mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-31 22:09:44 +01:00
Only update DH_GROUP_OFFERED for non-TLSv1.3 ciphers
run_logjam() is only related to TLSv1.2 and earlier ciphers. So, run_pfs() should only update $DH_GROUP_OFFERED if a DH group was found using a non-TLSv1.3 cipher. On the other hand, if run_logjam() happened to have been run first, and it found an ffdhe cipher, then there is no need for run_pfs() to test for it.
parent
df6870a92b
commit
e0021c0416
@ -8800,6 +8800,7 @@ run_pfs() {
|
||||
nr_curves=0
|
||||
for curve in "${ffdhe_groups_output[@]}"; do
|
||||
supported_curve[nr_curves]=false
|
||||
[[ "$DH_GROUP_OFFERED" =~ "$curve" ]] && supported_curve[nr_curves]=true
|
||||
nr_curves+=1
|
||||
done
|
||||
protos_to_try=""
|
||||
@ -8827,6 +8828,10 @@ run_pfs() {
|
||||
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
|
||||
curve_found="${temp#*, }"
|
||||
curve_found="${curve_found%%,*}"
|
||||
if [[ "$proto" == "03" ]] && [[ -z "$DH_GROUP_OFFERED" ]] && [[ "$curve_found" =~ ffdhe ]]; then
|
||||
DH_GROUP_OFFERED="RFC7919/$curve_found"
|
||||
DH_GROUP_LEN_P="${curve_found#ffdhe}"
|
||||
fi
|
||||
[[ ! "$curve_found" =~ ffdhe ]] && break
|
||||
for (( i=0; i < nr_curves; i++ )); do
|
||||
! "${supported_curve[i]}" && [[ "${ffdhe_groups_output[i]}" == "$curve_found" ]] && break
|
||||
@ -8855,9 +8860,6 @@ run_pfs() {
|
||||
key_bitstring="$(awk '/-----BEGIN PUBLIC KEY/,/-----END PUBLIC KEY/ { print $0 }' $TEMPDIR/$NODEIP.parse_tls_serverhello.txt)"
|
||||
get_common_prime "$jsonID" "$key_bitstring" ""
|
||||
[[ $? -eq 0 ]] && curves_offered="$DH_GROUP_OFFERED" && len_dh_p=$DH_GROUP_LEN_P
|
||||
elif [[ -n "$curves_offered" ]]; then
|
||||
DH_GROUP_OFFERED="$curves_offered"
|
||||
[[ ! "$curves_offered" =~ \ ]] && DH_GROUP_LEN_P="${DH_GROUP_OFFERED#ffdhe}"
|
||||
fi
|
||||
if [[ -n "$curves_offered" ]]; then
|
||||
if [[ ! "$curves_offered" =~ ffdhe ]] || [[ ! "$curves_offered" =~ \ ]]; then
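Review bot: In the second hunk (`@ -8827,6 +8828,10`), `curve_found` is cut out of the `Server Temp Key` line of the parsed ServerHello, and the `if` that appears to be new accepts it on an unanchored `=~ ffdhe`. Any string that merely contains `ffdhe` would therefore be stored in `DH_GROUP_OFFERED`, and could leave a non-numeric `DH_GROUP_LEN_P` after `${curve_found#ffdhe}`. Going by the commit description, run_logjam() appears to rely on these globals, so I would tighten the test to `[[ "$curve_found" =~ ^ffdhe[0-9]+$ ]]`. A short comment such as `# proto 03 = TLS 1.2: run_logjam() only covers pre-TLSv1.3 ciphers; only the first group found is kept` would also explain the `"$proto" == "03"` and `-z "$DH_GROUP_OFFERED"` guards, which otherwise read as arbitrary. run_pfs() begins and ends outside the visible hunks, so how the loop continues after this block could not be checked.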