mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Merge pull request #2024 from dcooper16/improve_cipher_pref_check
Improve cipher_pref_check()
This commit is contained in:
commit
dc074ebdf1
102
testssl.sh
102
testssl.sh
@ -6841,14 +6841,24 @@ run_server_preference() {
|
|||||||
# arg1: true if the list that is returned does not need to be ordered by preference.
|
# arg1: true if the list that is returned does not need to be ordered by preference.
|
||||||
check_tls12_pref() {
|
check_tls12_pref() {
|
||||||
local unordered_list_ok="$1"
|
local unordered_list_ok="$1"
|
||||||
|
local chacha20_ciphers="" non_chacha20_ciphers=""
|
||||||
local batchremoved="-CAMELLIA:-IDEA:-KRB5:-PSK:-SRP:-aNULL:-eNULL"
|
local batchremoved="-CAMELLIA:-IDEA:-KRB5:-PSK:-SRP:-aNULL:-eNULL"
|
||||||
local batchremoved_success=false
|
local batchremoved_success=false
|
||||||
local tested_cipher="" cipher ciphers_to_test
|
local tested_cipher="" cipher ciphers_to_test
|
||||||
local order=""
|
local order=""
|
||||||
local -i nr_ciphers_found_r1=0 nr_ciphers_found_r2=0
|
local -i nr_ciphers_found_r1=0 nr_ciphers_found_r2=0
|
||||||
|
|
||||||
|
# Place ChaCha20 ciphers at the end of the list to avoid accidentally
|
||||||
|
# triggering the server's PrioritizeChaCha setting.
|
||||||
|
ciphers_to_test="$(actually_supported_osslciphers "ALL:$batchremoved" "" "")"
|
||||||
|
for cipher in $(colon_to_spaces "$ciphers_to_test"); do
|
||||||
|
[[ "$cipher" =~ CHACHA20 ]] && chacha20_ciphers+="$cipher:" || non_chacha20_ciphers+="$cipher:"
|
||||||
|
done
|
||||||
|
ciphers_to_test="$non_chacha20_ciphers$chacha20_ciphers"
|
||||||
|
ciphers_to_test="${ciphers_to_test%:}"
|
||||||
|
|
||||||
while true; do
|
while true; do
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS -tls1_2 $BUGS -cipher "ALL$tested_cipher:$batchremoved" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS -tls1_2 $BUGS -cipher "$ciphers_to_test:$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
if sclient_connect_successful $? $TMPFILE ; then
|
if sclient_connect_successful $? $TMPFILE ; then
|
||||||
cipher=$(get_cipher $TMPFILE)
|
cipher=$(get_cipher $TMPFILE)
|
||||||
order+=" $cipher"
|
order+=" $cipher"
|
||||||
@ -6882,7 +6892,14 @@ check_tls12_pref() {
|
|||||||
|
|
||||||
if "$batchremoved_success" && ! "$unordered_list_ok"; then
|
if "$batchremoved_success" && ! "$unordered_list_ok"; then
|
||||||
# now we combine the two cipher sets from both while loops
|
# now we combine the two cipher sets from both while loops
|
||||||
combined_ciphers="$order"
|
|
||||||
|
# Place ChaCha20 ciphers at the end of the list to avoid accidentally
|
||||||
|
# triggering the server's PrioritizeChaCha setting.
|
||||||
|
chacha20_ciphers=""; non_chacha20_ciphers=""
|
||||||
|
for cipher in $order; do
|
||||||
|
[[ "$cipher" =~ CHACHA20 ]] && chacha20_ciphers+="$cipher " || non_chacha20_ciphers+="$cipher "
|
||||||
|
done
|
||||||
|
combined_ciphers="$non_chacha20_ciphers$chacha20_ciphers"
|
||||||
order="" ; tested_cipher=""
|
order="" ; tested_cipher=""
|
||||||
while true; do
|
while true; do
|
||||||
ciphers_to_test=""
|
ciphers_to_test=""
|
||||||
@ -6921,16 +6938,15 @@ cipher_pref_check() {
|
|||||||
local proto="$1" proto_hex="$2" proto_text="$3"
|
local proto="$1" proto_hex="$2" proto_text="$3"
|
||||||
local using_sockets="$4"
|
local using_sockets="$4"
|
||||||
local wide="$5" # at the moment always = true
|
local wide="$5" # at the moment always = true
|
||||||
local tested_cipher cipher order rfc_cipher rfc_order
|
local tested_cipher cipher order="" rfc_cipher rfc_order
|
||||||
local -i i nr_ciphers nr_nonossl_ciphers num_bundles bundle_size bundle end_of_bundle success
|
local -i i nr_ciphers nr_nonossl_ciphers num_bundles bundle_size bundle end_of_bundle success
|
||||||
local -i nr_ciphers_found
|
local -i nr_ciphers_found
|
||||||
local hexc ciphers_to_test
|
local hexc ciphers_to_test cipher_list chacha20_ciphers non_chacha20_ciphers
|
||||||
local -a normalized_hexcode ciph kx enc export2 sigalg
|
local -a normalized_hexcode ciph kx enc export2 sigalg
|
||||||
local -a rfc_ciph hexcode ciphers_found="" ciphers_found2
|
local -a rfc_ciph hexcode ciphers_found="" ciphers_found2
|
||||||
local -a -i index
|
local -a -i index
|
||||||
local ciphers_found_with_sockets
|
local ciphers_found_with_sockets=false
|
||||||
|
|
||||||
order=""; ciphers_found_with_sockets=false
|
|
||||||
if [[ $proto == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
|
if [[ $proto == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
|
||||||
prln_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
prln_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
||||||
return 0
|
return 0
|
||||||
@ -6947,25 +6963,31 @@ cipher_pref_check() {
|
|||||||
ciphers_found="$order"
|
ciphers_found="$order"
