mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-16 20:03:41 +01:00
use more robust trust path building by default
Pass the -trusted_first flag to openssl so that it tries alternative trust paths when verifying the validity of the certificate presented by the server.
parent
f9f3407bb4
commit
94efc235d0
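--- a/cipherscan
+++ b/cipherscan
@@ -690,7 +690,8 @@ get_cipher_pref() {
 elif [[ -e $CACERTS ]]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
-sslcommand+=" -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+sslcommand+=" -trusted_first -status $SCLIENTARGS -connect $TARGET"
+sslcommand+=" -cipher $ciphersuite"
 
 verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
 # If the connection succeeded with the current cipher, benchmark and store
@@ -1095,7 +1096,8 @@ test_serverside_ordering() {
 elif [[ -e "$CACERTS" ]]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
-sslcommand+=" -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+sslcommand+=" -trusted_first -status $SCLIENTARGS -connect $TARGET"
+sslcommand+=" -cipher $ciphersuite"
 
 test_cipher_on_target "$sslcommand"
 if (( $? != 0 )); then
@@ -1130,6 +1132,7 @@ test_curves() {
 sslcommand+=" -CAfile $CACERTS"
 fi
 sslcommand+=" -status $SCLIENTARGS -connect $TARGET -cipher $current_cipher"
+sslcommand+=" -trusted_first"
 # force the TLS to send a TLS1.0 client hello at least, as with SSLv2
 # ciphers present it will try to send a SSLv2 compatible client hello
 sslcommand+=" -no_ssl2 -no_ssl3"
@@ -1248,6 +1251,7 @@ test_curves_fallback() {
 elif [[ -e "$CACERTS" ]]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
+sslcommand+=" -trusted_first"
 sslcommand+=" -status $SCLIENTARGS -connect $TARGET -cipher $ecc_ciphers"
 # force the TLS to send a TLS1.0 client hello at least, as with SSLv2
 # ciphers present it will try to send a SSLv2 compatible client hello
@@ -1310,7 +1314,12 @@ test_tls_tolerance() {
 tls_vers_tests['big-SSLv3']="-no_tls1_2 -no_tls1_1 -no_tls1"
 
 local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
-sslcommand+=" -status -nextprotoneg 'http/1.1'"
+if [ -n "$CAPATH" ]; then
+sslcommand+=" -CApath $CAPATH -showcerts"
+elif [ -e "$CACERTS" ]; then
+sslcommand+=" -CAfile $CACERTS"
+fi
+sslcommand+=" -trusted_first -status -nextprotoneg 'http/1.1'"
 sslcommand+=" $SCLIENTARGS -connect $TARGET -cipher $CIPHERSUITE"
 
 for version in "${!tls_vers_tests[@]}"; do
@@ -1350,7 +1359,7 @@ test_tls_tolerance() {
 elif [[ -e "$CACERTS" ]]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
-sslcommand+=" -connect $TARGET -cipher $CIPHERSUITE"
+sslcommand+=" -trusted_first -connect $TARGET -cipher $CIPHERSUITE"
 
 ratelimit
 verbose "Testing fallback with $sslcommand"
@@ -1375,7 +1384,7 @@ test_tls_tolerance() {
 elif [[ -e "$CACERTS" ]]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
-sslcommand+=" -connect $TARGET -cipher $ciphers"
+sslcommand+=" -trusted_first -connect $TARGET -cipher $ciphers"
 
 ratelimit
 verbose "Testing fallback with $sslcommand"
@@ -1446,6 +1455,7 @@ test_tls_tolerance() {
 elif [[ -e "$CACERTS" ]]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
+sslcommand+=" -trusted_first"
 sslcommand+=" $SCLIENTARGS -connect $TARGET -cipher $ciphers:!SSLv2"
 
 ratelimit
@@ -1581,7 +1591,8 @@ test_kex_sigalgs() {
 elif [ -e "$CACERTS" ]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
-sslcommand+=" $SCLIENTARGS -connect $TARGET -cipher $supported_ecdsa_ciphers"
+sslcommand+=" -trusted_first $SCLIENTARGS -connect $TARGET"
+sslcommand+=" -cipher $supported_ecdsa_ciphers"
 # since some ciphers supported by server may be SSLv2 only, we need to
 # force use of TLSv1.2, otherwise openssl will send a SSLv2 compatible
 # client hello
@@ -1661,7 +1672,8 @@ test_kex_sigalgs() {
 elif [ -e "$CACERTS" ]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
-sslcommand+=" $SCLIENTARGS -connect $TARGET -cipher $supported_rsa_ciphers"
+sslcommand+=" -trusted_first $SCLIENTARGS -connect $TARGET"
+sslcommand+=" -cipher $supported_rsa_ciphers"
 # since some ciphers supported by server may be SSLv2 only, we need to
 # force use of TLSv1.2, otherwise openssl will send a SSLv2 compatible
 # client hello
@@ -1761,7 +1773,8 @@ test_kex_sigalgs() {
 elif [ -e "$CACERTS" ]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
-sslcommand+=" $SCLIENTARGS -connect $TARGET -cipher $supported_ecdsa_ciphers"
+sslcommand+=" -trusted_first $SCLIENTARGS -connect $TARGET"
+sslcommand+=" -cipher $supported_ecdsa_ciphers"
 # since some ciphers supported by server may be SSLv2 only, we need to
 # force use of TLSv1.2, otherwise openssl will send a SSLv2 compatible
 # client hello
@@ -1805,7 +1818,8 @@ test_kex_sigalgs() {
 elif [ -e "$CACERTS" ]; then
 sslcommand+=" -CAfile $CACERTS"
 fi
-sslcommand+=" $SCLIENTARGS -connect $TARGET -cipher $supported_rsa_ciphers"
+sslcommand+=" -trusted_first $SCLIENTARGS -connect $TARGET"
+sslcommand+=" -cipher $supported_rsa_ciphers"
 # since some ciphers supported by server may be SSLv2 only, we need to
 # force use of TLSv1.2, otherwise openssl will send a SSLv2 compatible
 # client hello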
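Review bot: `-trusted_first` is appended unconditionally to every `s_client` command line (all twelve hunks, from `get_cipher_pref()` through `test_kex_sigalgs()`), so an `$OPENSSLBIN` that predates the option would presumably reject the whole command, and each probe would then look like a failed handshake rather than a tooling error. A one-time capability check that stores the flag in a variable would avoid that and remove the repetition, e.g. `TRUSTED_FIRST=""` followed by `"$OPENSSLBIN" s_client -help 2>&1 | grep -q -- '-trusted_first' && TRUSTED_FIRST="-trusted_first"`, with each site appending `$TRUSTED_FIRST` instead of the literal. The CA block added in the first `test_tls_tolerance()` hunk also uses `[ … ]` where the other blocks visible in that function use `[[ … ]]`, and in `test_curves()` the flag lands after `-cipher` while elsewhere it precedes `-connect`; keeping one form makes the copies easier to audit. The enclosing function bodies start and end outside the hunks, so whether `$OPENSSLBIN` can ever be something other than a binary known to support the flag cannot be confirmed from here.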