The results of using sockets and using openSSL now match perfectly

2025-01-10 10:40:57 +01:00 · 2016-06-21 10:17:46 +02:00 · 2016-06-21 10:17:46 +02:00 · cf8b2f01f2
commit cf8b2f01f2
parent ca937d3b72
3 changed files with 18 additions and 16 deletions
--- a/client-simulation-data.sh
+++ b/client-simulation-data.sh
@ -1398,14 +1398,14 @@ service+=("HTTP")

 # --- testssl.sh maintained clients ---
 	     
-names+=("Mail iOS 9.3.2                ")
-short+=("mail_ios_932")
-ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5")
-sni+=("$SNI")
-warning+=("")
-handshakebytes+=("16030100bb010000b703015767e6ae46f9abf3138e26a9f9880f9697bf3387f7eff709db1fa220e692d80420fb04b0979bae1664e11ef172d4dfba15af59dd200b7831992a35c73cde9efed9003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003c000000190017000014696d61702e73656374696f6e7a65726f2e6f7267000a00080006001700180019000b0002010000050005010000000000120000")
-protos+=("-no_ssl2 -ssl3")
-tlsvers+=("-tls_1_2 -tls_1_1 -tls1")
-lowest_protocol+=("0x0300")
-highest_protocol+=("0x0304")
-service+=("SMTP,POP,IMAP")";
+#names+=("Mail iOS 9.3.2                ")
+#short+=("mail_ios_932")
+#ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5")
+#sni+=("$SNI")
+#warning+=("")
+#handshakebytes+=("16030100bb010000b703015767e6ae46f9abf3138e26a9f9880f9697bf3387f7eff709db1fa220e692d80420fb04b0979bae1664e11ef172d4dfba15af59dd200b7831992a35c73cde9efed9003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003c000000190017000014696d61702e73656374696f6e7a65726f2e6f7267000a00080006001700180019000b0002010000050005010000000000120000")
+#protos+=("-no_ssl2 -ssl3")
+#tlsvers+=("-tls_1_2 -tls_1_1 -tls1")
+#lowest_protocol+=("0x0300")
+#highest_protocol+=("0x0304")
+#service+=("SMTP,POP,IMAP")
--- a/testssl.sh
+++ b/testssl.sh
@ -155,6 +155,7 @@ SERVER_SIZE_LIMIT_BUG=false             # Some servers have either a ClientHello

 # tuning vars, can not be set by a cmd line switch
 EXPERIMENTAL=${EXPERIMENTAL:-false}
+#EXPERIMENTAL=true
 HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5}   # we wait this long before killing the process to retrieve a service banner / http header
 readonly MAX_WAITSOCK=10                # waiting at max 10 seconds for socket reply
 readonly CCS_MAX_WAITSOCK=5             # for the two CCS payload (each)
@ -2013,16 +2014,17 @@ run_client_simulation() {
          else
               #FIXME: awk
               proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
-               if [[ "$proto" == TLSv1.2 ]] && ( ! $using_sockets || [[ -z "${handshakebytes[i]}" ]] ); then
-                    # OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
+               if [[ "$proto" == TLSv1.2 || "$proto" == TLSv1 ]] && ( ! $using_sockets || [[ -z "${handshakebytes[i]}" ]] ); then
+                    # OpenSSL reports TLS1.2/TLSv1 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
                    for tls in ${tlsvers[i]}; do
-                         $OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}  </dev/null >$TMPFILE 2>$ERRFILE
-                         debugme echo "$OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}  </dev/null"
+                         $OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}  </dev/null >$TMPFILE 2>$ERRFILE
+                         debugme echo "$OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}  </dev/null"
                         sclient_connect_successful $? $TMPFILE
                         sclient_success=$?
                         if [[ $sclient_success -eq 0 ]]; then
                              case "$tls" in
                                   "-tls1_2")
+                                        proto="TLSv1.2"
                                        break
                                        ;;
                                   "-tls1_1")
--- a/utils/parse_client_ciphers.pl
+++ b/utils/parse_client_ciphers.pl
@ -137,7 +137,7 @@ print OUT
 #tlsvers+=("-tls_1_2 -tls_1_1 -tls1")
 #lowest_protocol+=("0x0300")
 #highest_protocol+=("0x0304")
-#service+=("SMTP,POP,IMAP")";
+#service+=("SMTP,POP,IMAP")
 ';

 exit;