mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
commit
cc8c02d653
53
testssl.sh
53
testssl.sh
@ -10250,6 +10250,7 @@ run_fs() {
|
|||||||
local -a supported_curve
|
local -a supported_curve
|
||||||
local -i nr_supported_ciphers=0 nr_curves=0 nr_ossl_curves=0 i j low high
|
local -i nr_supported_ciphers=0 nr_curves=0 nr_ossl_curves=0 i j low high
|
||||||
local fs_ciphers curves_offered="" curves_to_test temp
|
local fs_ciphers curves_offered="" curves_to_test temp
|
||||||
|
local curves_option="" curves_list1="" curves_list2=""
|
||||||
local len1 len2 curve_found
|
local len1 len2 curve_found
|
||||||
local key_bitstring quality_str
|
local key_bitstring quality_str
|
||||||
local -i len_dh_p quality
|
local -i len_dh_p quality
|
||||||
@ -10318,6 +10319,12 @@ run_fs() {
|
|||||||
tls_sockets "04" "${fs_hex_cipher_list:2}, 00,ff"
|
tls_sockets "04" "${fs_hex_cipher_list:2}, 00,ff"
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
||||||
|
# Sometimes a TLS 1.3 ClientHello will fail, but a TLS 1.2 ClientHello will succeed. See #2131.
|
||||||
|
if [[ $sclient_success -ne 0 ]]; then
|
||||||
|
tls_sockets "03" "${fs_hex_cipher_list:2}, 00,ff"
|
||||||
|
sclient_success=$?
|
||||||
|
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
debugme echo $nr_supported_ciphers
|
debugme echo $nr_supported_ciphers
|
||||||
debugme echo $(actually_supported_osslciphers $fs_cipher_list "ALL")
|
debugme echo $(actually_supported_osslciphers $fs_cipher_list "ALL")
|
||||||
@ -10327,10 +10334,39 @@ run_fs() {
|
|||||||
fileout "$jsonID" "WARN" "tests skipped as you only have $nr_supported_ciphers FS ciphers on the client site. ($CLIENT_MIN_FS are required)"
|
fileout "$jsonID" "WARN" "tests skipped as you only have $nr_supported_ciphers FS ciphers on the client site. ($CLIENT_MIN_FS are required)"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
# By default, OpenSSL 1.1.1 and above only include a few curves in the ClientHello, so in order
|
||||||
|
# to test all curves, the -curves option must be added. In addition, OpenSSL limits the number of
|
||||||
|
# curves that can be specified to 28. So, if more than 28 curves are supported, then the curves must
|
||||||
|
# be tested in batches.
|
||||||
|
curves_list1="$(strip_trailing_space "$(strip_leading_space "$OSSL_SUPPORTED_CURVES")")"
|
||||||
|
curves_list1="${curves_list1// / }"
|
||||||
|
if [[ "$(count_words "$OSSL_SUPPORTED_CURVES")" -gt 28 ]]; then
|
||||||
|
# Place the first 28 supported curves in curves_list1 and the remainder in curves_list2.
|
||||||
|
curves_list2="${curves_list1#* * * * * * * * * * * * * * * * * * * * * * * * * * * * }"
|
||||||
|
curves_list1="${curves_list1%$curves_list2}"
|
||||||
|
curves_list1="$(strip_trailing_space "$curves_list1")"
|
||||||
|
curves_list2="${curves_list2// /:}"
|
||||||
|
fi
|
||||||
|
curves_list1="${curves_list1// /:}"
|
||||||
$OPENSSL s_client $(s_client_options "-cipher $fs_cipher_list -ciphersuites ALL $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-cipher $fs_cipher_list -ciphersuites ALL $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ $sclient_success -eq 0 ]] && [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]] && sclient_success=1
|
[[ $sclient_success -eq 0 ]] && [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]] && sclient_success=1
|
||||||
|
# Sometimes a TLS 1.3 ClientHello will fail, but a TLS 1.2 ClientHello will succeed. See #2131.
|
||||||
|
if [[ $sclient_success -ne 0 ]]; then
|
||||||
|
curves_option="-curves $curves_list1"
|
||||||
|
$OPENSSL s_client $(s_client_options "-cipher $fs_cipher_list $curves_option $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
|
sclient_connect_successful $? $TMPFILE
|
||||||
|
sclient_success=$?
