From 273361fbb94a03a2941a713f96d78d47bcd4a984 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 20 Mar 2017 22:53:18 +0100 Subject: [PATCH 01/17] raw time assements via env var MEASURE_TIME=true --- testssl.sh | 55 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 24 deletions(-) diff --git a/testssl.sh b/testssl.sh index fa70164..38fe297 100755 --- a/testssl.sh +++ b/testssl.sh @@ -190,6 +190,7 @@ HAD_SLEPT=0 CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) FNAME=${FNAME:-""} # file name to read commands from IKNOW_FNAME=false +MEASURE_TIME=${MEASURE_TIME:-false} # further global vars just declared here readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1" 
@@ -12283,42 +12284,47 @@ reset_hostdepended_vars() { SERVER_SIZE_LIMIT_BUG=false } +time_right_align() { + "$MEASURE_TIME" && printf "%${COLUMNS}s" "$START_TIME + $(($(date +%s) - START_TIME )) " +} lets_roll() { local ret local section_number=1 + START_TIME=$(date +%s) + "$MEASURE_TIME" && printf "%${COLUMNS}s" "$START_TIME + $(($(date +%s) - START_TIME )) " + [[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" 2 nodeip_to_proper_ip6 reset_hostdepended_vars determine_rdns - START_TIME=$(date +%s) - ((SERVER_COUNTER++)) determine_service "$1" # any starttls service goes here $do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets "" "true"; echo "$?" ; exit 0; } $do_tls_sockets && [[ $TLS_LOW_BYTE -ne 22 ]] && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all"; echo "$?" ; exit 0; } - $do_test_just_one && test_just_one ${single_cipher} + $do_test_just_one && test_just_one ${single_cipher} && time_right_align # all top level functions now following have the prefix "run_" fileout_section_header $section_number false && ((section_number++)) $do_protocols && { run_protocols; ret=$(($? + ret)); } $do_spdy && { run_spdy; ret=$(($? + ret)); } $do_http2 && { run_http2; ret=$(($? + ret)); } + ( $do_protocols || $do_spdy || $do_http2 ) && time_right_align fileout_section_header $section_number true && ((section_number++)) - $do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); } + $do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); } && time_right_align fileout_section_header $section_number true && ((section_number++)) - $do_pfs && { run_pfs; ret=$(($? + ret)); } + $do_pfs && { run_pfs; ret=$(($? + ret)); } && time_right_align fileout_section_header $section_number true && ((section_number++)) - $do_server_preference && { run_server_preference; ret=$(($? + ret)); } + $do_server_preference && { run_server_preference; ret=$(($? 
+ ret)); } && time_right_align fileout_section_header $section_number true && ((section_number++)) - $do_server_defaults && { run_server_defaults; ret=$(($? + ret)); } + $do_server_defaults && { run_server_defaults; ret=$(($? + ret)); } && time_right_align if $do_header; then #TODO: refactor this into functions @@ -12333,6 +12339,7 @@ lets_roll() { run_cookie_flags "$URL_PATH" run_more_flags "$URL_PATH" run_rp_banner "$URL_PATH" + time_right_align fi else ((section_number++)) 
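Review bot: In `time_right_align()` and in the duplicated line at the top of `lets_roll()`, `"$MEASURE_TIME" && printf …` runs the variable's value as a command, and the first hunk takes that value from the environment via `${MEASURE_TIME:-false}`. Any setting other than `true` or `false` is therefore executed rather than rejected; the comment that PATCH 03 adds to this function even suggests `MEASURE_TIME=yes`, which would start yes(1) and never return. Compare the value instead, `[[ "$MEASURE_TIME" == true ]] && printf …`, and have `lets_roll()` call `time_right_align` rather than repeat the `printf`. The same test recurs in the PATCH 03 and PATCH 04 hunks that touch `time_right_align()` and the end of `lets_roll()`.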
@@ -12345,27 +12352,27 @@ lets_roll() { fi fileout_section_header $section_number true && ((section_number++)) - $do_heartbleed && { run_heartbleed; ret=$(($? + ret)); } - $do_ccs_injection && { run_ccs_injection; ret=$(($? + ret)); } - $do_renego && { run_renego; ret=$(($? + ret)); } - $do_crime && { run_crime; ret=$(($? + ret)); } - $do_breach && { run_breach "$URL_PATH" ; ret=$(($? + ret)); } - $do_ssl_poodle && { run_ssl_poodle; ret=$(($? + ret)); } - $do_tls_fallback_scsv && { run_tls_fallback_scsv; ret=$(($? + ret)); } - $do_sweet32 && { run_sweet32; ret=$(($? + ret)); } - $do_freak && { run_freak; ret=$(($? + ret)); } - $do_drown && { run_drown ret=$(($? + ret)); } - $do_logjam && { run_logjam; ret=$(($? + ret)); } - $do_beast && { run_beast; ret=$(($? + ret)); } - $do_lucky13 && { run_lucky13; ret=$(($? + ret)); } - $do_rc4 && { run_rc4; ret=$(($? + ret)); } + $do_heartbleed && { run_heartbleed; ret=$(($? + ret)); } && time_right_align + $do_ccs_injection && { run_ccs_injection; ret=$(($? + ret)); } && time_right_align + $do_renego && { run_renego; ret=$(($? + ret)); } && time_right_align + $do_crime && { run_crime; ret=$(($? + ret)); } && time_right_align + $do_breach && { run_breach "$URL_PATH" ; ret=$(($? + ret)); } && time_right_align + $do_ssl_poodle && { run_ssl_poodle; ret=$(($? + ret)); } && time_right_align + $do_tls_fallback_scsv && { run_tls_fallback_scsv; ret=$(($? + ret)); } && time_right_align + $do_sweet32 && { run_sweet32; ret=$(($? + ret)); } && time_right_align + $do_freak && { run_freak; ret=$(($? + ret)); } && time_right_align + $do_drown && { run_drown ret=$(($? + ret)); } && time_right_align + $do_logjam && { run_logjam; ret=$(($? + ret)); } && time_right_align + $do_beast && { run_beast; ret=$(($? + ret)); } && time_right_align + $do_lucky13 && { run_lucky13; ret=$(($? + ret)); } && time_right_align + $do_rc4 && { run_rc4; ret=$(($? 
+ ret)); } && time_right_align fileout_section_header $section_number true && ((section_number++)) - $do_allciphers && { run_allciphers; ret=$(($? + ret)); } - $do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); } + $do_allciphers && { run_allciphers; ret=$(($? + ret)); } && time_right_align + $do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); } && time_right_align fileout_section_header $section_number true && ((section_number++)) - $do_client_simulation && { run_client_simulation; ret=$(($? + ret)); } + $do_client_simulation && { run_client_simulation; ret=$(($? + ret)); } && time_right_align fileout_section_footer true From 8c0b0083d06b0011fbd073b53d1132679f3d2654 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 21 Mar 2017 09:15:30 +0100 Subject: [PATCH 02/17] further separation of data / code --- etc/tls_data.txt | 231 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 231 insertions(+) create mode 100755 etc/tls_data.txt diff --git a/etc/tls_data.txt b/etc/tls_data.txt new file mode 100755 index 0000000..1ee1eda --- /dev/null +++ b/etc/tls_data.txt 
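Review bot: The `$do_drown` line is missing the `;` after `run_drown`, so `ret=$(($? + ret))` is passed to `run_drown` as an argument and its exit status is never added to `ret`. The line is edited here but the defect is carried over from the old side; it should read `$do_drown && { run_drown; ret=$(($? + ret)); } && time_right_align`. The rewritten form of this line in PATCH 04 (`{ run_drown ret=$(($? + ret)); time_right_align run_drown; }`) has the same omission. `lets_roll()` starts and ends outside this hunk.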
@@ -0,0 +1,231 @@ + +# data we need for socket based handshakes + +# 133 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN HTTP2/ALPN +readonly TLS12_CIPHER=" +cc,14, cc,13, cc,15, c0,30, c0,2c, c0,28, c0,24, c0,14, +c0,0a, c0,22, c0,21, c0,20, 00,a5, 00,a3, 00,a1, 00,9f, +00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, 00,80, 00,81, 00,82, 00,83, +c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, +00,86, 00,85, c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, +c0,79, c0,75, 00,9d, 00,3d, 00,35, 00,c0, 00,84, c0,2f, +c0,2b, c0,27, c0,23, c0,13, c0,09, c0,1f, c0,1e, c0,1d, +00,a4, 00,a2, 00,a0, 00,9e, 00,67, 00,40, 00,3f, 00,3e, +00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, +00,bc, 00,bb, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44, +00,43, 00,42, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, +c0,78, c0,74, 00,9c, 00,3c, 00,2f, 00,ba, 00,96, 00,41, +00,07, c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, +c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, +00,0d, c0,0d, c0,03, 00,0a, 00,63, 00,15, 00,12, 00,0f, +00,0c, 00,62, 00,09, 00,65, 00,64, 00,14, 00,11, 00,0e, +00,0b, 00,08, 00,06, 00,03, 00,ff" + +# 76 standard cipher + 4x GOST for SSLv3, TLS 1, TLS 1.1 +readonly TLS_CIPHER=" +c0,14, c0,0a, c0,22, c0,21, c0,20, 00,39, 00,38, 00,37, +00,36, 00,88, 00,87, 00,86, 00,85, c0,0f, c0,05, 00,35, +00,84, c0,13, c0,09, c0,1f, c0,1e, c0,1d, 00,33, 00,32, 00,80, 00,81, 00,82, 00,83, +00,31, 00,30, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44, +00,43, 00,42, c0,0e, c0,04, 00,2f, 00,96, 00,41, 00,07, +c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, c0,12, +c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, +c0,0d, c0,03, 00,0a, 00,63, 00,15, 00,12, 00,0f, 00,0c, +00,62, 00,09, 00,65, 00,64, 00,14, 00,11, 00,0e, 00,0b, +00,08, 00,06, 00,03, 00,ff" + +readonly -a TLS13_KEY_SHARES=( + "0" "1" "2" "3" "4" "5" "6" "7" "8" "9" "a" "b" "c" "d" "e" "f" + "10" "11" "12" "13" "14" "15" "16" +"-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC 
PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIHEhQsBkqt1i15mG1wluq/zLqDmjqNQegtgxyNBfRbZSoAoGCCqGSM49 +AwEHoUQDQgAEJP3GoZyVYrabOauJMWUZJxM0PEbtjTxW7K8V+JMDhJa+UyRQm8Tf +2LDnzCAiuwzF8m0KhcloHEoptD2WBUmJlQ== +-----END EC PRIVATE KEY----- +" +"-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDA7MCUdHy2+Kc73fWph++jWo18LHzzm7SKLgycQBNtmeJu3w1y9pK0G +EXgAWsIePIOgBwYFK4EEACKhZANiAAT/x7tN8plE6gbA6D4Igp3ash5EvZxvNqdG +Q50fcDrIco91ybaVlg2tdngZgurTzte+jv7kdkYrILUmLnXxAUGg4d86yStfcZaI +rDEB8Hc9BgJkFFoLSsXMVCKfoEo777k= +-----END EC PRIVATE KEY----- +" +"-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIHbAgEBBEFjBqkejwKserOf+LoY6xeSUUoLSZQDz/oNLXLB3NQJ3ewDkhbjOvcL +jG1on33V080fXRTN3eNdfvzcqDw4c0GGCKAHBgUrgQQAI6GBiQOBhgAEAHuBnMpQ ++30lnd/gWrHwjLrXQ+EwtxYzMjSDkfRxr0UQ0YuzDNzsVP0azylC06BUlcAvVgiX ++61BiUapw+37EORuAaHOlob0nobmFND7peN0YglQuBeSdqK3cbdP/u9jffGr2H99 +bONJgO7LSp05PXa79CEi8sydmKYiH1pSLAzRiQnh +-----END EC PRIVATE KEY----- +" "1a" "1b" "1c" +"-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VuBCIEIACiKGKr1nm2eobXvsI3HrWNKR5wEVAIf7KaCmDPxsJR +-----END PRIVATE KEY----- +" "1e" "1f" + "20" "21" "22" "23" "24" "25" "26" "27" "28" "29" "2a" "2b" "2c" "2d" "2e" "2f" + "30" "31" "32" "33" "34" "35" "36" "37" "38" "39" "3a" "3b" "3c" "3d" "3e" "3f" + "40" "41" "42" "43" "44" "45" "46" "47" "48" "49" "4a" "4b" "4c" "4d" "4e" "4f" + "50" "51" "52" "53" "54" "55" "56" "57" "58" "59" "5a" "5b" "5c" "5d" "5e" "5f" + "60" "61" "62" "63" "64" "65" "66" "67" "68" "69" "6a" "6b" "6c" "6d" "6e" "6f" + "70" "71" "72" "73" "74" "75" "76" "77" "78" "79" "7a" "7b" "7c" "7d" "7e" "7f" + "80" "81" "82" "83" "84" "85" "86" "87" "88" "89" "8a" "8b" "8c" "8d" "8e" "8f" + "90" "91" "92" "93" "94" "95" "96" "97" "98" "99" "9a" "9b" "9c" "9d" "9e" "9f" + "a0" "a1" "a2" "a3" "a4" "a5" "a6" "a7" "a8" "a9" "aa" "ab" "ac" "ad" "ae" "af" + "b0" "b1" "b2" "b3" "b4" "b5" "b6" "b7" 
"b8" "b9" "ba" "bb" "bc" "bd" "be" "bf" + "c0" "c1" "c2" "c3" "c4" "c5" "c6" "c7" "c8" "c9" "ca" "cb" "cc" "cd" "ce" "cf" + "d0" "d1" "d2" "d3" "d4" "d5" "d6" "d7" "d8" "d9" "da" "db" "dc" "dd" "de" "df" + "e0" "e1" "e2" "e3" "e4" "e5" "e6" "e7" "e8" "e9" "ea" "eb" "ec" "ed" "ee" "ef" + "f0" "f1" "f2" "f3" "f4" "f5" "f6" "f7" "f8" "f9" "fa" "fb" "fc" "fd" "fe" "ff" + "-----BEGIN PRIVATE KEY----- +MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhKFyX//////////8C +AQIEggEEAoIBAHxYskjJGeKwSGdAf//JLxPmGRGP6Uylmt12QX5w1FfFXQVJdrsY +unjdqhTwgV1vTZ1QApd0uZB//q8ZNNM8SZK0elY4ZJsHJAIdJ/ROmvPvkMCkU0fK +S/uUHroP6tEDyKF+v7ooiBF2KXS5CkOYRTKhiOBaWGsdhiFIkd+O7oY6oyhPxPNT +2zQEdhIu3ZgFG/ZcscdliMPMmZnKvt/dF4yV8RnCHl3MRDRdL/3McDAb4z89bWqR +HRexppcgNa9lhOvR+nF/55NCzT3KwkFPQODQmMRH3bzmME+48HZrFcaaom3/DGt+ +EC+vidtEr4YW86tV6jvig5+uNR1mIKpE8N4= +-----END PRIVATE KEY----- +" +"-----BEGIN PRIVATE KEY----- +MIIDJgIBADCCAZcGCSqGSIb3DQEDATCCAYgCggGBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhH8/c3jVbO2UZA1u8 +NPTe+ZwCOGG0b8nW5skHetkdJpH39+5ZjLD6wYbZHK7+EwmFE5JwtBMMk7xDeUT0 +/URS4tdN02Ty4h5x9Uv/XK6Cq5yd9p7obSvFIjY6DavFIZebDeraHb+aQtXESE4K +vNBr+lPd7zwbIO4/1Z18JeQdK2bGLjf//////////wIBAgSCAYQCggGAV6hlUz0f +RwpauhaumL+dFJQcZHgYghHX9JfNDZv1uMzkTiKxgVutrtFmfHoaTaYNgw+HEQSF +ZRnGzyOXb14/ZoGWo727N4T5usOqINFcHIeAbPiRimo0mwS7ivYKxEFBaw4N7OyE 
+zfNKAYWNQe0J+R2FLMKBSbJ+b1nGQ/cUSQDffDpKSUS94+XxwxcvNaCv9Ygtkvnl +e/t61L/0eQu/nmi0o7PzR4brmyVTXGnj2LujG/KOtIB4pXQ1GqrvsYLB3pCUTDdA +E0heXfpYGZJK10ByMkWmOuH3pCuI8C+7+Bh7JwQAXUtSpZ+hp1Bz7v1PKwY/3fG1 +2HcPXp85q5N9x9zYZv1vmwFAd0nTdoWdtMbiEJxhCdr6sRpi1+KPg6W3Kqtfcv2f +ZZC6MwVFtxogjzIlXt68O7HRH7Adz+DGhEeZqdxIQpaQR50p4LF7gqQ/mzXq8oCe +XKC3XxrfV5h3OrPEL/zNTd2pzh3LLQB349aOHNz1F+3YPyPlvwOsXkeT +-----END PRIVATE KEY----- +" +"-----BEGIN PRIVATE KEY----- +MIIEJgIBADCCAhcGCSqGSIb3DQEDATCCAggCggIBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhH8/c3jVbO2UZA1u8 +NPTe+ZwCOGG0b8nW5skHetkdJpH39+5ZjLD6wYbZHK7+EwmFE5JwtBMMk7xDeUT0 +/URS4tdN02Ty4h5x9Uv/XK6Cq5yd9p7obSvFIjY6DavFIZebDeraHb+aQtXESE4K +vNBr+lPd7zwbIO4/1Z18JeQdK2aeHvFub1LDFk30+3kw6eTliFe2rH1fQtafbRh3 +Y88dVQNABIf1W6V+Mcx6cTXIhu+0MYrtah4BLZ5oMqkHYAqRgTDEbcd4+XGtADgJ +KZmjM8uLehoduT1xQAA8Kk7OqfmNCswKgpHNzsl9z47JtVp/iKRrTbWoUfRBguHG +igB+XmVfav//////////AgECBIICBAKCAgBKs8VkNMjroMib7Wuw71hVoHiB7lF9 +3FQsDwU3y//RgETN2CEx8gdarvb35ldNEkypxtiaYck+a5qKVkP8uW4/AUoGlH4V +mIVz8R9e0Cewc4X8229+AgvyguaEhJHozp7EqIYEYlpLyn5GL53l2OYvBB3eH9Yi +yjYKe5vCe16Jy88oJYrS6+ybYLXHcfJsLHIppMS17KuDdH/DUiCvy5HE5fA5ufD3 +ExQImgsDa3rm8nW6NUCix9Pl4X5OkWieYE7pXBePZ8Yk8BD4JpPbhsh/9husS4XL +/IpSq+tzgXq44SKQv0o9hbkGaxR6xmTjTwOjRiqW1D/1pS/wHxZbH1qbgJSKq7Fx +6VZZjH5Hyx9Zh5p3mksa7iZ4DQXVW/8ffz+8UdVRQolVUQxXWihcU5qfdtmDEPI0 +4dRR5mI/Pk1n7lAhdyE4H/Tz0TmqItfScZvNaj6RbPbk6KOapgHFKIX7dmtPxAOv +oMMudOwsBg7md3CY08zH/XdE6O8lmVgCJQMjfwJ7QMayOKL1NYNMmUDPP0WIxOyz +5UJj3GzmNrKgYftgr2o8blEwwDbETYN/hpgTPyWl8ieVxK2bn7SX8dFXXEwSdCAt +Cg5c3H+YOc+ahx7VYXJtBDyAKuygUKnVqZ1ht6/xLUyJUxiSMZLbFKHBLkR3UuQa +HyRwI92yYN4+Zg== +-----END PRIVATE KEY----- +" +"-----BEGIN PRIVATE KEY----- 
+MIIGJgIBADCCAxcGCSqGSIb3DQEDATCCAwgCggMBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhH8/c3jVbO2UZA1u8 +NPTe+ZwCOGG0b8nW5skHetkdJpH39+5ZjLD6wYbZHK7+EwmFE5JwtBMMk7xDeUT0 +/URS4tdN02Ty4h5x9Uv/XK6Cq5yd9p7obSvFIjY6DavFIZebDeraHb+aQtXESE4K +vNBr+lPd7zwbIO4/1Z18JeQdK2aeHvFub1LDFk30+3kw6eTliFe2rH1fQtafbRh3 +Y88dVQNABIf1W6V+Mcx6cTXIhu+0MYrtah4BLZ5oMqkHYAqRgTDEbcd4+XGtADgJ +KZmjM8uLehoduT1xQAA8Kk7OqfmNCswKgpHNzsl9z47JtVp/iKRrTbWoUfRBguHG +igB+Xg3ZAgv9ZLZFA2x6Tmd9LDhTKjojukRCyvU+pju0VDKbdiTIkXvdZLHA/Uyz +jowzTHAcOs2tBlf8z+xxmx9cPk5GBB84gUf7TP20d6UkcfepqWkQuFUyLttjQNig +DvCSNQUR4wq+wf/546Juf7KfjBgwI8NYfjjaAHfZtHY+TkuUsrvBlMZlHnfK+ZLu +qsAjKigb9rOnOcEiYRaCCujbWEemfL75yQkbRi1TjNcrA3Rq539eYiksMRViqEZQ +XcgtuFQziuSfUjXJW5EXjM8t1crO9APsnRgQxicrBFs7cfnca4DWP91KjprbHmli +ppUm1DFhwaQdVw15ONrUpA4ynNDkDmX//////////wIBAgSCAwQCggMAVvLSfpPC +OJVhuOkMtOYtl6vcKtuP0RXXZYBfMFufb5gQJrEypjSIxS+kRyBjNMk3qSt9iBbG +dpSe5fuu9RtI5O5eD/UXrDNBbI2/ldLNDarV3g+hcYklzKQE6kBSWEt1soktPXEq +PIcvYFVrOtWrH3Nw0UT/brRLZ+Ea9mnRG6CCICM0K2UxMhyjDheGCVCpmZfYJycP +mx0H1SA5RI9lP+GkDm096CgAEtXqk1eej8/9F4vsEn5r48HKobXlZEBp+HFcIq7s +DqrNZkg6jRhMusGjVM7mpFuyt0D5LIshsDBHjwkULJUX9Zd7pcVizbHbst2rpi8u +n7H908pdRFvdQYfvjBwvewl7DwZoFOsL+qA5Jo1MtfgpgegouKsS3jmyRSmY4wLp +uOjv6S1//A1sctJNwXlMI7/3IcONT3bmOwNnyvUeFJE4+lnYeClEpAsrCegcljQa +UNOeSKR1x9ctvzlWaBM5EP2daF0JiYdo3Ug/YISDX5dJFOW4gWz95W8Ii9//6zim +8LgA2/NP5IJBs0DPQxVbEVUI0wRPYMI4aZBm2n5bQFQKI95FQfv8ncKSul/fuTtY +du8INZR6ogMpWdDSz5UsIMwjLzXfg30ehcCyy9ebkDtiPDr8++HrwWKGVvuQaa4p +rPiac3fF1+DCHVKwxRsqM1zgDzNtI59Y9wb85kyPRsHTuG5kR3KUMUUYWmbuuMG6 +3yMm7K3hJhlhfiO8hIWt+ZJJHCIEJOFK7FJbsZWmFbS6ukcl1uwlmQzote2aFfYA +5fsL7VeUaXKkJPKY3p05rvHJkayUpxn+oamOA1qW4eVYzio/ZiRtaUNLbmOvb0pU 
+Z1fyypnlaVzAVynoIF43LfbJ7cdpfnoz6hd//SVA742kuQMA4VeQoXLh6dX1/qZV +8QF7gNjLxgJoqGssaOUwxdxcXqMl+9JUBL/LtvxYs1xcrzla/tj+26XcPT+/tIWR +89TyyCWVPBvFLeWfG5+iIXT0X6g8zJP6d9QCL+2F3yStbJngWCZtFDFD +-----END PRIVATE KEY----- +" +"-----BEGIN PRIVATE KEY----- +MIIIJgIBADCCBBcGCSqGSIb3DQEDATCCBAgCggQBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhH8/c3jVbO2UZA1u8 +NPTe+ZwCOGG0b8nW5skHetkdJpH39+5ZjLD6wYbZHK7+EwmFE5JwtBMMk7xDeUT0 +/URS4tdN02Ty4h5x9Uv/XK6Cq5yd9p7obSvFIjY6DavFIZebDeraHb+aQtXESE4K +vNBr+lPd7zwbIO4/1Z18JeQdK2aeHvFub1LDFk30+3kw6eTliFe2rH1fQtafbRh3 +Y88dVQNABIf1W6V+Mcx6cTXIhu+0MYrtah4BLZ5oMqkHYAqRgTDEbcd4+XGtADgJ +KZmjM8uLehoduT1xQAA8Kk7OqfmNCswKgpHNzsl9z47JtVp/iKRrTbWoUfRBguHG +igB+Xg3ZAgv9ZLZFA2x6Tmd9LDhTKjojukRCyvU+pju0VDKbdiTIkXvdZLHA/Uyz +jowzTHAcOs2tBlf8z+xxmx9cPk5GBB84gUf7TP20d6UkcfepqWkQuFUyLttjQNig +DvCSNQUR4wq+wf/546Juf7KfjBgwI8NYfjjaAHfZtHY+TkuUsrvBlMZlHnfK+ZLu +qsAjKigb9rOnOcEiYRaCCujbWEemfL75yQkbRi1TjNcrA3Rq539eYiksMRViqEZQ +XcgtuFQziuSfUjXJW5EXjM8t1crO9APsnRgQxicrBFs7cfnca4DWP91KjprbHmli +ppUm1DFhwaQdVw15ONrUpA4ynM/0aqo2rQBM9gDIOB5CWjHZUa5k/bI/zslQnUNo +f+tp7dHMXguMw732SxDvhrYxQqOriClVWy90fJMmZcssDxzAG9cCKTiIOdKvBeRU +UErHi3WCgihGwLo1w19cWRYMwEb9glFUH8aMnIawIrtwmYdqRg50UaipMQlwP+4c +IX5sOCblLFGqaR4OQjz8menjFlDBIXtiSBbNrZqV+dW4AZSI2cCgof4wdaV34jGD ++B1KPy+kVx78jOC6ik/otoVd/nKwpm7e0vur++WKMPr6vhxdcah+L3Qe+MH+hv6m +u/3lMGd/DZfRHUn3qEQ9CCLlBqn0YU4BHiqUg4/4jNaMi7fFxkJM//////////8C +AQIEggQEAoIEAFBZTkIN/znN/euu0INkB365wc9kj/ibO/Hj3mHLa+NHoaKH4A33 +kd3WQCjRmLnLZHlodMbrgJ8vxHtKdeFiv4i1gefsv0aVv7zX9Sp3zpRJC/bhNJkz +BsVJwwp9b+OPfc13d2vb3ZsVyqmfUO6NdMz1x9cEiR+wrpJjrMbWqByliAkByI5w +Znlm/aLrwOWOZ0lkY2SzB5qDcNM/I9m7Uk9pW3Q0GugWC/PMzv/+VCMb/Q56pABX 
+310qNm0AZov4cBWz5qtD8AQ+cZWBndX4ydL+jLT5n5SwrXR3z8biCBdJWpxpKeVJ +3Dal4LC1UcuJDuwtxswlm+AzfVJI3eiKL5uwsSbIg0Ls7bk7FO1LWGHbGwbL+eof +TijrETwUgsBNiLdmLeDtfWBTDAH3kZnBpZjRhCgIRuRUleTRevvnMtBXR9td5Lkj +N4quHZbx0S9novQLV7EF6+mNW0fddbHxC6mK0C3vCGCTLUTjFoyW6DJMInUYrerO +kTEyH0JCMrA/mIGmU4QR7dXuMPJiTwg+TS3jZYmwa4nL5hES7Ssf9PSaqdyV2ZzU +/oVLTfIuvpFbcidZF7j2DFaObtV6ZjqegufOaNJmTItWJzNJ31s0ZUGwXLq5jygh +HMAW+uzNVX5nv7ezvjOANrOAosSDN1zFVRrUBOilaKbvguwp1fym2bnqiCFD1tKw +CMgtTOTwP8/j1XAMlD/Afu/VTJls3IY3r6ANoCX8hLTXK3ykcewV2irV4nB+8p09 +KhhWSr3zF0qj5Keo33oMUnEaN2eIeIUegXKxpp4WtT4JEUE0ritZF8SzZmoHkANw +dgtDm8Ryx/SaZ+QwrqhVFOsSU8TgvIHc455j4M1o8DBAdUiTbXniYlSNslzbvfbK +57uJbPwrw/Op3DzFvZPnOx5vfnDsR9qOmAknfNfgKtEFc0AAno5BiyaiIlHuBUte +TS5AsCL7q4Q9ybS7WehGOWOwHzZEa7DlUJ1kqjFCxBXgYMEKSbwKF5vHpp6x2O3x +0OPzODz1JGoRT5yYXY3UiboRlkldet4NPNufg4MoKW6XooLXq/bIVQNSZtg1gBO6 +ipWJlxpfmPhjOdljGlXsstvaazESsMaff5xG8dIIOb+yMFh6DC6GElU49GGzfnAe +EB+RNHS/o8boRFQn4r6/KiVCODk0qGK3TvYStsjXo93vA+KfJwSsqtckwX+wcl5l +mWWvMF+iHQ+gL4L1hz7hH/m7UZGy+o/7mi7lKDSPLvSlGwzzdWcvEQj4Hv4IHQQh +eeSHdeSwhqaL1XjP6JXa+IEY/wXzwIMHohtw+epFwLZhg8NFxkzHUpCKLDZrEDc8 +Y9zPgF69gpA9VpStqLAqHxBvEm4BYFoFyfw= +-----END PRIVATE KEY----- +" "105" "106" "107" "108" "109" "10a" "10b" "10c" "10d" "10e" "10f" ) From 27d0570fb5f15e1636e571b166d9879a62e15e82 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 21 Mar 2017 12:44:03 +0100 Subject: [PATCH 03/17] - changed performance debugging options (small solution) so that the last delta is being shown - PS4 improved: has now a performance debugging options (big solution) - PS4 with proper alignment - SCAN_TIME is now global so that it can be used not only by JSON-PRETTY (small performance debugging options uses it) - prepare_debug() has now debugging stuff only, rest went to prepare_arrays() --- testssl.sh | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/testssl.sh b/testssl.sh index 38fe297..62b0169 100755 --- a/testssl.sh 
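Review bot: `TLS13_KEY_SHARES` stores fixed PEM private keys in the repository, and nothing in the file says that this is deliberate. The array name suggests they are the client side of TLS 1.3 key shares sent while probing, and the placeholder entries look like the hex value of their own index, so the keys seem to sit at their named-group number; both are inferences that a header comment should confirm. I would add above the array something like `# Fixed, publicly known key pairs, used only to build key shares for test handshakes. Never use them to protect real traffic.` and a line stating what the index means. The file is also created with mode 100755 although it only holds `readonly` assignments; 100644 would fit a file that is presumably sourced rather than run.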
+++ b/testssl.sh @@ -78,7 +78,8 @@ # debugging help: -readonly PS4='${LINENO}> ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' +#readonly PS4='${LINENO}> $(date "+%s.%N")\011 ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' +readonly PS4='|$(date "+%s.%N")\011${LINENO}>\011${FUNCNAME[0]:+${FUNCNAME[0]}(): }' # make sure that temporary files are cleaned up after use in ANY case trap "cleanup" QUIT EXIT @@ -260,14 +261,16 @@ GET_REQ11="" readonly UA_STD="TLS tester from $SWURL" readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0" FIRST_FINDING=true # Is this the first finding we are outputting to file? -START_TIME=0 -END_TIME=0 +START_TIME=0 # time in epoch when the action started +END_TIME=0 # .. ended +SCAN_TIME=0 # diff of both: total scan time +LAST_TIME=0 # only used for performance measurements (MEASURE_TIME=true) # Devel stuff, see -q below TLS_LOW_BYTE="" HEX_CIPHER="" -SERVER_COUNTER=0 # Counter for multiple servers +SERVER_COUNTER=0 # Counter for multiple servers #################### SEVERITY #################### INFO=0 @@ -787,7 +790,6 @@ strip_quote() { #################### JSON FILE FORMATING #################### fileout_pretty_json_header() { - START_TIME=$(date +%s) target="$NODE" $do_mx_all_ips && target="$URI" @@ -802,9 +804,8 @@ fileout_pretty_json_header() { } fileout_pretty_json_footer() { - local scan_time=$((END_TIME - START_TIME)) echo -e " ], - \"scanTime\" : \"$scan_time\"\n}" + \"scanTime\" : \"$SCAN_TIME\"\n}" } fileout_json_header() { @@ -10795,7 +10796,6 @@ maketempf() { } prepare_debug() { - local hexc mac ossl_ciph ossl_supported_tls="" ossl_supported_sslv2="" if [[ $DEBUG -ne 0 ]]; then cat >$TEMPDIR/environment.txt << EOF 
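Review bot: The new `PS4` runs `$(date "+%s.%N")` for every traced line, so a `set -x` run forks one extra process per command and the timestamps it prints include that overhead. `%N` is also a GNU date extension; other `date` implementations typically print it literally, which would leave a non-numeric timestamp in the trace. Consider assigning the timestamped prompt only when `date +%N` yields digits, e.g. guarded by `[[ "$(date +%N)" =~ ^[0-9]+$ ]]`, and keeping the previous `PS4` otherwise. The commented-out variant above the new line can then be dropped.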
@@ -10873,6 +10873,12 @@ EOF $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' &>$TEMPDIR/all_local_ciphers.txt fi # see also $TEMPDIR/s_client_has.txt from find_openssl_binary +} + + +prepare_arrays() { + local hexc mac ossl_ciph + local ossl_supported_tls="" ossl_supported_sslv2="" if [[ -e $CIPHERS_BY_STRENGTH_FILE ]]; then "$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)" @@ -12284,8 +12290,15 @@ reset_hostdepended_vars() { SERVER_SIZE_LIMIT_BUG=false } +# rough estimate, in the future we maybe want to make use of nano secs (%N) +# note this is for performance debugging purposes (MEASURE_TIME=yes), so eye candy is not important time_right_align() { - "$MEASURE_TIME" && printf "%${COLUMNS}s" "$START_TIME + $(($(date +%s) - START_TIME )) " + local new_delta + + "$MEASURE_TIME" || return + new_delta=$(( $(date +%s) - LAST_TIME )) + printf "%${COLUMNS}s" "$new_delta" + LAST_TIME=$(( $new_delta + LAST_TIME )) } lets_roll() { @@ -12293,7 +12306,8 @@ lets_roll() { local section_number=1 START_TIME=$(date +%s) - "$MEASURE_TIME" && printf "%${COLUMNS}s" "$START_TIME + $(($(date +%s) - START_TIME )) " + LAST_TIME=$START_TIME + time_right_align [[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" 2 nodeip_to_proper_ip6 @@ -12378,8 +12392,11 @@ lets_roll() { outln END_TIME=$(date +%s) + SCAN_TIME=$((END_TIME - START_TIME)) datebanner " Done" + "$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME" + return $ret } @@ -12396,6 +12413,7 @@ set_color_functions maketempf find_openssl_binary prepare_debug +prepare_arrays mybanner check_proxy check4openssl_oldfarts From 43463da4fc3b6272ee9c7a5f5180ce26d561a9d8 Mon Sep 17 00:00:00 2001 
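Review bot: `"$MEASURE_TIME" || return` in the rewritten `time_right_align()` returns the status of the failed test, so the function exits 1 whenever measurement is off, which is the default. Nothing visible here checks that status, but every `… && time_right_align` list then ends non-zero on a normal run; `"$MEASURE_TIME" || return 0` states the intent. `printf "%${COLUMNS}s"` also degrades to a plain `%s` when `COLUMNS` is unset or empty, as can happen in a non-interactive shell, so a fallback such as `"%${COLUMNS:-80}s"` would keep the column stable.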
From: Dirk Date: Wed, 22 Mar 2017 16:02:48 +0100 Subject: [PATCH 04/17] improvements for performance measurements (small solution) - in gerneral better performance measurements , starts from the real beginning (almost) - allows results to put into file (MEASURE_TIME_FILE=google.txt testssl.sh google.com) --- testssl.sh | 75 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 43 insertions(+), 32 deletions(-) diff --git a/testssl.sh b/testssl.sh index 62b0169..798c89d 100755 --- a/testssl.sh +++ b/testssl.sh @@ -191,7 +191,12 @@ HAD_SLEPT=0 CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) FNAME=${FNAME:-""} # file name to read commands from IKNOW_FNAME=false -MEASURE_TIME=${MEASURE_TIME:-false} +MEASURE_TIME_FILE=${MEASURE_TIME_FILE:-""} +if [[ -n "$MEASURE_TIME_FILE" ]] && [[ -z "$MEASURE_TIME" ]]; then + MEASURE_TIME=true +else + MEASURE_TIME=${MEASURE_TIME:-false} +fi # further global vars just declared here readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1" @@ -12298,6 +12303,7 @@ time_right_align() { "$MEASURE_TIME" || return new_delta=$(( $(date +%s) - LAST_TIME )) printf "%${COLUMNS}s" "$new_delta" + [[ -e "$MEASURE_TIME_FILE" ]] && echo "$1 : $new_delta " >> $MEASURE_TIME_FILE LAST_TIME=$(( $new_delta + LAST_TIME )) } @@ -12305,9 +12311,14 @@ lets_roll() { local ret local section_number=1 - START_TIME=$(date +%s) - LAST_TIME=$START_TIME - time_right_align + if [[ "$1" == init ]]; then + # called once upfront to be able to measure preperation time b4 everything starts + START_TIME=$(date +%s) + LAST_TIME=$START_TIME + [[ -n "$MEASURE_TIME_FILE" ]] && >$MEASURE_TIME_FILE + return 0 + fi + time_right_align initialized [[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" 2 nodeip_to_proper_ip6 
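Review bot: `>> $MEASURE_TIME_FILE` is unquoted in the line added to `time_right_align()`, and the same holds for `>$MEASURE_TIME_FILE` in the `init` branch of `lets_roll()` and for the `Total` line at its end. The path comes straight from the environment, so a name with spaces or glob characters makes the redirection fail or point elsewhere; quote it as `>> "$MEASURE_TIME_FILE"`. The `init` branch also truncates whatever the variable names before the command line has been parsed, so an existing file is emptied without a check. `time_right_align()` starts outside this hunk.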
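Review bot: `START_TIME` is now set only in the `init` branch, which main calls once, while `SCAN_TIME=$(( END_TIME - START_TIME ))` is still computed at the end of every `lets_roll()` run. If `lets_roll()` is called once per server, as `SERVER_COUNTER` suggests, the scan time of the second and later servers (and the `scanTime` JSON field that PATCH 03 switched to `SCAN_TIME`) would include everything that ran before them. Setting only `LAST_TIME=$(date +%s)` in `init` and keeping `START_TIME=$(date +%s)` on the normal path would preserve the per-run value. Using the literal first argument `init` as a mode switch also deserves a comment, since `$1` is otherwise passed on to `determine_service`. The body of `lets_roll()` continues outside this hunk.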
@@ -12323,22 +12334,21 @@ lets_roll() { # all top level functions now following have the prefix "run_" fileout_section_header $section_number false && ((section_number++)) - $do_protocols && { run_protocols; ret=$(($? + ret)); } - $do_spdy && { run_spdy; ret=$(($? + ret)); } - $do_http2 && { run_http2; ret=$(($? + ret)); } - ( $do_protocols || $do_spdy || $do_http2 ) && time_right_align + $do_protocols && { run_protocols; ret=$(($? + ret)); time_right_align run_protocols; } + $do_spdy && { run_spdy; ret=$(($? + ret)); time_right_align run_spdy; } + $do_http2 && { run_http2; ret=$(($? + ret)); time_right_align run_http2; } fileout_section_header $section_number true && ((section_number++)) - $do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); } && time_right_align + $do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); time_right_align run_std_cipherlists; } fileout_section_header $section_number true && ((section_number++)) - $do_pfs && { run_pfs; ret=$(($? + ret)); } && time_right_align + $do_pfs && { run_pfs; ret=$(($? + ret)); time_right_align run_pfs; } fileout_section_header $section_number true && ((section_number++)) - $do_server_preference && { run_server_preference; ret=$(($? + ret)); } && time_right_align + $do_server_preference && { run_server_preference; ret=$(($? + ret)); time_right_align run_server_preference; } fileout_section_header $section_number true && ((section_number++)) - $do_server_defaults && { run_server_defaults; ret=$(($? + ret)); } && time_right_align + $do_server_defaults && { run_server_defaults; ret=$(($? + ret)); time_right_align run_server_defaults; } if $do_header; then #TODO: refactor this into functions @@ -12353,7 +12363,7 @@ lets_roll() { run_cookie_flags "$URL_PATH" run_more_flags "$URL_PATH" run_rp_banner "$URL_PATH" - time_right_align + time_right_align do_header fi else ((section_number++)) 
@@ -12366,36 +12376,37 @@ lets_roll() { fi fileout_section_header $section_number true && ((section_number++)) - $do_heartbleed && { run_heartbleed; ret=$(($? + ret)); } && time_right_align - $do_ccs_injection && { run_ccs_injection; ret=$(($? + ret)); } && time_right_align - $do_renego && { run_renego; ret=$(($? + ret)); } && time_right_align - $do_crime && { run_crime; ret=$(($? + ret)); } && time_right_align - $do_breach && { run_breach "$URL_PATH" ; ret=$(($? + ret)); } && time_right_align - $do_ssl_poodle && { run_ssl_poodle; ret=$(($? + ret)); } && time_right_align - $do_tls_fallback_scsv && { run_tls_fallback_scsv; ret=$(($? + ret)); } && time_right_align - $do_sweet32 && { run_sweet32; ret=$(($? + ret)); } && time_right_align - $do_freak && { run_freak; ret=$(($? + ret)); } && time_right_align - $do_drown && { run_drown ret=$(($? + ret)); } && time_right_align - $do_logjam && { run_logjam; ret=$(($? + ret)); } && time_right_align - $do_beast && { run_beast; ret=$(($? + ret)); } && time_right_align - $do_lucky13 && { run_lucky13; ret=$(($? + ret)); } && time_right_align - $do_rc4 && { run_rc4; ret=$(($? + ret)); } && time_right_align + $do_heartbleed && { run_heartbleed; ret=$(($? + ret)); time_right_align run_heartbleed; } + $do_ccs_injection && { run_ccs_injection; ret=$(($? + ret)); time_right_align run_ccs_injection; } + $do_renego && { run_renego; ret=$(($? + ret)); time_right_align run_renego; } + $do_crime && { run_crime; ret=$(($? + ret)); time_right_align run_crime; } + $do_breach && { run_breach "$URL_PATH" ; ret=$(($? + ret)); time_right_align run_breach; } + $do_ssl_poodle && { run_ssl_poodle; ret=$(($? + ret)); time_right_align run_ssl_poodle; } + $do_tls_fallback_scsv && { run_tls_fallback_scsv; ret=$(($? + ret)); time_right_align run_tls_fallback_scsv; } + $do_sweet32 && { run_sweet32; ret=$(($? + ret)); time_right_align run_sweet32; } + $do_freak && { run_freak; ret=$(($? 
+ ret)); time_right_align run_freak; } + $do_drown && { run_drown ret=$(($? + ret)); time_right_align run_drown; } + $do_logjam && { run_logjam; ret=$(($? + ret)); time_right_align run_logjam; } + $do_beast && { run_beast; ret=$(($? + ret)); time_right_align run_beast; } + $do_lucky13 && { run_lucky13; ret=$(($? + ret)); time_right_align run_lucky13; } + $do_rc4 && { run_rc4; ret=$(($? + ret)); time_right_align run_rc4; } fileout_section_header $section_number true && ((section_number++)) - $do_allciphers && { run_allciphers; ret=$(($? + ret)); } && time_right_align - $do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); } && time_right_align + $do_allciphers && { run_allciphers; ret=$(($? + ret)); time_right_align run_allciphers; } + $do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); time_right_align run_cipher_per_proto; } fileout_section_header $section_number true && ((section_number++)) - $do_client_simulation && { run_client_simulation; ret=$(($? + ret)); } && time_right_align + $do_client_simulation && { run_client_simulation; ret=$(($? + ret)); time_right_align run_client_simulation; } fileout_section_footer true outln END_TIME=$(date +%s) - SCAN_TIME=$((END_TIME - START_TIME)) + SCAN_TIME=$(( END_TIME - START_TIME )) datebanner " Done" "$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME" + [[ -e "$MEASURE_TIME_FILE" ]] && echo "Total : $SCAN_TIME " >> $MEASURE_TIME_FILE return $ret } @@ -12404,7 +12415,7 @@ lets_roll() { ################# main ################# - +lets_roll init initialize_globals parse_cmd_line "$@" html_header From 9ad1492236b34268a818eba7d55043be591ddadc Mon Sep 17 00:00:00 2001 
From: David Cooper Date: Wed, 22 Mar 2017 15:18:38 -0400 Subject: [PATCH 05/17] Cleanup extraction of TLS extensions Currently there is code to extract TLS extensions in three places, in `get_server_certificate()` and two places in `determine_tls_extensions()`. This PR replaces them with one new function, `extract_new_tls_extensions()`. In order for the new function to work correctly whether OpenSSL or `tls_sockets()` is being used, this PR also changes `parse_tls_serverhello()` so that extensions are formatted in the file it creates in the same way as they are formatted by OpenSSL. --- testssl.sh | 148 ++++++++++++++++++++++++++--------------------------- 1 file changed, 72 insertions(+), 76 deletions(-) diff --git a/testssl.sh b/testssl.sh index 798c89d..92ec191 100755 --- a/testssl.sh +++ b/testssl.sh 
@@ -5075,6 +5075,30 @@ sclient_connect_successful() { return 1 } +extract_new_tls_extensions() { + local tls_extensions + + # this is not beautiful (grep+sed) + # but maybe we should just get the ids and do a private matching, according to + # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml + tls_extensions=$(grep -a 'TLS server extension ' "$1" | \ + sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ + -e 's/,.*$/,/g' -e 's/),$/\"/g' \ + -e 's/elliptic curves\/#10/supported_groups\/#10/g') + tls_extensions=$(echo $tls_extensions) # into one line + + if [[ -n "$tls_extensions" ]]; then + # check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS + while read -d "\"" -r line; do + if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then + #FIXME: This is a string of quoted strings, so this seems to deterime the output format already. Better e.g. would be an array + TLS_EXTENSIONS+=" \"${line}\"" + fi + done <<<$tls_extensions + [[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}" + fi +} + # Note that since, at the moment, this function is only called by run_server_defaults() # and run_heartbleed(), this function does not look for the status request or NPN # extensions. For run_heartbleed(), only the heartbeat extension needs to be detected. @@ -5117,7 +5141,7 @@ determine_tls_extensions() { success=$? fi [[ $success -eq 2 ]] && success=0 - [[ $success -eq 0 ]] && tls_extensions="$(grep -a 'TLS Extensions: ' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" | sed 's/TLS Extensions: //' )" + [[ $success -eq 0 ]] && extract_new_tls_extensions "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" if [[ -r "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" ]]; then cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE tmpfile_handle $FUNCNAME.txt 
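Review bot: `extract_new_tls_extensions()` declares only `tls_extensions` as local, but its `read` loop assigns `line`, so the function writes to the caller's or the global `line`; add `local line`. The duplicate check `[[ ! "$TLS_EXTENSIONS" =~ "$line" ]]` is a literal substring match, so a new entry whose text is contained in a stored one (for example one ending in `/#1` inside one ending in `/#10`, should the names agree) is treated as already present; matching with the surrounding quotes, `[[ ! "$TLS_EXTENSIONS" =~ "\"$line\"" ]]`, avoids that. The function also has no header comment: it should say that `$1` is the file to scan for `TLS server extension` lines and that new entries are appended to the global `TLS_EXTENSIONS`.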
@@ -5144,24 +5168,9 @@ determine_tls_extensions() { sclient_connect_successful $? $TMPFILE success=$? fi - if [[ $success -eq 0 ]]; then - tls_extensions=$(grep -a 'TLS server extension ' $TMPFILE | \ - sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ - -e 's/,.*$/,/g' -e 's/),$/\"/g' \ - -e 's/elliptic curves\/#10/supported_groups\/#10/g') - tls_extensions=$(echo $tls_extensions) # into one line - fi + [[ $success -eq 0 ]] && extract_new_tls_extensions $TMPFILE tmpfile_handle $FUNCNAME.txt fi - if [[ -n "$tls_extensions" ]]; then - # check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS - while read -d "\"" -r line; do - if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then - TLS_EXTENSIONS+=" \"${line}\"" - fi - done <<<$tls_extensions - [[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}" - fi return $success } @@ -5170,7 +5179,7 @@ determine_tls_extensions() { get_server_certificate() { local protocols_to_try proto addcmd local success - local npn_params="" tls_extensions line + local npn_params="" line local savedir local nrsaved 
@@ -5246,25 +5255,7 @@ get_server_certificate() { GOST_STATUS_PROBLEM=true fi fi - #tls_extensions=$(awk -F'"' '/TLS server extension / { printf "\""$2"\" " }' $TMPFILE) - # - # this is not beautiful (grep+sed) - # but maybe we should just get the ids and do a private matching, according to - # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml - tls_extensions=$(grep -a 'TLS server extension ' $TEMPDIR/tlsext.txt | \ - sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ - -e 's/,.*$/,/g' -e 's/),$/\"/g' \ - -e 's/elliptic curves\/#10/supported_groups\/#10/g') - tls_extensions=$(echo $tls_extensions) # into one line - - # check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS - while read -d "\"" -r line; do - if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then -#FIXME: This is a string of quoted strings, so this seems to deterime the output format already. Better e.g. would be an array - TLS_EXTENSIONS+=" \"${line}\"" - fi - done <<<$tls_extensions - [[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}" + extract_new_tls_extensions $TMPFILE # Place the server's certificate in $HOSTCERT and any intermediate # certificates that were provided in $TEMPDIR/intermediatecerts.pem 
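Review bot: The call `extract_new_tls_extensions $TMPFILE` reads a different file than the code it replaces, which grepped `$TEMPDIR/tlsext.txt`, while the commit message describes only a consolidation. The hunk does not show where either file is written, so please confirm that `$TMPFILE` holds the `TLS server extension` lines at this point; if it does not, TLS_EXTENSIONS would no longer be updated from this handshake. The argument should also be quoted, `extract_new_tls_extensions "$TMPFILE"`, as in the 5141 hunk; the same applies to the call added in the 5168 hunk. The body of `get_server_certificate()` continues outside the hunk.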
@@ -7812,23 +7803,23 @@ parse_tls_serverhello() { return 1 fi case $extension_type in - 0000) tls_extensions+=" \"server name/#0\"" ;; - 0001) tls_extensions+=" \"max fragment length/#1\"" ;; - 0002) tls_extensions+=" \"client certificate URL/#2\"" ;; - 0003) tls_extensions+=" \"trusted CA keys/#3\"" ;; - 0004) tls_extensions+=" \"truncated HMAC/#4\"" ;; - 0005) tls_extensions+=" \"status request/#5\"" ;; - 0006) tls_extensions+=" \"user mapping/#6\"" ;; - 0007) tls_extensions+=" \"client authz/#7\"" ;; - 0008) tls_extensions+=" \"server authz/#8\"" ;; - 0009) tls_extensions+=" \"cert type/#9\"" ;; - 000A) tls_extensions+=" \"supported_groups/#10\"" ;; - 000B) tls_extensions+=" \"EC point formats/#11\"" ;; - 000C) tls_extensions+=" \"SRP/#12\"" ;; - 000D) tls_extensions+=" \"signature algorithms/#13\"" ;; - 000E) tls_extensions+=" \"use SRTP/#14\"" ;; - 000F) tls_extensions+=" \"heartbeat/#15\"" ;; - 0010) tls_extensions+=" \"application layer protocol negotiation/#16\"" + 0000) tls_extensions+="TLS server extension \"server name\" (id=0), len=$extension_len\n" ;; + 0001) tls_extensions+="TLS server extension \"max fragment length\" (id=1), len=$extension_len\n" ;; + 0002) tls_extensions+="TLS server extension \"client certificate URL\" (id=2), len=$extension_len\n" ;; + 0003) tls_extensions+="TLS server extension \"trusted CA keys\" (id=3, len=$extension_len\n)" ;; + 0004) tls_extensions+="TLS server extension \"truncated HMAC\" (id=4), len=$extension_len\n" ;; + 0005) tls_extensions+="TLS server extension \"status request\" (id=5), len=$extension_len\n" ;; + 0006) tls_extensions+="TLS server extension \"user mapping\" (id=6), len=$extension_len\n" ;; + 0007) tls_extensions+="TLS server extension \"client authz\" (id=7), len=$extension_len\n" ;; + 0008) tls_extensions+="TLS server extension \"server authz\" (id=8), len=$extension_len\n" ;; + 0009) tls_extensions+="TLS server extension \"cert type\" (id=9), len=$extension_len\n" ;; + 000A) tls_extensions+="TLS 
server extension \"supported_groups\" (id=10), len=$extension_len\n" ;; + 000B) tls_extensions+="TLS server extension \"EC point formats\" (id=11), len=$extension_len\n" ;; + 000C) tls_extensions+="TLS server extension \"SRP\" (id=12), len=$extension_len\n" ;; + 000D) tls_extensions+="TLS server extension \"signature algorithms\" (id=13), len=$extension_len\n" ;; + 000E) tls_extensions+="TLS server extension \"use SRTP\" (id=14), len=$extension_len\n" ;; + 000F) tls_extensions+="TLS server extension \"heartbeat\" (id=15), len=$extension_len\n" ;; + 0010) tls_extensions+="TLS server extension \"application layer protocol negotiation\" (id=16), len=$extension_len\n" if [[ $extension_len -lt 4 ]]; then debugme echo "Malformed application layer protocol negotiation extension." return 1 
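Review bot: The `0003` arm has its closing parenthesis in the wrong place: it emits `(id=3, len=$extension_len\n)` where every other arm emits `(id=N), len=$extension_len\n`. The sed in `extract_new_tls_extensions()` relies on the `),` sequence to restore the closing quote, so this entry would come out as `"trusted CA keys/#3,` with no closing quote. The stray `)` would land at the start of the following line after `echo -e`, which would throw off the quote-delimited `read -d "\""` loop for the entries after it. Changed line: `0003) tls_extensions+="TLS server extension \"trusted CA keys\" (id=3), len=$extension_len\n" ;;`. The case statement starts and ends outside this hunk.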
@@ -7851,24 +7842,24 @@ parse_tls_serverhello() { echo "" >> $TMPFILE echo "===============================================================================" >> $TMPFILE ;; - 0011) tls_extensions+=" \"certificate status version 2/#17\"" ;; - 0012) tls_extensions+=" \"signed certificate timestamps/#18\"" ;; - 0013) tls_extensions+=" \"client certificate type/#19\"" ;; - 0014) tls_extensions+=" \"server certificate type/#20\"" ;; - 0015) tls_extensions+=" \"TLS padding/#21\"" ;; - 0016) tls_extensions+=" \"encrypt-then-mac/#22\"" ;; - 0017) tls_extensions+=" \"extended master secret/#23\"" ;; - 0018) tls_extensions+=" \"token binding/#24\"" ;; - 0019) tls_extensions+=" \"cached info/#25\"" ;; - 0023) tls_extensions+=" \"session ticket/#35\"" ;; - 0028) tls_extensions+=" \"key share/#40\"" ;; - 0029) tls_extensions+=" \"pre-shared key/#41\"" ;; - 002A) tls_extensions+=" \"early data/#42\"" ;; - 002B) tls_extensions+=" \"supported versions/#43\"" ;; - 002C) tls_extensions+=" \"cookie/#44\"" ;; - 002D) tls_extensions+=" \"psk key exchange modes/#45\"" ;; - 002E) tls_extensions+=" \"ticket early data info/#46\"" ;; - 3374) tls_extensions+=" \"next protocol/#13172\"" + 0011) tls_extensions+="TLS server extension \"certificate status version 2\" (id=17), len=$extension_len\n" ;; + 0012) tls_extensions+="TLS server extension \"signed certificate timestamps\" (id=18), len=$extension_len\n" ;; + 0013) tls_extensions+="TLS server extension \"client certificate type\" (id=19), len=$extension_len\n" ;; + 0014) tls_extensions+="TLS server extension \"server certificate type\" (id=20), len=$extension_len\n" ;; + 0015) tls_extensions+="TLS server extension \"TLS padding\" (id=21), len=$extension_len\n" ;; + 0016) tls_extensions+="TLS server extension \"encrypt-then-mac\" (id=22), len=$extension_len\n" ;; + 0017) tls_extensions+="TLS server extension \"extended master secret\" (id=23), len=$extension_len\n" ;; + 0018) tls_extensions+="TLS server extension \"token binding\" (id=24), 
len=$extension_len\n" ;; + 0019) tls_extensions+="TLS server extension \"cached info\" (id=25), len=$extension_len\n" ;; + 0023) tls_extensions+="TLS server extension \"session ticket\" (id=35), len=$extension_len\n" ;; + 0028) tls_extensions+="TLS server extension \"key share\" (id=40), len=$extension_len\n" ;; + 0029) tls_extensions+="TLS server extension \"pre-shared key\" (id=41), len=$extension_len\n" ;; + 002A) tls_extensions+="TLS server extension \"early data\" (id=42), len=$extension_len\n" ;; + 002B) tls_extensions+="TLS server extension \"supported versions\" (id=43), len=$extension_len\n" ;; + 002C) tls_extensions+="TLS server extension \"cookie\" (id=44), len=$extension_len\n" ;; + 002D) tls_extensions+="TLS server extension \"psk key exchange modes\" (id=45), len=$extension_len\n" ;; + 002E) tls_extensions+="TLS server extension \"ticket early data info\" (id=46), len=$extension_len\n" ;; + 3374) tls_extensions+="TLS server extension \"next protocol\" (id=13172), len=$extension_len\n" local -i protocol_len echo -n "Protocols advertised by server: " >> $TMPFILE let offset=$extns_offset+12+$i @@ -7890,8 +7881,8 @@ parse_tls_serverhello() { echo "" >> $TMPFILE echo "===============================================================================" >> $TMPFILE ;; - FF01) tls_extensions+=" \"renegotiation info/#65281\"" ;; - *) tls_extensions+=" \"unrecognized extension/#$(printf "%d\n\n" "0x$extension_type")\"" ;; + FF01) tls_extensions+="TLS server extension \"renegotiation info\" (id=65281), len=$extension_len\n" ;; + *) tls_extensions+="TLS server extension \"unrecognized extension\" (id=$(printf "%d\n\n" "0x$extension_type")), len=$extension_len\n" ;; esac done fi 
@@ -7921,7 +7912,7 @@ parse_tls_serverhello() { esac echo "===============================================================================" >> $TMPFILE fi - [[ -n "$tls_extensions" ]] && echo "TLS Extensions: ${tls_extensions:1}" >> $TMPFILE + [[ -n "$tls_extensions" ]] && echo -e "$tls_extensions" >> $TMPFILE if [[ $DEBUG -ge 2 ]]; then echo "TLS server hello message:" @@ -7944,7 +7935,12 @@ parse_tls_serverhello() { esac fi if [[ -n "$tls_extensions" ]]; then - echo " tls_extensions: ${tls_extensions:1}" + echo -n " tls_extensions: " + newline_to_spaces "$(grep -a 'TLS server extension ' $TMPFILE | \ + sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ + -e 's/,.*$/,/g' -e 's/),$/\"/g' \ + -e 's/elliptic curves\/#10/supported_groups\/#10/g')" + echo "" if [[ "$tls_extensions" =~ "application layer protocol negotiation" ]]; then echo " ALPN protocol: $(grep "ALPN protocol:" "$TMPFILE" | sed 's/ALPN protocol: //')" fi From 63d02688bc668619232961c9de8d8d96801be8f3 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Wed, 22 Mar 2017 15:21:22 -0400 Subject: [PATCH 06/17] Fix typo --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 92ec191..eba3a95 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5091,7 +5091,7 @@ extract_new_tls_extensions() { # check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS while read -d "\"" -r line; do if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then - #FIXME: This is a string of quoted strings, so this seems to deterime the output format already. Better e.g. would be an array +#FIXME: This is a string of quoted strings, so this seems to determine the output format already. Better e.g. would be an array TLS_EXTENSIONS+=" \"${line}\"" fi done <<<$tls_extensions From d5bb4edd80d369781a1b7251716971bcd83fb804 Mon Sep 17 00:00:00 2001 
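Review bot: The DEBUG branch in the 7935 hunk adds another copy of the grep/sed pipeline that this patch moves into `extract_new_tls_extensions()`, so the format rewrite again lives in two places that can drift apart. Consider putting the pipeline in a small function that prints the reformatted list for a given file, and calling it both here and from `extract_new_tls_extensions()`. `$TMPFILE` in the added `grep` is unquoted; `"$TMPFILE"` would match the `grep "ALPN protocol:" "$TMPFILE"` line just below it. The body of `parse_tls_serverhello()` starts and ends outside the hunk.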
From: Dirk Date: Thu, 23 Mar 2017 16:36:29 +0100 Subject: [PATCH 07/17] * FIX #654 (no logfile when -file is specified) * filename has now instead of just the number p+# * minor polishing --- testssl.sh | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/testssl.sh b/testssl.sh index eba3a95..8433f1d 100755 --- a/testssl.sh +++ b/testssl.sh @@ -76,10 +76,10 @@ # this missing feature! The idea is if this script can't tell something # for sure it speaks up so that you have clear picture. - +DEBUGTIME=${DEBUGTIME:-false} # debugging help: -#readonly PS4='${LINENO}> $(date "+%s.%N")\011 ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' -readonly PS4='|$(date "+%s.%N")\011${LINENO}>\011${FUNCNAME[0]:+${FUNCNAME[0]}(): }' +"$DEBUGTIME" && readonly PS4='|$(date "+%s.%N")\011${LINENO}>\011${FUNCNAME[0]:+${FUNCNAME[0]}(): }' || \ + readonly PS4='|${LINENO}>\011${FUNCNAME[0]:+${FUNCNAME[0]}(): }' # make sure that temporary files are cleaned up after use in ANY case trap "cleanup" QUIT EXIT @@ -980,7 +980,7 @@ html_header() { fname_prefix="mx-$URI" else ( [[ -z "$HTMLFILE" ]] || [[ -d "$HTMLFILE" ]] ) && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now - fname_prefix="$NODE"_"$PORT" + fname_prefix="${NODE}"_p"${PORT}" fi if [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]]; then @@ -10774,7 +10774,7 @@ file output options (can also be preset via environment variables): --htmlfile additional output as HTML to the specifed file --hints additional hints to findings --severity severities with lower level will be filtered for CSV+JSON, possible values - --append if or exists rather append then overwrite + --append if , or exists rather append then overwrite Options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl . 
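Review bot: In the 76 hunk, `"$DEBUGTIME" && readonly PS4=… || readonly PS4=…` runs the value of the DEBUGTIME environment variable as a command name, so anything other than `true` or `false` is executed or fails with "command not found" at script start. Comparing the string keeps the variable as data: replace the leading `"$DEBUGTIME" &&` with `[[ "$DEBUGTIME" == true ]] &&`, or use an `if`/`else` around the two unchanged `readonly PS4=` assignments. A comment above `DEBUGTIME=${DEBUGTIME:-false}` such as `# DEBUGTIME=true prefixes every xtrace line with a date timestamp` would document what the switch is for.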
@@ -11056,14 +11056,14 @@ parse_hn_port() { NODE="$1" # strip "https" and trailing urlpath supposed it was supplied additionally - echo "$NODE" | grep -q 'https://' && NODE=$(echo "$NODE" | sed -e 's/^https\:\/\///') + grep -q 'https://' <<< "$NODE" && NODE=$(sed -e 's/^https\:\/\///' <<< "$NODE") # strip trailing urlpath - NODE=$(echo "$NODE" | sed -e 's/\/.*$//') + NODE=$(sed -e 's/\/.*$//' <<< "$NODE") # if there's a trailing ':' probably a starttls/application protocol was specified - if grep -q ':$' <<< $NODE; then - if grep -wq http <<< $NODE; then + if grep -q ':$' <<< "$NODE"; then + if grep -wq http <<< "$NODE"; then fatal "\"http\" is not what you meant probably" 1 else fatal "\"$1\" is not a valid URI" 1 @@ -11081,17 +11081,17 @@ parse_hn_port() { NODE=$(sed -e 's/\[//' -e 's/\]//' <<< "$NODE") else # determine v4 port, supposed it was supplied additionally - echo "$NODE" | grep -q ':' && \ - PORT=$(echo "$NODE" | sed 's/^.*\://') && NODE=$(echo "$NODE" | sed 's/\:.*$//') + grep -q ':' <<< "$NODE" && \ + PORT=$(sed 's/^.*\://' <<< "$NODE") && NODE=$(sed 's/\:.*$//' <<< "$NODE") fi debugme echo $NODE:$PORT SNI="-servername $NODE" - URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port - URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> / + URL_PATH=$(sed 's/https:\/\///' <<< "$1" | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port + URL_PATH=$(sed 's/\/\//\//g' <<< "$URL_PATH") # we rather want // -> / [[ -z "$URL_PATH" ]] && URL_PATH="/" debugme echo $URL_PATH - return 0 # NODE, URL_PATH, PORT is set now + return 0 # NODE, URL_PATH, PORT is set now } @@ -11100,7 +11100,7 @@ parse_hn_port() { prepare_logging() { local fname_prefix="$1" - [[ -z "$fname_prefix" ]] && fname_prefix="$NODE"_"$PORT" + [[ -z "$fname_prefix" ]] && fname_prefix="${NODE}"_p"${PORT}" if "$do_logging"; then if [[ -z "$LOGFILE" ]]; then 
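Review bot: The `URL_PATH=` line in the 11081 hunk still interpolates `${NODE}` and `${PORT}` into sed programs, and `s/.*PORT//` is greedy, so a path that contains the port digits is truncated. As a constructed example, with PORT at 443 the target `example.com/a443b` yields `b` instead of `/a443b`, and the dots in NODE act as regex wildcards. Taking the path as everything from the first slash after the scheme avoids using user-supplied text as a pattern: `URL_PATH="${1#https://}"` followed by `if [[ "$URL_PATH" == */* ]]; then URL_PATH="/${URL_PATH#*/}"; else URL_PATH=""; fi`. The existing `//` collapse and the `/` default can stay as they are. The body of `parse_hn_port()` starts outside the hunk, so please check this against the IPv6 branch.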
@@ -11111,6 +11111,7 @@ prepare_logging() { else : # just for clarity: a log file was specified, no need to do anything else fi + [[ -e $LOGFILE ]] && fatal "\"$LOGFILE\" exists. Either use \"--append\" or (re)move it" 1 >$LOGFILE tmln_out "## Scan started as: \"$PROG_NAME $CMDLINE\"" >>${LOGFILE} tmln_out "## at $HNAME:$OPENSSL_LOCATION" >>${LOGFILE} @@ -11138,7 +11139,6 @@ prepare_logging() { fi fi fileout_header # write out any CSV/JSON header line - return 0 } @@ -11896,7 +11896,7 @@ parse_opt_equal_sign() { echo ${1#*=} return 1 # = means we don't need to shift args! else - echo $2 + echo "$2" return 0 # we need to shift fi } @@ -12436,6 +12436,7 @@ if $do_display_only; then fi if $do_mass_testing; then + prepare_logging run_mass_testing exit $? fi From 13f42774aeb48d8bd768d2cf087262a8891e1744 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Thu, 23 Mar 2017 14:13:47 -0400 Subject: [PATCH 08/17] Use printf to print browser names --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 8433f1d..cb3f740 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3590,7 +3590,7 @@ run_client_simulation() { debugme tmln_out for name in "${short[@]}"; do #FIXME: printf formatting would look better, especially if we want a wide option here - out " ${names[i]} " + out " $(printf -- "%-33s" "${names[i]}")" if "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; then client_simulation_sockets "${handshakebytes[i]}" sclient_success=$? From 005fe3f27e6dd764ac7cf9f1cdf5468faf154afb Mon Sep 17 00:00:00 2001 From: David Cooper Date: Thu, 23 Mar 2017 14:15:26 -0400 Subject: [PATCH 09/17] Remove unnecessary spaces --- etc/client_simulation.txt | 86 +++++++++++++++++++-------------------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/etc/client_simulation.txt b/etc/client_simulation.txt index 938fc7e..2ac0248 100644 --- a/etc/client_simulation.txt +++ b/etc/client_simulation.txt 
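Review bot: The added check `[[ -e $LOGFILE ]] && fatal …` tells the user to pass `--append`, but nothing visible in this hunk makes the check or the truncating `>$LOGFILE` on the next line depend on an append setting. As far as the hunk shows, a run with `--append` would still abort here. If append is meant to cover the log file, guard both lines on it; otherwise drop `--append` from the message. The test-then-create sequence also leaves a window between `-e` and the redirect; `( set -o noclobber; >"$LOGFILE" ) 2>/dev/null || fatal …` makes the existence check and the creation a single step. The body of `prepare_logging()` extends outside the hunk.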
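Review bot: Only one of the two `echo` calls in `parse_opt_equal_sign()` is quoted by the 11896 hunk; `echo ${1#*=}` a few lines above is still subject to word splitting and globbing, so an `--opt=value` argument containing spaces or `*` is returned differently from the same value passed as a separate word. Quoting both and avoiding `echo` for arbitrary data keeps the two branches consistent: `printf '%s\n' "${1#*=}"` and `printf '%s\n' "$2"`. That also covers values such as `-n` that `echo` would take as an option. The function starts outside the hunk.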
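Review bot: `prepare_logging` is called without an argument in the 12436 hunk, so `fname_prefix` falls back to `"${NODE}"_p"${PORT}"` (11100 hunk). As far as this hunk shows, no target has been parsed yet on the mass-testing path, so the default log name would be built from an empty NODE. Passing an explicit prefix keeps the file name meaningful, for example one derived from the command file: `prepare_logging "${FNAME##*/}"`. Please confirm how NODE and PORT are set before this point, since the surrounding top-level code is outside the hunk.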
@@ -1,7 +1,7 @@ # Most clients are taken from Qualys SSL Labs --- From: https://api.dev.ssllabs.com/api/v3/getClients - names+=("Android 2.3.7 ") + names+=("Android 2.3.7") short+=("android_237") ciphers+=("RC4-MD5:RC4-SHA:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA") sni+=("") @@ -19,7 +19,7 @@ requiresSha2+=(false) current+=(true) - names+=("Android 4.1.1 ") + names+=("Android 4.1.1") short+=("android_411") ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") sni+=("$SNI") 
@@ -37,7 +37,7 @@ requiresSha2+=(false) current+=(true) - names+=("Android 4.2.2 ") + names+=("Android 4.2.2") short+=("android_422") ciphers+=("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") sni+=("$SNI") @@ -55,7 +55,7 @@ requiresSha2+=(false) current+=(true) - names+=("Android 4.4.2 ") + names+=("Android 4.4.2") short+=("android_442") ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") sni+=("$SNI") 
@@ -73,7 +73,7 @@ requiresSha2+=(false) current+=(true) - names+=("Android 5.0.0 ") + names+=("Android 5.0.0") short+=("android_500") ciphers+=("ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:DHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5") sni+=("$SNI") @@ -91,7 +91,7 @@ requiresSha2+=(false) current+=(true) - names+=("Android 6.0 ") + names+=("Android 6.0") short+=("android_60") ciphers+=("ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:DHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA") sni+=("$SNI") @@ -109,7 +109,7 @@ requiresSha2+=(false) current+=(true) - names+=("Android 7.0 ") + names+=("Android 7.0") short+=("android_70") ciphers+=("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") sni+=("$SNI") 
@@ -127,7 +127,7 @@ requiresSha2+=(false) current+=(true) - names+=("Baidu Jan 2015 ") + names+=("Baidu Jan 2015") short+=("baidu_jan_2015") ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-MD5:RC4-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA") sni+=("$SNI") 
@@ -145,7 +145,7 @@ requiresSha2+=(false) current+=(true) - names+=("BingPreview Jan 2015 ") + names+=("BingPreview Jan 2015") short+=("bingpreview_jan_2015") ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5") sni+=("$SNI") 
@@ -163,7 +163,7 @@ requiresSha2+=(false) current+=(false) - names+=("Chrome 48 OS X ") + names+=("Chrome 48 OS X") short+=("chrome_48_osx") ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA") sni+=("$SNI") @@ -181,7 +181,7 @@ requiresSha2+=(false) current+=(false) - names+=("Chrome 51 Win 7 ") + names+=("Chrome 51 Win 7") short+=("chrome_51_win7") ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") sni+=("$SNI") @@ -199,7 +199,7 @@ requiresSha2+=(false) current+=(true) - names+=("Edge 13 Win 10 ") + names+=("Edge 13 Win 10") short+=("edge_13_win10") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA") sni+=("$SNI") 
@@ -217,7 +217,7 @@ requiresSha2+=(false) current+=(true) - names+=("Edge 13 Win Phone 10 ") + names+=("Edge 13 Win Phone 10") short+=("edge_13_winphone10") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA") sni+=("$SNI") @@ -235,7 +235,7 @@ requiresSha2+=(false) current+=(true) - names+=("Firefox 45 Win 7 ") + names+=("Firefox 45 Win 7") short+=("firefox_45_win7") ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") sni+=("$SNI") @@ -253,7 +253,7 @@ requiresSha2+=(false) current+=(false) - names+=("Firefox 49 Win 7 ") + names+=("Firefox 49 Win 7") short+=("firefox_49_win7") ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") sni+=("$SNI") 
@@ -271,7 +271,7 @@ requiresSha2+=(false) current+=(true) - names+=("Firefox 49 XP SP3 ") + names+=("Firefox 49 XP SP3") short+=("firefox_49_xpsp3") ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") sni+=("$SNI") @@ -289,7 +289,7 @@ requiresSha2+=(false) current+=(true) - names+=("Googlebot Feb 2015 ") + names+=("Googlebot Feb 2015") short+=("googlebot_feb_2015") ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:RC4-SHA:RC4-MD5:AES128-SHA:DES-CBC3-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA") sni+=("$SNI") @@ -307,7 +307,7 @@ requiresSha2+=(false) current+=(false) - names+=("IE 11 Win 10 ") + names+=("IE 11 Win 10") short+=("ie_11_win10") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:EDH-DSS-DES-CBC3-SHA") sni+=("$SNI") 
@@ -325,7 +325,7 @@ requiresSha2+=(false) current+=(true) - names+=("IE 11 Win 7 ") + names+=("IE 11 Win 7") short+=("ie_11_win7") ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5") sni+=("$SNI") @@ -343,7 +343,7 @@ requiresSha2+=(false) current+=(true) - names+=("IE 11 Win 8.1 ") + names+=("IE 11 Win 8.1") short+=("ie_11_win81") ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA") sni+=("$SNI") @@ -361,7 +361,7 @@ requiresSha2+=(false) current+=(true) - names+=("IE 11 Win Phone 8.1 ") + names+=("IE 11 Win Phone 8.1") short+=("ie_11_winphone81") ciphers+=("AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA") sni+=("$SNI") 
@@ -379,7 +379,7 @@ requiresSha2+=(false) current+=(true) - names+=("IE 11 Win Phone 8.1 Update ") + names+=("IE 11 Win Phone 8.1 Update") short+=("ie_11_winphone81update") ciphers+=("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA") sni+=("$SNI") @@ -397,7 +397,7 @@ requiresSha2+=(false) current+=(true) - names+=("IE 6 XP ") + names+=("IE 6 XP") short+=("ie_6_xp") ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:RC4-MD5:DES-CBC3-MD5:RC2-CBC-MD5:DES-CBC-SHA:DES-CBC-MD5:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA") sni+=("") @@ -415,7 +415,7 @@ requiresSha2+=(false) current+=(true) - names+=("IE 7 Vista ") + names+=("IE 7 Vista") short+=("ie_7_vista") ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") sni+=("$SNI") @@ -433,7 +433,7 @@ requiresSha2+=(false) current+=(true) - names+=("IE 8 Win 7 ") + names+=("IE 8 Win 7") short+=("ie_8_win7") ciphers+=("AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") sni+=("$SNI") 
@@ -451,7 +451,7 @@ requiresSha2+=(false) current+=(true) - names+=("IE 8 XP ") + names+=("IE 8 XP") short+=("ie_8_xp") ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA") sni+=("") @@ -469,7 +469,7 @@ requiresSha2+=(false) current+=(true) - names+=("Java 6u45 ") + names+=("Java 6u45") short+=("java_6u45") ciphers+=("RC4-MD5:RC4-MD5:RC4-SHA:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC-SHA:DES-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA") sni+=("") @@ -487,7 +487,7 @@ requiresSha2+=(false) current+=(true) - names+=("Java 7u25 ") + names+=("Java 7u25") short+=("java_7u25") ciphers+=("ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") sni+=("$SNI") 
@@ -505,7 +505,7 @@ requiresSha2+=(false) current+=(true) - names+=("Java 8b132 ") + names+=("Java 8b132") short+=("java_8b132") ciphers+=("ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5") sni+=("$SNI") 
@@ -523,7 +523,7 @@ requiresSha2+=(false) current+=(true) - names+=("OpenSSL 1.0.1l ") + names+=("OpenSSL 1.0.1l") short+=("openssl_101l") ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5") sni+=("$SNI") 
@@ -541,7 +541,7 @@ requiresSha2+=(false) current+=(true) - names+=("OpenSSL 1.0.2e ") + names+=("OpenSSL 1.0.2e") short+=("openssl_102e") ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SH
A:DH-DSS-DES-CBC-SHA:DES-CBC-SHA") sni+=("$SNI") @@ -559,7 +559,7 @@ requiresSha2+=(false) current+=(true) - names+=("Opera 17 Win 7 ") + names+=("Opera 17 Win 7") short+=("opera_17_win7") ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:AES256-SHA:AES256-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES128-SHA256:DES-CBC3-SHA") sni+=("$SNI") @@ -577,7 +577,7 @@ requiresSha2+=(false) current+=(false) - names+=("Safari 5.1.9 OS X 10.6.8 ") + names+=("Safari 5.1.9 OS X 10.6.8") short+=("safari_519_osx1068") ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA") sni+=("$SNI") 
@@ -595,7 +595,7 @@ requiresSha2+=(false) current+=(true) - names+=("Safari 6.0.4 OS X 10.8.4 ") + names+=("Safari 6.0.4 OS X 10.8.4") short+=("safari_604_osx1084") ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA") sni+=("$SNI") @@ -613,7 +613,7 @@ requiresSha2+=(false) current+=(true) - names+=("Safari 7 OS X 10.9 ") + names+=("Safari 7 OS X 10.9") short+=("safari_7_osx109") ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES128-SHA:RC4-SHA:RC4-MD5:AES256-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA") sni+=("$SNI") 
@@ -631,7 +631,7 @@ requiresSha2+=(false) current+=(true) - names+=("Safari 8 OS X 10.10 ") + names+=("Safari 8 OS X 10.10") short+=("safari_8_osx1010") ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA:RC4-MD5") sni+=("$SNI") @@ -649,7 +649,7 @@ requiresSha2+=(false) current+=(true) - names+=("Safari 9 iOS 9 ") + names+=("Safari 9 iOS 9") short+=("safari_9_ios9") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5") sni+=("$SNI") 
@@ -667,7 +667,7 @@ requiresSha2+=(false) current+=(true) - names+=("Safari 9 OS X 10.11 ") + names+=("Safari 9 OS X 10.11") short+=("safari_9_osx1011") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5") sni+=("$SNI") @@ -685,7 +685,7 @@ requiresSha2+=(false) current+=(true) - names+=("Safari 10 OS X 10.12 ") + names+=("Safari 10 OS X 10.12") short+=("safari_10_osx1012") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA") sni+=("$SNI") @@ -703,7 +703,7 @@ requiresSha2+=(false) current+=(true) - names+=("Apple ATS 9 iOS 9 ") + names+=("Apple ATS 9 iOS 9") short+=("apple_ats_9_ios9") ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA") sni+=("$SNI") 
@@ -721,7 +721,7 @@ requiresSha2+=(true) current+=(true) - names+=("Tor 17.0.9 Win 7 ") + names+=("Tor 17.0.9 Win 7") short+=("tor_1709_win7") ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA") sni+=("$SNI") 
@@ -739,7 +739,7 @@ requiresSha2+=(false) current+=(true) - names+=("Yahoo Slurp Jan 2015 ") + names+=("Yahoo Slurp Jan 2015") short+=("yahoo_slurp_jan_2015") ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5") sni+=("$SNI") 
@@ -757,7 +757,7 @@ requiresSha2+=(false) current+=(false) - names+=("YandexBot Jan 2015 ") + names+=("YandexBot Jan 2015") short+=("yandexbot_jan_2015") ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5") sni+=("$SNI") From 7f641704029002c558b6982d8724fa44a2fd4d74 Mon Sep 17 00:00:00 2001 
From: David Cooper Date: Thu, 23 Mar 2017 16:19:21 -0400 Subject: [PATCH 10/17] Fix two minor bugs This PR fixes two minor bugs: * In `run_hpkp()`, the call to `$OPENSSL s_client` includes the option `-showcerts` twice. This PR removes one of them. * In `get_server_certificate()`, the first call to `$OPENSSL s_client` includes `$addcmd`, but `$addcmd` has not yet been initialized. Instead, `$SNI` should be used. --- testssl.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8433f1d..570402b 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1777,7 +1777,7 @@ run_hpkp() { hpkp_ca="$($OPENSSL x509 -in $HOSTCERT -issuer -noout|sed 's/^.*CN=//' | sed 's/\/.*$//')" # Get keys/hashes from intermediate certificates - $OPENSSL s_client -showcerts $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE + $OPENSSL s_client $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE # Place the server's certificate in $HOSTCERT and any intermediate # certificates that were provided in $TEMPDIR/intermediatecerts.pem # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ @@ -5228,7 +5228,7 @@ get_server_certificate() { # this all needs to be moved into determine_tls_extensions() >$TEMPDIR/tlsext.txt # first shot w/o any protocol, then in turn we collect all extensions - $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -tlsextdebug -status $ERRFILE >$TMPFILE + $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tlsextdebug -status $ERRFILE >$TMPFILE sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt for proto in $protocols_to_try; do # we could know here which protcols are supported From 3a2dd3e6d17433fa68827987b3a71cd0c319b727 Mon Sep 17 00:00:00 2001 
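Review bot: The `s_client` call in `run_hpkp()` still passes `${sni[i]}`, which looks like the same class of bug as the `$addcmd` one this patch fixes in `get_server_certificate()`. Nothing in the hunk sets `sni` or `i`; `sni` appears to be the per-client array filled by the client-simulation data, so here the expansion is probably empty or stale. If it is empty, the handshake goes out without SNI, and on a name-based virtual host the intermediate certificates collected for the pin comparison may come from a different chain than the one in `$HOSTCERT`. Unless a caller outside the hunk sets `sni[i]` on purpose, replace `${sni[i]}` with `$SNI` on that line. Both function bodies continue outside their hunks.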
From: David Cooper Date: Thu, 23 Mar 2017 16:43:04 -0400 Subject: [PATCH 11/17] Fixing a third minor bug When HTML output is not being created, the print functions last step is to call `html_out()`, which responds to `return` rather than `return 0`. This causes problems for lines of code that rely on receiving a return value of 0. For example: ``` [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LUCKY13 vulnerability " && outln ``` --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 570402b..3e1fd56 100755 --- a/testssl.sh +++ b/testssl.sh @@ -569,7 +569,7 @@ html_reserved(){ } html_out() { - "$do_html" || return + "$do_html" || return 0 [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] && printf -- "%b" "${1//%/%%}" >> "$HTMLFILE" # here and other printf's: a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%'. '--' and %b do the rest. } From 9a86825ec23ccd6809e089bcb4b4f86b488e0e51 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 24 Mar 2017 11:37:06 -0400 Subject: [PATCH 12/17] Fix client simulation In `create_client_simulation_tls_clienthello()` the variable `sni_extension_found` should be set if the ClientHello includes an SNI extension. Instead it was being set if and only if the ClientHello included some extension other than SNI. This bug wasn't detected before for two reasons: * It is rare to have a ClientHello that includes an SNI extension, but no other extensions. * The code still works correctly if `sni_extension_found` is set even if there is no SNI in the ClientHello. So, the bug only creates a problem if the browser's ClientHello include an SNI extension and no other extensions (see "BingPreview Jun 2014" in the client_simulation branch). --- testssl.sh | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/testssl.sh b/testssl.sh index bd344b8..40078af 100755 
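Review bot: `html_out()` can still return non-zero after this fix: when `$do_html` is true but `$HTMLFILE` is empty or a directory, the function's status is that of the failed `[[ ... ]]` test on its last line, so the `outln && pr_headlineln ...` chains quoted in the commit message break in that case as well. Adding an explicit `return 0` after the `printf` line makes the return value unconditional. Separately, with a `"%b"` format the argument is data, so `${1//%/%%}` writes doubled percent signs into the HTML file, and `%b` expands backslash sequences in whatever text is passed in. If any of that text can originate from the scanned server, that expansion deserves a comment or an escape step; whether callers depend on it is not visible here.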
--- a/testssl.sh
+++ b/testssl.sh
@@ -3388,29 +3388,31 @@ create_client_simulation_tls_clienthello() { len_extensions=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") offset=$offset+4 for (( 1; offset < tls_handshake_ascii_len; 1 )); do - extension_type="${tls_handshake_ascii:$offset:4}" - offset=$offset+4 - len_extension=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") + extension_type="${tls_handshake_ascii:$offset:4}" + offset=$offset+4 + len_extension=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") - if [[ "$extension_type" != "0000" ]]; then + if [[ "$extension_type" != "0000" ]]; then # The extension will just be copied into the revised ClientHello - sni_extension_found=true offset=$offset-4 len=$len_extension+8 tls_extensions+="${tls_handshake_ascii:$offset:$len}" offset=$offset+$len - elif [[ -n "$SNI" ]]; then - # Create a server name extension that corresponds to $SNI - len_servername=${#NODE} - hexdump_format_str="$len_servername/1 \"%02x\"" - servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}") - # convert lengths we need to fill in from dec to hex: - len_servername_hex=$(printf "%02x\n" $len_servername) - len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) - len_sni_ext=$(printf "%02x\n" $((len_servername+5))) - tls_extensions+="000000${len_sni_ext}00${len_sni_listlen}0000${len_servername_hex}${servername_hexstr}" - offset=$offset+$len_extension+4 - fi + else + sni_extension_found=true + if [[ -n "$SNI" ]]; then + # Create a server name extension that corresponds to $SNI + len_servername=${#NODE} + hexdump_format_str="$len_servername/1 \"%02x\"" + servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}") + # convert lengths we need to fill in from dec to hex: + len_servername_hex=$(printf "%02x\n" $len_servername) + len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) + len_sni_ext=$(printf "%02x\n" $((len_servername+5))) + tls_extensions+="000000${len_sni_ext}00${len_sni_listlen}0000${len_servername_hex}${servername_hexstr}" + 
offset=$offset+$len_extension+4 + fi + fi done if ! $sni_extension_found; then From 8d60e870409e015269b396e7560d04a1a0dbb90b Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 24 Mar 2017 16:45:39 -0400 Subject: [PATCH 13/17] Fix std_cipherlists with debug `std_cipherlists()` does not include line breaks between tests in the output to the terminal when `$DEBUG` is 1, and it does not include line break between tests in the HTML output whenever `$DEBUG` is greater than 0. --- testssl.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index 40078af..e498792 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2368,7 +2368,7 @@ std_cipherlists() { ;; esac tmpfile_handle $FUNCNAME.$debugname.txt - [[ $DEBUG -ge 1 ]] && out " -- $1" || outln #FIXME: should be in standard output at some time + [[ $DEBUG -ge 1 ]] && outln " -- $1" || outln #FIXME: should be in standard output at some time else singlespaces=$(sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g' <<< "$2") if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then @@ -2378,8 +2378,6 @@ std_cipherlists() { fi fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)" fi - # we need 1 x lf in those cases: - debugme echo } From 4ae1597b2b7f58579c75d8239390dbcce925d116 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 25 Mar 2017 12:26:08 +0100 Subject: [PATCH 14/17] FIX #543 --- testssl.sh | 58 ------------------------------------------------------ 1 file changed, 58 deletions(-) diff --git a/testssl.sh b/testssl.sh index 40078af..e7d4b3b 100755 --- a/testssl.sh +++ b/testssl.sh 
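Review bot: In the new `else` branch of `create_client_simulation_tls_clienthello()`, `offset` is advanced past the server-name extension only inside `if [[ -n "$SNI" ]]`. When the template ClientHello carries that extension and `$SNI` is empty, the next iteration reads the extension's length field as an extension type and copies misaligned bytes into `tls_extensions`. Moving `offset=$offset+$len_extension+4` out of the inner `if`, to just before the `fi` that closes the `else` branch, skips the extension in both cases. On the re-indented line `printf $NODE | hexdump ...`, the host name is used unquoted as the format string; `printf '%s' "$NODE"` keeps a `%` or backslash in the target name from being interpreted. The function starts and ends outside the hunk, and this reading assumes `offset` is declared as an integer there.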
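Review bot: `[[ $DEBUG -ge 1 ]] && outln " -- $1" || outln` in `std_cipherlists()` is an `A && B || C` chain, so the trailing `outln` also runs whenever the first `outln` returns non-zero, and the line break is then printed twice. That depends on the print helpers always returning 0, which patch 11 in this series had to repair in `html_out()`. An explicit `if [[ $DEBUG -ge 1 ]]; then outln " -- $1"; else outln; fi` prints exactly one line break whatever the helpers return. The function body extends beyond the hunk.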
@@ -4516,27 +4516,7 @@ run_server_preference() { i=$(($i + 1)) done - [[ -n "$PROXY" ]] && arg=" SPDY/NPN is" [[ -n "$STARTTLS" ]] && arg=" " - if spdy_pre " $arg" ; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY - # ALPN needs also some lines here - $OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" $SNI >$ERRFILE >$TMPFILE - if sclient_connect_successful $? $TMPFILE; then - proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g') - if [[ -z "${proto[i]}" ]]; then - cipher[i]="" - else - cipher[i]=$(get_cipher $TMPFILE) - if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ -n "${cipher[i]}" ]]; then - cipher[i]="$(openssl2rfc "${cipher[i]}")" - [[ -z "${cipher[i]}" ]] && cipher[i]=$(get_cipher $TMPFILE) - fi - [[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}" - fi - fi - else - outln # we miss for STARTTLS 1x LF otherwise - fi for i in 1 2 3 4 5 6; do if [[ -n "${cipher[i]}" ]]; then # cipher not empty 
@@ -4834,44 +4814,6 @@ cipher_pref_check() { done outln - if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS? - outln - else - npn_protos=$($OPENSSL s_client $BUGS -nextprotoneg \"\" -connect $NODEIP:$PORT $SNI >$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g') - for p in $npn_protos; do - order="" - $OPENSSL s_client $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI >$ERRFILE >$TMPFILE - cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE) - out "$(printf " %-10s " "$p:")" - tested_cipher="-"$cipher - order="$cipher " - if ! "$FAST"; then - while true; do - $OPENSSL s_client -cipher "ALL:$tested_cipher" $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI >$ERRFILE >$TMPFILE - sclient_connect_successful $? $TMPFILE || break - cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE) - tested_cipher="$tested_cipher:-$cipher" - order+="$cipher " - done - fi - if [[ -n "$order" ]] && [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then - rfc_order="" - while read -d " " cipher; do - rfc_ciph="$(openssl2rfc "$cipher")" - if [[ -n "$rfc_ciph" ]]; then - rfc_order+="$rfc_ciph " - else - rfc_order+="$cipher " - fi - done <<< "$order" - order="$rfc_order" - fi - out_row_aligned_max_width "$order" " " $TERM_WIDTH out - outln - [[ -n $order ]] && fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p: $order" - done - fi - outln tmpfile_handle $FUNCNAME.txt return 0 From 10bbbd93342f3ae07cd723d3358aa4bd68912b91 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 25 Mar 2017 13:23:21 +0100 Subject: [PATCH 15/17] minor cleanups --- testssl.sh | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/testssl.sh b/testssl.sh index ca47415..ead98f1 100755 --- a/testssl.sh +++ b/testssl.sh 
@@ -2387,9 +2387,9 @@ std_cipherlists() { socksend() { # the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do if "$HAS_SED_E"; then - data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') + data=$(sed -e 's/# .*$//g' -e 's/ //g' <<< "$1" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') else - data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -r 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') + data=$(sed -e 's/# .*$//g' -e 's/ //g' <<< "$1" | sed -r 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') fi [[ $DEBUG -ge 4 ]] && echo "\"$data\"" printf -- "$data" >&5 2>/dev/null & @@ -3463,7 +3463,6 @@ client_simulation_sockets() { sleep $USLEEP_SND sockread_serverhello 32768 - TLS_NOW=$(LC_ALL=C date "+%s") tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}" @@ -6915,10 +6914,9 @@ close_socket(){ # first: helper function for protocol checks +# arg1: formatted string here in the code code2network() { - # arg1: formatted string here in the code NW_STR=$(sed -e 's/,/\\\x/g' <<< "$1" | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t') - #TODO: just echo, no additional global var } len2twobytes() { @@ -7295,7 +7293,7 @@ parse_sslv2_serverhello() { let offset=26+$certificate_len nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) for (( i=0 ; i> $TMPFILE + echo "Supported cipher: x$(tolower "${v2_hello_ascii:offset:6}")" >> $TMPFILE let offset=$offset+6 done echo "======================================" >> $TMPFILE 
@@ -8260,7 +8258,7 @@ socksend_tls_clienthello() { local extension_session_ticket extension_next_protocol extension_padding local extension_supported_groups="" extension_supported_point_formats="" local extra_extensions extra_extensions_list="" - local offer_compression=false compression_metods + local offer_compression=false compression_methods # TLSv1.3 ClientHello messages MUST specify only the NULL compression method. [[ "$4" == "true" ]] && [[ "0x$tls_low_byte" -le "0x03" ]] && offer_compression=true @@ -8360,7 +8358,7 @@ socksend_tls_clienthello() { # Each extension should appear in the ClientHello at most once. So, # find out what extensions were provided as an argument and only use # the provided values for those extensions. - extra_extensions="$(echo "$3" | tr 'A-Z' 'a-z')" + extra_extensions="$(tolower "$3")" code2network "$extra_extensions" len_all=${#extra_extensions} for (( i=0; i < len_all; i=i+16+4*0x$len_extension_hex )); do @@ -8475,9 +8473,9 @@ socksend_tls_clienthello() { if "$offer_compression"; then # See http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml#comp-meth-ids-2 - compression_metods="03,01,40,00" # Offer NULL, DEFLATE, and LZS compression + compression_methods="03,01,40,00" # Offer NULL, DEFLATE, and LZS compression else - compression_metods="01,00" # Only offer NULL compression (0x00) + compression_methods="01,00" # Only offer NULL compression (0x00) fi TLS_CLIENT_HELLO=" @@ -8496,7 +8494,7 @@ socksend_tls_clienthello() { ,00 # Session ID length ,$len_ciph_suites_word # Cipher suites length ,$cipher_suites - ,$compression_metods" + ,$compression_methods" fd_socket 5 || return 6 From e268a1564ae091089d78d1cfebd0be6a84ea367b Mon Sep 17 00:00:00 2001 
From: Dirk Date: Sat, 25 Mar 2017 19:37:30 +0100 Subject: [PATCH 16/17] * include runtime per default in "Done" banner * enable better performance analysis * minor polish --- testssl.sh | 41 +++++++++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 10 deletions(-) diff --git a/testssl.sh b/testssl.sh index ead98f1..6737436 100755 --- a/testssl.sh +++ b/testssl.sh @@ -76,10 +76,23 @@ # this missing feature! The idea is if this script can't tell something # for sure it speaks up so that you have clear picture. -DEBUGTIME=${DEBUGTIME:-false} # debugging help: -"$DEBUGTIME" && readonly PS4='|$(date "+%s.%N")\011${LINENO}>\011${FUNCNAME[0]:+${FUNCNAME[0]}(): }' || \ - readonly PS4='|${LINENO}>\011${FUNCNAME[0]:+${FUNCNAME[0]}(): }' +readonly PS4='|${LINENO}> \011${FUNCNAME[0]:+${FUNCNAME[0]}(): }' + +DEBUGTIME=${DEBUGTIME:-false} + +if grep -q xtrace <<< "$SHELLOPTS"; then + if "$DEBUGTIME" ; then + # separate debugging, doesn't mess up the screen, $DEBUGTIME determines whether we also do performance analysis + exec 42>&2 2> >(tee /tmp/testssl-$$.log | sed -u 's/^.*$/now/' | date -f - +%s.%N >/tmp/testssl-$$.time) + # for pasting both togher see https://stackoverflow.com/questions/5014823/how-to-profile-a-bash-shell-script-slow-startup#20855353 + else + # for some reason here it still messes up the screen + exec 42>&2 2>/tmp/testssl-$$.log + BASH_XTRACEFD=42 + fi +fi + # make sure that temporary files are cleaned up after use in ANY case trap "cleanup" QUIT EXIT @@ -3471,7 +3484,7 @@ client_simulation_sockets() { hello_done=$? for(( 1 ; hello_done==1; 1 )); do - sock_reply_file2=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7 + sock_reply_file2=${SOCK_REPLY_FILE}.2 mv "$SOCK_REPLY_FILE" "$sock_reply_file2" debugme echo "requesting more server hello data..." 
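Review bot: The xtrace log paths `/tmp/testssl-$$.log` and `/tmp/testssl-$$.time` in the new `exec` lines are predictable names in a world-writable directory. On a shared host another local user can pre-create them (for example as a symlink) or read the trace afterwards, and the trace contains every expanded command line of the scan. The same path is kept by the `exec 42>| /tmp/testssl-$$.log` line in patch 17 of this series, where `>|` additionally overrides `noclobber`. I would create the file with `xtrace_log=$(mktemp /tmp/testssl-xtrace.XXXXXX) || exit 1` and redirect to `"$xtrace_log"`, or place it in the script's private temp directory if that already exists at this point. In the `$DEBUGTIME` branch all of stderr, not just the trace, is sent into the `tee` pipeline, so real error messages no longer reach the terminal.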
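Review bot: The scratch names `${SOCK_REPLY_FILE}.2` (and `${SOCK_REPLY_FILE}.3` in the following hunk) are now derived from `$SOCK_REPLY_FILE` instead of coming from `mktemp`, which is only safe if that file itself has a unique name inside a private directory; its creation is not visible in these hunks. If that holds, a comment on the assignment would record the assumption, e.g. `# safe: $SOCK_REPLY_FILE is a mktemp name inside $TEMPDIR`. The change also drops the `|| return 7` guard, so a failed `mv` now goes unnoticed; `mv "$SOCK_REPLY_FILE" "$sock_reply_file2" || return 7` keeps the old failure behaviour. `client_simulation_sockets()` starts and ends outside the hunk.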
@@ -3489,9 +3502,8 @@ client_simulation_sockets() { hello_done=0 else tls_hello_ascii+="$next_packet" - - sock_reply_file3=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7 - mv "$SOCK_REPLY_FILE" "$sock_reply_file3" + sock_reply_file3=${SOCK_REPLY_FILE}.3 + mv "$SOCK_REPLY_FILE" "$sock_reply_file3" #FIXME: we moved that already mv "$sock_reply_file2" "$SOCK_REPLY_FILE" cat "$sock_reply_file3" >> "$SOCK_REPLY_FILE" rm "$sock_reply_file3" @@ -3613,7 +3625,7 @@ run_client_simulation() { what_dh=$(awk -F',' '{ print $1 }' <<< $temp) bits=$(awk -F',' '{ print $3 }' <<< $temp) grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp) - bits=$(tr -d ' bits' <<< $bits) + bits="${bits/ bits/}" if [[ "$what_dh" == "DH" ]]; then [[ ${minDhBits[i]} -ne -1 ]] && [[ $bits -lt ${minDhBits[i]} ]] && sclient_success=1 [[ ${maxDhBits[i]} -ne -1 ]] && [[ $bits -gt ${maxDhBits[i]} ]] && sclient_success=1 @@ -4223,7 +4235,7 @@ read_dhbits_from_file() { else bits=$(awk -F',' '{ print $2 }' <<< $temp) fi - bits=$(tr -d ' bits' <<< $bits) + bits="${bits/ bits/}" if [[ "$what_dh" == "X25519" ]] || [[ "$what_dh" == "X448" ]]; then curve="$what_dh" @@ -10917,6 +10929,8 @@ cleanup () { outln "$APPEND" || fileout_footer html_footer + # debugging off, see above + grep -q xtrace <<< "$SHELLOPTS" && exec 2>&42 42>&- } fatal() { @@ -11623,7 +11637,14 @@ display_rdns_etc() { } datebanner() { - pr_reverse "$1 $(date +%F) $(date +%T) -->> $NODEIP:$PORT ($NODE) <<--" + local scan_time_f="" + + if [[ "$1" =~ Done ]] ; then + scan_time_f="$(printf "%04ss" "$SCAN_TIME")" + pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $NODEIP:$PORT ($NODE) <<--" + else + pr_reverse "$1 $(date +%F) $(date +%T) -->> $NODEIP:$PORT ($NODE) <<--" + fi outln "\n" [[ "$1" =~ Start ]] && display_rdns_etc } From c281956f6e07d22199c2eb6337fd3ea440b7c7ce Mon Sep 17 00:00:00 2001 
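Review bot: In run_client_simulation, `bits` still reaches the `-lt`/`-gt` comparisons unvalidated after the new `bits="${bits/ bits/}"`, and bash evaluates both operands of those operators inside `[[ ]]` as arithmetic expressions. `$temp` is filled outside this hunk; if it is derived from the peer's handshake output, a digits-only check such as `[[ "$bits" =~ ^[[:space:]]*[0-9]+$ ]]` before the comparisons would keep a malformed field out of arithmetic context. The expansion removes only the first literal ` bits`, so any other blank in the field is now kept, where `tr -d ' bits'` deleted every space. The identical change in read_dhbits_from_file (next hunk) deserves the same check.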
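Review bot: `printf "%04ss" "$SCAN_TIME"` in datebanner applies the `0` flag to a string conversion, for which printf's behaviour is not defined, so the padding character can differ between platforms. `SCAN_TIME` is set outside this hunk; if it is always a whole number of seconds, `printf "%04ds" "$SCAN_TIME"` states the intent and zero-pads everywhere. Patch 17/17 only adds a comment to this line and leaves the format unchanged.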
From: Dirk Date: Sun, 26 Mar 2017 19:34:02 +0200 Subject: [PATCH 17/17] ifix xtrace --- testssl.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index 6737436..f38c079 100755 --- a/testssl.sh +++ b/testssl.sh @@ -87,9 +87,8 @@ if grep -q xtrace <<< "$SHELLOPTS"; then exec 42>&2 2> >(tee /tmp/testssl-$$.log | sed -u 's/^.*$/now/' | date -f - +%s.%N >/tmp/testssl-$$.time) # for pasting both togher see https://stackoverflow.com/questions/5014823/how-to-profile-a-bash-shell-script-slow-startup#20855353 else - # for some reason here it still messes up the screen - exec 42>&2 2>/tmp/testssl-$$.log - BASH_XTRACEFD=42 + exec 42>| /tmp/testssl-$$.log + BASH_XTRACEFD=42 fi fi @@ -11640,7 +11639,7 @@ datebanner() { local scan_time_f="" if [[ "$1" =~ Done ]] ; then - scan_time_f="$(printf "%04ss" "$SCAN_TIME")" + scan_time_f="$(printf "%04ss" "$SCAN_TIME")" # 4 digits because of windows pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $NODEIP:$PORT ($NODE) <<--" else pr_reverse "$1 $(date +%F) $(date +%T) -->> $NODEIP:$PORT ($NODE) <<--"
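Review bot: With the `else` branch now opening the log directly on fd 42 (`exec 42>| /tmp/testssl-$$.log`) and leaving fd 2 untouched, the restore added to `cleanup()` in patch 16/17, `exec 2>&42 42>&-`, no longer undoes anything in this branch. It points stderr at the log file instead, so anything written to stderr after that point lands in the log rather than on the terminal. cleanup() is not part of this patch, so the two have to be brought in line, for example by restoring stderr only when `$DEBUGTIME` is true and otherwise just closing the descriptor with `exec 42>&-`.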