|
||||||
fi
|
fi
|
||||||
if "$wide" || [[ -z "$order" ]]; then
|
if "$wide" || [[ -z "$order" ]]; then
|
||||||
|
# Place ChaCha20 ciphers at the end of the list to avoid accidentally
|
||||||
|
# triggering the server's PrioritizeChaCha setting.
|
||||||
|
cipher_list=""; chacha20_ciphers=""; non_chacha20_ciphers=""
|
||||||
|
if [[ $proto == tls1_3 ]]; then
|
||||||
|
cipher_list="$(colon_to_spaces "$TLS13_OSSL_CIPHERS")"
|
||||||
|
elif [[ -n "$ciphers_found" ]]; then
|
||||||
|
cipher_list="$ciphers_found"
|
||||||
|
else
|
||||||
|
cipher_list="$(colon_to_spaces "$(actually_supported_osslciphers "ALL:COMPLEMENTOFALL" "" "")")"
|
||||||
|
fi
|
||||||
|
for cipher in $cipher_list; do
|
||||||
|
[[ "$cipher" =~ CHACHA20 ]] && chacha20_ciphers+="$cipher " || non_chacha20_ciphers+="$cipher "
|
||||||
|
done
|
||||||
|
cipher_list="$non_chacha20_ciphers $chacha20_ciphers"
|
||||||
|
|
||||||
tested_cipher=""; order=""; nr_ciphers_found=0
|
tested_cipher=""; order=""; nr_ciphers_found=0
|
||||||
while true; do
|
while true; do
|
||||||
|
ciphers_to_test=""
|
||||||
|
for cipher in $cipher_list; do
|
||||||
|
[[ ! "$tested_cipher:" =~ :-$cipher: ]] && ciphers_to_test+=":$cipher"
|
||||||
|
done
|
||||||
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
if [[ $proto != tls1_3 ]]; then
|
if [[ $proto != tls1_3 ]]; then
|
||||||
if [[ -n "$ciphers_found" ]]; then
|
ciphers_to_test="-cipher ${ciphers_to_test:1}"
|
||||||
ciphers_to_test=""
|
|
||||||
for cipher in $ciphers_found; do
|
|
||||||
[[ ! "$tested_cipher:" =~ :-$cipher: ]] && ciphers_to_test+=":$cipher"
|
|
||||||
done
|
|
||||||
[[ -z "$ciphers_to_test" ]] && break
|
|
||||||
ciphers_to_test="-cipher ${ciphers_to_test:1}"
|
|
||||||
else
|
|
||||||
ciphers_to_test="-cipher ALL:COMPLEMENTOFALL${tested_cipher}"
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
ciphers_to_test=""
|
|
||||||
for cipher in $(colon_to_spaces "$TLS13_OSSL_CIPHERS"); do
|
|
||||||
[[ ! "$tested_cipher:" =~ :-$cipher: ]] && ciphers_to_test+=":$cipher"
|
|
||||||
done
|
|
||||||
[[ -z "$ciphers_to_test" ]] && break
|
|
||||||
ciphers_to_test="-ciphersuites ${ciphers_to_test:1}"
|
ciphers_to_test="-ciphersuites ${ciphers_to_test:1}"
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS -"$proto" $BUGS $ciphers_to_test -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS -"$proto" $BUGS $ciphers_to_test -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
@ -7004,7 +7026,7 @@ cipher_pref_check() {
|
|||||||
ciphers_found[i]=false
|
ciphers_found[i]=false
|
||||||
hexc="${TLS_CIPHER_HEXCODE[i]}"
|
hexc="${TLS_CIPHER_HEXCODE[i]}"
|
||||||
if [[ ${#hexc} -eq 9 ]]; then
|
if [[ ${#hexc} -eq 9 ]]; then
|
||||||
if [[ " $order " =~ " ${TLS_CIPHER_OSSL_NAME[i]} " ]]; then
|
if [[ " $order " =~ \ ${TLS_CIPHER_OSSL_NAME[i]}\ ]]; then
|
||||||
ciphers_found[i]=true
|
ciphers_found[i]=true
|
||||||
else
|
else
|
||||||
ciphers_found2[nr_nonossl_ciphers]=false
|
ciphers_found2[nr_nonossl_ciphers]=false
|
||||||
@ -7018,8 +7040,8 @@ cipher_pref_check() {
|
|||||||
[[ "${hexc:2:2}" != 13 ]] && nr_nonossl_ciphers+=1
|
[[ "${hexc:2:2}" != 13 ]] && nr_nonossl_ciphers+=1
|
||||||
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA256 ]] && \
|
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA256 ]] && \
|
||||||
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA384 ]] && \
|
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA384 ]] && \
|
||||||
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM" ]] && \
|
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *_CCM ]] && \
|
||||||
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM_8" ]]; then
|
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *_CCM_8 ]]; then
|
||||||
nr_nonossl_ciphers+=1
|
nr_nonossl_ciphers+=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -7074,21 +7096,45 @@ cipher_pref_check() {
