mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Faster version of run_allciphers()
This PR speeds up the implementation of `run_allciphers()` by introducing a number of changes: * Rather than check for implemented ciphers in a hierarchical manner (as introduced in #326), this PR follows the approach of `cipher_pref_check()`. Testing a block of ciphers, marking the selected cipher as implemented, and then testing same block of ciphers, minus those that have previously been selected, until a test fails. Thus the number of calls to `$OPENSSL s_client` is just one more than the number of ciphers implemented. (Since some servers cannot handle ClientHellos with more than 128 messages, the tests are performed on blocks of 128 or few ciphers. So, if OpenSSL supports 197 ciphers, the number of calls to `$OPENSSL s_client` is 2 plus the number of ciphers supported by the server. * If $using_sockets is true, then OpenSSL is used first to find all supported ciphers that OpenSSL supports (since OpenSSL is faster than `tls_sockets()`), and then `tls_sockets()` is only used to test those cipher suites that were not found to be supported by OpenSSL. * The `prepare_debug()` function, which reads in `$CIPHERS_BY_STRENGTH_FILE` determines which ciphers are supported by the version of OpenSSL being used. If a version of OpenSSL older than 1.0 is being used, then this is used to determine which ciphers to test using OpenSSL rather than using `$OPENSSL ciphers -V`. Following the approach of `cipher_pref_check()` reduces the number of queries to the server. Using OpenSSL before `tls_sockets()` reduces the number of calls to `tls_sockets()` to 3 plus the number of ciphers supported by the server that are not supported by OpenSSL, so the cost penalty over just using OpenSSL is fairly small.
This commit is contained in:
parent
e8ce1fcb74
commit
ea10f1ee93
338
testssl.sh
338
testssl.sh
@ -354,6 +354,7 @@ declare TLS_CIPHER_KX=()
|
|||||||
declare TLS_CIPHER_AUTH=()
|
declare TLS_CIPHER_AUTH=()
|
||||||
declare TLS_CIPHER_ENC=()
|
declare TLS_CIPHER_ENC=()
|
||||||
declare TLS_CIPHER_EXPORT=()
|
declare TLS_CIPHER_EXPORT=()
|
||||||
|
declare TLS_CIPHER_OSSL_SUPPORTED=()
|
||||||
|
|
||||||
###### output functions ######
|
###### output functions ######
|
||||||
# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest.
|
# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest.
|
||||||
@ -2026,31 +2027,34 @@ test_just_one(){
|
|||||||
|
|
||||||
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
|
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
|
||||||
run_allciphers() {
|
run_allciphers() {
|
||||||
local tmpfile
|
local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 ret
|
||||||
local -i nr_ciphers=0 ret
|
local n auth mac export hexc sslv2_ciphers="" s
|
||||||
local n auth mac export hexc sslv2_ciphers=""
|
local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported
|
||||||
local -a normalized_hexcode hexcode ciph sslvers kx enc export2
|
local -i i end_of_bundle bundle bundle_size num_bundles mod_check
|
||||||
local -i i j parent child end_of_bundle round_num bundle_size num_bundles mod_check
|
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
|
||||||
local -a ciphers_found
|
local -i -a index
|
||||||
local dhlen
|
local dhlen available ciphers_to_test supported_sslv2_ciphers addcmd=""
|
||||||
local available
|
|
||||||
local ciphers_to_test
|
|
||||||
local sslv2_supported=false
|
|
||||||
local has_dh_bits="$HAS_DH_BITS"
|
local has_dh_bits="$HAS_DH_BITS"
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
|
|
||||||
"$SSL_NATIVE" && using_sockets=false
|
"$SSL_NATIVE" && using_sockets=false
|
||||||
"$FAST" && using_sockets=false
|
"$FAST" && using_sockets=false
|
||||||
|
|
||||||
if "$using_sockets"; then
|
# get a list of all the cipher suites to test
|
||||||
# get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values)
|
if "$using_sockets" || [[ $OSSL_VER_MAJOR -lt 1 ]]; then
