mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-22 22:33:40 +01:00
don't retry protocols we know don't work
When connection is unsuccessful with a given protocol, don't try it again since we probably exhausted the ciphers supported by the protocol makes scanning about 10% faster
This commit is contained in:
parent
0e6c40ad83
commit
2e9c3fcc90
@ -52,6 +52,8 @@ unset known_certs
|
|||||||
declare -A known_certs
|
declare -A known_certs
|
||||||
unset cert_checksums
|
unset cert_checksums
|
||||||
declare -A cert_checksums
|
declare -A cert_checksums
|
||||||
|
unset ok_protocols
|
||||||
|
declare -A ok_protocols
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [--savecrt directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [--savecrt directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
||||||
@ -126,6 +128,9 @@ test_cipher_on_target() {
|
|||||||
certificates=""
|
certificates=""
|
||||||
for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
|
for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
|
||||||
do
|
do
|
||||||
|
if [[ ${ok_protocols[$tls_version]} -eq 1 ]]; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
# sslv2 client hello doesn't support SNI extension
|
# sslv2 client hello doesn't support SNI extension
|
||||||
# in SSLv3 mode OpenSSL just ignores the setting so it's ok
|
# in SSLv3 mode OpenSSL just ignores the setting so it's ok
|
||||||
# -status exception is ignored in SSLv2, go figure
|
# -status exception is ignored in SSLv2, go figure
|
||||||
@ -250,6 +255,7 @@ test_cipher_on_target() {
|
|||||||
|
|
||||||
# parsing finished, report result
|
# parsing finished, report result
|
||||||
if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
|
if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
|
||||||
|
ok_protocols["$tls_version"]=1
|
||||||
# connection failed, try again with next TLS version
|
# connection failed, try again with next TLS version
|
||||||
continue
|
continue
|
||||||
else
|
else
|
||||||
@ -617,6 +623,8 @@ results=()
|
|||||||
|
|
||||||
# Call to the recursive loop that retrieves the cipher preferences
|
# Call to the recursive loop that retrieves the cipher preferences
|
||||||
get_cipher_pref $CIPHERSUITE
|
get_cipher_pref $CIPHERSUITE
|
||||||
|
unset ok_protocols
|
||||||
|
declare -A ok_protocols
|
||||||
|
|
||||||
test_serverside_ordering
|
test_serverside_ordering
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user