From 2e9c3fcc90f0d008a6c5cf7429c7649a9d96c987 Mon Sep 17 00:00:00 2001
From: Hubert Kario
Date: Sat, 12 Jul 2014 01:30:17 +0200
Subject: [PATCH] don't retry protocols we know don't work

When connection is unsuccessful with a given protocol, don't try it again since we probably exhausted the ciphers supported by the protocol

makes scanning about 10% faster
---
 cipherscan | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cipherscan b/cipherscan
index d1ff13f..016c5a4 100755
--- a/cipherscan
+++ b/cipherscan
@@ -52,6 +52,8 @@ unset known_certs
 declare -A known_certs
 unset cert_checksums
 declare -A cert_checksums
+unset ok_protocols
+declare -A ok_protocols
 usage() {
 echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [--savecrt directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args]
@@ -126,6 +128,9 @@ test_cipher_on_target() {
 certificates=""
 for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
 do
+ if [[ ${ok_protocols[$tls_version]} -eq 1 ]]; then
+ continue
+ fi
 # sslv2 client hello doesn't support SNI extension
 # in SSLv3 mode OpenSSL just ignores the setting so it's ok
 # -status exception is ignored in SSLv2, go figure
@@ -250,6 +255,7 @@ test_cipher_on_target() {
 # parsing finished, report result
 if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
+ ok_protocols["$tls_version"]=1
 # connection failed, try again with next TLS version
 continue
 else
@@ -617,6 +623,8 @@ results=()
 # Call to the recursive loop that retrieves the cipher preferences
 get_cipher_pref $CIPHERSUITE
+unset ok_protocols
+declare -A ok_protocols
 test_serverside_ordering
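Review bot: The guard `if [[ ${ok_protocols[$tls_version]} -eq 1 ]]` reads as "skip protocols that are OK", but the only place the flag is set (the hunk at line 255) marks a protocol whose connection failed, so the array name states the opposite of what an entry means. Renaming it to something like `failed_protocols` in the declaration, the guard and the assignment, or at least adding `# skip protocols that already failed to negotiate any cipher in this run` above the guard, would make the intent clear. The lookup also relies on an unset element expanding to an empty string that `[[ -eq ]]` treats as 0; if this script ever runs under `set -u`, the unset subscript would abort here, so `${ok_protocols[$tls_version]:-0}` is the safer spelling. test_cipher_on_target's body continues outside the hunk.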
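Review bot: `ok_protocols["$tls_version"]=1` is set for every case where no protocol or cipher could be parsed, so a transient error (timeout, connection reset, rate limiting by the target) also removes that protocol version from every later attempt in this scan until the reset before test_serverside_ordering, and the scanner would then silently under-report the ciphers the server accepts for that version. The commit message itself calls this a heuristic ("we probably exhausted the ciphers"). How the failure is detected is outside the hunk, so I cannot tell whether a handshake rejection and a connection error are distinguishable at this point; if they are, only the former should set the flag, and otherwise a comment such as `# assumes a failed handshake means no remaining cipher works for this protocol; a transient network error also skips it for the rest of the scan` should record the trade-off next to the assignment. test_cipher_on_target's body continues outside the hunk.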