Only update DH_GROUP_OFFERED for non-TLSv1.3 ciphers

run_logjam() is only related to TLSv1.2 and earlier ciphers. So, run_pfs() should only update $DH_GROUP_OFFERED if a DH group was found using a non-TLSv1.3 cipher. On the other side, if run_logjam() happened to have been run first, and it found an ffdhe cipher, then there is no need for run_pfs() to test for it.
2025-01-31 04:41:15 +01:00 · 2018-10-24 11:12:56 -04:00 · 2018-10-24 11:12:56 -04:00 · e0021c0416
commit e0021c0416
parent df6870a92b
1 changed files with 5 additions and 3 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -8800,6 +8800,7 @@ run_pfs() {
          nr_curves=0
          for curve in "${ffdhe_groups_output[@]}"; do
               supported_curve[nr_curves]=false
+               [[ "$DH_GROUP_OFFERED" =~ "$curve" ]] && supported_curve[nr_curves]=true
               nr_curves+=1
          done
          protos_to_try=""
@ -8827,6 +8828,10 @@ run_pfs() {
                    temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
                    curve_found="${temp#*, }"
                    curve_found="${curve_found%%,*}"
+                    if [[ "$proto" == "03" ]] && [[ -z "$DH_GROUP_OFFERED" ]] && [[ "$curve_found" =~ ffdhe ]]; then
+                         DH_GROUP_OFFERED="RFC7919/$curve_found"
+                         DH_GROUP_LEN_P="${curve_found#ffdhe}"
+                    fi
                    [[ ! "$curve_found" =~ ffdhe ]] && break
                    for (( i=0; i < nr_curves; i++ )); do
                         ! "${supported_curve[i]}" && [[ "${ffdhe_groups_output[i]}" == "$curve_found" ]] && break
@ -8855,9 +8860,6 @@ run_pfs() {
               key_bitstring="$(awk '/-----BEGIN PUBLIC KEY/,/-----END PUBLIC KEY/ { print $0 }' $TEMPDIR/$NODEIP.parse_tls_serverhello.txt)"
               get_common_prime "$jsonID" "$key_bitstring" ""
               [[ $? -eq 0 ]] && curves_offered="$DH_GROUP_OFFERED" && len_dh_p=$DH_GROUP_LEN_P
-          elif [[ -n "$curves_offered" ]]; then
-               DH_GROUP_OFFERED="$curves_offered"
-               [[ ! "$curves_offered" =~ \  ]] && DH_GROUP_LEN_P="${DH_GROUP_OFFERED#ffdhe}"
          fi
          if [[ -n "$curves_offered" ]]; then
               if [[ ! "$curves_offered" =~ ffdhe ]] || [[ ! "$curves_offered" =~ \  ]]; then