diff --git a/etc/client_simulation.txt b/etc/client_simulation.txt
index 938fc7e..2ac0248 100644
--- a/etc/client_simulation.txt
+++ b/etc/client_simulation.txt
@@ -1,7 +1,7 @@
 # Most clients are taken from Qualys SSL Labs --- From: https://api.dev.ssllabs.com/api/v3/getClients
- names+=("Android 2.3.7 ")
+ names+=("Android 2.3.7")
 short+=("android_237")
 ciphers+=("RC4-MD5:RC4-SHA:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA")
 sni+=("")
@@ -19,7 +19,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Android 4.1.1 ")
+ names+=("Android 4.1.1")
 short+=("android_411")
 ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -37,7 +37,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Android 4.2.2 ")
+ names+=("Android 4.2.2")
 short+=("android_422")
 ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -55,7 +55,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Android 4.4.2 ")
+ names+=("Android 4.4.2")
 short+=("android_442")
 ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -73,7 +73,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Android 5.0.0 ")
+ names+=("Android 5.0.0")
 short+=("android_500")
 ciphers+=("ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:DHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -91,7 +91,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Android 6.0 ")
+ names+=("Android 6.0")
 short+=("android_60")
 ciphers+=("ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:DHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -109,7 +109,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Android 7.0 ")
+ names+=("Android 7.0")
 short+=("android_70")
 ciphers+=("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -127,7 +127,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Baidu Jan 2015 ")
+ names+=("Baidu Jan 2015")
 short+=("baidu_jan_2015")
 ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-MD5:RC4-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -145,7 +145,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("BingPreview Jan 2015 ")
+ names+=("BingPreview Jan 2015")
 short+=("bingpreview_jan_2015")
 ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5")
 sni+=("$SNI")
@@ -163,7 +163,7 @@
 requiresSha2+=(false)
 current+=(false)
- names+=("Chrome 48 OS X ")
+ names+=("Chrome 48 OS X")
 short+=("chrome_48_osx")
 ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -181,7 +181,7 @@
 requiresSha2+=(false)
 current+=(false)
- names+=("Chrome 51 Win 7 ")
+ names+=("Chrome 51 Win 7")
 short+=("chrome_51_win7")
 ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -199,7 +199,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Edge 13 Win 10 ")
+ names+=("Edge 13 Win 10")
 short+=("edge_13_win10")
 ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA")
 sni+=("$SNI")
@@ -217,7 +217,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Edge 13 Win Phone 10 ")
+ names+=("Edge 13 Win Phone 10")
 short+=("edge_13_winphone10")
 ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA")
 sni+=("$SNI")
@@ -235,7 +235,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Firefox 45 Win 7 ")
+ names+=("Firefox 45 Win 7")
 short+=("firefox_45_win7")
 ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -253,7 +253,7 @@
 requiresSha2+=(false)
 current+=(false)
- names+=("Firefox 49 Win 7 ")
+ names+=("Firefox 49 Win 7")
 short+=("firefox_49_win7")
 ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -271,7 +271,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Firefox 49 XP SP3 ")
+ names+=("Firefox 49 XP SP3")
 short+=("firefox_49_xpsp3")
 ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -289,7 +289,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Googlebot Feb 2015 ")
+ names+=("Googlebot Feb 2015")
 short+=("googlebot_feb_2015")
 ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:RC4-SHA:RC4-MD5:AES128-SHA:DES-CBC3-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA")
 sni+=("$SNI")
@@ -307,7 +307,7 @@
 requiresSha2+=(false)
 current+=(false)
- names+=("IE 11 Win 10 ")
+ names+=("IE 11 Win 10")
 short+=("ie_11_win10")
 ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA")
 sni+=("$SNI")
@@ -325,7 +325,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("IE 11 Win 7 ")
+ names+=("IE 11 Win 7")
 short+=("ie_11_win7")
 ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -343,7 +343,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("IE 11 Win 8.1 ")
+ names+=("IE 11 Win 8.1")
 short+=("ie_11_win81")
 ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA")
 sni+=("$SNI")
@@ -361,7 +361,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("IE 11 Win Phone 8.1 ")
+ names+=("IE 11 Win Phone 8.1")
 short+=("ie_11_winphone81")
 ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA")
 sni+=("$SNI")
@@ -379,7 +379,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("IE 11 Win Phone 8.1 Update ")
+ names+=("IE 11 Win Phone 8.1 Update")
 short+=("ie_11_winphone81update")
 ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA")
 sni+=("$SNI")
@@ -397,7 +397,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("IE 6 XP ")
+ names+=("IE 6 XP")
 short+=("ie_6_xp")
 ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:RC4-MD5:DES-CBC3-MD5:RC2-CBC-MD5:DES-CBC-SHA:DES-CBC-MD5:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA")
 sni+=("")
@@ -415,7 +415,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("IE 7 Vista ")
+ names+=("IE 7 Vista")
 short+=("ie_7_vista")
 ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -433,7 +433,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("IE 8 Win 7 ")
+ names+=("IE 8 Win 7")
 short+=("ie_8_win7")
 ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -451,7 +451,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("IE 8 XP ")
+ names+=("IE 8 XP")
 short+=("ie_8_xp")
 ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA")
 sni+=("")
@@ -469,7 +469,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Java 6u45 ")
+ names+=("Java 6u45")
 short+=("java_6u45")
 ciphers+=("RC4-MD5:RC4-MD5:RC4-SHA:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC-SHA:DES-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA")
 sni+=("")
@@ -487,7 +487,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Java 7u25 ")
+ names+=("Java 7u25")
 short+=("java_7u25")
 ciphers+=("ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -505,7 +505,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Java 8b132 ")
+ names+=("Java 8b132")
 short+=("java_8b132")
 ciphers+=("ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -523,7 +523,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("OpenSSL 1.0.1l ")
+ names+=("OpenSSL 1.0.1l")
 short+=("openssl_101l")
 ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5")
 sni+=("$SNI")
@@ -541,7 +541,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("OpenSSL 1.0.2e ")
+ names+=("OpenSSL 1.0.2e")
 short+=("openssl_102e")
 ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA")
 sni+=("$SNI")
@@ -559,7 +559,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Opera 17 Win 7 ")
+ names+=("Opera 17 Win 7")
 short+=("opera_17_win7")
 ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:AES256-SHA:AES256-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES128-SHA256:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -577,7 +577,7 @@
 requiresSha2+=(false)
 current+=(false)
- names+=("Safari 5.1.9 OS X 10.6.8 ")
+ names+=("Safari 5.1.9 OS X 10.6.8")
 short+=("safari_519_osx1068")
 ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA")
 sni+=("$SNI")
@@ -595,7 +595,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Safari 6.0.4 OS X 10.8.4 ")
+ names+=("Safari 6.0.4 OS X 10.8.4")
 short+=("safari_604_osx1084")
 ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA")
 sni+=("$SNI")
@@ -613,7 +613,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Safari 7 OS X 10.9 ")
+ names+=("Safari 7 OS X 10.9")
 short+=("safari_7_osx109")
 ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA")
 sni+=("$SNI")
@@ -631,7 +631,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Safari 8 OS X 10.10 ")
+ names+=("Safari 8 OS X 10.10")
 short+=("safari_8_osx1010")
 ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -649,7 +649,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Safari 9 iOS 9 ")
+ names+=("Safari 9 iOS 9")
 short+=("safari_9_ios9")
 ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -667,7 +667,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Safari 9 OS X 10.11 ")
+ names+=("Safari 9 OS X 10.11")
 short+=("safari_9_osx1011")
 ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5")
 sni+=("$SNI")
@@ -685,7 +685,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Safari 10 OS X 10.12 ")
+ names+=("Safari 10 OS X 10.12")
 short+=("safari_10_osx1012")
 ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -703,7 +703,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Apple ATS 9 iOS 9 ")
+ names+=("Apple ATS 9 iOS 9")
 short+=("apple_ats_9_ios9")
 ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA")
 sni+=("$SNI")
@@ -721,7 +721,7 @@
 requiresSha2+=(true)
 current+=(true)
- names+=("Tor 17.0.9 Win 7 ")
+ names+=("Tor 17.0.9 Win 7")
 short+=("tor_1709_win7")
 ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA")
 sni+=("$SNI")
@@ -739,7 +739,7 @@
 requiresSha2+=(false)
 current+=(true)
- names+=("Yahoo Slurp Jan 2015 ")
+ names+=("Yahoo Slurp Jan 2015")
 short+=("yahoo_slurp_jan_2015")
 ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5")
 sni+=("$SNI")
@@ -757,7 +757,7 @@
 requiresSha2+=(false)
 current+=(false)
- names+=("YandexBot Jan 2015 ")
+ names+=("YandexBot Jan 2015")
 short+=("yandexbot_jan_2015")
 ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5")
 sni+=("$SNI")
diff --git a/etc/tls_data.txt b/etc/tls_data.txt
new file mode 100755
index 0000000..1ee1eda
--- /dev/null
+++ b/etc/tls_data.txt
@@ -0,0 +1,231 @@ + +# data we need for socket based handshakes + +# 133 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN HTTP2/ALPN +readonly TLS12_CIPHER=" +cc,14, cc,13, cc,15, c0,30, c0,2c, c0,28, c0,24, c0,14, +c0,0a, c0,22, c0,21, c0,20, 00,a5, 00,a3, 00,a1, 00,9f, +00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, 00,80, 00,81, 00,82, 00,83, +c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, +00,86, 00,85, c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, +c0,79, c0,75, 00,9d, 00,3d, 00,35, 00,c0, 00,84, c0,2f, +c0,2b, c0,27, c0,23, c0,13, c0,09, c0,1f, c0,1e, c0,1d, +00,a4, 00,a2, 00,a0, 00,9e, 00,67, 00,40, 00,3f, 00,3e, +00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, +00,bc, 00,bb, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44, +00,43, 00,42, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, +c0,78, c0,74, 00,9c, 00,3c, 00,2f, 00,ba, 00,96, 00,41, +00,07, c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, +c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, +00,0d, c0,0d, c0,03, 00,0a, 00,63, 00,15, 00,12, 00,0f, +00,0c, 00,62, 00,09, 00,65, 00,64, 00,14, 00,11, 00,0e, +00,0b, 00,08, 00,06, 00,03, 00,ff" + +# 76 standard cipher + 4x GOST for SSLv3, TLS 1, TLS 1.1 +readonly TLS_CIPHER=" +c0,14, c0,0a, c0,22, c0,21, c0,20, 00,39, 00,38, 00,37, +00,36, 00,88, 00,87, 00,86, 00,85, c0,0f, c0,05, 00,35, +00,84, c0,13, c0,09, c0,1f, c0,1e, c0,1d, 00,33, 00,32, 00,80, 00,81, 00,82, 00,83, +00,31, 00,30, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44, +00,43, 00,42, c0,0e, c0,04, 00,2f, 00,96, 00,41, 00,07, +c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, c0,12, +c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, +c0,0d, c0,03, 00,0a, 00,63, 00,15, 00,12, 00,0f, 00,0c, +00,62, 00,09, 00,65, 00,64, 00,14, 00,11, 00,0e, 00,0b, +00,08, 00,06, 00,03, 00,ff" + +readonly -a TLS13_KEY_SHARES=( + "0" "1" "2" "3" "4" "5" "6" "7" "8" "9" "a" "b" "c" "d" "e" "f" + "10" "11" "12" "13" "14" "15" "16" +"-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC 
PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIHEhQsBkqt1i15mG1wluq/zLqDmjqNQegtgxyNBfRbZSoAoGCCqGSM49 +AwEHoUQDQgAEJP3GoZyVYrabOauJMWUZJxM0PEbtjTxW7K8V+JMDhJa+UyRQm8Tf +2LDnzCAiuwzF8m0KhcloHEoptD2WBUmJlQ== +-----END EC PRIVATE KEY----- +" +"-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDA7MCUdHy2+Kc73fWph++jWo18LHzzm7SKLgycQBNtmeJu3w1y9pK0G +EXgAWsIePIOgBwYFK4EEACKhZANiAAT/x7tN8plE6gbA6D4Igp3ash5EvZxvNqdG +Q50fcDrIco91ybaVlg2tdngZgurTzte+jv7kdkYrILUmLnXxAUGg4d86yStfcZaI +rDEB8Hc9BgJkFFoLSsXMVCKfoEo777k= +-----END EC PRIVATE KEY----- +" +"-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIHbAgEBBEFjBqkejwKserOf+LoY6xeSUUoLSZQDz/oNLXLB3NQJ3ewDkhbjOvcL +jG1on33V080fXRTN3eNdfvzcqDw4c0GGCKAHBgUrgQQAI6GBiQOBhgAEAHuBnMpQ ++30lnd/gWrHwjLrXQ+EwtxYzMjSDkfRxr0UQ0YuzDNzsVP0azylC06BUlcAvVgiX ++61BiUapw+37EORuAaHOlob0nobmFND7peN0YglQuBeSdqK3cbdP/u9jffGr2H99 +bONJgO7LSp05PXa79CEi8sydmKYiH1pSLAzRiQnh +-----END EC PRIVATE KEY----- +" "1a" "1b" "1c" +"-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VuBCIEIACiKGKr1nm2eobXvsI3HrWNKR5wEVAIf7KaCmDPxsJR +-----END PRIVATE KEY----- +" "1e" "1f" + "20" "21" "22" "23" "24" "25" "26" "27" "28" "29" "2a" "2b" "2c" "2d" "2e" "2f" + "30" "31" "32" "33" "34" "35" "36" "37" "38" "39" "3a" "3b" "3c" "3d" "3e" "3f" + "40" "41" "42" "43" "44" "45" "46" "47" "48" "49" "4a" "4b" "4c" "4d" "4e" "4f" + "50" "51" "52" "53" "54" "55" "56" "57" "58" "59" "5a" "5b" "5c" "5d" "5e" "5f" + "60" "61" "62" "63" "64" "65" "66" "67" "68" "69" "6a" "6b" "6c" "6d" "6e" "6f" + "70" "71" "72" "73" "74" "75" "76" "77" "78" "79" "7a" "7b" "7c" "7d" "7e" "7f" + "80" "81" "82" "83" "84" "85" "86" "87" "88" "89" "8a" "8b" "8c" "8d" "8e" "8f" + "90" "91" "92" "93" "94" "95" "96" "97" "98" "99" "9a" "9b" "9c" "9d" "9e" "9f" + "a0" "a1" "a2" "a3" "a4" "a5" "a6" "a7" "a8" "a9" "aa" "ab" "ac" "ad" "ae" "af" + "b0" "b1" "b2" "b3" "b4" "b5" "b6" "b7" 
"b8" "b9" "ba" "bb" "bc" "bd" "be" "bf" + "c0" "c1" "c2" "c3" "c4" "c5" "c6" "c7" "c8" "c9" "ca" "cb" "cc" "cd" "ce" "cf" + "d0" "d1" "d2" "d3" "d4" "d5" "d6" "d7" "d8" "d9" "da" "db" "dc" "dd" "de" "df" + "e0" "e1" "e2" "e3" "e4" "e5" "e6" "e7" "e8" "e9" "ea" "eb" "ec" "ed" "ee" "ef" + "f0" "f1" "f2" "f3" "f4" "f5" "f6" "f7" "f8" "f9" "fa" "fb" "fc" "fd" "fe" "ff" + "-----BEGIN PRIVATE KEY----- +MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhKFyX//////////8C +AQIEggEEAoIBAHxYskjJGeKwSGdAf//JLxPmGRGP6Uylmt12QX5w1FfFXQVJdrsY +unjdqhTwgV1vTZ1QApd0uZB//q8ZNNM8SZK0elY4ZJsHJAIdJ/ROmvPvkMCkU0fK +S/uUHroP6tEDyKF+v7ooiBF2KXS5CkOYRTKhiOBaWGsdhiFIkd+O7oY6oyhPxPNT +2zQEdhIu3ZgFG/ZcscdliMPMmZnKvt/dF4yV8RnCHl3MRDRdL/3McDAb4z89bWqR +HRexppcgNa9lhOvR+nF/55NCzT3KwkFPQODQmMRH3bzmME+48HZrFcaaom3/DGt+ +EC+vidtEr4YW86tV6jvig5+uNR1mIKpE8N4= +-----END PRIVATE KEY----- +" +"-----BEGIN PRIVATE KEY----- +MIIDJgIBADCCAZcGCSqGSIb3DQEDATCCAYgCggGBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhH8/c3jVbO2UZA1u8 +NPTe+ZwCOGG0b8nW5skHetkdJpH39+5ZjLD6wYbZHK7+EwmFE5JwtBMMk7xDeUT0 +/URS4tdN02Ty4h5x9Uv/XK6Cq5yd9p7obSvFIjY6DavFIZebDeraHb+aQtXESE4K +vNBr+lPd7zwbIO4/1Z18JeQdK2bGLjf//////////wIBAgSCAYQCggGAV6hlUz0f +RwpauhaumL+dFJQcZHgYghHX9JfNDZv1uMzkTiKxgVutrtFmfHoaTaYNgw+HEQSF +ZRnGzyOXb14/ZoGWo727N4T5usOqINFcHIeAbPiRimo0mwS7ivYKxEFBaw4N7OyE 
+zfNKAYWNQe0J+R2FLMKBSbJ+b1nGQ/cUSQDffDpKSUS94+XxwxcvNaCv9Ygtkvnl +e/t61L/0eQu/nmi0o7PzR4brmyVTXGnj2LujG/KOtIB4pXQ1GqrvsYLB3pCUTDdA +E0heXfpYGZJK10ByMkWmOuH3pCuI8C+7+Bh7JwQAXUtSpZ+hp1Bz7v1PKwY/3fG1 +2HcPXp85q5N9x9zYZv1vmwFAd0nTdoWdtMbiEJxhCdr6sRpi1+KPg6W3Kqtfcv2f +ZZC6MwVFtxogjzIlXt68O7HRH7Adz+DGhEeZqdxIQpaQR50p4LF7gqQ/mzXq8oCe +XKC3XxrfV5h3OrPEL/zNTd2pzh3LLQB349aOHNz1F+3YPyPlvwOsXkeT +-----END PRIVATE KEY----- +" +"-----BEGIN PRIVATE KEY----- +MIIEJgIBADCCAhcGCSqGSIb3DQEDATCCAggCggIBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhH8/c3jVbO2UZA1u8 +NPTe+ZwCOGG0b8nW5skHetkdJpH39+5ZjLD6wYbZHK7+EwmFE5JwtBMMk7xDeUT0 +/URS4tdN02Ty4h5x9Uv/XK6Cq5yd9p7obSvFIjY6DavFIZebDeraHb+aQtXESE4K +vNBr+lPd7zwbIO4/1Z18JeQdK2aeHvFub1LDFk30+3kw6eTliFe2rH1fQtafbRh3 +Y88dVQNABIf1W6V+Mcx6cTXIhu+0MYrtah4BLZ5oMqkHYAqRgTDEbcd4+XGtADgJ +KZmjM8uLehoduT1xQAA8Kk7OqfmNCswKgpHNzsl9z47JtVp/iKRrTbWoUfRBguHG +igB+XmVfav//////////AgECBIICBAKCAgBKs8VkNMjroMib7Wuw71hVoHiB7lF9 +3FQsDwU3y//RgETN2CEx8gdarvb35ldNEkypxtiaYck+a5qKVkP8uW4/AUoGlH4V +mIVz8R9e0Cewc4X8229+AgvyguaEhJHozp7EqIYEYlpLyn5GL53l2OYvBB3eH9Yi +yjYKe5vCe16Jy88oJYrS6+ybYLXHcfJsLHIppMS17KuDdH/DUiCvy5HE5fA5ufD3 +ExQImgsDa3rm8nW6NUCix9Pl4X5OkWieYE7pXBePZ8Yk8BD4JpPbhsh/9husS4XL +/IpSq+tzgXq44SKQv0o9hbkGaxR6xmTjTwOjRiqW1D/1pS/wHxZbH1qbgJSKq7Fx +6VZZjH5Hyx9Zh5p3mksa7iZ4DQXVW/8ffz+8UdVRQolVUQxXWihcU5qfdtmDEPI0 +4dRR5mI/Pk1n7lAhdyE4H/Tz0TmqItfScZvNaj6RbPbk6KOapgHFKIX7dmtPxAOv +oMMudOwsBg7md3CY08zH/XdE6O8lmVgCJQMjfwJ7QMayOKL1NYNMmUDPP0WIxOyz +5UJj3GzmNrKgYftgr2o8blEwwDbETYN/hpgTPyWl8ieVxK2bn7SX8dFXXEwSdCAt +Cg5c3H+YOc+ahx7VYXJtBDyAKuygUKnVqZ1ht6/xLUyJUxiSMZLbFKHBLkR3UuQa +HyRwI92yYN4+Zg== +-----END PRIVATE KEY----- +" +"-----BEGIN PRIVATE KEY----- 
+MIIGJgIBADCCAxcGCSqGSIb3DQEDATCCAwgCggMBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhH8/c3jVbO2UZA1u8 +NPTe+ZwCOGG0b8nW5skHetkdJpH39+5ZjLD6wYbZHK7+EwmFE5JwtBMMk7xDeUT0 +/URS4tdN02Ty4h5x9Uv/XK6Cq5yd9p7obSvFIjY6DavFIZebDeraHb+aQtXESE4K +vNBr+lPd7zwbIO4/1Z18JeQdK2aeHvFub1LDFk30+3kw6eTliFe2rH1fQtafbRh3 +Y88dVQNABIf1W6V+Mcx6cTXIhu+0MYrtah4BLZ5oMqkHYAqRgTDEbcd4+XGtADgJ +KZmjM8uLehoduT1xQAA8Kk7OqfmNCswKgpHNzsl9z47JtVp/iKRrTbWoUfRBguHG +igB+Xg3ZAgv9ZLZFA2x6Tmd9LDhTKjojukRCyvU+pju0VDKbdiTIkXvdZLHA/Uyz +jowzTHAcOs2tBlf8z+xxmx9cPk5GBB84gUf7TP20d6UkcfepqWkQuFUyLttjQNig +DvCSNQUR4wq+wf/546Juf7KfjBgwI8NYfjjaAHfZtHY+TkuUsrvBlMZlHnfK+ZLu +qsAjKigb9rOnOcEiYRaCCujbWEemfL75yQkbRi1TjNcrA3Rq539eYiksMRViqEZQ +XcgtuFQziuSfUjXJW5EXjM8t1crO9APsnRgQxicrBFs7cfnca4DWP91KjprbHmli +ppUm1DFhwaQdVw15ONrUpA4ynNDkDmX//////////wIBAgSCAwQCggMAVvLSfpPC +OJVhuOkMtOYtl6vcKtuP0RXXZYBfMFufb5gQJrEypjSIxS+kRyBjNMk3qSt9iBbG +dpSe5fuu9RtI5O5eD/UXrDNBbI2/ldLNDarV3g+hcYklzKQE6kBSWEt1soktPXEq +PIcvYFVrOtWrH3Nw0UT/brRLZ+Ea9mnRG6CCICM0K2UxMhyjDheGCVCpmZfYJycP +mx0H1SA5RI9lP+GkDm096CgAEtXqk1eej8/9F4vsEn5r48HKobXlZEBp+HFcIq7s +DqrNZkg6jRhMusGjVM7mpFuyt0D5LIshsDBHjwkULJUX9Zd7pcVizbHbst2rpi8u +n7H908pdRFvdQYfvjBwvewl7DwZoFOsL+qA5Jo1MtfgpgegouKsS3jmyRSmY4wLp +uOjv6S1//A1sctJNwXlMI7/3IcONT3bmOwNnyvUeFJE4+lnYeClEpAsrCegcljQa +UNOeSKR1x9ctvzlWaBM5EP2daF0JiYdo3Ug/YISDX5dJFOW4gWz95W8Ii9//6zim +8LgA2/NP5IJBs0DPQxVbEVUI0wRPYMI4aZBm2n5bQFQKI95FQfv8ncKSul/fuTtY +du8INZR6ogMpWdDSz5UsIMwjLzXfg30ehcCyy9ebkDtiPDr8++HrwWKGVvuQaa4p +rPiac3fF1+DCHVKwxRsqM1zgDzNtI59Y9wb85kyPRsHTuG5kR3KUMUUYWmbuuMG6 +3yMm7K3hJhlhfiO8hIWt+ZJJHCIEJOFK7FJbsZWmFbS6ukcl1uwlmQzote2aFfYA +5fsL7VeUaXKkJPKY3p05rvHJkayUpxn+oamOA1qW4eVYzio/ZiRtaUNLbmOvb0pU 
+Z1fyypnlaVzAVynoIF43LfbJ7cdpfnoz6hd//SVA742kuQMA4VeQoXLh6dX1/qZV +8QF7gNjLxgJoqGssaOUwxdxcXqMl+9JUBL/LtvxYs1xcrzla/tj+26XcPT+/tIWR +89TyyCWVPBvFLeWfG5+iIXT0X6g8zJP6d9QCL+2F3yStbJngWCZtFDFD +-----END PRIVATE KEY----- +" +"-----BEGIN PRIVATE KEY----- +MIIIJgIBADCCBBcGCSqGSIb3DQEDATCCBAgCggQBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhH8/c3jVbO2UZA1u8 +NPTe+ZwCOGG0b8nW5skHetkdJpH39+5ZjLD6wYbZHK7+EwmFE5JwtBMMk7xDeUT0 +/URS4tdN02Ty4h5x9Uv/XK6Cq5yd9p7obSvFIjY6DavFIZebDeraHb+aQtXESE4K +vNBr+lPd7zwbIO4/1Z18JeQdK2aeHvFub1LDFk30+3kw6eTliFe2rH1fQtafbRh3 +Y88dVQNABIf1W6V+Mcx6cTXIhu+0MYrtah4BLZ5oMqkHYAqRgTDEbcd4+XGtADgJ +KZmjM8uLehoduT1xQAA8Kk7OqfmNCswKgpHNzsl9z47JtVp/iKRrTbWoUfRBguHG +igB+Xg3ZAgv9ZLZFA2x6Tmd9LDhTKjojukRCyvU+pju0VDKbdiTIkXvdZLHA/Uyz +jowzTHAcOs2tBlf8z+xxmx9cPk5GBB84gUf7TP20d6UkcfepqWkQuFUyLttjQNig +DvCSNQUR4wq+wf/546Juf7KfjBgwI8NYfjjaAHfZtHY+TkuUsrvBlMZlHnfK+ZLu +qsAjKigb9rOnOcEiYRaCCujbWEemfL75yQkbRi1TjNcrA3Rq539eYiksMRViqEZQ +XcgtuFQziuSfUjXJW5EXjM8t1crO9APsnRgQxicrBFs7cfnca4DWP91KjprbHmli +ppUm1DFhwaQdVw15ONrUpA4ynM/0aqo2rQBM9gDIOB5CWjHZUa5k/bI/zslQnUNo +f+tp7dHMXguMw732SxDvhrYxQqOriClVWy90fJMmZcssDxzAG9cCKTiIOdKvBeRU +UErHi3WCgihGwLo1w19cWRYMwEb9glFUH8aMnIawIrtwmYdqRg50UaipMQlwP+4c +IX5sOCblLFGqaR4OQjz8menjFlDBIXtiSBbNrZqV+dW4AZSI2cCgof4wdaV34jGD ++B1KPy+kVx78jOC6ik/otoVd/nKwpm7e0vur++WKMPr6vhxdcah+L3Qe+MH+hv6m +u/3lMGd/DZfRHUn3qEQ9CCLlBqn0YU4BHiqUg4/4jNaMi7fFxkJM//////////8C +AQIEggQEAoIEAFBZTkIN/znN/euu0INkB365wc9kj/ibO/Hj3mHLa+NHoaKH4A33 +kd3WQCjRmLnLZHlodMbrgJ8vxHtKdeFiv4i1gefsv0aVv7zX9Sp3zpRJC/bhNJkz +BsVJwwp9b+OPfc13d2vb3ZsVyqmfUO6NdMz1x9cEiR+wrpJjrMbWqByliAkByI5w +Znlm/aLrwOWOZ0lkY2SzB5qDcNM/I9m7Uk9pW3Q0GugWC/PMzv/+VCMb/Q56pABX 
+310qNm0AZov4cBWz5qtD8AQ+cZWBndX4ydL+jLT5n5SwrXR3z8biCBdJWpxpKeVJ +3Dal4LC1UcuJDuwtxswlm+AzfVJI3eiKL5uwsSbIg0Ls7bk7FO1LWGHbGwbL+eof +TijrETwUgsBNiLdmLeDtfWBTDAH3kZnBpZjRhCgIRuRUleTRevvnMtBXR9td5Lkj +N4quHZbx0S9novQLV7EF6+mNW0fddbHxC6mK0C3vCGCTLUTjFoyW6DJMInUYrerO +kTEyH0JCMrA/mIGmU4QR7dXuMPJiTwg+TS3jZYmwa4nL5hES7Ssf9PSaqdyV2ZzU +/oVLTfIuvpFbcidZF7j2DFaObtV6ZjqegufOaNJmTItWJzNJ31s0ZUGwXLq5jygh +HMAW+uzNVX5nv7ezvjOANrOAosSDN1zFVRrUBOilaKbvguwp1fym2bnqiCFD1tKw +CMgtTOTwP8/j1XAMlD/Afu/VTJls3IY3r6ANoCX8hLTXK3ykcewV2irV4nB+8p09 +KhhWSr3zF0qj5Keo33oMUnEaN2eIeIUegXKxpp4WtT4JEUE0ritZF8SzZmoHkANw +dgtDm8Ryx/SaZ+QwrqhVFOsSU8TgvIHc455j4M1o8DBAdUiTbXniYlSNslzbvfbK +57uJbPwrw/Op3DzFvZPnOx5vfnDsR9qOmAknfNfgKtEFc0AAno5BiyaiIlHuBUte +TS5AsCL7q4Q9ybS7WehGOWOwHzZEa7DlUJ1kqjFCxBXgYMEKSbwKF5vHpp6x2O3x +0OPzODz1JGoRT5yYXY3UiboRlkldet4NPNufg4MoKW6XooLXq/bIVQNSZtg1gBO6 +ipWJlxpfmPhjOdljGlXsstvaazESsMaff5xG8dIIOb+yMFh6DC6GElU49GGzfnAe +EB+RNHS/o8boRFQn4r6/KiVCODk0qGK3TvYStsjXo93vA+KfJwSsqtckwX+wcl5l +mWWvMF+iHQ+gL4L1hz7hH/m7UZGy+o/7mi7lKDSPLvSlGwzzdWcvEQj4Hv4IHQQh +eeSHdeSwhqaL1XjP6JXa+IEY/wXzwIMHohtw+epFwLZhg8NFxkzHUpCKLDZrEDc8 +Y9zPgF69gpA9VpStqLAqHxBvEm4BYFoFyfw= +-----END PRIVATE KEY----- +" "105" "106" "107" "108" "109" "10a" "10b" "10c" "10d" "10e" "10f" ) diff --git a/testssl.sh b/testssl.sh index fa70164..f38c079 100755 --- a/testssl.sh +++ b/testssl.sh 
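Review bot: TLS13_KEY_SHARES embeds `EC PRIVATE KEY` and `PRIVATE KEY` PEM blocks with no comment on what they are for, and the file is created with mode 100755 although it only holds `readonly` assignments. Keys committed to a public repository are known to everyone, so they should be marked as deliberate fixtures; a comment above the array such as `# Static, publicly known key pairs, used only to fill key_share in probe ClientHellos; never reuse elsewhere` would do, assuming that is the intent. I would also add the file as 100644, since the header comment describes it as data rather than something to execute. Secret scanners will flag these blocks, so an allow-list entry limited to this path is worth recording alongside the commit.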
@@ -76,9 +76,22 @@ # this missing feature! The idea is if this script can't tell something # for sure it speaks up so that you have clear picture. - # debugging help: -readonly PS4='${LINENO}> ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' +readonly PS4='|${LINENO}> \011${FUNCNAME[0]:+${FUNCNAME[0]}(): }' + +DEBUGTIME=${DEBUGTIME:-false} + +if grep -q xtrace <<< "$SHELLOPTS"; then + if "$DEBUGTIME" ; then + # separate debugging, doesn't mess up the screen, $DEBUGTIME determines whether we also do performance analysis + exec 42>&2 2> >(tee /tmp/testssl-$$.log | sed -u 's/^.*$/now/' | date -f - +%s.%N >/tmp/testssl-$$.time) + # for pasting both togher see https://stackoverflow.com/questions/5014823/how-to-profile-a-bash-shell-script-slow-startup#20855353 + else + exec 42>| /tmp/testssl-$$.log + BASH_XTRACEFD=42 + fi +fi + # make sure that temporary files are cleaned up after use in ANY case trap "cleanup" QUIT EXIT @@ -190,6 +203,12 @@ HAD_SLEPT=0 CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) FNAME=${FNAME:-""} # file name to read commands from IKNOW_FNAME=false +MEASURE_TIME_FILE=${MEASURE_TIME_FILE:-""} +if [[ -n "$MEASURE_TIME_FILE" ]] && [[ -z "$MEASURE_TIME" ]]; then + MEASURE_TIME=true +else + MEASURE_TIME=${MEASURE_TIME:-false} +fi # further global vars just declared here readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1" 
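Review bot: The xtrace branch writes to `/tmp/testssl-$$.log` and `/tmp/testssl-$$.time`, names that are predictable from the PID in a world-writable directory, and `exec 42>|` explicitly overrides noclobber, so a pre-existing file or symlink at that path is followed and overwritten. The trace records every expanded command of the run and the file gets default umask permissions, so other local users may be able to read it. Create the file with mktemp instead, e.g. `xtrace_log=$(mktemp "${TMPDIR:-/tmp}/testssl-xtrace.XXXXXX") || exit 1` followed by `exec 42>"$xtrace_log"`, and reuse the same variable in the `tee` branch. Whether `cleanup` removes these logs on exit cannot be seen from this hunk.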
@@ -259,14 +278,16 @@ GET_REQ11="" readonly UA_STD="TLS tester from $SWURL" readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0" FIRST_FINDING=true # Is this the first finding we are outputting to file? -START_TIME=0 -END_TIME=0 +START_TIME=0 # time in epoch when the action started +END_TIME=0 # .. ended +SCAN_TIME=0 # diff of both: total scan time +LAST_TIME=0 # only used for performance measurements (MEASURE_TIME=true) # Devel stuff, see -q below TLS_LOW_BYTE="" HEX_CIPHER="" -SERVER_COUNTER=0 # Counter for multiple servers +SERVER_COUNTER=0 # Counter for multiple servers #################### SEVERITY #################### INFO=0 @@ -560,7 +581,7 @@ html_reserved(){ } html_out() { - "$do_html" || return + "$do_html" || return 0 [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] && printf -- "%b" "${1//%/%%}" >> "$HTMLFILE" # here and other printf's: a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%'. '--' and %b do the rest. } @@ -786,7 +807,6 @@ strip_quote() { #################### JSON FILE FORMATING #################### fileout_pretty_json_header() { - START_TIME=$(date +%s) target="$NODE" $do_mx_all_ips && target="$URI" @@ -801,9 +821,8 @@ fileout_pretty_json_header() { } fileout_pretty_json_footer() { - local scan_time=$((END_TIME - START_TIME)) echo -e " ], - \"scanTime\" : \"$scan_time\"\n}" + \"scanTime\" : \"$SCAN_TIME\"\n}" } fileout_json_header() { @@ -973,7 +992,7 @@ html_header() { fname_prefix="mx-$URI" else ( [[ -z "$HTMLFILE" ]] || [[ -d "$HTMLFILE" ]] ) && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now - fname_prefix="$NODE"_"$PORT" + fname_prefix="${NODE}"_p"${PORT}" fi if [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]]; then 
@@ -1770,7 +1789,7 @@ run_hpkp() { hpkp_ca="$($OPENSSL x509 -in $HOSTCERT -issuer -noout|sed 's/^.*CN=//' | sed 's/\/.*$//')" # Get keys/hashes from intermediate certificates - $OPENSSL s_client -showcerts $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE + $OPENSSL s_client $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE # Place the server's certificate in $HOSTCERT and any intermediate # certificates that were provided in $TEMPDIR/intermediatecerts.pem # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ @@ -2361,7 +2380,7 @@ std_cipherlists() { ;; esac tmpfile_handle $FUNCNAME.$debugname.txt - [[ $DEBUG -ge 1 ]] && out " -- $1" || outln #FIXME: should be in standard output at some time + [[ $DEBUG -ge 1 ]] && outln " -- $1" || outln #FIXME: should be in standard output at some time else singlespaces=$(sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g' <<< "$2") if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then @@ -2371,8 +2390,6 @@ std_cipherlists() { fi fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)" fi - # we need 1 x lf in those cases: - debugme echo } 
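Review bot: The s_client call edited in run_hpkp still passes `${sni[i]}`, which looks like the per-client array filled in etc/client_simulation.txt rather than the scan-wide `$SNI` that the other s_client calls in this commit use. Unless `sni` and `i` are set earlier in run_hpkp (the function starts outside this hunk), the expansion is empty or stale, and the intermediate certificates are then fetched without the intended server name, so a virtual host may return a different chain than the one behind `$HOSTCERT`. Since the line is being touched anyway, I would replace `${sni[i]}` with `$SNI`.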
@@ -2382,9 +2399,9 @@ std_cipherlists() { socksend() { # the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do if "$HAS_SED_E"; then - data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') + data=$(sed -e 's/# .*$//g' -e 's/ //g' <<< "$1" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') else - data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -r 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') + data=$(sed -e 's/# .*$//g' -e 's/ //g' <<< "$1" | sed -r 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') fi [[ $DEBUG -ge 4 ]] && echo "\"$data\"" printf -- "$data" >&5 2>/dev/null & 
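Review bot: In socksend the two branches still duplicate the whole pipeline and differ only in `sed -E` versus `sed -r`, and `data` is assigned without a `local` declaration at the top of the function. Choosing the flag once, e.g. `local data sed_ext="-r"; "$HAS_SED_E" && sed_ext="-E"`, and running a single pipeline with `sed $sed_ext` would keep the two variants from drifting apart. If `data` is read by callers on purpose, a comment saying so would be enough; the rest of the function lies outside this hunk.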
@@ -3381,29 +3398,31 @@ create_client_simulation_tls_clienthello() { len_extensions=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") offset=$offset+4 for (( 1; offset < tls_handshake_ascii_len; 1 )); do - extension_type="${tls_handshake_ascii:$offset:4}" - offset=$offset+4 - len_extension=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") + extension_type="${tls_handshake_ascii:$offset:4}" + offset=$offset+4 + len_extension=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") - if [[ "$extension_type" != "0000" ]]; then + if [[ "$extension_type" != "0000" ]]; then # The extension will just be copied into the revised ClientHello - sni_extension_found=true offset=$offset-4 len=$len_extension+8 tls_extensions+="${tls_handshake_ascii:$offset:$len}" offset=$offset+$len - elif [[ -n "$SNI" ]]; then - # Create a server name extension that corresponds to $SNI - len_servername=${#NODE} - hexdump_format_str="$len_servername/1 \"%02x\"" - servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}") - # convert lengths we need to fill in from dec to hex: - len_servername_hex=$(printf "%02x\n" $len_servername) - len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) - len_sni_ext=$(printf "%02x\n" $((len_servername+5))) - tls_extensions+="000000${len_sni_ext}00${len_sni_listlen}0000${len_servername_hex}${servername_hexstr}" - offset=$offset+$len_extension+4 - fi + else + sni_extension_found=true + if [[ -n "$SNI" ]]; then + # Create a server name extension that corresponds to $SNI + len_servername=${#NODE} + hexdump_format_str="$len_servername/1 \"%02x\"" + servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}") + # convert lengths we need to fill in from dec to hex: + len_servername_hex=$(printf "%02x\n" $len_servername) + len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) + len_sni_ext=$(printf "%02x\n" $((len_servername+5))) + tls_extensions+="000000${len_sni_ext}00${len_sni_listlen}0000${len_servername_hex}${servername_hexstr}" + 
offset=$offset+$len_extension+4 + fi + fi done if ! $sni_extension_found; then @@ -3456,7 +3475,6 @@ client_simulation_sockets() { sleep $USLEEP_SND sockread_serverhello 32768 - TLS_NOW=$(LC_ALL=C date "+%s") tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}" @@ -3465,7 +3483,7 @@ client_simulation_sockets() { hello_done=$? for(( 1 ; hello_done==1; 1 )); do - sock_reply_file2=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7 + sock_reply_file2=${SOCK_REPLY_FILE}.2 mv "$SOCK_REPLY_FILE" "$sock_reply_file2" debugme echo "requesting more server hello data..." @@ -3483,9 +3501,8 @@ client_simulation_sockets() { hello_done=0 else tls_hello_ascii+="$next_packet" - - sock_reply_file3=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7 - mv "$SOCK_REPLY_FILE" "$sock_reply_file3" + sock_reply_file3=${SOCK_REPLY_FILE}.3 + mv "$SOCK_REPLY_FILE" "$sock_reply_file3" #FIXME: we moved that already mv "$sock_reply_file2" "$SOCK_REPLY_FILE" cat "$sock_reply_file3" >> "$SOCK_REPLY_FILE" rm "$sock_reply_file3" @@ -3583,7 +3600,7 @@ run_client_simulation() { debugme tmln_out for name in "${short[@]}"; do #FIXME: printf formatting would look better, especially if we want a wide option here - out " ${names[i]} " + out " $(printf -- "%-33s" "${names[i]}")" if "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; then client_simulation_sockets "${handshakebytes[i]}" sclient_success=$? @@ -3607,7 +3624,7 @@ run_client_simulation() { what_dh=$(awk -F',' '{ print $1 }' <<< $temp) bits=$(awk -F',' '{ print $3 }' <<< $temp) grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp) - bits=$(tr -d ' bits' <<< $bits) + bits="${bits/ bits/}" if [[ "$what_dh" == "DH" ]]; then [[ ${minDhBits[i]} -ne -1 ]] && [[ $bits -lt ${minDhBits[i]} ]] && sclient_success=1 [[ ${maxDhBits[i]} -ne -1 ]] && [[ $bits -gt ${maxDhBits[i]} ]] && sclient_success=1 
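Review bot: In the rewritten loop of create_client_simulation_tls_clienthello, `offset=$offset+$len_extension+4` sits inside `if [[ -n "$SNI" ]]`, so when the recorded ClientHello carries a server name extension and `$SNI` is empty the offset only moves past the type field and the next iteration parses the length bytes as an extension type. Move that assignment after the inner `fi` so the extension is skipped in both cases. The same block builds the name with `printf $NODE`, which uses the target host name as an unquoted format string; `printf -- "%s" "$NODE"` keeps a `%` or backslash in the name from changing the bytes that are sent. The lengths are written with `printf "%02x\n"`, which assumes a name shorter than 256 bytes. The function begins and ends outside this hunk.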
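Review bot: `sock_reply_file2=${SOCK_REPLY_FILE}.2` and `sock_reply_file3=${SOCK_REPLY_FILE}.3` in client_simulation_sockets replace the two `mktemp` calls with fixed names next to `$SOCK_REPLY_FILE`. That is only safe if `$SOCK_REPLY_FILE` lives in a directory private to this run, which neither hunk shows. Once confirmed, a comment such as `# fixed suffixes are fine: $SOCK_REPLY_FILE is inside the per-run $TEMPDIR` would make the assumption reviewable. The new `#FIXME: we moved that already` on the `mv` should either be resolved or say which earlier move it refers to.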
@@ -4217,7 +4234,7 @@ read_dhbits_from_file() { else bits=$(awk -F',' '{ print $2 }' <<< $temp) fi - bits=$(tr -d ' bits' <<< $bits) + bits="${bits/ bits/}" if [[ "$what_dh" == "X25519" ]] || [[ "$what_dh" == "X448" ]]; then curve="$what_dh" @@ -4507,27 +4524,7 @@ run_server_preference() { i=$(($i + 1)) done - [[ -n "$PROXY" ]] && arg=" SPDY/NPN is" [[ -n "$STARTTLS" ]] && arg=" " - if spdy_pre " $arg" ; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY - # ALPN needs also some lines here - $OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" $SNI >$ERRFILE >$TMPFILE - if sclient_connect_successful $? $TMPFILE; then - proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g') - if [[ -z "${proto[i]}" ]]; then - cipher[i]="" - else - cipher[i]=$(get_cipher $TMPFILE) - if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ -n "${cipher[i]}" ]]; then - cipher[i]="$(openssl2rfc "${cipher[i]}")" - [[ -z "${cipher[i]}" ]] && cipher[i]=$(get_cipher $TMPFILE) - fi - [[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}" - fi - fi - else - outln # we miss for STARTTLS 1x LF otherwise - fi for i in 1 2 3 4 5 6; do if [[ -n "${cipher[i]}" ]]; then # cipher not empty 
@@ -4825,44 +4822,6 @@ cipher_pref_check() { done outln - if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS? - outln - else - npn_protos=$($OPENSSL s_client $BUGS -nextprotoneg \"\" -connect $NODEIP:$PORT $SNI >$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g') - for p in $npn_protos; do - order="" - $OPENSSL s_client $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI >$ERRFILE >$TMPFILE - cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE) - out "$(printf " %-10s " "$p:")" - tested_cipher="-"$cipher - order="$cipher " - if ! "$FAST"; then - while true; do - $OPENSSL s_client -cipher "ALL:$tested_cipher" $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI >$ERRFILE >$TMPFILE - sclient_connect_successful $? $TMPFILE || break - cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE) - tested_cipher="$tested_cipher:-$cipher" - order+="$cipher " - done - fi - if [[ -n "$order" ]] && [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then - rfc_order="" - while read -d " " cipher; do - rfc_ciph="$(openssl2rfc "$cipher")" - if [[ -n "$rfc_ciph" ]]; then - rfc_order+="$rfc_ciph " - else - rfc_order+="$cipher " - fi - done <<< "$order" - order="$rfc_order" - fi - out_row_aligned_max_width "$order" " " $TERM_WIDTH out - outln - [[ -n $order ]] && fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p: $order" - done - fi - outln tmpfile_handle $FUNCNAME.txt return 0 
@@ -5068,6 +5027,30 @@ sclient_connect_successful() { return 1 } +extract_new_tls_extensions() { + local tls_extensions + + # this is not beautiful (grep+sed) + # but maybe we should just get the ids and do a private matching, according to + # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml + tls_extensions=$(grep -a 'TLS server extension ' "$1" | \ + sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ + -e 's/,.*$/,/g' -e 's/),$/\"/g' \ + -e 's/elliptic curves\/#10/supported_groups\/#10/g') + tls_extensions=$(echo $tls_extensions) # into one line + + if [[ -n "$tls_extensions" ]]; then + # check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS + while read -d "\"" -r line; do + if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then +#FIXME: This is a string of quoted strings, so this seems to determine the output format already. Better e.g. would be an array + TLS_EXTENSIONS+=" \"${line}\"" + fi + done <<<$tls_extensions + [[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}" + fi +} + # Note that since, at the moment, this function is only called by run_server_defaults() # and run_heartbleed(), this function does not look for the status request or NPN # extensions. For run_heartbleed(), only the heartbeat extension needs to be detected. @@ -5110,7 +5093,7 @@ determine_tls_extensions() { success=$? fi [[ $success -eq 2 ]] && success=0 - [[ $success -eq 0 ]] && tls_extensions="$(grep -a 'TLS Extensions: ' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" | sed 's/TLS Extensions: //' )" + [[ $success -eq 0 ]] && extract_new_tls_extensions "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" if [[ -r "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" ]]; then cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE tmpfile_handle $FUNCNAME.txt 
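Review bot: extract_new_tls_extensions declares only `local tls_extensions`, so the `line` used by `read -d "\"" -r line` is not local to it; with bash's dynamic scoping it writes into the caller's `line` (get_server_certificate declares one) or into a global. I would make it `local tls_extensions line`. The here-string `<<<$tls_extensions` and the argument at two of the call sites (`extract_new_tls_extensions $TMPFILE`) are unquoted, and the function never checks `"$1"`, so a missing file only shows up as a grep error; `[[ -r "$1" ]] || return 1` at the top would make that explicit. A header comment stating that it takes an s_client-style output file and appends to the global TLS_EXTENSIONS would help, since three call sites now depend on it.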
@@ -5137,24 +5120,9 @@ determine_tls_extensions() { sclient_connect_successful $? $TMPFILE success=$? fi - if [[ $success -eq 0 ]]; then - tls_extensions=$(grep -a 'TLS server extension ' $TMPFILE | \ - sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ - -e 's/,.*$/,/g' -e 's/),$/\"/g' \ - -e 's/elliptic curves\/#10/supported_groups\/#10/g') - tls_extensions=$(echo $tls_extensions) # into one line - fi + [[ $success -eq 0 ]] && extract_new_tls_extensions $TMPFILE tmpfile_handle $FUNCNAME.txt fi - if [[ -n "$tls_extensions" ]]; then - # check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS - while read -d "\"" -r line; do - if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then - TLS_EXTENSIONS+=" \"${line}\"" - fi - done <<<$tls_extensions - [[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}" - fi return $success } @@ -5163,7 +5131,7 @@ determine_tls_extensions() { get_server_certificate() { local protocols_to_try proto addcmd local success - local npn_params="" tls_extensions line + local npn_params="" line local savedir local nrsaved @@ -5212,7 +5180,7 @@ get_server_certificate() { # this all needs to be moved into determine_tls_extensions() >$TEMPDIR/tlsext.txt # first shot w/o any protocol, then in turn we collect all extensions - $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -tlsextdebug -status $ERRFILE >$TMPFILE + $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tlsextdebug -status $ERRFILE >$TMPFILE sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt for proto in $protocols_to_try; do # we could know here which protcols are supported 
@@ -5239,25 +5207,7 @@ get_server_certificate() { GOST_STATUS_PROBLEM=true fi fi - #tls_extensions=$(awk -F'"' '/TLS server extension / { printf "\""$2"\" " }' $TMPFILE) - # - # this is not beautiful (grep+sed) - # but maybe we should just get the ids and do a private matching, according to - # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml - tls_extensions=$(grep -a 'TLS server extension ' $TEMPDIR/tlsext.txt | \ - sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ - -e 's/,.*$/,/g' -e 's/),$/\"/g' \ - -e 's/elliptic curves\/#10/supported_groups\/#10/g') - tls_extensions=$(echo $tls_extensions) # into one line - - # check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS - while read -d "\"" -r line; do - if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then -#FIXME: This is a string of quoted strings, so this seems to deterime the output format already. Better e.g. would be an array - TLS_EXTENSIONS+=" \"${line}\"" - fi - done <<<$tls_extensions - [[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}" + extract_new_tls_extensions $TMPFILE # Place the server's certificate in $HOSTCERT and any intermediate # certificates that were provided in $TEMPDIR/intermediatecerts.pem @@ -6975,10 +6925,9 @@ close_socket(){ # first: helper function for protocol checks +# arg1: formatted string here in the code code2network() { - # arg1: formatted string here in the code NW_STR=$(sed -e 's/,/\\\x/g' <<< "$1" | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t') - #TODO: just echo, no additional global var } len2twobytes() { 
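Review bot: get_server_certificate used to build the extension list from `$TEMPDIR/tlsext.txt`, which the preceding hunk still fills from the first, protocol-agnostic s_client run, but it now calls `extract_new_tls_extensions $TMPFILE`. If `$TMPFILE` holds only the output of the last attempt at that point (the loop body is outside this hunk), extensions seen only in the earlier run are no longer reported and `tlsext.txt` is written without being read. Either pass the collected file, `extract_new_tls_extensions "$TEMPDIR/tlsext.txt"`, or drop the `tlsext.txt` collection and say in a comment that only the final handshake is evaluated.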
@@ -7355,7 +7304,7 @@ parse_sslv2_serverhello() { let offset=26+$certificate_len nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) for (( i=0 ; i> $TMPFILE + echo "Supported cipher: x$(tolower "${v2_hello_ascii:offset:6}")" >> $TMPFILE let offset=$offset+6 done echo "======================================" >> $TMPFILE 
@@ -7805,23 +7754,23 @@ parse_tls_serverhello() { return 1 fi case $extension_type in - 0000) tls_extensions+=" \"server name/#0\"" ;; - 0001) tls_extensions+=" \"max fragment length/#1\"" ;; - 0002) tls_extensions+=" \"client certificate URL/#2\"" ;; - 0003) tls_extensions+=" \"trusted CA keys/#3\"" ;; - 0004) tls_extensions+=" \"truncated HMAC/#4\"" ;; - 0005) tls_extensions+=" \"status request/#5\"" ;; - 0006) tls_extensions+=" \"user mapping/#6\"" ;; - 0007) tls_extensions+=" \"client authz/#7\"" ;; - 0008) tls_extensions+=" \"server authz/#8\"" ;; - 0009) tls_extensions+=" \"cert type/#9\"" ;; - 000A) tls_extensions+=" \"supported_groups/#10\"" ;; - 000B) tls_extensions+=" \"EC point formats/#11\"" ;; - 000C) tls_extensions+=" \"SRP/#12\"" ;; - 000D) tls_extensions+=" \"signature algorithms/#13\"" ;; - 000E) tls_extensions+=" \"use SRTP/#14\"" ;; - 000F) tls_extensions+=" \"heartbeat/#15\"" ;; - 0010) tls_extensions+=" \"application layer protocol negotiation/#16\"" + 0000) tls_extensions+="TLS server extension \"server name\" (id=0), len=$extension_len\n" ;; + 0001) tls_extensions+="TLS server extension \"max fragment length\" (id=1), len=$extension_len\n" ;; + 0002) tls_extensions+="TLS server extension \"client certificate URL\" (id=2), len=$extension_len\n" ;; + 0003) tls_extensions+="TLS server extension \"trusted CA keys\" (id=3, len=$extension_len\n)" ;; + 0004) tls_extensions+="TLS server extension \"truncated HMAC\" (id=4), len=$extension_len\n" ;; + 0005) tls_extensions+="TLS server extension \"status request\" (id=5), len=$extension_len\n" ;; + 0006) tls_extensions+="TLS server extension \"user mapping\" (id=6), len=$extension_len\n" ;; + 0007) tls_extensions+="TLS server extension \"client authz\" (id=7), len=$extension_len\n" ;; + 0008) tls_extensions+="TLS server extension \"server authz\" (id=8), len=$extension_len\n" ;; + 0009) tls_extensions+="TLS server extension \"cert type\" (id=9), len=$extension_len\n" ;; + 000A) tls_extensions+="TLS 
server extension \"supported_groups\" (id=10), len=$extension_len\n" ;; + 000B) tls_extensions+="TLS server extension \"EC point formats\" (id=11), len=$extension_len\n" ;; + 000C) tls_extensions+="TLS server extension \"SRP\" (id=12), len=$extension_len\n" ;; + 000D) tls_extensions+="TLS server extension \"signature algorithms\" (id=13), len=$extension_len\n" ;; + 000E) tls_extensions+="TLS server extension \"use SRTP\" (id=14), len=$extension_len\n" ;; + 000F) tls_extensions+="TLS server extension \"heartbeat\" (id=15), len=$extension_len\n" ;; + 0010) tls_extensions+="TLS server extension \"application layer protocol negotiation\" (id=16), len=$extension_len\n" if [[ $extension_len -lt 4 ]]; then debugme echo "Malformed application layer protocol negotiation extension." return 1 
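Review bot: The new `0003)` entry has its closing parenthesis in the wrong place: it reads `(id=3, len=$extension_len\n)` where every sibling reads `(id=N), len=$extension_len\n`. The sed chain that converts these lines back to the `name/#id` form (`-e 's/,.*$/,/g' -e 's/),$/\"/g'`, visible in the later `parse_tls_serverhello()` debug hunk) keys on `),`, so the trusted CA keys entry would come out without its closing quote. The stray `)` also lands at the start of the next extension's line. The entry should read `0003) tls_extensions+="TLS server extension \"trusted CA keys\" (id=3), len=$extension_len\n" ;;`. The enclosing `case` statement begins and ends outside this hunk.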
@@ -7844,24 +7793,24 @@ parse_tls_serverhello() { echo "" >> $TMPFILE echo "===============================================================================" >> $TMPFILE ;; - 0011) tls_extensions+=" \"certificate status version 2/#17\"" ;; - 0012) tls_extensions+=" \"signed certificate timestamps/#18\"" ;; - 0013) tls_extensions+=" \"client certificate type/#19\"" ;; - 0014) tls_extensions+=" \"server certificate type/#20\"" ;; - 0015) tls_extensions+=" \"TLS padding/#21\"" ;; - 0016) tls_extensions+=" \"encrypt-then-mac/#22\"" ;; - 0017) tls_extensions+=" \"extended master secret/#23\"" ;; - 0018) tls_extensions+=" \"token binding/#24\"" ;; - 0019) tls_extensions+=" \"cached info/#25\"" ;; - 0023) tls_extensions+=" \"session ticket/#35\"" ;; - 0028) tls_extensions+=" \"key share/#40\"" ;; - 0029) tls_extensions+=" \"pre-shared key/#41\"" ;; - 002A) tls_extensions+=" \"early data/#42\"" ;; - 002B) tls_extensions+=" \"supported versions/#43\"" ;; - 002C) tls_extensions+=" \"cookie/#44\"" ;; - 002D) tls_extensions+=" \"psk key exchange modes/#45\"" ;; - 002E) tls_extensions+=" \"ticket early data info/#46\"" ;; - 3374) tls_extensions+=" \"next protocol/#13172\"" + 0011) tls_extensions+="TLS server extension \"certificate status version 2\" (id=17), len=$extension_len\n" ;; + 0012) tls_extensions+="TLS server extension \"signed certificate timestamps\" (id=18), len=$extension_len\n" ;; + 0013) tls_extensions+="TLS server extension \"client certificate type\" (id=19), len=$extension_len\n" ;; + 0014) tls_extensions+="TLS server extension \"server certificate type\" (id=20), len=$extension_len\n" ;; + 0015) tls_extensions+="TLS server extension \"TLS padding\" (id=21), len=$extension_len\n" ;; + 0016) tls_extensions+="TLS server extension \"encrypt-then-mac\" (id=22), len=$extension_len\n" ;; + 0017) tls_extensions+="TLS server extension \"extended master secret\" (id=23), len=$extension_len\n" ;; + 0018) tls_extensions+="TLS server extension \"token binding\" (id=24), 
len=$extension_len\n" ;; + 0019) tls_extensions+="TLS server extension \"cached info\" (id=25), len=$extension_len\n" ;; + 0023) tls_extensions+="TLS server extension \"session ticket\" (id=35), len=$extension_len\n" ;; + 0028) tls_extensions+="TLS server extension \"key share\" (id=40), len=$extension_len\n" ;; + 0029) tls_extensions+="TLS server extension \"pre-shared key\" (id=41), len=$extension_len\n" ;; + 002A) tls_extensions+="TLS server extension \"early data\" (id=42), len=$extension_len\n" ;; + 002B) tls_extensions+="TLS server extension \"supported versions\" (id=43), len=$extension_len\n" ;; + 002C) tls_extensions+="TLS server extension \"cookie\" (id=44), len=$extension_len\n" ;; + 002D) tls_extensions+="TLS server extension \"psk key exchange modes\" (id=45), len=$extension_len\n" ;; + 002E) tls_extensions+="TLS server extension \"ticket early data info\" (id=46), len=$extension_len\n" ;; + 3374) tls_extensions+="TLS server extension \"next protocol\" (id=13172), len=$extension_len\n" local -i protocol_len echo -n "Protocols advertised by server: " >> $TMPFILE let offset=$extns_offset+12+$i @@ -7883,8 +7832,8 @@ parse_tls_serverhello() { echo "" >> $TMPFILE echo "===============================================================================" >> $TMPFILE ;; - FF01) tls_extensions+=" \"renegotiation info/#65281\"" ;; - *) tls_extensions+=" \"unrecognized extension/#$(printf "%d\n\n" "0x$extension_type")\"" ;; + FF01) tls_extensions+="TLS server extension \"renegotiation info\" (id=65281), len=$extension_len\n" ;; + *) tls_extensions+="TLS server extension \"unrecognized extension\" (id=$(printf "%d\n\n" "0x$extension_type")), len=$extension_len\n" ;; esac done fi 
@@ -7914,7 +7863,7 @@ parse_tls_serverhello() { esac echo "===============================================================================" >> $TMPFILE fi - [[ -n "$tls_extensions" ]] && echo "TLS Extensions: ${tls_extensions:1}" >> $TMPFILE + [[ -n "$tls_extensions" ]] && echo -e "$tls_extensions" >> $TMPFILE if [[ $DEBUG -ge 2 ]]; then echo "TLS server hello message:" @@ -7937,7 +7886,12 @@ parse_tls_serverhello() { esac fi if [[ -n "$tls_extensions" ]]; then - echo " tls_extensions: ${tls_extensions:1}" + echo -n " tls_extensions: " + newline_to_spaces "$(grep -a 'TLS server extension ' $TMPFILE | \ + sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ + -e 's/,.*$/,/g' -e 's/),$/\"/g' \ + -e 's/elliptic curves\/#10/supported_groups\/#10/g')" + echo "" if [[ "$tls_extensions" =~ "application layer protocol negotiation" ]]; then echo " ALPN protocol: $(grep "ALPN protocol:" "$TMPFILE" | sed 's/ALPN protocol: //')" fi @@ -8315,7 +8269,7 @@ socksend_tls_clienthello() { local extension_session_ticket extension_next_protocol extension_padding local extension_supported_groups="" extension_supported_point_formats="" local extra_extensions extra_extensions_list="" - local offer_compression=false compression_metods + local offer_compression=false compression_methods # TLSv1.3 ClientHello messages MUST specify only the NULL compression method. [[ "$4" == "true" ]] && [[ "0x$tls_low_byte" -le "0x03" ]] && offer_compression=true @@ -8415,7 +8369,7 @@ socksend_tls_clienthello() { # Each extension should appear in the ClientHello at most once. So, # find out what extensions were provided as an argument and only use # the provided values for those extensions. - extra_extensions="$(echo "$3" | tr 'A-Z' 'a-z')" + extra_extensions="$(tolower "$3")" code2network "$extra_extensions" len_all=${#extra_extensions} for (( i=0; i < len_all; i=i+16+4*0x$len_extension_hex )); do 
@@ -8530,9 +8484,9 @@ socksend_tls_clienthello() { if "$offer_compression"; then # See http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml#comp-meth-ids-2 - compression_metods="03,01,40,00" # Offer NULL, DEFLATE, and LZS compression + compression_methods="03,01,40,00" # Offer NULL, DEFLATE, and LZS compression else - compression_metods="01,00" # Only offer NULL compression (0x00) + compression_methods="01,00" # Only offer NULL compression (0x00) fi TLS_CLIENT_HELLO=" @@ -8551,7 +8505,7 @@ socksend_tls_clienthello() { ,00 # Session ID length ,$len_ciph_suites_word # Cipher suites length ,$cipher_suites - ,$compression_metods" + ,$compression_methods" fd_socket 5 || return 6 @@ -10771,7 +10725,7 @@ file output options (can also be preset via environment variables): --htmlfile additional output as HTML to the specifed file --hints additional hints to findings --severity severities with lower level will be filtered for CSV+JSON, possible values - --append if or exists rather append then overwrite + --append if , or exists rather append then overwrite Options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl . @@ -10794,7 +10748,6 @@ maketempf() { } prepare_debug() { - local hexc mac ossl_ciph ossl_supported_tls="" ossl_supported_sslv2="" if [[ $DEBUG -ne 0 ]]; then cat >$TEMPDIR/environment.txt << EOF @@ -10872,6 +10825,12 @@ EOF $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' &>$TEMPDIR/all_local_ciphers.txt fi # see also $TEMPDIR/s_client_has.txt from find_openssl_binary +} + + +prepare_arrays() { + local hexc mac ossl_ciph + local ossl_supported_tls="" ossl_supported_sslv2="" if [[ -e $CIPHERS_BY_STRENGTH_FILE ]]; then "$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)" @@ -10969,6 +10928,8 @@ cleanup () { outln "$APPEND" || fileout_footer html_footer + # debugging off, see above + grep -q xtrace <<< "$SHELLOPTS" && exec 2>&42 42>&- } fatal() { 
@@ -11048,14 +11009,14 @@ parse_hn_port() { NODE="$1" # strip "https" and trailing urlpath supposed it was supplied additionally - echo "$NODE" | grep -q 'https://' && NODE=$(echo "$NODE" | sed -e 's/^https\:\/\///') + grep -q 'https://' <<< "$NODE" && NODE=$(sed -e 's/^https\:\/\///' <<< "$NODE") # strip trailing urlpath - NODE=$(echo "$NODE" | sed -e 's/\/.*$//') + NODE=$(sed -e 's/\/.*$//' <<< "$NODE") # if there's a trailing ':' probably a starttls/application protocol was specified - if grep -q ':$' <<< $NODE; then - if grep -wq http <<< $NODE; then + if grep -q ':$' <<< "$NODE"; then + if grep -wq http <<< "$NODE"; then fatal "\"http\" is not what you meant probably" 1 else fatal "\"$1\" is not a valid URI" 1 @@ -11073,17 +11034,17 @@ parse_hn_port() { NODE=$(sed -e 's/\[//' -e 's/\]//' <<< "$NODE") else # determine v4 port, supposed it was supplied additionally - echo "$NODE" | grep -q ':' && \ - PORT=$(echo "$NODE" | sed 's/^.*\://') && NODE=$(echo "$NODE" | sed 's/\:.*$//') + grep -q ':' <<< "$NODE" && \ + PORT=$(sed 's/^.*\://' <<< "$NODE") && NODE=$(sed 's/\:.*$//' <<< "$NODE") fi debugme echo $NODE:$PORT SNI="-servername $NODE" - URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port - URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> / + URL_PATH=$(sed 's/https:\/\///' <<< "$1" | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port + URL_PATH=$(sed 's/\/\//\//g' <<< "$URL_PATH") # we rather want // -> / [[ -z "$URL_PATH" ]] && URL_PATH="/" debugme echo $URL_PATH - return 0 # NODE, URL_PATH, PORT is set now + return 0 # NODE, URL_PATH, PORT is set now } @@ -11092,7 +11053,7 @@ parse_hn_port() { prepare_logging() { local fname_prefix="$1" - [[ -z "$fname_prefix" ]] && fname_prefix="$NODE"_"$PORT" + [[ -z "$fname_prefix" ]] && fname_prefix="${NODE}"_p"${PORT}" if "$do_logging"; then if [[ -z "$LOGFILE" ]]; then 
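Review bot: The rewritten `URL_PATH=` line in the second `parse_hn_port()` hunk still splices `${NODE}` and `${PORT}` into the sed programs (`sed 's/'"${NODE}"'//'`), so the host part of the command-line argument is read as a regular expression rather than as literal text. Every `.` in a hostname matches any character, and a `[`, `*` or `\` in the argument changes or breaks the expression. Since the line is being touched anyway, literal matching with parameter expansion avoids this: `URL_PATH="${1#https://}"`, then `URL_PATH="${URL_PATH/"$NODE"/}"` and `URL_PATH="${URL_PATH##*"$PORT"}"`. The function starts outside the hunk, so any earlier validation of NODE is not visible here.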
@@ -11103,6 +11064,7 @@ prepare_logging() { else : # just for clarity: a log file was specified, no need to do anything else fi + [[ -e $LOGFILE ]] && fatal "\"$LOGFILE\" exists. Either use \"--append\" or (re)move it" 1 >$LOGFILE tmln_out "## Scan started as: \"$PROG_NAME $CMDLINE\"" >>${LOGFILE} tmln_out "## at $HNAME:$OPENSSL_LOCATION" >>${LOGFILE} @@ -11130,7 +11092,6 @@ prepare_logging() { fi fi fileout_header # write out any CSV/JSON header line - return 0 } @@ -11675,7 +11636,14 @@ display_rdns_etc() { } datebanner() { - pr_reverse "$1 $(date +%F) $(date +%T) -->> $NODEIP:$PORT ($NODE) <<--" + local scan_time_f="" + + if [[ "$1" =~ Done ]] ; then + scan_time_f="$(printf "%04ss" "$SCAN_TIME")" # 4 digits because of windows + pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $NODEIP:$PORT ($NODE) <<--" + else + pr_reverse "$1 $(date +%F) $(date +%T) -->> $NODEIP:$PORT ($NODE) <<--" + fi outln "\n" [[ "$1" =~ Start ]] && display_rdns_etc } @@ -11888,7 +11856,7 @@ parse_opt_equal_sign() { echo ${1#*=} return 1 # = means we don't need to shift args! else - echo $2 + echo "$2" return 0 # we need to shift fi } 
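Review bot: The added `[[ -e $LOGFILE ]] && fatal …` test and the `>$LOGFILE` truncation on the following line are two separate steps, so a file or symlink that appears at that path in between is still truncated; in a shared or world-writable log directory this is a check-then-use race. Creating the file with noclobber set makes the existence check part of the open itself: `( set -o noclobber; >"$LOGFILE" ) 2>/dev/null || fatal "\"$LOGFILE\" exists or cannot be created. Either use \"--append\" or (re)move it" 1`. The redirection target should be quoted in any case, since an unquoted path containing spaces fails as an ambiguous redirect. Whether this branch is skipped under `--append` is decided outside the hunk.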
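Review bot: In the `datebanner()` hunk, `printf "%04ss" "$SCAN_TIME"` combines the `0` flag with an `s` conversion, which printf does not define, so the padding character can differ between platforms. The comment says "4 digits", and `SCAN_TIME` is computed as an integer in `lets_roll`, so `scan_time_f="$(printf "%04ds" "$SCAN_TIME")"` states the intent and pads with zeros everywhere. If space padding was intended instead, `%4s` says so without the undefined flag.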
@@ -12283,42 +12251,60 @@ reset_hostdepended_vars() { SERVER_SIZE_LIMIT_BUG=false } +# rough estimate, in the future we maybe want to make use of nano secs (%N) +# note this is for performance debugging purposes (MEASURE_TIME=yes), so eye candy is not important +time_right_align() { + local new_delta + + "$MEASURE_TIME" || return + new_delta=$(( $(date +%s) - LAST_TIME )) + printf "%${COLUMNS}s" "$new_delta" + [[ -e "$MEASURE_TIME_FILE" ]] && echo "$1 : $new_delta " >> $MEASURE_TIME_FILE + LAST_TIME=$(( $new_delta + LAST_TIME )) +} lets_roll() { local ret local section_number=1 + if [[ "$1" == init ]]; then + # called once upfront to be able to measure preperation time b4 everything starts + START_TIME=$(date +%s) + LAST_TIME=$START_TIME + [[ -n "$MEASURE_TIME_FILE" ]] && >$MEASURE_TIME_FILE + return 0 + fi + time_right_align initialized + [[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" 2 nodeip_to_proper_ip6 reset_hostdepended_vars determine_rdns - START_TIME=$(date +%s) - ((SERVER_COUNTER++)) determine_service "$1" # any starttls service goes here $do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets "" "true"; echo "$?" ; exit 0; } $do_tls_sockets && [[ $TLS_LOW_BYTE -ne 22 ]] && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all"; echo "$?" ; exit 0; } - $do_test_just_one && test_just_one ${single_cipher} + $do_test_just_one && test_just_one ${single_cipher} && time_right_align # all top level functions now following have the prefix "run_" fileout_section_header $section_number false && ((section_number++)) - $do_protocols && { run_protocols; ret=$(($? + ret)); } - $do_spdy && { run_spdy; ret=$(($? + ret)); } - $do_http2 && { run_http2; ret=$(($? + ret)); } + $do_protocols && { run_protocols; ret=$(($? + ret)); time_right_align run_protocols; } + $do_spdy && { run_spdy; ret=$(($? + ret)); time_right_align run_spdy; } + $do_http2 && { run_http2; ret=$(($? 
+ ret)); time_right_align run_http2; } fileout_section_header $section_number true && ((section_number++)) - $do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); } + $do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); time_right_align run_std_cipherlists; } fileout_section_header $section_number true && ((section_number++)) - $do_pfs && { run_pfs; ret=$(($? + ret)); } + $do_pfs && { run_pfs; ret=$(($? + ret)); time_right_align run_pfs; } fileout_section_header $section_number true && ((section_number++)) - $do_server_preference && { run_server_preference; ret=$(($? + ret)); } + $do_server_preference && { run_server_preference; ret=$(($? + ret)); time_right_align run_server_preference; } fileout_section_header $section_number true && ((section_number++)) - $do_server_defaults && { run_server_defaults; ret=$(($? + ret)); } + $do_server_defaults && { run_server_defaults; ret=$(($? + ret)); time_right_align run_server_defaults; } if $do_header; then #TODO: refactor this into functions @@ -12333,6 +12319,7 @@ lets_roll() { run_cookie_flags "$URL_PATH" run_more_flags "$URL_PATH" run_rp_banner "$URL_PATH" + time_right_align do_header fi else ((section_number++)) 
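Review bot: In the new `init` branch of `lets_roll`, `[[ -n "$MEASURE_TIME_FILE" ]] && >$MEASURE_TIME_FILE` truncates whatever path the variable names, unquoted and without the exists-check this commit adds for `$LOGFILE`; `time_right_align` appends with the same unquoted `>> $MEASURE_TIME_FILE`. Quoting both targets (`>"$MEASURE_TIME_FILE"`, `>> "$MEASURE_TIME_FILE"`) keeps a path with spaces from failing as an ambiguous redirect. Because `lets_roll init` is called before `initialize_globals` and `parse_cmd_line` (see the `main` hunk), both variables must already be set at that point, presumably from the environment or a default outside this diff. That deserves a comment above `time_right_align`, for example `# MEASURE_TIME / MEASURE_TIME_FILE must be preset before main; the file is truncated at startup`. `"$MEASURE_TIME" || return` also runs the variable as a command, so it depends on that default being `true` or `false`.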
@@ -12345,34 +12332,38 @@ lets_roll() { fi fileout_section_header $section_number true && ((section_number++)) - $do_heartbleed && { run_heartbleed; ret=$(($? + ret)); } - $do_ccs_injection && { run_ccs_injection; ret=$(($? + ret)); } - $do_renego && { run_renego; ret=$(($? + ret)); } - $do_crime && { run_crime; ret=$(($? + ret)); } - $do_breach && { run_breach "$URL_PATH" ; ret=$(($? + ret)); } - $do_ssl_poodle && { run_ssl_poodle; ret=$(($? + ret)); } - $do_tls_fallback_scsv && { run_tls_fallback_scsv; ret=$(($? + ret)); } - $do_sweet32 && { run_sweet32; ret=$(($? + ret)); } - $do_freak && { run_freak; ret=$(($? + ret)); } - $do_drown && { run_drown ret=$(($? + ret)); } - $do_logjam && { run_logjam; ret=$(($? + ret)); } - $do_beast && { run_beast; ret=$(($? + ret)); } - $do_lucky13 && { run_lucky13; ret=$(($? + ret)); } - $do_rc4 && { run_rc4; ret=$(($? + ret)); } + $do_heartbleed && { run_heartbleed; ret=$(($? + ret)); time_right_align run_heartbleed; } + $do_ccs_injection && { run_ccs_injection; ret=$(($? + ret)); time_right_align run_ccs_injection; } + $do_renego && { run_renego; ret=$(($? + ret)); time_right_align run_renego; } + $do_crime && { run_crime; ret=$(($? + ret)); time_right_align run_crime; } + $do_breach && { run_breach "$URL_PATH" ; ret=$(($? + ret)); time_right_align run_breach; } + $do_ssl_poodle && { run_ssl_poodle; ret=$(($? + ret)); time_right_align run_ssl_poodle; } + $do_tls_fallback_scsv && { run_tls_fallback_scsv; ret=$(($? + ret)); time_right_align run_tls_fallback_scsv; } + $do_sweet32 && { run_sweet32; ret=$(($? + ret)); time_right_align run_sweet32; } + $do_freak && { run_freak; ret=$(($? + ret)); time_right_align run_freak; } + $do_drown && { run_drown ret=$(($? + ret)); time_right_align run_drown; } + $do_logjam && { run_logjam; ret=$(($? + ret)); time_right_align run_logjam; } + $do_beast && { run_beast; ret=$(($? + ret)); time_right_align run_beast; } + $do_lucky13 && { run_lucky13; ret=$(($? 
+ ret)); time_right_align run_lucky13; } + $do_rc4 && { run_rc4; ret=$(($? + ret)); time_right_align run_rc4; } fileout_section_header $section_number true && ((section_number++)) - $do_allciphers && { run_allciphers; ret=$(($? + ret)); } - $do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); } + $do_allciphers && { run_allciphers; ret=$(($? + ret)); time_right_align run_allciphers; } + $do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); time_right_align run_cipher_per_proto; } fileout_section_header $section_number true && ((section_number++)) - $do_client_simulation && { run_client_simulation; ret=$(($? + ret)); } + $do_client_simulation && { run_client_simulation; ret=$(($? + ret)); time_right_align run_client_simulation; } fileout_section_footer true outln END_TIME=$(date +%s) + SCAN_TIME=$(( END_TIME - START_TIME )) datebanner " Done" + "$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME" + [[ -e "$MEASURE_TIME_FILE" ]] && echo "Total : $SCAN_TIME " >> $MEASURE_TIME_FILE + return $ret } @@ -12380,7 +12371,7 @@ lets_roll() { ################# main ################# - +lets_roll init initialize_globals parse_cmd_line "$@" html_header @@ -12389,6 +12380,7 @@ set_color_functions maketempf find_openssl_binary prepare_debug +prepare_arrays mybanner check_proxy check4openssl_oldfarts @@ -12404,6 +12396,7 @@ if $do_display_only; then fi if $do_mass_testing; then + prepare_logging run_mass_testing exit $? fi
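Review bot: The rewritten `$do_drown` line keeps a missing semicolon: `{ run_drown ret=$(($? + ret)); time_right_align run_drown; }` passes `ret=…` to `run_drown` as an argument instead of assigning it. The DROWN check's exit status therefore never reaches `ret`, and the `return $ret` at the end of `lets_roll` under-reports it. It should match its neighbours: `$do_drown && { run_drown; ret=$(($? + ret)); time_right_align run_drown; }`. `lets_roll` starts outside this hunk.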