||
@ -2756,7 +2763,7 @@ check_tls12_pref() {
|
||||
$OPENSSL s_client $STARTTLS -tls1_2 $BUGS -cipher "$batchremoved" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
if sclient_connect_successful $? $TMPFILE ; then
|
||||
batchremoved_success=true # signals that we have some of those ciphers and need to put everything together later on
|
||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
order+=" $cipher"
|
||||
batchremoved="$batchremoved:-$cipher"
|
||||
debugme outln "B1: $batchremoved"
|
||||
@ -2773,7 +2780,7 @@ check_tls12_pref() {
|
||||
$OPENSSL s_client $STARTTLS -tls1_2 $BUGS -cipher "$combined_ciphers" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
if sclient_connect_successful $? $TMPFILE ; then
|
||||
# first cipher
|
||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
order="$cipher"
|
||||
tested_cipher="-$cipher"
|
||||
else
|
||||
@ -2783,7 +2790,7 @@ check_tls12_pref() {
|
||||
while true; do
|
||||
$OPENSSL s_client $STARTTLS -tls1_2 $BUGS -cipher "$combined_ciphers:$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
if sclient_connect_successful $? $TMPFILE ; then
|
||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
order+=" $cipher"
|
||||
tested_cipher="$tested_cipher:-$cipher"
|
||||
else
|
||||
@ -2806,41 +2813,51 @@ check_tls12_pref() {
|
||||
cipher_pref_check() {
|
||||
local p proto protos npn_protos
|
||||
local tested_cipher cipher order
|
||||
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
|
||||
|
||||
pr_bold " Cipher order"
|
||||
|
||||
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
|
||||
order=""
|
||||
if [[ $p == ssl2 ]] && ! "$HAS_SSL2"; then
|
||||
out "\n SSLv2: "; local_problem "$OPENSSL doesn't support \"s_client -ssl2\"";
|
||||
out "\n SSLv2: "; local_problem "$OPENSSL doesn't support \"s_client -ssl2\"";
|
||||
continue
|
||||
fi
|
||||
if [[ $p == ssl3 ]] && ! "$HAS_SSL3"; then
|
||||
out "\n SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
||||
out "\n SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
||||
continue
|
||||
fi
|
||||
# with the supplied binaries SNI works also for SSLv2 (+ SSLv3)
|
||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
|
||||
if sclient_connect_successful $? $TMPFILE; then
|
||||
tested_cipher=""
|
||||
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||
proto=$(awk '/Protocol/ { print $3 }' $TMPFILE)
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
[[ -z "$proto" ]] && continue # for early openssl versions sometimes needed
|
||||
outln
|
||||
printf " %-10s" "$proto: "
|
||||
tested_cipher="-"$cipher
|
||||
order="$cipher"
|
||||
if [[ $p == tls1_2 ]] && "$SIZELMT_W_ARND"; then
|
||||
# for some servers the ServerHello is limited to 128 ciphers or the ServerHello itself has a length restriction
|
||||
# thus we reduce the number of ciphers we throw at the server and put later everything together
|
||||
# see #189
|
||||
# so far, this was only observed in TLS 1.2
|
||||
if [[ $p == tls1_2 ]]; then
|
||||
# for some servers the ClientHello is limited to 128 ciphers or the ClientHello itself has a length restriction.
|
||||
# So far, this was only observed in TLS 1.2, affected are e.g. old Cisco LBs or ASAs, see issue #189
|
||||
# To check whether a workaround is needed we send a laaarge list of ciphers/big client hello. If connect fails,
|
||||
# we hit the bug and automagically do the workround. Cost: this is for all servers only 1x more connect
|
||||
$OPENSSL s_client $STARTTLS -tls1_2 $BUGS -cipher "$overflow_probe_cipherlist" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
if ! sclient_connect_successful $? $TMPFILE; then
|
||||
#FIXME this needs to be handled differently. We need 2 status: BUG={true,false,not tested yet}
|
||||
SERVER_SIZE_LIMIT_BUG=true
|
||||
fi
|
||||
fi
|
||||
if [[ $p == tls1_2 ]] && "$SERVER_SIZE_LIMIT_BUG"; then
|
||||
order=$(check_tls12_pref "$cipher")
|
||||
out "$order"
|
||||
else
|
||||
out " $cipher" # this is the first cipher for protocol
|
||||
while true; do
|
||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
sclient_connect_successful $? $TMPFILE || break
|
||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
out " $cipher"
|
||||
order+=" $cipher"
|
||||
tested_cipher="$tested_cipher:-$cipher"
|
||||
@ -2858,14 +2875,14 @@ cipher_pref_check() {
|
||||
for p in $npn_protos; do
|
||||
order=""
|
||||
$OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
printf " %-10s %s " "$p:" "$cipher"
|
||||
tested_cipher="-"$cipher
|
||||
order="$cipher"
|
||||
while true; do
|
||||
$OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
sclient_connect_successful $? $TMPFILE || break
|
||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
out "$cipher "
|
||||
tested_cipher="$tested_cipher:-$cipher"
|
||||
order+=" $cipher"
|
||||
@ -7335,6 +7352,7 @@ reset_hostdepended_vars() {
|
||||
TLS_EXTENSIONS=""
|
||||
PROTOS_OFFERED=""
|
||||
OPTIMAL_PROTO=""
|
||||
SERVER_SIZE_LIMIT_BUG=false
|
||||
}
|
||||
|
||||
|
||||
@ -7474,4 +7492,4 @@ fi
|
||||
exit $?
|
||||
|
||||
|
||||
# $Id: testssl.sh,v 1.496 2016/06/07 21:06:57 dirkw Exp $
|
||||
# $Id: testssl.sh,v 1.499 2016/06/09 13:56:51 dirkw Exp $
|
||||
|
Loading…
Reference in New Issue
Block a user