From a966574edc1feef8733422d72d8c9013def0ade5 Mon Sep 17 00:00:00 2001
From: Julien Vehent
Date: Wed, 1 Apr 2015 14:51:01 -0400
Subject: [PATCH] Fix curve fallback detection
---
 cipherscan | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/cipherscan b/cipherscan
index 7804f13..3948edc 100755
--- a/cipherscan
+++ b/cipherscan
@@ -840,10 +840,8 @@ test_curves() {
 local cname="$(get_curve_name ${ephem_data[1]})"
 if [ "$cname" == "$most_wanted" ]; then
 curves_ordering="client"
- break
 else
 curves_ordering="server"
- break
 fi
 else
 # some servers downgrade to non ECDH when curve order is changed
@@ -858,7 +856,12 @@ test_curves_fallback() {
 local fallback_available="False"
 # return variable: whatever a server will fall back to non ECC suite when
 # client doesn't advertise support for curves the server needs
- fallback_supported="False"
+ fallback_supported="unknown"
+
+ if [ "$ecc_ciphers" == "" ]; then
+ verbose "No ECC cipher found, can't test curve fallback"
+ return
+ fi
 
 # prepare the ssl command we'll be using
 local sslcommand=""
@@ -885,20 +888,16 @@ test_curves_fallback() {
 IFS=':'
 local test_curves="${curves[*]}"
 IFS="$OLDIFS"
- verbose "Testing $test_curves"
+ verbose "Testing $sslcommand -curves $test_curves"
 ratelimit
 local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
 parse_openssl_output <<<"$tmp"
 if [[ -z $current_protocol || $current_cipher == "(NONE)" || $current_cipher == '0000' ]]; then
- # server aborted connection
- if [[ $fallback_available == "True" ]]; then
- fallback_supported="False"
- else
- fallback_supported="unknown"
- fi
- break
+ verbose "Curve fallback failed, server refused connection"
+ fallback_supported="False"
+ break
 else
 # server accepted connection
 local ephem_data=(${current_pfs//,/ })
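Review bot: The early `return` added after the new `ecc_ciphers` check in test_curves_fallback (second hunk) carries no explicit status, so the function's exit code becomes whatever `verbose` last returned; a caller that tests that status could read a silent verbose as a failure even though `fallback_supported="unknown"` was set deliberately. Use `return 0` there. The guard is also written as `[ "$ecc_ciphers" == "" ]` while the surrounding function uses `[[ … ]]`; `[[ -z "$ecc_ciphers" ]]` matches the file's style and avoids the non-POSIX `==` inside single brackets. Where `ecc_ciphers` is populated is not visible in this hunk, so I am assuming it is a global filled earlier in the scan — a one-line comment such as `# assumes ecc_ciphers was populated earlier by the scan; empty means no ECC suite was offered — confirm` would make the precondition explicit. test_curves_fallback begins and continues outside this hunk.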