From 1388e2ac2b739e1a1f15cfcb2136689ae582683f Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Thu, 3 Apr 2014 23:37:46 +0200
Subject: [PATCH 1/2] Correctly report TLSv1.2 only ciphers as negotiable with
 TLSv1.2

Previously scan would report:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits

Now it correctly reports:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
---
 cipherscan | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/cipherscan b/cipherscan
index 84fc0a3..7e9b1d1 100755
--- a/cipherscan
+++ b/cipherscan
@@ -68,6 +68,7 @@ test_cipher_on_target() {
     cipher=""
     protocols=""
     pfs=""
+    previous_cipher=""
     for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
     do
         local tmp=$(mktemp)
@@ -82,6 +83,21 @@ EOF
             rm "$tmp"
             continue
         fi
+        # handling of TLSv1.2 only cipher suites
+        if [ ! -z "$previous_cipher" ] && [ "$previous_cipher" != "$current_cipher" ]; then
+            protocols=""
+        fi
+        previous_cipher=$cipher
+        # SSLv2 ciphers use their own specific namespace (and RC4-MD5 is the
+        # only cipher that exists in both and we care for for)
+        if [ "$current_protocol" == "SSLv2" ] && [ "$current_cipher" != "RC4-MD5" ]; then
+            protocols=$current_protocol
+            cipher=$current_cipher
+            pfs=$current_pfs
+            rm "$tmp"
+            break 1
+        fi
+
         # connection succeeded, add TLS version to positive results
         if [ -z "$protocols" ]; then
             protocols=$current_protocol

From 5f670deb10e6751fde76d14c31598485fa09be24 Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Thu, 3 Apr 2014 23:40:24 +0200
Subject: [PATCH 2/2] update examples from README

since now the scan reports protocols correctly, update the example
to ilustrate that
---
 README.md | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index 0392b4f..170b119 100644
--- a/README.md
+++ b/README.md
@@ -30,24 +30,24 @@ Example
 $ ./cipherscan www.google.com:443
 ...................
 prio  ciphersuite                  protocols                    pfs_keysize
-1     ECDHE-RSA-CHACHA20-POLY1305  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-2     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-3     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-4     ECDHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-5     AES128-GCM-SHA256            SSLv3,TLSv1,TLSv1.1,TLSv1.2
-6     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
-7     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
-8     ECDHE-RSA-AES256-GCM-SHA384  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-9     ECDHE-RSA-AES256-SHA384      SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-10    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-11    AES256-GCM-SHA384            SSLv3,TLSv1,TLSv1.1,TLSv1.2
-12    AES256-SHA256                SSLv3,TLSv1,TLSv1.1,TLSv1.2
-13    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
-14    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-15    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
-16    ECDHE-RSA-AES128-SHA256      SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-17    AES128-SHA256                SSLv3,TLSv1,TLSv1.1,TLSv1.2
-18    AES128-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
+1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                      ECDH,P-256,256bits
+2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
+3     ECDHE-RSA-AES128-SHA         TLSv1.2                      ECDH,P-256,256bits
+4     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
+5     AES128-GCM-SHA256            TLSv1.2
+6     AES128-SHA256                TLSv1.2
+7     AES128-SHA                   TLSv1.2
+8     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
+9     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
+10    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits
+11    ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits
+12    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
+13    AES256-GCM-SHA384            TLSv1.2
+14    AES256-SHA256                TLSv1.2
+15    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
+16    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
+17    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
+18    ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits
 $ ./cipherscan -starttls xmpp jabber.ccc.de:5222
 .........
 prio  ciphersuite           protocols    pfs_keysize