mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-22 14:23:41 +01:00
Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2
Previously scan would report: prio ciphersuite protocols pfs_keysize 1 ECDHE-RSA-AES128-GCM-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 2 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits Now it correctly reports: prio ciphersuite protocols pfs_keysize 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits 2 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
This commit is contained in:
parent
1f92094b3d
commit
1388e2ac2b
16
cipherscan
16
cipherscan
@ -68,6 +68,7 @@ test_cipher_on_target() {
|
||||
cipher=""
|
||||
protocols=""
|
||||
pfs=""
|
||||
previous_cipher=""
|
||||
for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
|
||||
do
|
||||
local tmp=$(mktemp)
|
||||
@ -82,6 +83,21 @@ EOF
|
||||
rm "$tmp"
|
||||
continue
|
||||
fi
|
||||
# handling of TLSv1.2 only cipher suites
|
||||
if [ ! -z "$previous_cipher" ] && [ "$previous_cipher" != "$current_cipher" ]; then
|
||||
protocols=""
|
||||
fi
|
||||
previous_cipher=$cipher
|
||||
# SSLv2 ciphers use their own specific namespace (and RC4-MD5 is the
|
||||
# only cipher that exists in both and we care for for)
|
||||
if [ "$current_protocol" == "SSLv2" ] && [ "$current_cipher" != "RC4-MD5" ]; then
|
||||
protocols=$current_protocol
|
||||
cipher=$current_cipher
|
||||
pfs=$current_pfs
|
||||
rm "$tmp"
|
||||
break 1
|
||||
fi
|
||||
|
||||
# connection succeeded, add TLS version to positive results
|
||||
if [ -z "$protocols" ]; then
|
||||
protocols=$current_protocol
|
||||
|
Loading…
Reference in New Issue
Block a user