|
||||||
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
||||||
hexc=$(echo "${TLS_CIPHER_HEXCODE[i]}" | tr 'A-Z' 'a-z')
|
hexc="$(tolower "${TLS_CIPHER_HEXCODE[i]}")"
|
||||||
ciph[i]="${TLS_CIPHER_OSSL_NAME[i]}"
|
ciph[i]="${TLS_CIPHER_OSSL_NAME[i]}"
|
||||||
sslvers[i]="${TLS_CIPHER_SSLVERS[i]}"
|
sslvers[i]="${TLS_CIPHER_SSLVERS[i]}"
|
||||||
kx[i]="${TLS_CIPHER_KX[i]}"
|
kx[i]="${TLS_CIPHER_KX[i]}"
|
||||||
enc[i]="${TLS_CIPHER_ENC[i]}"
|
enc[i]="${TLS_CIPHER_ENC[i]}"
|
||||||
export2[i]="${TLS_CIPHER_EXPORT[i]}"
|
export2[i]="${TLS_CIPHER_EXPORT[i]}"
|
||||||
|
ciphers_found[i]=false
|
||||||
|
sigalg[i]=""
|
||||||
|
ossl_supported[i]=${TLS_CIPHER_OSSL_SUPPORTED[i]}
|
||||||
|
if "$using_sockets" && ! "$HAS_DH_BITS" && ( [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]] ); then
|
||||||
|
ossl_supported[i]=false
|
||||||
|
fi
|
||||||
if [[ ${#hexc} -eq 9 ]]; then
|
if [[ ${#hexc} -eq 9 ]]; then
|
||||||
hexcode[i]="${hexc:2:2},${hexc:7:2}"
|
hexcode[i]="${hexc:2:2},${hexc:7:2}"
|
||||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
if [[ "${hexc:2:2}" == "00" ]]; then
|
||||||
@ -2063,157 +2067,207 @@ run_allciphers() {
|
|||||||
normalized_hexcode[i]="x${hexc:2:2}${hexc:7:2}${hexc:12:2}"
|
normalized_hexcode[i]="x${hexc:2:2}${hexc:7:2}${hexc:12:2}"
|
||||||
sslv2_ciphers="$sslv2_ciphers, ${hexcode[i]}"
|
sslv2_ciphers="$sslv2_ciphers, ${hexcode[i]}"
|
||||||
fi
|
fi
|
||||||
|
if "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}"; then
|
||||||
|
nr_ciphers_tested+=1
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
nr_ciphers=$TLS_NR_CIPHERS
|
nr_ciphers=$TLS_NR_CIPHERS
|
||||||
sslv2_sockets "${sslv2_ciphers:2}" "true"
|
|
||||||
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
|
||||||
sslv2_supported=true
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
# get a list of all the cipher suites to test (only need the hexcode, ciph, sslvers, kx, enc, and export values)
|
while read hexc n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
|
||||||
while read hexcode[nr_ciphers] n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
|
ciphers_found[nr_ciphers]=false
|
||||||
|
if [[ ${#hexc} -eq 9 ]]; then
|
||||||
|
if [[ "${hexc:2:2}" == "00" ]]; then
|
||||||
|
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:7:2}")"
|
||||||
|
else
|
||||||
|
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:2:2}${hexc:7:2}")"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:2:2}${hexc:7:2}${hexc:12:2}")"
|
||||||
|
fi
|
||||||
|
sigalg[nr_ciphers]=""
|
||||||
|
ossl_supported[nr_ciphers]=true
|
||||||
nr_ciphers=$nr_ciphers+1
|
nr_ciphers=$nr_ciphers+1
|
||||||
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
|
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
|
||||||
|
nr_ciphers_tested=$nr_ciphers
|
||||||
|
fi
|
||||||
|
|
||||||
if "$HAS_SSL2"; then
|
if "$using_sockets"; then
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
|
sslv2_sockets "${sslv2_ciphers:2}" "true"
|
||||||
sclient_connect_successful "$?" "$TMPFILE"
|
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
||||||
[[ "$?" -eq 0 ]] && sslv2_supported=true
|
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
||||||
|
"$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
||||||
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
|
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ "${normalized_hexcode[i]}" ]]; then
|
||||||
|
ciphers_found[i]=true
|
||||||
|
"$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
elif "$HAS_SSL2"; then
|
||||||
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
|
sclient_connect_successful "$?" "$TMPFILE"
|
||||||
|
if [[ "$?" -eq 0 ]]; then
|
||||||
|
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
|
||||||
|
"$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
||||||
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
|
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ "${ciph[i]}" ]]; then
|
||||||
|
ciphers_found[i]=true
|
||||||
|
"$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||||
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
outln
|
outln
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
pr_headlineln " Testing $nr_ciphers via sockets against the server, ordered by encryption strength "
|
pr_headlineln " Testing $nr_ciphers_tested via OpenSSL and sockets against the server, ordered by encryption strength "
|
||||||
else
|
else
|
||||||
pr_headlineln " Testing all $nr_ciphers locally available ciphers against the server, ordered by encryption strength "
|
pr_headlineln " Testing all $nr_ciphers_tested locally available ciphers against the server, ordered by encryption strength "
|
||||||
"$HAS_DH_BITS" || pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)"
|
"$HAS_DH_BITS" || pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)"
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
neat_header
|
neat_header
|
||||||
|
|
||||||
# Split ciphers into bundles of size 4**n, starting with an "n" that
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
# splits the ciphers into 4 bundles, and then reducing "n" by one in each
|
if "${ossl_supported[i]}"; then
|
||||||
# round. Only test a bundle of 4**n ciphers against the server if it was
|
ciphers_found2[nr_ossl_ciphers]=false
|
||||||
# part of a bundle of 4**(n+1) ciphers that included a cipher supported by
|
sslvers2[nr_ossl_ciphers]="${sslvers[i]}"
|
||||||
# the server. Continue until n=0.
|
ciph2[nr_ossl_ciphers]="${ciph[i]}"
|
||||||
|
index[nr_ossl_ciphers]=$i
|
||||||
# Determine bundle size that will result in their being exactly four bundles.
|
nr_ossl_ciphers+=1
|
||||||
for (( bundle_size=1; bundle_size < nr_ciphers; bundle_size*=4 )); do
|
fi
|
||||||
:
|
|
||||||
done
|
done
|
||||||
|
|
||||||
# set ciphers_found[1] so that all bundles will be tested in round 0.
|
if [[ $nr_ossl_ciphers -eq 0 ]]; then
|
||||||
ciphers_found[1]=true
|
num_bundles=0
|
||||||
# Some servers can't handle a handshake with >= 128 ciphers.
|
else
|
||||||
for (( round_num=0; bundle_size/4 >= 128; bundle_size/=4 )); do
|
# Some servers can't handle a handshake with >= 128 ciphers. So,
|
||||||
round_num=$round_num+1
|
# test cipher suites in bundles of 128 or less.
|
||||||
for (( i=4**$round_num; i<2*4**$round_num; i++ )); do
|
num_bundles=$nr_ossl_ciphers/128
|
||||||
ciphers_found[i]=true
|
mod_check=$nr_ossl_ciphers%128
|
||||||
|
[[ $mod_check -ne 0 ]] && num_bundles=$num_bundles+1
|
||||||
|
|
||||||
|
bundle_size=$nr_ossl_ciphers/$num_bundles
|
||||||
|
mod_check=$nr_ossl_ciphers%$num_bundles
|
||||||
|
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
"$HAS_NO_SSL2" && addcmd="-no_ssl2"
|
||||||
|
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
||||||
|
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
||||||
|
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
|
||||||
|
for (( success=0; success==0 ; 1 )); do
|
||||||
|
ciphers_to_test=""
|
||||||
|
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||||
|
[[ "${sslvers2[i]}" != "SSLv2" ]] && ! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}"
|
||||||
|
done
|
||||||
|
success=1
|
||||||
|
if [[ -n "$ciphers_to_test" ]]; then
|
||||||
|
$OPENSSL s_client $addcmd -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
|
sclient_connect_successful "$?" "$TMPFILE"
|
||||||
|
if [[ "$?" -eq 0 ]]; then
|
||||||
|
cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE)
|
||||||
|
if [[ -n "$cipher" ]]; then
|
||||||
|
success=0
|
||||||
|
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||||
|
[[ "$cipher" == "${ciph2[i]}" ]] && ciphers_found2[i]=true && break
|
||||||
|
done
|
||||||
|
i=${index[i]}
|
||||||
|
ciphers_found[i]=true
|
||||||
|
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
|
||||||
|
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
|
||||||
|
kx[i]="${kx[i]} $dhlen"
