From 561df82a4a7db67e0fd0b762d64ed5a5f26219e7 Mon Sep 17 00:00:00 2001 From: Peter Mosmans Date: Sat, 22 Nov 2014 18:32:06 +1000 Subject: [PATCH] show which TLS protocols can't be used for testing The warning message will always be shown (echo'ed instead of verbose) --- cipherscan | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/cipherscan b/cipherscan index 6efb49c..c5d6331 100755 --- a/cipherscan +++ b/cipherscan @@ -12,6 +12,9 @@ DOBENCHMARK=0 BENCHMARKITER=30 OPENSSLBIN="$(dirname $0)/openssl" +# default string of TLS protocols +TLSPROTOCOLS="-ssl2 -ssl3 -tls1 -tls1_1 -tls1_2" + # test that timeout or gtimeout (darwin) are present TIMEOUTBIN="$(which timeout)" if [ "$TIMEOUTBIN" == "" ]; then @@ -108,6 +111,19 @@ debug(){ fi } +check_tls_protocols() { + tls_protocols="" + for supported_protocol in ${TLSPROTOCOLS}; do + ${OPENSSLBIN} s_client "${supported_protocol}" 2>&1 | grep -q "unknown option" + if [ $? -eq 0 ]; then + # always show warning message as it's important to know what won't be tested + echo "${supported_protocol} not supported by ${OPENSSLBIN}" + else + tls_protocols="${tls_protocols} ${supported_protocol}" + fi + done +} + c_hash() { local h=$(${OPENSSLBIN} x509 -hash -noout -in "$1/$2" 2>/dev/null) for ((num=0; num<=100; num++)) ; do @@ -234,7 +250,7 @@ test_cipher_on_target() { pfs="" previous_cipher="" certificates="" - for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2" + for tls_version in ${tls_protocols} do # sslv2 client hello doesn't support SNI extension # in SSLv3 mode OpenSSL just ignores the setting so it's ok @@ -694,7 +710,7 @@ fi SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}") debug "sclientargs: $SCLIENTARGS" - +check_tls_protocols cipherspref=(); ciphercertificates=() results=()