Add handling for TLS-variant results for the PFS value.
As before with signature algorithms, we need to handle the case where the PFS value varies based on SSL protocol version.
This commit is contained in:
parent
0be95b821a
commit
638e0cbd10
28
cipherscan
28
cipherscan
@ -508,10 +508,10 @@ test_cipher_on_target() {
local cmnd=""
local cmnd=""
protocols=()
protocols=()
versions=()
versions=()
pfs=""
previous_cipher=""
previous_cipher=""
certificates=""
certificates=""
declare -A sigalgs=()
declare -A sigalgs=()
declare -A pfses=()
for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do
for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do
# sslv2 client hello doesn't support SNI extension
# sslv2 client hello doesn't support SNI extension
# in SSLv3 mode OpenSSL just ignores the setting so it's ok
# in SSLv3 mode OpenSSL just ignores the setting so it's ok
@ -623,8 +623,8 @@ test_cipher_on_target() {
# connection succeeded, add TLS version to positive results
# connection succeeded, add TLS version to positive results
protocols+=("$current_protocol")
protocols+=("$current_protocol")
cipher=$current_cipher
cipher=$current_cipher
pfs=$current_pfs
[[ -z $current_pfs ]] && current_pfs="None"
[[ -z $pfs ]] && pfs="None"
pfses[$current_protocol]="$current_pfs"
pubkey=$current_pubkey
pubkey=$current_pubkey
sigalgs[$current_protocol]="$current_sigalg"
sigalgs[$current_protocol]="$current_sigalg"
trusted=$current_trusted
trusted=$current_trusted
@ -659,6 +659,24 @@ test_cipher_on_target() {
sigalg="${sigalgs[@]}"
sigalg="${sigalgs[@]}"
fi
fi
# Flatten the pfses list to a single item if every entry is the same.
if (( ${#pfses[*]} > 1 )); then
local pfses_values=()
for each_protocol in "${protocols[@]}"; do
pfses_values+=("${pfses[$each_protocol]}")
done
if [[ $OUTPUTFORMAT == 'json' ]]; then
# Don't deduplicate for JSON.
join_array_by_char ';' "${pfses_values[@]}"
else
flatten_or_join_array_by_char ';' "${pfses_values[@]}"
fi
pfs="$joined_array"
else
# Just extract the one value that's present and use it.
pfs="${pfses[@]}"
fi
# Pre-join this, since we use it in a couple of places below.
# Pre-join this, since we use it in a couple of places below.
join_array_by_char ',' "${protocols[@]}"
join_array_by_char ',' "${protocols[@]}"
protocols_csv="$joined_array"
protocols_csv="$joined_array"
@ -993,9 +1011,7 @@ display_results_in_json() {
fi
fi
echo -n "\"ticket_hint\":\"${cipher_arr[5]}\","
echo -n "\"ticket_hint\":\"${cipher_arr[5]}\","
echo -n "\"ocsp_stapling\":\"${cipher_arr[6]}\","
echo -n "\"ocsp_stapling\":\"${cipher_arr[6]}\","
pfs="${cipher_arr[7]}"
echo -n "\"pfs\":[\"${cipher_arr[7]//\;/\",\"}\"]"
[[ -z $pfs ]] && pfs="None"
echo -n "\"pfs\":\"$pfs\""
if [[ "${cipher_arr[0]}" =~ ECDH ]]; then
if [[ "${cipher_arr[0]}" =~ ECDH ]]; then
echo -n ","
echo -n ","
echo -n "\"curves\":[\"${cipher_arr[8]//,/\",\"}\"]"
echo -n "\"curves\":[\"${cipher_arr[8]//,/\",\"}\"]"
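Review bot: Nothing records that the JSON `pfs` field is now an array rather than a string at the `echo -n "\"pfs\":[\"${cipher_arr[7]//\;/\",\"}\"]"` line in display_results_in_json, and the commit description only talks about the scanning side, so consumers that parsed `"pfs"` as a plain string will break without warning. A comment on that line such as `# pfs is emitted as an array (one entry per negotiated protocol, in protocols order; a single entry when the value did not vary) because it can differ per TLS version` would state the new contract, and the description should mention the output-format change. The same line places the value into the JSON with only the `;` separator rewritten and no escaping of `"` or `\`, which mirrors the existing curves line below; the value appears to come from the scanner's own parsing plus the `"None"` default set in test_cipher_on_target, so this is presumably fine, but a `;`-free, quote-free value is now an assumption the flattening code in the test_cipher_on_target hunk depends on and is worth noting there too. display_results_in_json continues outside the hunk.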