mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-12-26 04:33:42 +01:00
do fallback scan in case of problems
It's unlikely that there are SSLv2 only servers on the 'net, all that were detected as such and I've checked actually are intolerant to low placement of RC4 in cipher order or intolerant to large client hello in general. In case we detect issues with the server, switch to reduced cipher set and run the test again that should give better results for about 3% of hosts
This commit is contained in:
parent
3bc8dc5583
commit
8bde9c4d03
54
cipherscan
54
cipherscan
@ -58,6 +58,44 @@ fi
|
||||
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
|
||||
# (probably a result of a workaround for the bug in Apple implementation of ECDSA)
|
||||
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
|
||||
# as some servers are intolerant to large client hello's (or ones that have
|
||||
# RC4 ciphers below position 64), use the following for cipher testing in case
|
||||
# of problems
|
||||
FALLBACKCIPHERSUITE=(
|
||||
'ECDHE-RSA-AES128-GCM-SHA256'
|
||||
'ECDHE-RSA-AES128-SHA256'
|
||||
'ECDHE-RSA-AES128-SHA'
|
||||
'ECDHE-RSA-DES-CBC3-SHA'
|
||||
'ECDHE-RSA-RC4-SHA'
|
||||
'DHE-RSA-AES128-SHA'
|
||||
'DHE-DSS-AES128-SHA'
|
||||
'DHE-RSA-CAMELLIA128-SHA'
|
||||
'DHE-RSA-AES256-SHA'
|
||||
'DHE-DSS-AES256-SHA'
|
||||
'DHE-RSA-CAMELLIA256-SHA'
|
||||
'EDH-RSA-DES-CBC3-SHA'
|
||||
'AES128-SHA'
|
||||
'CAMELLIA128-SHA'
|
||||
'AES256-SHA'
|
||||
'CAMELLIA256-SHA'
|
||||
'DES-CBC3-SHA'
|
||||
'RC4-SHA'
|
||||
'RC4-MD5'
|
||||
'SEED-SHA'
|
||||
'IDEA-CBC-SHA'
|
||||
'IDEA-CBC-MD5'
|
||||
'RC2-CBC-MD5'
|
||||
'DES-CBC3-MD5'
|
||||
'EXP1024-DHE-DSS-DES-CBC-SHA'
|
||||
'EDH-RSA-DES-CBC-SHA'
|
||||
'EXP1024-DES-CBC-SHA'
|
||||
'DES-CBC-MD5'
|
||||
'EXP1024-RC4-SHA'
|
||||
'EXP-EDH-RSA-DES-CBC-SHA'
|
||||
'EXP-DES-CBC-SHA'
|
||||
'EXP-RC2-CBC-MD5'
|
||||
'EXP-RC4-MD5'
|
||||
)
|
||||
DEBUG=0
|
||||
VERBOSE=0
|
||||
DELAY=0
|
||||
@ -1056,6 +1094,22 @@ results=()
|
||||
# Call to the recursive loop that retrieves the cipher preferences
|
||||
get_cipher_pref $CIPHERSUITE
|
||||
|
||||
# in case the server is intolerant to our big hello, try again with
|
||||
# a smaller one
|
||||
# do that either when the normal scan returns no ciphers or just SSLv2
|
||||
# ciphers (where it's likely that the limiting by OpenSSL worked)
|
||||
pref=(${cipherspref[0]})
|
||||
if [[ ${#cipherspref[@]} -eq 0 ]] || [[ ${pref[1]} == "SSLv2" ]]; then
|
||||
cipherspref=()
|
||||
ciphercertificates=()
|
||||
results=()
|
||||
OLDIFS="$IFS"
|
||||
IFS=":"
|
||||
CIPHERS="${FALLBACKCIPHERSUITE[*]}"
|
||||
IFS="$OLDIFS"
|
||||
get_cipher_pref "$CIPHERS"
|
||||
fi
|
||||
|
||||
test_serverside_ordering
|
||||
|
||||
if [[ $TEST_CURVES == "True" ]]; then
|
||||
|
Loading…
Reference in New Issue
Block a user