|
|||||||
# If there is a SERVER_SIZE_LIMIT_BUG, then use sockets to find the cipher
|
# If there is a SERVER_SIZE_LIMIT_BUG, then use sockets to find the cipher
|
||||||
# order, but starting with the list of ciphers supported by the server.
|
# order, but starting with the list of ciphers supported by the server.
|
||||||
if "$ciphers_found_with_sockets"; then
|
if "$ciphers_found_with_sockets"; then
|
||||||
|
# Create an array of the ciphers to test with any ChaCha20
|
||||||
|
# listed last in order to avoid accidentally triggering the
|
||||||
|
# server's PriorizeChaCha setting.
|
||||||
order=""; nr_ciphers=0; nr_ciphers_found=0
|
order=""; nr_ciphers=0; nr_ciphers_found=0
|
||||||
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
||||||
|
[[ "${TLS_CIPHER_RFC_NAME[i]}" =~ CHACHA20 ]] && continue
|
||||||
|
[[ "${TLS_CIPHER_OSSL_NAME[i]}" =~ CHACHA20 ]] && continue
|
||||||
hexc="${TLS_CIPHER_HEXCODE[i]}"
|
hexc="${TLS_CIPHER_HEXCODE[i]}"
|
||||||
if "${ciphers_found[i]}" && [[ ${#hexc} -eq 9 ]]; then
|
if "${ciphers_found[i]}" && [[ ${#hexc} -eq 9 ]]; then
|
||||||
ciphers_found2[nr_ciphers]=false
|
ciphers_found2[nr_ciphers]=false
|
||||||
hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}"
|
hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}"
|
||||||
rfc_ciph[nr_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
|
rfc_ciph[nr_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
|
||||||
if [[ $proto == tls1_3 ]]; then
|
if [[ $proto == tls1_3 ]]; then
|
||||||
[[ "${hexc:2:2}" == "13" ]] && nr_ciphers+=1
|
[[ "${hexc:2:2}" == 13 ]] && nr_ciphers+=1
|
||||||
elif [[ $proto == tls1_2 ]]; then
|
elif [[ $proto == tls1_2 ]]; then
|
||||||
[[ "${hexc:2:2}" != "13" ]] && nr_ciphers+=1
|
[[ "${hexc:2:2}" != 13 ]] && nr_ciphers+=1
|
||||||
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA256 ]] && \
|
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA256 ]] && \
|
||||||
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA384 ]] && \
|
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA384 ]] && \
|
||||||
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM" ]] && \
|
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *_CCM ]] && \
|
||||||
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM_8" ]]; then
|
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *_CCM_8 ]]; then
|
||||||
|
nr_ciphers+=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
||||||
|
[[ "${TLS_CIPHER_RFC_NAME[i]}" =~ CHACHA20 ]] || [[ "${TLS_CIPHER_OSSL_NAME[i]}" =~ CHACHA20 ]] || continue
|
||||||
|
hexc="${TLS_CIPHER_HEXCODE[i]}"
|
||||||
|
if "${ciphers_found[i]}" && [[ ${#hexc} -eq 9 ]]; then
|
||||||
|
ciphers_found2[nr_ciphers]=false
|
||||||
|
hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}"
|
||||||
|
rfc_ciph[nr_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
|
||||||
|
if [[ $proto == tls1_3 ]]; then
|
||||||
|
[[ "${hexc:2:2}" == 13 ]] && nr_ciphers+=1
|
||||||
|
elif [[ $proto == tls1_2 ]]; then
|
||||||
|
[[ "${hexc:2:2}" != 13 ]] && nr_ciphers+=1
|
||||||
|
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA256 ]] && \
|
||||||
|
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA384 ]] && \
|
||||||
|
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *_CCM ]] && \
|
||||||
|
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *_CCM_8 ]]; then
|
||||||
nr_ciphers+=1
|
nr_ciphers+=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user