From 8bde9c4d03f7559631a16609a38a2c69689eb90a Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Tue, 11 Nov 2014 02:30:38 +0100
Subject: [PATCH] do fallback scan in case of problems

It's unlikely that there are SSLv2 only servers on the 'net, all
that were detected as such and I've checked actually are intolerant
to low placement of RC4 in cipher order or intolerant to large client
hello in general. In case we detect issues with the server, switch to
reduced cipher set and run the test again that should give better results
for about 3% of hosts
---
 cipherscan | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/cipherscan b/cipherscan
index 985eb07..f86508f 100755
--- a/cipherscan
+++ b/cipherscan
@@ -58,6 +58,44 @@ fi
 # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
 # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
 CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
+# as some servers are intolerant to large client hello's (or ones that have
+# RC4 ciphers below position 64), use the following for cipher testing in case
+# of problems
+FALLBACKCIPHERSUITE=(
+        'ECDHE-RSA-AES128-GCM-SHA256'
+        'ECDHE-RSA-AES128-SHA256'
+        'ECDHE-RSA-AES128-SHA'
+        'ECDHE-RSA-DES-CBC3-SHA'
+        'ECDHE-RSA-RC4-SHA'
+        'DHE-RSA-AES128-SHA'
+        'DHE-DSS-AES128-SHA'
+        'DHE-RSA-CAMELLIA128-SHA'
+        'DHE-RSA-AES256-SHA'
+        'DHE-DSS-AES256-SHA'
+        'DHE-RSA-CAMELLIA256-SHA'
+        'EDH-RSA-DES-CBC3-SHA'
+        'AES128-SHA'
+        'CAMELLIA128-SHA'
+        'AES256-SHA'
+        'CAMELLIA256-SHA'
+        'DES-CBC3-SHA'
+        'RC4-SHA'
+        'RC4-MD5'
+        'SEED-SHA'
+        'IDEA-CBC-SHA'
+        'IDEA-CBC-MD5'
+        'RC2-CBC-MD5'
+        'DES-CBC3-MD5'
+        'EXP1024-DHE-DSS-DES-CBC-SHA'
+        'EDH-RSA-DES-CBC-SHA'
+        'EXP1024-DES-CBC-SHA'
+        'DES-CBC-MD5'
+        'EXP1024-RC4-SHA'
+        'EXP-EDH-RSA-DES-CBC-SHA'
+        'EXP-DES-CBC-SHA'
+        'EXP-RC2-CBC-MD5'
+        'EXP-RC4-MD5'
+        )
 DEBUG=0
 VERBOSE=0
 DELAY=0
@@ -1056,6 +1094,22 @@ results=()
 # Call to the recursive loop that retrieves the cipher preferences
 get_cipher_pref $CIPHERSUITE
 
+# in case the server is intolerant to our big hello, try again with
+# a smaller one
+# do that either when the normal scan returns no ciphers or just SSLv2
+# ciphers (where it's likely that the limiting by OpenSSL worked)
+pref=(${cipherspref[0]})
+if [[ ${#cipherspref[@]} -eq 0 ]] || [[ ${pref[1]} == "SSLv2" ]]; then
+    cipherspref=()
+    ciphercertificates=()
+    results=()
+    OLDIFS="$IFS"
+    IFS=":"
+    CIPHERS="${FALLBACKCIPHERSUITE[*]}"
+    IFS="$OLDIFS"
+    get_cipher_pref "$CIPHERS"
+fi
+
 test_serverside_ordering
 
 if [[ $TEST_CURVES == "True" ]]; then