From 5c98fe2107627ae6db6796614fadc60f3515871a Mon Sep 17 00:00:00 2001
From: Hubert Kario
Date: Fri, 29 May 2015 20:25:47 +0200
Subject: [PATCH] do a scan with -no_tlsext openssl if possible
---
 cipherscan | 31 +++++++++++++++++++++++++++++++
 top1m/parse_results.py | 6 ++++--
 2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/cipherscan b/cipherscan
index 9c3c3dc..8b539ae 100755
--- a/cipherscan
+++ b/cipherscan
@@ -283,6 +283,20 @@ c_hash() {
 done
 }
+crude_grep() {
+ while read line; do
+ if [[ $line =~ $1 ]]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+check_option_support() {
+ $OPENSSLBIN s_client -help 2>&1 | crude_grep "$1"
+ return $?
+}
+
 parse_openssl_output() {
 # clear variables in case matching doesn't hit them
 current_ocspstaple="False"
@@ -1220,6 +1234,23 @@ test_tls_tolerance() {
 tls_tolerance['small-TLSv1.0']="True $current_protocol $current_cipher $current_trusted"
 fi
+ #
+ # v3 format TLSv1.0 hello, small cipher list, no extensions
+ #
+ if check_option_support "-no_tlsext"; then
+ ratelimit
+ verbose "Testing fallback with $sslcommand -no_tls1_2 -no_tls1_1 -no_tlsext"
+ local tmp=$(echo Q | $sslcommand -no_tls1_2 -no_tls1_1 -no_tlsext 2>/dev/null)
+ parse_openssl_output <<<"$tmp"
+ verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
+ if [[ -z $current_protocol || $current_cipher == "(NONE)" \
+ || $current_cipher == '0000' ]]; then
+ tls_tolerance['small-TLSv1.0-notlsext']="False"
+ else
+ tls_tolerance['small-TLSv1.0-notlsext']="True $current_protocol $current_cipher $current_trusted"
+ fi
+ fi
+
 #
 # v3 format SSLv3 hello, small cipher list
 #
diff --git a/top1m/parse_results.py b/top1m/parse_results.py
index 62179fa..56631b6 100644
--- a/top1m/parse_results.py
+++ b/top1m/parse_results.py
@@ -112,6 +112,8 @@ fallback_ids[' '] = i
 i+=1
 fallback_ids['small-SSLv3'] = i
 i+=1
+fallback_ids['small-TLSv1.0-notlsext'] = i
+i+=1
 fallback_ids['small-TLSv1.0'] = i
 i+=1
 fallback_ids['small-TLSv1.1'] = i
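Review bot: In `crude_grep` (first cipherscan hunk), `[[ $line =~ $1 ]]` treats the option name as an unquoted regular expression, and `read` runs without `-r` into a global `line`. A later caller passing an option that contains `.` or `+` would match more than intended, and the helper overwrites any caller variable named `line`. A literal, scoped form would be `local line`, `while IFS= read -r line; do` and `[[ $line == *"$1"* ]]`. In `check_option_support`, `$OPENSSLBIN` is unquoted, so a binary path containing spaces would be word-split, and `return $?` is redundant because a function already returns the status of its last command. Since this probe decides whether a TLS test runs at all, a short comment on `check_option_support` saying that a non-match means the dependent test is skipped, not failed, would help whoever reads the results.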
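Review bot: The new `-no_tlsext` block in `test_tls_tolerance` (second cipherscan hunk) records a result that cannot tell an extension-intolerant server from one that needs an extension. If the option does what its name and the block's own "no extensions" comment say, the hello also goes out without SNI. A `False` may then mean "SNI required", and a `True` may store a `$current_trusted` value that presumably describes the default virtual host's certificate, not the scanned name's. A comment above the block would make that explicit, for example `# -no_tlsext also drops SNI: a failure may mean "SNI required", and the trust result may be for the default vhost`. When the option is unsupported the `small-TLSv1.0-notlsext` key is never set, so consumers have to treat a missing key as "not tested"; whether parse_results.py does so is not visible here. The function body starts and ends outside the hunk.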
@@ -734,8 +736,8 @@ for stat in sorted(protocolstats):
 print("\nRequired fallbacks Count Percent")
 print("----------------------------------------+---------+-------")
-print("big smal v2 ")
-print("----+----+-----+------------------------+---------+-------")
+print("big small v2 ")
+print("----+-----+-----+------------------------+---------+-------")
 for stat in sorted(fallbacks):
 percent = round(fallbacks[stat] / total * 100, 4)
 sys.stdout.write(stat.ljust(40) + " " + str(fallbacks[stat]).ljust(10) + str(percent).ljust(4) + "\n")