Merge 32eba4e644 into afcc92db02

2025-06-07 11:43:39 +02:00 · 2014-04-05 18:25:52 +00:00 · 2014-04-05 18:25:52 +00:00 · 2d91350f56
commit 2d91350f56
parent afcc92db02 32eba4e644
2 changed files with 27 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -45,24 +45,24 @@ Testing plain SSL/TLS:
 linux $ ./cipherscan www.google.com:443
 ...................
 prio  ciphersuite                  protocols                    pfs_keysize
-1     ECDHE-RSA-CHACHA20-POLY1305  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-2     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-3     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-4     ECDHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-5     AES128-GCM-SHA256            SSLv3,TLSv1,TLSv1.1,TLSv1.2
-6     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
-7     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
-8     ECDHE-RSA-AES256-GCM-SHA384  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-9     ECDHE-RSA-AES256-SHA384      SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-10    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-11    AES256-GCM-SHA384            SSLv3,TLSv1,TLSv1.1,TLSv1.2
-12    AES256-SHA256                SSLv3,TLSv1,TLSv1.1,TLSv1.2
-13    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
-14    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-15    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
-16    ECDHE-RSA-AES128-SHA256      SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
-17    AES128-SHA256                SSLv3,TLSv1,TLSv1.1,TLSv1.2
-18    AES128-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
+1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                      ECDH,P-256,256bits
+2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
+3     ECDHE-RSA-AES128-SHA         TLSv1.2                      ECDH,P-256,256bits
+4     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
+5     AES128-GCM-SHA256            TLSv1.2
+6     AES128-SHA256                TLSv1.2
+7     AES128-SHA                   TLSv1.2
+8     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
+9     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
+10    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits
+11    ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits
+12    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
+13    AES256-GCM-SHA384            TLSv1.2
+14    AES256-SHA256                TLSv1.2
+15    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
+16    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
+17    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
+18    ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits
 ```

 Testing STARTTLS:
--- a/9
+++ b/9
@ -64,6 +64,7 @@ test_cipher_on_target() {
    cipher=""
    protocols=""
    pfs=""
+    previous_cipher=""
    for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
    do
        debug echo \"quit\\n\" \| $sslcommand $tls_version
@ -74,7 +75,15 @@ test_cipher_on_target() {
        if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
            # connection failed, try again with next TLS version
            continue
+        else
+            verbose "connection successful; protocol: $current_protocol, cipher: $current_cipher, previous cipher: $previous_cipher"
        fi
+        # handling of TLSv1.2 only cipher suites
+        if [ ! -z "$previous_cipher" ] && [ "$previous_cipher" != "$current_cipher" ] && [ "$current_cipher" != "0000" ]; then
+            unset protocols
+        fi
+        previous_cipher=$current_cipher
+
        # connection succeeded, add TLS version to positive results
        if [ -z "$protocols" ]; then
            protocols=$current_protocol