determine_optimal_sockets_params() makes two attempts to send a TLS 1.2 ClientHello, with each attempt trying 127 ciphers. However, this leaves 97 ciphers from etc/cipher-mapping.txt that are not tried, most of which use ARIA or CAMELLIA. This commit adds a third attempt a send a ClientHello that offers these 97 remaining ciphers. This helps to ensure that support for TLS 1.2 is detected and that later calls to tls_sockets() work, even if the server only supports the ARIA/CAMELLIA ciphers that are not included in TLS12_CIPHER or TLS12_CIPHER_2ND_TRY.
Newer configuration files from openssl may include statements
which aren't compatible with our supplied old openssl version.
This commit adds an autodetection of such a file and uses a
openssl.cnf provided by this project then.
* also ca_hashes.txt
* Used Java SDK 15 instead of JRE 8
* Used Windows 20H2
* Java Keystore has added 5 certificates (90 --> 95)
Updated Readme and make it more reproducible
This commit checks whether any intermediate certificates provided by the server include an extended key usage extension that asserts the OCSP Signing key purpose.
This commit replaces #1680, which checks for such certificates by comparing the server's intermediate certificates against a fixed list of known bad certificates.
to 1.1.0l and 1.1.1d. Seems that for the latter TLS 1.0 and 1.1
are disabled now, looking at the supported version extension.
However on the command line an s_client connect works. So
this commit need to be amended.
The ciphersuites string for Safari 13.0 ends with a colon (':'). which causes OpenSSL to reject the command line when client simulation testing is performed in --ssl-native mode. This PR fixes the problem by removing the trailing colon.
According to MS this is the latest which is from July 2019.
This is the biggest CA store (probably a lot of intermediate
certificates in there).
This was pulled from MS as described in the Readme.md . It
is exactly the same whether CertUtil will be run from Windows 7
(almost: RIP) or Windows 10.
Other than before teh Java store was extracted directly from a keystore
from a Java JRE from https://jdk.java.net/.
The Debian keystore used previously used the certificates from the Debian
machine itself (installation script in ``/etc/ca-certificates/update.d/``.
Check with ``keytool -list -rfc -keystore /etc/ssl/certs/java/cacerts | grep -i 'alias'``
As a consequence this store contains less certificates:
etc/Java.pem:90
etc/Linux.pem:128
and needs some testing whether it really should be still included.
In some rare cases a server does not support any of the ciphers in $TLS12_CIPHER, but does support at least one cipher in $TLS12_CIPHER_2ND_TRY. In such cases, TLS12_CIPHER should be changed to $TLS12_CIPHER_2ND_TRY so that subsequent tests using $TLS12_CIPHER will succeed.