|
||||||
|
fi
|
||||||
|
"$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
|
||||||
|
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
for (( bundle_size/=4; bundle_size>=1; bundle_size/=4 )); do
|
if "$using_sockets"; then
|
||||||
# Note that since the number of ciphers isn't a power of 4, the number
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
# of bundles may be may be less than 4**(round_num+1), and the final
|
if ! "${ciphers_found[i]}"; then
|
||||||
# bundle may have fewer than bundle_size ciphers.
|
ciphers_found2[nr_nonossl_ciphers]=false
|
||||||
num_bundles=$nr_ciphers/$bundle_size
|
sslvers2[nr_nonossl_ciphers]="${sslvers[i]}"
|
||||||
mod_check=$nr_ciphers%$bundle_size
|
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
|
||||||
[[ $mod_check -ne 0 ]] && num_bundles=$num_bundles+1
|
rfc_ciph2[nr_nonossl_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
|
||||||
for (( i=0; i<num_bundles; i++ )); do
|
index[nr_nonossl_ciphers]=$i
|
||||||
# parent=index of bundle from previous round that includes this bundle of ciphers
|
nr_nonossl_ciphers+=1
|
||||||
parent=4**$round_num+$i/4
|
|
||||||
# child=index for this bundle of ciphers
|
|
||||||
child=4*4**$round_num+$i
|
|
||||||
if ${ciphers_found[parent]}; then
|
|
||||||
ciphers_to_test=""
|
|
||||||
end_of_bundle=$i*$bundle_size+$bundle_size
|
|
||||||
[[ $end_of_bundle -gt $nr_ciphers ]] && end_of_bundle=$nr_ciphers
|
|
||||||
if "$using_sockets"; then
|
|
||||||
for (( j=i*bundle_size; j<end_of_bundle; j++ )); do
|
|
||||||
# Exclude the SSLv2 ciphers
|
|
||||||
hexc="${hexcode[j]}"
|
|
||||||
[[ ${#hexc} -eq 5 ]] && ciphers_to_test="${ciphers_to_test}, ${hexcode[j]}"
|
|
||||||
done
|
|
||||||
ciphers_found[child]=false
|
|
||||||
if [[ -n "${ciphers_to_test:2}" ]]; then
|
|
||||||
if [[ $bundle_size -eq 1 ]]; then
|
|
||||||
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
|
|
||||||
else
|
|
||||||
tls_sockets "03" "${ciphers_to_test:2}, 00,ff"
|
|
||||||
fi
|
|
||||||
ret=$?
|
|
||||||
if [[ $ret -eq 0 ]] || [[ $ret -eq 2 ]]; then
|
|
||||||
ciphers_found[child]=true
|
|
||||||
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
for (( j=i*bundle_size; j<end_of_bundle; j++ )); do
|
|
||||||
[[ "${sslvers[j]}" != "SSLv2" ]] && ciphers_to_test="${ciphers_to_test}:${ciph[j]}"
|
|
||||||
done
|
|
||||||
ciphers_found[child]=false
|
|
||||||
if [[ -n "${ciphers_to_test:1}" ]]; then
|
|
||||||
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
|
||||||
sclient_connect_successful "$?" "$TMPFILE"
|
|
||||||
[[ "$?" -eq 0 ]] && ciphers_found[child]=true
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# No need to test, since test of parent demonstrated none of these ciphers work.
|
|
||||||
ciphers_found[child]=false
|
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
if $sslv2_supported && [[ $bundle_size -eq 1 ]] && [[ "${sslvers[i]}" == "SSLv2" ]]; then
|
if [[ $nr_nonossl_ciphers -eq 0 ]]; then
|
||||||
if "$using_sockets"; then
|
num_bundles=0
|
||||||
if grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt" | grep -q "${normalized_hexcode[i]}"; then
|
else
|
||||||
ciphers_found[child]=true
|
# Some servers can't handle a handshake with >= 128 ciphers. So,
|
||||||
echo "" > $TMPFILE
|
# test cipher suites in bundles of 128 or less.
|
||||||
fi
|
num_bundles=$nr_nonossl_ciphers/128
|
||||||
|
mod_check=$nr_nonossl_ciphers%128
|
||||||
|
[[ $mod_check -ne 0 ]] && num_bundles=$num_bundles+1
|
||||||
|
|
||||||
|
bundle_size=$nr_nonossl_ciphers/$num_bundles
|
||||||
|
mod_check=$nr_nonossl_ciphers%$num_bundles
|
||||||
|
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
||||||
|
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
||||||
|
[[ $end_of_bundle -gt $nr_nonossl_ciphers ]] && end_of_bundle=$nr_nonossl_ciphers
|
||||||
|
for (( success=0; success==0 ; 1 )); do
|
||||||
|
ciphers_to_test=""
|
||||||
|
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||||
|
[[ "${sslvers2[i]}" != "SSLv2" ]] && ! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}"
|
||||||
|
done
|
||||||
|
success=1
|
||||||
|
if [[ -n "$ciphers_to_test" ]]; then
|
||||||
|
if "$SHOW_SIGALGO"; then
|
||||||
|
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "all"
|
||||||
else
|
else
|
||||||
$OPENSSL s_client -cipher "${ciph[i]}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
|
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
|
||||||
sclient_connect_successful "$?" "$TMPFILE"
|
|
||||||
[[ "$?" -eq 0 ]] && ciphers_found[child]=true
|
|
||||||
fi
|
fi
|
||||||
fi
|
ret=$?
|
||||||
# If this is a "leaf" of the test tree, then print out the results.
|
if [[ $ret -eq 0 ]] || [[ $ret -eq 2 ]]; then
|
||||||
if [[ $bundle_size -eq 1 ]] && ( ${ciphers_found[child]} || "$SHOW_EACH_C"); then
|
success=0
|
||||||
export=${export2[i]}
|
cipher=$(awk '/Cipher *:/ { print $3 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
|
||||||
if ! "$using_sockets"; then
|
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||||
normalize_ciphercode "${hexcode[i]}"
|
[[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break
|
||||||
normalized_hexcode[i]="$HEXC"
|
done
|
||||||
fi
|
i=${index[i]}
|
||||||
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
|
ciphers_found[i]=true
|
||||||
if ${ciphers_found[child]}; then
|
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
|
||||||
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
|
dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet)
|
||||||
kx[i]="${kx[i]} $dhlen"
|
kx[i]="${kx[i]} $dhlen"
|
||||||
fi
|
fi
|
||||||
|
"$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
||||||
fi
|
fi
|
||||||
neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}"
|
|
||||||
available=""
|
|
||||||
if "$SHOW_EACH_C"; then
|
|
||||||
if ${ciphers_found[child]}; then
|
|
||||||
available="available"
|
|
||||||
pr_cyan "$available"
|
|
||||||
else
|
|
||||||
available="not a/v"
|
|
||||||
out "$available"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
if "$SHOW_SIGALGO" && ${ciphers_found[child]}; then
|
|
||||||
$OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1
|
|
||||||
else
|
|
||||||
outln
|
|
||||||
fi
|
|
||||||
fileout "cipher_${normalized_hexcode[i]}" "INFO" "$(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}") $available"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
round_num=round_num+1
|
done
|
||||||
|
|
||||||
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
|
if "${ciphers_found[i]}" || ( "$SHOW_EACH_C" && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ) ); then
|
||||||
|
export=${export2[i]}
|
||||||
|
neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}"
|
||||||
|
available=""
|
||||||
|
if "$SHOW_EACH_C"; then
|
||||||
|
if ${ciphers_found[i]}; then
|
||||||
|
available="available"
|
||||||
|
pr_cyan "$available"
|
||||||
|
else
|
||||||
|
available="not a/v"
|
||||||
|
out "$available"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
outln "${sigalg[i]}"
|
||||||
|
fileout "cipher_${normalized_hexcode[i]}" "INFO" "$(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}") $available"
