introducing --fast for the impatient

This commit is contained in:
Dirk 2016-11-15 12:59:07 +01:00
parent 37933d6fa1
commit d4ed7466ce

View File

@ -151,6 +151,7 @@ DEBUG=${DEBUG:-0} # 1: normal putput the files in /tmp/ ar
# 4: display bytes sent via sockets # 4: display bytes sent via sockets
# 5: display bytes received via sockets # 5: display bytes received via sockets
# 6: whole 9 yards # 6: whole 9 yards
FAST=${FAST:-false} # preference: show only first cipher, run_allciphers with openssl instead of sockets
WIDE=${WIDE:-false} # whether to display for some options just ciphers or a table w hexcode/KX,Enc,strength etc. WIDE=${WIDE:-false} # whether to display for some options just ciphers or a table w hexcode/KX,Enc,strength etc.
LOGFILE=${LOGFILE:-""} # logfile if used LOGFILE=${LOGFILE:-""} # logfile if used
JSONFILE=${JSONFILE:-""} # jsonfile if used JSONFILE=${JSONFILE:-""} # jsonfile if used
@ -2038,9 +2039,8 @@ run_allciphers() {
local has_dh_bits="$HAS_DH_BITS" local has_dh_bits="$HAS_DH_BITS"
local using_sockets=true local using_sockets=true
if "$SSL_NATIVE" || [[ -n "$STARTTLS" ]]; then "$SSL_NATIVE" && using_sockets=false
using_sockets=false "$FAST" && using_sockets=false
fi
if "$using_sockets"; then if "$using_sockets"; then
# get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values) # get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values)
@ -2065,7 +2065,6 @@ run_allciphers() {
fi fi
done done
nr_ciphers=$TLS_NR_CIPHERS nr_ciphers=$TLS_NR_CIPHERS
sslv2_sockets "${sslv2_ciphers:2}" "true" sslv2_sockets "${sslv2_ciphers:2}" "true"
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
sslv2_supported=true sslv2_supported=true
@ -3888,7 +3887,7 @@ run_server_preference() {
fi fi
fi fi
if $has_cipher_order; then if "$has_cipher_order"; then
cipher1=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g') cipher1=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
addcmd2="" addcmd2=""
if [[ -n "$STARTTLS_OPTIMAL_PROTO" ]]; then if [[ -n "$STARTTLS_OPTIMAL_PROTO" ]]; then
@ -4195,14 +4194,16 @@ cipher_pref_check() {
out "$order" out "$order"
else else
out " $cipher" # this is the first cipher for protocol out " $cipher" # this is the first cipher for protocol
while true; do if ! "$FAST"; then
$OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE while true; do
sclient_connect_successful $? $TMPFILE || break $OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE
cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE) sclient_connect_successful $? $TMPFILE || break
out " $cipher" cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE)
order+=" $cipher" out " $cipher"
tested_cipher="$tested_cipher:-$cipher" order+=" $cipher"
done tested_cipher="$tested_cipher:-$cipher"
done
fi
fi fi
fi fi
[[ -z "$order" ]] || fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order" [[ -z "$order" ]] || fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order"
@ -4220,14 +4221,16 @@ cipher_pref_check() {
printf " %-10s %s " "$p:" "$cipher" printf " %-10s %s " "$p:" "$cipher"
tested_cipher="-"$cipher tested_cipher="-"$cipher
order="$cipher" order="$cipher"
while true; do if ! "$FAST"; then
$OPENSSL s_client -cipher "ALL:$tested_cipher" $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE while true; do
sclient_connect_successful $? $TMPFILE || break $OPENSSL s_client -cipher "ALL:$tested_cipher" $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE) sclient_connect_successful $? $TMPFILE || break
out "$cipher " cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
tested_cipher="$tested_cipher:-$cipher" out "$cipher "
order+=" $cipher" tested_cipher="$tested_cipher:-$cipher"
done order+=" $cipher"
done
fi
outln outln
[[ -n $order ]] && fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p: $order" [[ -n $order ]] && fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p: $order"
done done
@ -8605,6 +8608,8 @@ single check as <options> ("$PROG_NAME URI" does everything except -E):
-4, --rc4, --appelbaum which RC4 ciphers are being offered? -4, --rc4, --appelbaum which RC4 ciphers are being offered?
tuning / connect options (most also can be preset via environment variables): tuning / connect options (most also can be preset via environment variables):
--fast omits some checks: using openssl for all ciphers (-e), show only first
preferred cipher
--bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s --bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s
--assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks --assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
--ssl-native fallback to checks with OpenSSL where sockets are normally used --ssl-native fallback to checks with OpenSSL where sockets are normally used
@ -10197,6 +10202,9 @@ parse_cmd_line() {
--show[-_]each) --show[-_]each)
SHOW_EACH_C=true SHOW_EACH_C=true
;; ;;
--fast)
FAST=true
;;
--bugs) --bugs)
BUGS="-bugs" BUGS="-bugs"
;; ;;