2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-12-26 04:33:42 +01:00

do fallback scan in case of problems

It's unlikely that there are SSLv2 only servers on the 'net, all
that were detected as such and I've checked actually are intolerant
to low placement of RC4 in cipher order or intolerant to large client
hello in general. In case we detect issues with the server, switch to
reduced cipher set and run the test again that should give better results
for about 3% of hosts
This commit is contained in:
Hubert Kario 2014-11-11 02:30:38 +01:00
parent 3bc8dc5583
commit 8bde9c4d03

View File

@ -58,6 +58,44 @@ fi
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
# (probably a result of a workaround for the bug in Apple implementation of ECDSA)
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
# as some servers are intolerant to large client hello's (or ones that have
# RC4 ciphers below position 64), use the following for cipher testing in case
# of problems
FALLBACKCIPHERSUITE=(
'ECDHE-RSA-AES128-GCM-SHA256'
'ECDHE-RSA-AES128-SHA256'
'ECDHE-RSA-AES128-SHA'
'ECDHE-RSA-DES-CBC3-SHA'
'ECDHE-RSA-RC4-SHA'
'DHE-RSA-AES128-SHA'
'DHE-DSS-AES128-SHA'
'DHE-RSA-CAMELLIA128-SHA'
'DHE-RSA-AES256-SHA'
'DHE-DSS-AES256-SHA'
'DHE-RSA-CAMELLIA256-SHA'
'EDH-RSA-DES-CBC3-SHA'
'AES128-SHA'
'CAMELLIA128-SHA'
'AES256-SHA'
'CAMELLIA256-SHA'
'DES-CBC3-SHA'
'RC4-SHA'
'RC4-MD5'
'SEED-SHA'
'IDEA-CBC-SHA'
'IDEA-CBC-MD5'
'RC2-CBC-MD5'
'DES-CBC3-MD5'
'EXP1024-DHE-DSS-DES-CBC-SHA'
'EDH-RSA-DES-CBC-SHA'
'EXP1024-DES-CBC-SHA'
'DES-CBC-MD5'
'EXP1024-RC4-SHA'
'EXP-EDH-RSA-DES-CBC-SHA'
'EXP-DES-CBC-SHA'
'EXP-RC2-CBC-MD5'
'EXP-RC4-MD5'
)
DEBUG=0
VERBOSE=0
DELAY=0
@ -1056,6 +1094,22 @@ results=()
# Call to the recursive loop that retrieves the cipher preferences
get_cipher_pref $CIPHERSUITE
# in case the server is intolerant to our big hello, try again with
# a smaller one
# do that either when the normal scan returns no ciphers or just SSLv2
# ciphers (where it's likely that the limiting by OpenSSL worked)
pref=(${cipherspref[0]})
if [[ ${#cipherspref[@]} -eq 0 ]] || [[ ${pref[1]} == "SSLv2" ]]; then
cipherspref=()
ciphercertificates=()
results=()
OLDIFS="$IFS"
IFS=":"
CIPHERS="${FALLBACKCIPHERSUITE[*]}"
IFS="$OLDIFS"
get_cipher_pref "$CIPHERS"
fi
test_serverside_ordering
if [[ $TEST_CURVES == "True" ]]; then