|
||||||
|
[[ $sclient_success -eq 0 ]] && [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]] && sclient_success=1
|
||||||
|
if [[ $sclient_success -ne 0 ]] && [[ -n "$curves_list2" ]]; then
|
||||||
|
curves_option="-curves $curves_list2"
|
||||||
|
$OPENSSL s_client $(s_client_options "-cipher $fs_cipher_list $curves_option $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
|
sclient_connect_successful $? $TMPFILE
|
||||||
|
sclient_success=$?
|
||||||
|
[[ $sclient_success -eq 0 ]] && [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]] && sclient_success=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $sclient_success -ne 0 ]]; then
|
if [[ $sclient_success -ne 0 ]]; then
|
||||||
@ -10352,11 +10388,19 @@ run_fs() {
|
|||||||
fi
|
fi
|
||||||
if "$HAS_TLS13"; then
|
if "$HAS_TLS13"; then
|
||||||
protos_to_try="-no_ssl2 -no_tls1_3"
|
protos_to_try="-no_ssl2 -no_tls1_3"
|
||||||
|
! "$using_sockets" && [[ -z "$curves_option" ]] && protos_to_try+=" curves1-no_tls1_3"
|
||||||
|
! "$using_sockets" && [[ -z "$curves_option" ]] && [[ -n "$curves_list2" ]] && protos_to_try+=" curves2-no_tls1_3"
|
||||||
else
|
else
|
||||||
protos_to_try="-no_ssl2"
|
protos_to_try="-no_ssl2"
|
||||||
|
! "$using_sockets" && [[ -z "$curves_option" ]] && protos_to_try+=" curves1-no_ssl2"
|
||||||
|
! "$using_sockets" && [[ -z "$curves_option" ]] && [[ -n "$curves_list2" ]] && protos_to_try+=" curves2-no_ssl2"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for proto in $protos_to_try; do
|
for proto in $protos_to_try; do
|
||||||
|
# If ECDHE ciphers were already found, then no need to try
|
||||||
|
# again with a different "-curves" option.
|
||||||
|
[[ "$proto" =~ curves1 ]] && "$ecdhe_offered" && break
|
||||||
|
[[ "$proto" =~ curves2 ]] && "$ecdhe_offered" && break
|
||||||
while true; do
|
while true; do
|
||||||
ciphers_to_test=""
|
ciphers_to_test=""
|
||||||
tls13_ciphers_to_test=""
|
tls13_ciphers_to_test=""
|
||||||
@ -10370,7 +10414,12 @@ run_fs() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
[[ -z "$ciphers_to_test" ]] && [[ -z "$tls13_ciphers_to_test" ]] && break
|
[[ -z "$ciphers_to_test" ]] && [[ -z "$tls13_ciphers_to_test" ]] && break
|
||||||
$OPENSSL s_client $(s_client_options "$proto -cipher "\'${ciphers_to_test:1}\'" -ciphersuites "\'${tls13_ciphers_to_test:1}\'" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE </dev/null
|
if [[ "$proto" =~ curves1 ]]; then
|
||||||
|
curves_option="-curves $curves_list1"
|
||||||
|
elif [[ "$proto" =~ curves2 ]]; then
|
||||||
|
curves_option="-curves $curves_list2"
|
||||||
|
fi
|
||||||
|
$OPENSSL s_client $(s_client_options "-${proto#*-} -cipher "\'${ciphers_to_test:1}\'" -ciphersuites "\'${tls13_ciphers_to_test:1}\'" $curves_option $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE || break
|
sclient_connect_successful $? $TMPFILE || break
|
||||||
fs_cipher=$(get_cipher $TMPFILE)
|
fs_cipher=$(get_cipher $TMPFILE)
|
||||||
[[ -z "$fs_cipher" ]] && break
|
[[ -z "$fs_cipher" ]] && break
|
||||||
@ -10382,6 +10431,8 @@ run_fs() {
|
|||||||
if [[ "$fs_cipher" == TLS13* ]] || [[ "$fs_cipher" == TLS_* ]] || [[ "$fs_cipher" == AEAD-* ]]; then
|
if [[ "$fs_cipher" == TLS13* ]] || [[ "$fs_cipher" == TLS_* ]] || [[ "$fs_cipher" == AEAD-* ]]; then
|
||||||
fs_tls13_offered=true
|
fs_tls13_offered=true
|
||||||
"$WIDE" && kx[i]="$(read_dhtype_from_file $TMPFILE)"
|
"$WIDE" && kx[i]="$(read_dhtype_from_file $TMPFILE)"
|
||||||
|
elif [[ "$fs_cipher" == ECDHE-* ]]; then
|
||||||
|
ecdhe_offered=true
|
||||||
fi
|
fi
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
|
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
|
||||||
|
Loading…
Reference in New Issue
Block a user