mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-24 23:23:40 +01:00
Pre-cache the cipher array-to-string result to do one less join.
This commit is contained in:
parent
d2e1784eb8
commit
9ea1749f6c
44
cipherscan
44
cipherscan
@ -104,6 +104,18 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
|
|||||||
export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
|
export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
join_array_by_char() {
|
||||||
|
# Two or less parameters (join + 0 or 1 value), then no need to set IFS because no join occurs.
|
||||||
|
if (( $# >= 3 )); then
|
||||||
|
# Three or more parameters (join + 2 values), then we need to set IFS for the join.
|
||||||
|
local IFS=$1
|
||||||
|
fi
|
||||||
|
# Discard the join string (usually ':', could be others).
|
||||||
|
shift
|
||||||
|
# Store the joined string in the result.
|
||||||
|
joined_array="$*"
|
||||||
|
}
|
||||||
|
|
||||||
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
|
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
|
||||||
# (probably a result of a workaround for the bug in Apple implementation of ECDSA)
|
# (probably a result of a workaround for the bug in Apple implementation of ECDSA)
|
||||||
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
|
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
|
||||||
@ -135,6 +147,9 @@ SHORTCIPHERSUITE=(
|
|||||||
'RC4-SHA'
|
'RC4-SHA'
|
||||||
'RC4-MD5'
|
'RC4-MD5'
|
||||||
)
|
)
|
||||||
|
join_array_by_char ':' "${SHORTCIPHERSUITE[@]}"
|
||||||
|
SHORTCIPHERSUITESTRING="$joined_array"
|
||||||
|
|
||||||
# as some servers are intolerant to large client hello's (or ones that have
|
# as some servers are intolerant to large client hello's (or ones that have
|
||||||
# RC4 ciphers below position 64), use the following for cipher testing in case
|
# RC4 ciphers below position 64), use the following for cipher testing in case
|
||||||
# of problems
|
# of problems
|
||||||
@ -173,18 +188,8 @@ FALLBACKCIPHERSUITE=(
|
|||||||
'EXP-RC2-CBC-MD5'
|
'EXP-RC2-CBC-MD5'
|
||||||
'EXP-RC4-MD5'
|
'EXP-RC4-MD5'
|
||||||
)
|
)
|
||||||
|
join_array_by_char ':' "${FALLBACKCIPHERSUITE[@]}"
|
||||||
join_array_by_char() {
|
FALLBACKCIPHERSUITESTRING="$joined_array"
|
||||||
# Two or less parameters (join + 0 or 1 value), then no need to set IFS because no join occurs.
|
|
||||||
if (( $# >= 3 )); then
|
|
||||||
# Three or more parameters (join + 2 values), then we need to set IFS for the join.
|
|
||||||
local IFS=$1
|
|
||||||
fi
|
|
||||||
# Discard the join string (usually ':', could be others).
|
|
||||||
shift
|
|
||||||
# Store the joined string in the result.
|
|
||||||
joined_array="$*"
|
|
||||||
}
|
|
||||||
|
|
||||||
DEBUG=0
|
DEBUG=0
|
||||||
VERBOSE=0
|
VERBOSE=0
|
||||||
@ -353,6 +358,9 @@ check_option_support() {
|
|||||||
[[ $OPENSSLBINHELP =~ "$1" ]]
|
[[ $OPENSSLBINHELP =~ "$1" ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# We stop processing certificates on each connection once any of them produces a set of valid certificates.
|
||||||
|
current_sigalg="None"
|
||||||
|
|
||||||
parse_openssl_output() {
|
parse_openssl_output() {
|
||||||
# clear variables in case matching doesn't hit them
|
# clear variables in case matching doesn't hit them
|
||||||
current_ocspstaple="False"
|
current_ocspstaple="False"
|
||||||
@ -362,7 +370,6 @@ parse_openssl_output() {
|
|||||||
current_tickethint="None"
|
current_tickethint="None"
|
||||||
current_pubkey=0
|
current_pubkey=0
|
||||||
current_trusted="False"
|
current_trusted="False"
|
||||||
current_sigalg="None"
|
|
||||||
|
|
||||||
certs_found=0
|
certs_found=0
|
||||||
current_raw_certificates=()
|
current_raw_certificates=()
|
||||||
@ -427,7 +434,7 @@ parse_openssl_output() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# extract certificates
|
# extract certificates
|
||||||
if [[ $line =~ -----BEGIN\ CERTIFICATE----- ]]; then
|
if [[ $current_sigalg == 'None' && $line =~ -----BEGIN\ CERTIFICATE----- ]]; then
|
||||||
current_raw_certificates[$certs_found]="$line"$'\n'
|
current_raw_certificates[$certs_found]="$line"$'\n'
|
||||||
while read data; do
|
while read data; do
|
||||||
current_raw_certificates[$certs_found]+="$data"$'\n'
|
current_raw_certificates[$certs_found]+="$data"$'\n'
|
||||||
@ -1136,8 +1143,7 @@ test_tls_tolerance() {
|
|||||||
#
|
#
|
||||||
# try a smaller, but still v2 compatible Client Hello
|
# try a smaller, but still v2 compatible Client Hello
|
||||||
#
|
#
|
||||||
join_array_by_char ':' "${SHORTCIPHERSUITE[@]}"
|
local ciphers="$SHORTCIPHERSUITESTRING"
|
||||||
local ciphers="$joined_array"
|
|
||||||
|
|
||||||
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
|
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
|
||||||
if [[ -n "$CAPATH" ]]; then
|
if [[ -n "$CAPATH" ]]; then
|
||||||
@ -1208,8 +1214,7 @@ test_tls_tolerance() {
|
|||||||
#
|
#
|
||||||
# use v3 format TLSv1.2 hello, small cipher list
|
# use v3 format TLSv1.2 hello, small cipher list
|
||||||
#
|
#
|
||||||
join_array_by_char ':' "${SHORTCIPHERSUITE[@]}"
|
local ciphers="$SHORTCIPHERSUITESTRING"
|
||||||
local ciphers="$joined_array"
|
|
||||||
|
|
||||||
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
|
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
|
||||||
if [[ -n "$CAPATH" ]]; then
|
if [[ -n "$CAPATH" ]]; then
|
||||||
@ -1471,8 +1476,7 @@ if (( ${#cipherspref[@]} == 0 )) || [[ ${pref[1]} == "SSLv2" ]]; then
|
|||||||
cipherspref=()
|
cipherspref=()
|
||||||
ciphercertificates=()
|
ciphercertificates=()
|
||||||
results=()
|
results=()
|
||||||
join_array_by_char ':' "${FALLBACKCIPHERSUITE[@]}"
|
get_cipher_pref "$FALLBACKCIPHERSUITESTRING"
|
||||||
get_cipher_pref "$joined_array"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
test_tls_tolerance
|
test_tls_tolerance
|
||||||
|
Loading…
Reference in New Issue
Block a user