
Fix curve fallback detection

This commit is contained in:
Julien Vehent 2015-04-01 14:51:01 -04:00
parent b2a399617f
commit a966574edc


@ -840,10 +840,8 @@ test_curves() {
local cname="$(get_curve_name ${ephem_data[1]})" local cname="$(get_curve_name ${ephem_data[1]})"
if [ "$cname" == "$most_wanted" ]; then if [ "$cname" == "$most_wanted" ]; then
curves_ordering="client" curves_ordering="client"
break
else else
curves_ordering="server" curves_ordering="server"
break
fi fi
else else
# some servers downgrade to non ECDH when curve order is changed # some servers downgrade to non ECDH when curve order is changed
@ -858,7 +856,12 @@ test_curves_fallback() {
local fallback_available="False" local fallback_available="False"
# return variable: whatever a server will fall back to non ECC suite when # return variable: whatever a server will fall back to non ECC suite when
# client doesn't advertise support for curves the server needs # client doesn't advertise support for curves the server needs
fallback_supported="False" fallback_supported="unknown"
if [ "$ecc_ciphers" == "" ]; then
verbose "No ECC cipher found, can't test curve fallback"
return
fi
# prepare the ssl command we'll be using # prepare the ssl command we'll be using
local sslcommand="" local sslcommand=""
@ -885,19 +888,15 @@ test_curves_fallback() {
IFS=':' IFS=':'
local test_curves="${curves[*]}" local test_curves="${curves[*]}"
IFS="$OLDIFS" IFS="$OLDIFS"
verbose "Testing $test_curves" verbose "Testing $sslcommand -curves $test_curves"
ratelimit ratelimit
local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null) local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
parse_openssl_output <<<"$tmp" parse_openssl_output <<<"$tmp"
if [[ -z $current_protocol || $current_cipher == "(NONE)" || $current_cipher == '0000' ]]; then if [[ -z $current_protocol || $current_cipher == "(NONE)" || $current_cipher == '0000' ]]; then
# server aborted connection verbose "Curve fallback failed, server refused connection"
if [[ $fallback_available == "True" ]]; then
fallback_supported="False" fallback_supported="False"
else
fallback_supported="unknown"
fi
break break
else else
# server accepted connection # server accepted connection