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
||||||
|
|
||||||
outln
|
outln
|
||||||
tmpfile_handle $FUNCNAME.txt
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -8673,6 +8727,7 @@ maketempf() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
prepare_debug() {
|
prepare_debug() {
|
||||||
|
local hexc ossl_ciph ossl_supported_tls="" ossl_supported_sslv2=""
|
||||||
if [[ $DEBUG -ne 0 ]]; then
|
if [[ $DEBUG -ne 0 ]]; then
|
||||||
cat >$TEMPDIR/environment.txt << EOF
|
cat >$TEMPDIR/environment.txt << EOF
|
||||||
|
|
||||||
@ -9080,8 +9135,8 @@ EOF
|
|||||||
0x00,0x26 - EXP-KRB5-DES-CBC-SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export
|
0x00,0x26 - EXP-KRB5-DES-CBC-SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export
|
||||||
0x00,0x2A - EXP-KRB5-RC2-CBC-MD5 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export
|
0x00,0x2A - EXP-KRB5-RC2-CBC-MD5 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export
|
||||||
0x00,0x29 - EXP-KRB5-DES-CBC-MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export
|
0x00,0x29 - EXP-KRB5-DES-CBC-MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export
|
||||||
0x00,0x0B - - TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=DES(40) Mac=SHA1 export
|
0x00,0x0B - EXP-DH-DSS-DES-CBC-SHA TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=DES(40) Mac=SHA1 export
|
||||||
0x00,0x0E - - TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=DES(40) Mac=SHA1 export
|
0x00,0x0E - EXP-DH-RSA-DES-CBC-SHA TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=DES(40) Mac=SHA1 export
|
||||||
0x00,0x17 - EXP-ADH-RC4-MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
|
0x00,0x17 - EXP-ADH-RC4-MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
|
||||||
0x00,0x03 - EXP-RC4-MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
|
0x00,0x03 - EXP-RC4-MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
|
||||||
0x02,0x00,0x80 - EXP-RC4-MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
|
0x02,0x00,0x80 - EXP-RC4-MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
|
||||||
@ -9112,7 +9167,26 @@ EOF
|
|||||||
0xFF,0x87 - GOST2012256-NULL-STREEBOG256 - SSLv3 Kx=GOST Au=GOST01 Enc=None Mac=STREEBOG256
|
0xFF,0x87 - GOST2012256-NULL-STREEBOG256 - SSLv3 Kx=GOST Au=GOST01 Enc=None Mac=STREEBOG256
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
while read TLS_CIPHER_HEXCODE[TLS_NR_CIPHERS] n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do
|
"$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
|
||||||
|
ossl_supported_tls="$($OPENSSL ciphers -tls1 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
|
||||||
|
while read hexc n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do
|
||||||
|
TLS_CIPHER_HEXCODE[TLS_NR_CIPHERS]="$hexc"
|
||||||
|
TLS_CIPHER_OSSL_SUPPORTED[TLS_NR_CIPHERS]=false
|
||||||
|
if [[ ${#hexc} -eq 9 ]]; then
|
||||||
|
if [[ $OSSL_VER_MAJOR -lt 1 ]]; then
|
||||||
|
[[ ":${ossl_supported_tls}:" =~ ":${TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS]}:" ]] && TLS_CIPHER_OSSL_SUPPORTED[TLS_NR_CIPHERS]=true
|
||||||
|
else
|
||||||
|
ossl_ciph="$(grep -w "$hexc" <<< "$ossl_supported_tls" | awk '{ print $3 }')"
|
||||||
|
if [[ -n "$ossl_ciph" ]]; then
|
||||||
|
TLS_CIPHER_OSSL_SUPPORTED[TLS_NR_CIPHERS]=true
|
||||||
|
[[ "$ossl_ciph" != "${TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS]}" ]] && TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS]="$ossl_ciph"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
elif [[ $OSSL_VER_MAJOR -lt 1 ]]; then
|
||||||
|
[[ ":${ossl_supported_sslv2}:" =~ ":${TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS]}:" ]] && TLS_CIPHER_OSSL_SUPPORTED[TLS_NR_CIPHERS]=true
|
||||||
|
else
|
||||||
|
grep -qw "$hexc" <<< "$ossl_supported_sslv2" && TLS_CIPHER_OSSL_SUPPORTED[TLS_NR_CIPHERS]=true
|
||||||
|
fi
|
||||||
TLS_NR_CIPHERS+=1
|
TLS_NR_CIPHERS+=1
|
||||||
done < $CIPHERS_BY_STRENGTH_FILE
|
done < $CIPHERS_BY_STRENGTH_FILE
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user