			
		
		
		
	@@ -28,6 +28,8 @@ If you want to check trust against e.g. a company internal CA you need to use ``
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
 | 
					* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					* ``curves-mapping.txt`` contains information about all of the eliptic curves defined by IANA
 | 
				
			||||||
 | 
					
 | 
				
			||||||
* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
 | 
					* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
 | 
				
			||||||
   ``~/utils/create_ca_hashes.sh`` for an update
 | 
					   ``~/utils/create_ca_hashes.sh`` for an update
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -14,7 +14,7 @@ The whole process is done manually.
 | 
				
			|||||||
* Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
 | 
					* Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
 | 
				
			||||||
* Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
 | 
					* Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
 | 
				
			||||||
* Adjust "lowest_protocol" and "highest_protocol" accordingly.
 | 
					* Adjust "lowest_protocol" and "highest_protocol" accordingly.
 | 
				
			||||||
* Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE.
 | 
					* For "curves" mark the supported groups TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`
 | 
				
			||||||
* Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010).
 | 
					* Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010).
 | 
				
			||||||
* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
 | 
					* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
 | 
				
			||||||
* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
 | 
					* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
 | 
				
			||||||
 
 | 
				
			|||||||
							
								
								
									
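--- a/etc/curves-mapping.txt
+++ b/etc/curves-mapping.txt
@@ -0,0 +1,47 @@
+      0x00,0x00	-	NULL		TPM_ECC_NONE
+      0x00,0x01	-	sect163k1	sect163k1
+      0x00,0x02	-	sect163r1	sect163r1
+      0x00,0x03	-	sect163r2	sect163r2
+      0x00,0x04	-	sect193r1	sect193r1
+      0x00,0x05	-	sect193r2	sect193r2
+      0x00,0x06	-	sect233k1	sect233k1
+      0x00,0x07	-	sect233r1	sect233r1
+      0x00,0x08	-	sect239k1	sect239k1
+      0x00,0x09	-	sect283k1	sect283k1
+      0x00,0x0a	-	sect283r1	sect283r1
+      0x00,0x0b	-	sect409k1	sect409k1
+      0x00,0x0c	-	sect409r1	sect409r1
+      0x00,0x0d	-	sect571k1	sect571k1
+      0x00,0x0e	-	sect571r1	sect571r1
+      0x00,0x0f	-	secp160k1	secp160k1
+      0x00,0x10	-	secp160r1	secp160r1
+      0x00,0x11	-	secp160r2	secp160r2
+      0x00,0x12	-	secp192k1	secp192k1
+      0x00,0x13	-	secp192r1	secp192r1
+      0x00,0x14	-	secp224k1	secp224k1
+      0x00,0x15	-	secp224r1	secp224r1
+      0x00,0x16	-	secp256k1	secp256k1
+      0x00,0x17	-	secp256r1	secp256r1
+      0x00,0x18	-	secp384r1	secp384r1
+      0x00,0x19	-	secp521r1	secp521r1
+      0x00,0x1a   -     brainpoolP256r1	brainpoolP256r1
+      0x00,0x1b   -     brainpoolP384r1	brainpoolP384r1			
+      0x00,0x1c   -     brainpoolP512r1	brainpoolP512r1
+      0x00,0x1d   -     x25519		x25519
+      0x00,0x1e   -     x448		x448
+      0x00,0x1f   -	brainpoolP256r1tls13	brainpoolP256r1tls13
+      0x00,0x20	-	brainpoolP384r1tls13	brainpoolP384r1tls13
+      0x00,0x21   -	brainpoolP512r1tls13	brainpoolP512r1tls13
+      0x00,0x22   -     GC256A      GC256A
+      0x00,0x23   -     GC256B      GC256B
+      0x00,0x24   -     GC256C      GC256C
+      0x00,0x25   -     GC256D      GC256D
+      0x00,0x26   -     GC512A      GC512A
+      0x00,0x27   -     GC512B      GC512B
+      0x00,0x28   -     GC512C      GC512C
+      0x00,0x29	-     curveSM2	curveSM2
+      0x00,0x100  -	ffdhe2048	ffdhe2048
+      0x00,0x101  -     ffdhe3072   ffdhe3072
+      0x00,0x102  -     ffdhe4096   ffdhe4096
+      0x00,0x103  -     ffdhe6144   ffdhe6144
+      0x00,0x104  -     ffdhe8192   ffdhe8192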
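Review bot: The five ffdhe rows at the end (`0x00,0x100` … `0x00,0x104`) do not use the two-hex-digits-per-byte key that every other row uses. IANA assigns ffdhe2048–ffdhe8192 the code points 0x0100–0x0104, so on the wire they are the bytes `01 00` … `01 04` and the rows should read `0x01,0x00` … `0x01,0x04`. As written, a key of the form `0x??,0x??` (which is what utils/hexstream2curves.sh in this commit builds from the hex stream) can never equal them, so a client that offers finite-field groups gets an empty name in the result. A one-line `#` header naming the three columns (code point, separator, curve name twice) would also help, if the consumers of this file tolerate comment lines.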
							
								
								
									
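--- a/utils/hexstream2curves.sh
+++ b/utils/hexstream2curves.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+hs="$1"
+len=${#hs}
+echo "# curves: $((len/4))"
+
+mapfile="etc/curves-mapping.txt"
+[ -s $mapfile ] || mapfile="../$mapfile"
+[ -s $mapfile ] || exit 255
+
+cur=""
+first=true
+
+for ((i=0; i<len ; i+=4)); do
+	printf "%02d" "$i"
+	echo -n ": ${hs:$i:4}"
+	grepstr="0x${hs:$i:2},0x${hs:$((i+2)):2}"
+        echo -n " --> $grepstr --> "
+        cur=$(grep -i -E "^ *${grepstr}" $mapfile | awk '{ print $3 }')
+	if [[ $grepstr == 0x00,0xff ]]; then
+		echo TPM_ECC_NONE
+	else
+		echo $cur
+	fi
+	if "$first"; then
+		curves="$cur"
+		first=false
+	else
+		curves="$curves:$cur"
+	fi
+done
+
+echo
+# remove leading : because of GREASE, and trailing because of TPM_ECC_NONE
+curves="${curves%:}"
+echo ${curves#:}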
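Review bot: The lookup `grep -i -E "^ *${grepstr}" $mapfile` anchors the pattern only on the left and builds it from the unvalidated `$1`, so it is a prefix match rather than a key comparison. With the mapping file added in this commit, the key `0x00,0x10` also matches the `0x00,0x100` … `0x00,0x104` rows, `cur` then holds several names, and the colon-joined curve list that is meant to be pasted into the client-simulation data is wrong without any error. Input that is not hex, or whose length is not a multiple of four, likewise goes straight into the regex. I would reject bad input up front with `[[ $hs =~ ^([0-9a-fA-F]{4})+$ ]] || exit 1` and compare the first field exactly with `cur=$(awk -v k="$grepstr" 'tolower($1)==tolower(k){print $3; exit}' "$mapfile")`. Quoting `"$mapfile"`, `"$cur"` and `"${curves#:}"`, and resolving the mapping path relative to the script instead of the current directory, would make it behave the same from any working directory.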