collect TLS ticket lifetime hints

2026-02-06 15:15:16 +01:00 · 2014-05-16 16:55:19 +02:00
parent 1a78172936
commit 0777682aa6
2 changed files with 36 additions and 6 deletions
--- a/25
+++ b/25
@@ -84,6 +84,10 @@ test_cipher_on_target() {
        if [ -z $current_pubkey ]; then
            current_pubkey=0
        fi
+        current_tickethint=$(grep 'ticket lifetime hint' <<<"$tmp"|awk '{print $6 }')
+        if [ -z $current_tickethint ]; then
+            current_tickethint=None
+        fi
        current_sigalg=$(${OPENSSLBIN} x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
        grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
        if [ $? -eq 0 ]; then
@@ -117,6 +121,7 @@ test_cipher_on_target() {
        pubkey=$current_pubkey
        sigalg=$current_sigalg
        trusted=$current_trusted
+        tickethint=$current_tickethint
        # grab the cipher and PFS key size
    done
    # if cipher is empty, that means none of the TLS version worked with
@@ -128,13 +133,13 @@ test_cipher_on_target() {

    # if cipher contains NONE, the cipher wasn't accepted
    elif [ "$cipher" == '(NONE)  ' ]; then
-        result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
+        result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
        verbose "handshake failed, server returned ciphersuite '$result'"
        return 1

    # the connection succeeded
    else
-        result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
+        result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
        verbose "handshake succeeded, server returned ciphersuite '$result'"
        return 0
    fi
@@ -192,6 +197,7 @@ display_results_in_terminal() {
    local pubkey
    local sigalg
    local trusted
+    local tickethint
    local different=False
    for cipher in "${cipherspref[@]}"; do
        pciph=$(echo $cipher|awk '{print $1}')
@@ -205,6 +211,7 @@ display_results_in_terminal() {
            pubkey=$(awk '{print $3}' <<<$cipher)
            sigalg=$(awk '{print $4}' <<<$cipher)
            trusted=$(awk '{print $5}' <<<$cipher)
+            tickethint=$(awk '{print $6}' <<<$cipher)
        else
            if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
                different=True
@@ -215,6 +222,9 @@ display_results_in_terminal() {
            if [ "$trusted" != "$(awk '{print $5}' <<<$cipher)" ]; then
                different=True
            fi
+            if [ "$tickethint" != "$(awk '{print $6}' <<<$cipher)" ]; then
+                different=True
+            fi
        fi
        results=("${results[@]}" "$r")
        ctr=$((ctr+1))
@@ -222,13 +232,13 @@ display_results_in_terminal() {

    if [ $DOBENCHMARK -eq 1 ]; then
        if [ $different == "True" ]; then
-            header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec"
+            header="prio ciphersuite protocols pubkey_size signature_algoritm trusted ticket_hint pfs_keysize avg_handshake_microsec"
        else
            header="prio ciphersuite protocols pfs_keysize avg_handshake_microsec"
        fi
    else
        if [ $different == "True" ]; then
-            header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize"
+            header="prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint pfs_keysize"
        else
            header="prio ciphersuite protocols pfs_keysize"
        fi
@@ -242,7 +252,8 @@ display_results_in_terminal() {
        if [ $different == "True" ]; then
            echo $result|grep -v '(NONE)'
        else
-            echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $7}'
+            # prints priority, ciphersuite, protocols and pfs_keysize
+            echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $8}'
        fi
    done|column -t
    echo
@@ -252,6 +263,7 @@ display_results_in_terminal() {
        else
            echo "Certificate: UNTRUSTED, $pubkey bit, $sigalg signature"
        fi
+        echo "TLS ticket lifetime hint: $tickethint"
    fi
 }

@@ -267,7 +279,8 @@ display_results_in_json() {
        echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
        echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
        echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
-        pfs=$(echo $cipher|awk '{print $6}')
+        echo -n "\"ticket_hint\":\"$(echo $cipher|awk '{print $6}')\","
+        pfs=$(echo $cipher|awk '{print $7}')
        [ "$pfs" == "" ] && pfs="None"
        echo -n "\"pfs\":\"$pfs\"}"
        ctr=$((ctr+1))