Add TLSv1.3 support for run_allciphers()
This PR adds TLSv1.3 support for run_allciphers(). It also addresses issue #660 for run_allciphers().
This commit is contained in:
parent
50fa1e74bd
commit
fb5c049fd7
127
testssl.sh
127
testssl.sh
|
@ -3026,6 +3026,7 @@ run_allciphers() {
|
||||||
local -i i end_of_bundle bundle bundle_size num_bundles mod_check
|
local -i i end_of_bundle bundle bundle_size num_bundles mod_check
|
||||||
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
|
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
|
||||||
local -i -a index
|
local -i -a index
|
||||||
|
local proto protos_to_try
|
||||||
local dhlen available ciphers_to_test supported_sslv2_ciphers
|
local dhlen available ciphers_to_test supported_sslv2_ciphers
|
||||||
local has_dh_bits="$HAS_DH_BITS"
|
local has_dh_bits="$HAS_DH_BITS"
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
|
@ -3129,6 +3130,7 @@ run_allciphers() {
|
||||||
|
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
if "${ossl_supported[i]}"; then
|
if "${ossl_supported[i]}"; then
|
||||||
|
[[ "${sslvers[i]}" == "SSLv2" ]] && continue
|
||||||
ciphers_found2[nr_ossl_ciphers]=false
|
ciphers_found2[nr_ossl_ciphers]=false
|
||||||
sslvers2[nr_ossl_ciphers]="${sslvers[i]}"
|
sslvers2[nr_ossl_ciphers]="${sslvers[i]}"
|
||||||
ciph2[nr_ossl_ciphers]="${ciph[i]}"
|
ciph2[nr_ossl_ciphers]="${ciph[i]}"
|
||||||
|
@ -3151,42 +3153,54 @@ run_allciphers() {
|
||||||
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
if "$HAS_TLS13"; then
|
||||||
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
protos_to_try="-no_ssl2 -tls1_2 -tls1_1 -tls1"
|
||||||
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
|
else
|
||||||
for (( success=0; success==0 ; 1 )); do
|
protos_to_try="-no_ssl2 -tls1_1 -tls1"
|
||||||
ciphers_to_test=""
|
fi
|
||||||
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
"$HAS_SSL3" && protos_to_try+=" -ssl3"
|
||||||
[[ "${sslvers2[i]}" != "SSLv2" ]] && ! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}"
|
|
||||||
done
|
for proto in $protos_to_try; do
|
||||||
success=1
|
if [[ "$proto" == "-tls1_1" ]]; then
|
||||||
if [[ -n "$ciphers_to_test" ]]; then
|
num_bundles=1
|
||||||
$OPENSSL s_client $(s_client_options "-no_ssl2 -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
bundle_size=$nr_ossl_ciphers
|
||||||
sclient_connect_successful "$?" "$TMPFILE"
|
fi
|
||||||
if [[ "$?" -eq 0 ]]; then
|
|
||||||
cipher=$(get_cipher $TMPFILE)
|
[[ "$proto" != "-no_ssl2" ]] && [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
|
||||||
if [[ -n "$cipher" ]]; then
|
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
||||||
success=0
|
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
||||||
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
|
||||||
[[ "$cipher" == "${ciph2[i]}" ]] && ciphers_found2[i]=true && break
|
while true; do
|
||||||
done
|
ciphers_to_test=""
|
||||||
i=${index[i]}
|
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||||
ciphers_found[i]=true
|
! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}"
|
||||||
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
|
done
|
||||||
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
kx[i]="${kx[i]} $dhlen"
|
$OPENSSL s_client $(s_client_options "$proto -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
fi
|
sclient_connect_successful "$?" "$TMPFILE" || break
|
||||||
"$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
|
cipher=$(get_cipher $TMPFILE)
|
||||||
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
[[ -z "$cipher" ]] && break
|
||||||
fi
|
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||||
|
[[ "$cipher" == "${ciph2[i]}" ]] && ciphers_found2[i]=true && break
|
||||||
|
done
|
||||||
|
[[ $i -eq $end_of_bundle ]] && break
|
||||||
|
i=${index[i]}
|
||||||
|
ciphers_found[i]=true
|
||||||
|
[[ "$cipher" == TLS13* ]] && kx[i]="$(read_dhtype_from_file $TMPFILE)"
|
||||||
|
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
|
||||||
|
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
|
||||||
|
kx[i]="${kx[i]} $dhlen"
|
||||||
fi
|
fi
|
||||||
fi
|
"$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
|
||||||
|
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
||||||
|
done
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
if ! "${ciphers_found[i]}"; then
|
if ! "${ciphers_found[i]}"; then
|
||||||
|
[[ "${sslvers[i]}" == "SSLv2" ]] && continue
|
||||||
ciphers_found2[nr_nonossl_ciphers]=false
|
ciphers_found2[nr_nonossl_ciphers]=false
|
||||||
sslvers2[nr_nonossl_ciphers]="${sslvers[i]}"
|
sslvers2[nr_nonossl_ciphers]="${sslvers[i]}"
|
||||||
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
|
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
|
||||||
|
@ -3211,37 +3225,40 @@ run_allciphers() {
|
||||||
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
for proto in 04 03 02 01 00; do
|
||||||
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
||||||
[[ $end_of_bundle -gt $nr_nonossl_ciphers ]] && end_of_bundle=$nr_nonossl_ciphers
|
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
||||||
for (( success=0; success==0 ; 1 )); do
|
[[ $end_of_bundle -gt $nr_nonossl_ciphers ]] && end_of_bundle=$nr_nonossl_ciphers
|
||||||
ciphers_to_test=""
|
while true; do
|
||||||
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
ciphers_to_test=""
|
||||||
[[ "${sslvers2[i]}" != "SSLv2" ]] && ! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}"
|
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||||
done
|
! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}"
|
||||||
success=1
|
done
|
||||||
if [[ -n "$ciphers_to_test" ]]; then
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
|
[[ "$proto" == "04" ]] && [[ ! "${ciphers_to_test:2}" =~ ,\ 13,[0-9a-f][0-9a-f] ]] && break
|
||||||
|
ciphers_to_test="$(strip_inconsistent_ciphers "$proto" "$ciphers_to_test")"
|
||||||
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
if "$SHOW_SIGALGO"; then
|
if "$SHOW_SIGALGO"; then
|
||||||
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "all"
|
tls_sockets "$proto" "${ciphers_to_test:2}, 00,ff" "all"
|
||||||
else
|
else
|
||||||
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
|
tls_sockets "$proto" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
|
||||||
fi
|
fi
|
||||||
ret=$?
|
ret=$?
|
||||||
if [[ $ret -eq 0 ]] || [[ $ret -eq 2 ]]; then
|
[[ $ret -ne 0 ]] && [[ $ret -ne 2 ]] && break
|
||||||
success=0
|
cipher=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
|
||||||
cipher=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
|
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||||
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
[[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break
|
||||||
[[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break
|
done
|
||||||
done
|
[[ $i -eq $end_of_bundle ]] && break
|
||||||
i=${index[i]}
|
i=${index[i]}
|
||||||
ciphers_found[i]=true
|
ciphers_found[i]=true
|
||||||
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
|
[[ "${kx[i]}" == "Kx=any" ]] && kx[i]="$(read_dhtype_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")"
|
||||||
dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet)
|
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
|
||||||
kx[i]="${kx[i]} $dhlen"
|
dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet)
|
||||||
fi
|
kx[i]="${kx[i]} $dhlen"
|
||||||
"$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
|
||||||
fi
|
fi
|
||||||
fi
|
"$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
||||||
|
done
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue