diff --git a/testssl.sh b/testssl.sh index ebd9754..d896276 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2350,8 +2350,8 @@ run_allciphers() { pr_headlineln " Testing $nr_ciphers_tested via OpenSSL and sockets against the server, ordered by encryption strength " else pr_headlineln " Testing all $nr_ciphers_tested locally available ciphers against the server, ordered by encryption strength " - outln [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" + outln if ! "$HAS_DH_BITS"; then [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "." pr_warningln " Your $OPENSSL cannot show DH/ECDH bits" @@ -2526,8 +2526,8 @@ run_cipher_per_proto() { pr_headlineln " Testing per protocol via OpenSSL and sockets against the server, ordered by encryption strength " else pr_headlineln " Testing all locally available ciphers per protocol against the server, ordered by encryption strength " - outln [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" + outln if ! "$HAS_DH_BITS"; then [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "." pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)" @@ -9062,16 +9062,24 @@ run_freak() { run_logjam() { local -i sclient_success=0 local exportdhe_cipher_list="EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA" - local -i nr_supported_ciphers=0 - local addtl_warning="" + local exportdhe_cipher_list_hex="00,63, 00,65, 00,14, 00,11" + local -i i nr_supported_ciphers=0 + local addtl_warning="" hexc local cve="CVE-2015-4000" local cwe="CWE-310" local hint="" + local using_sockets=true + + "$SSL_NATIVE" && using_sockets=false [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln pr_bold " LOGJAM"; out " ($cve), experimental " - nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list)) + if "$using_sockets"; then + nr_supported_ciphers=$(count_words "$exportdhe_cipher_list_hex") + else + nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list)) + fi case $nr_supported_ciphers in 0) @@ -9083,16 +9091,22 @@ run_logjam() { 3) addtl_warning=" (tested w/ $nr_supported_ciphers/4 ciphers)" ;; 4) ;; esac - $OPENSSL s_client $STARTTLS $BUGS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE