2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-12-27 05:03:42 +01:00

Test all versions of SSL and TLS

This commit is contained in:
Julien Vehent 2013-11-20 10:30:45 -05:00
parent 69087f27ac
commit a0e4f96a7b

View File

@ -23,21 +23,49 @@ verbose() {
# Connect to a target host with the selected ciphersuite
test_cipher_on_target() {
local sslcommand=$@
local tmp=$(mktemp)
$sslcommand 1>"$tmp" 2>/dev/null << EOF
cipher=""
protocols=""
pfs=""
for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
do
local tmp=$(mktemp)
$sslcommand $tls_version 1>"$tmp" 2>/dev/null << EOF
$REQUEST
EOF
# Parse the result
result="$(grep "New, " $tmp|awk '{print $5}') $(grep -E "^\s+Protocol\s+:" $tmp|awk '{print $3}') $(grep 'Server Temp Key' $tmp|awk '{print $4$5$6$7}')"
rm "$tmp"
if [ -z "$result" ]; then
current_cipher=$(grep "New, " $tmp|awk '{print $5}')
current_pfs=$(grep 'Server Temp Key' $tmp|awk '{print $4$5$6$7}')
current_protocol=$(grep -E "^\s+Protocol\s+:" $tmp|awk '{print $3}')
if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
# connection failed, try again with next TLS version
continue
fi
# connection succeeded, add TLS version to positive results
if [ -z "$protocols" ]; then
protocols=$current_protocol
else
protocols="$protocols,$current_protocol"
fi
cipher=$current_cipher
pfs=$current_pfs
# grab the cipher and PFS key size
rm "$tmp"
done
# if cipher is empty, that means none of the TLS version worked with
# the current cipher
if [ -z "$cipher" ]; then
verbose "handshake failed, no ciphersuite was returned"
result='ConnectionFailure'
return 2
elif [ "$result" == '(NONE) ' ]; then
# if cipher contains NONE, the cipher wasn't accepted
elif [ "$cipher" == '(NONE) ' ]; then
result="$cipher $protocols $pfs"
verbose "handshake failed, server returned ciphersuite '$result'"
return 1
# the connection succeeded
else
result="$cipher $protocols $pfs"
verbose "handshake succeeded, server returned ciphersuite '$result'"
return 0
fi
@ -67,15 +95,16 @@ EOF
# Connect to the target and retrieve the chosen cipher
# recursively until the connection fails
get_cipher_pref() {
local ciphersuite="$1"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
test_cipher_on_target "$sslcommand"
local success=$?
cipherspref=("${cipherspref[@]}" "$result")
# If the connection succeeded with the current cipher, benchmark and store
if [ $success -eq 0 ]; then
cipherspref=("${cipherspref[@]}" "$result")
pciph=$(echo $result|awk '{print $1}')
get_cipher_pref "!$pciph:$ciphersuite"
return 0
@ -111,6 +140,8 @@ results=()
# Call to the recursive loop that retrieves the cipher preferences
get_cipher_pref $CIPHERSUITE
# Display the results
ctr=1
for cipher in "${cipherspref[@]}"; do
pciph=$(echo $cipher|awk '{print $1}')
@ -125,9 +156,9 @@ for cipher in "${cipherspref[@]}"; do
done
if [ $DOBENCHMARK -eq 1 ]; then
header="prio ciphersuite protocol pfs_keysize avg_handshake_microsec"
header="prio ciphersuite protocols pfs_keysize avg_handshake_microsec"
else
header="prio ciphersuite protocol pfs_keysize"
header="prio ciphersuite protocols pfs_keysize"
fi
ctr=0
for result in "${results[@]}"; do