diff --git a/testssl.sh b/testssl.sh index 0be8cf8..9851520 100755 --- a/testssl.sh +++ b/testssl.sh @@ -4530,38 +4530,22 @@ sslv2_sockets() { # ARG1: TLS version low byte (00: SSLv3, 01: TLS 1.0, 02: TLS 1.1, 03: TLS 1.2) # ARG2: CIPHER_SUITES string socksend_tls_clienthello() { -#FIXME: redo this with all extensions! local tls_low_byte="$1" local tls_word_reclayer="03, 01" # the first TLS version number is the record layer and always 0301 -- except: SSLv3 local servername_hexstr len_servername len_servername_hex - local hexdump_format_str - local all_extensions - local len_sni_listlen len_sni_ext len_extension_hex - local cipher_suites len_ciph_suites len_ciph_suites_word + local hexdump_format_str part1 part2 + local all_extensions="" + local -i i j len_extension len_padding_extension len_all + local len_sni_listlen len_sni_ext len_extension_hex len_padding_extension_hex + local cipher_suites len_ciph_suites len_ciph_suites_byte len_ciph_suites_word local len_client_hello_word len_all_word - - #len_servername=$(echo ${#NODE}) - len_servername=${#NODE} - hexdump_format_str="$len_servername/1 \"%02x,\"" - servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}" | sed 's/,$//') + local ecc_cipher_suite_found=false + local extension_signature_algorithms extension_heartbeat + local extension_session_ticket extension_next_protocol extensions_ecc extension_padding code2network "$2" # convert CIPHER_SUITES cipher_suites="$NW_STR" # we don't have the leading \x here so string length is two byte less, see next -#formatted example for SNI -#00 00 # extension server_name -#00 1a # length = the following +2 = server_name length + 5 -#00 18 # server_name list_length = server_name length +3 -#00 # server_name type (hostname) -#00 15 # server_name length -#66 66 66 66 66 66 2e 66 66 66 66 66 66 66 66 66 66 2e 66 66 66 target.mydomain1.tld # server_name target - - # convert lengths we need to fill in from dec to hex: - len_servername_hex=$(printf "%02x\n" $len_servername) - len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) - len_sni_ext=$(printf "%02x\n" $((len_servername+5))) - len_extension_hex=$(printf "%02x\n" $((len_servername+9))) #FIXME: for TLS 1.2 and IIS servers we need extension_signature_algorithms!! - len_ciph_suites_byte=$(echo ${#cipher_suites}) let "len_ciph_suites_byte += 2" @@ -4571,6 +4555,136 @@ socksend_tls_clienthello() { len_ciph_suites_word="$LEN_STR" #[[ $DEBUG -ge 3 ]] && echo $len_ciph_suites_word + if [[ "$tls_low_byte" != "00" ]]; then + # Add extensions + + # Check to see if any ECC cipher suites are included in cipher_suites + for (( i=0; i