add test for TLSv1.2 PFS key exchange

since the signature and hash algorithm in TLSv1.2 is selectable by server and negotiated using TLS extensions, we can check what sig algs is the server willing to perform and whatever it does honour client selection it also tests what happens if the client doesn't offer any sigalgs that are necessary to use the ciphers selected by server
2026-02-05 22:55:15 +01:00 · 2014-11-01 20:26:31 +01:00
parent 460f9cf1f6
commit 434b383f01
3 changed files with 367 additions and 4 deletions
--- a/top1m/parse_results.py
+++ b/top1m/parse_results.py
@@ -135,6 +135,8 @@ fallback_ids['v2-big-TLSv1.2'] = i
 i+=1
 # 3rd padding space
 fallback_ids['   '] = i
+pfssigalgfallback = defaultdict(int)
+pfssigalgs = defaultdict(int)
 dsarsastack = 0
 total = 0
 for r,d,flist in os.walk(path):
@@ -155,6 +157,8 @@ for r,d,flist in os.walk(path):
        tempfallbacks = {}
        """ supported ciphers by the server under scan """
        tempcipherstats = {}
+        temppfssigalgfallback = {}
+        temppfssigalgs = {}
        ciphertypes = 0
        AESGCM = False
        AESCBC = False
@@ -249,6 +253,23 @@ for r,d,flist in os.walk(path):
                if len(results['curve']) == 1:
                    tempecccurve[curve + ' Only'] = 1

+            """ collect TLSv1.2 PFS ciphersuite sigalgs """
+            if 'sigalgs' in results:
+                if results['sigalgs']['ECDSA-fallback']:
+                    temppfssigalgfallback['ECDSA ' + results['sigalgs']['ECDSA-fallback']] = 1
+                if results['sigalgs']['RSA-fallback']:
+                    temppfssigalgfallback['RSA ' + results['sigalgs']['RSA-fallback']] = 1
+                if 'RSA' in results['sigalgs'] and results['sigalgs']['RSA'][0] != 'Fail':
+                    for pfssigalg in results['sigalgs']['RSA']:
+                        temppfssigalgs['RSA-' + pfssigalg]=1
+                    if len(results['sigalgs']['RSA']) == 1:
+                        temppfssigalgs['RSA-' + results['sigalgs']['RSA'][0] + ' Only'] = 1
+                if 'ECDSA' in results['sigalgs'] and results['sigalgs']['ECDSA'][0] != 'Fail':
+                    for pfssigalg in results['sigalgs']['ECDSA']:
+                        temppfssigalgs['ECDSA-' + pfssigalg]=1
+                    if len(results['sigalgs']['ECDSA']) == 1:
+                        temppfssigalgs['ECDSA-' + results['sigalgs']['ECDSA'][0] + ' Only'] = 1
+
            if 'configs' in results:
                tolerance = [' '] * len(fallback_ids)
                for entry in results['configs']:
@@ -531,6 +552,11 @@ for r,d,flist in os.walk(path):
        else:
            ocspstaple['Unsupported'] += 1

+        for s in temppfssigalgfallback:
+            pfssigalgfallback[s] += 1
+        for s in temppfssigalgs:
+            pfssigalgs[s] += 1
+
        """ store cipher stats """
        if AESGCM:
            cipherstats['AES-GCM'] += 1
@@ -735,6 +761,18 @@ for stat in sorted(eccordering):
    percent = round(eccordering[stat] / total * 100, 4)
    sys.stdout.write(stat.ljust(25) + " " + str(eccordering[stat]).ljust(10) + str(percent).ljust(9) + "\n")

+print("\nTLSv1.2 PFS supported sigalgs  Count     Percent ")
+print("------------------------------+---------+--------")
+for stat in sorted(pfssigalgs):
+    percent = round(pfssigalgs[stat] / total * 100, 4)
+    sys.stdout.write(stat.ljust(30) + " " + str(pfssigalgs[stat]).ljust(10) + str(percent).ljust(9) + "\n")
+
+print("\nTLSv1.2 PFS sigalg fallback    Count     Percent ")
+print("------------------------------+---------+--------")
+for stat in sorted(pfssigalgfallback):
+    percent = round(pfssigalgfallback[stat] / total * 100, 4)
+    sys.stdout.write(stat.ljust(30) + " " + str(pfssigalgfallback[stat]).ljust(10) + str(percent).ljust(9) + "\n")
+
 print("\nTLS session ticket hint   Count     Percent ")
 print("-------------------------+---------+--------")
 for stat in natural_sort(tickethint):
--- a/top1m/testtop1m.sh
+++ b/top1m/testtop1m.sh
@@ -68,7 +68,7 @@ function scan_host() {
    if [ $? -gt 0 ]; then
        return
    fi
-    ../cipherscan --capath ca_files --saveca --curves --savecrt certs --delay 2 -json -servername $1 $2:443 > results/$1@$2
+    ../cipherscan --capath ca_files --saveca --curves --savecrt certs --delay 2 --sigalg -json -servername $1 $2:443 > results/$1@$2
 }

 function scan_host_no_sni() {
@@ -80,7 +80,7 @@ function scan_host_no_sni() {
    if [ $? -gt 0 ]; then
        return
    fi
-    ../cipherscan --capath ca_files --saveca --curves --savecrt certs --delay 2 -json $1:443 > results/$1
+    ../cipherscan --capath ca_files --saveca --curves --savecrt certs --delay 2 --sigalg -json $1:443 > results/$1
 }

 function scan_hostname() {