Fix curve fallback detection
parent
b2a399617f
commit
a966574edc
21
cipherscan
21
cipherscan
@ -840,10 +840,8 @@ test_curves() {
|
|||||||
local cname="$(get_curve_name ${ephem_data[1]})"
|
local cname="$(get_curve_name ${ephem_data[1]})"
|
||||||
if [ "$cname" == "$most_wanted" ]; then
|
if [ "$cname" == "$most_wanted" ]; then
|
||||||
curves_ordering="client"
|
curves_ordering="client"
|
||||||
break
|
|
||||||
else
|
else
|
||||||
curves_ordering="server"
|
curves_ordering="server"
|
||||||
break
|
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# some servers downgrade to non ECDH when curve order is changed
|
# some servers downgrade to non ECDH when curve order is changed
|
||||||
@ -858,7 +856,12 @@ test_curves_fallback() {
|
|||||||
local fallback_available="False"
|
local fallback_available="False"
|
||||||
# return variable: whatever a server will fall back to non ECC suite when
|
# return variable: whatever a server will fall back to non ECC suite when
|
||||||
# client doesn't advertise support for curves the server needs
|
# client doesn't advertise support for curves the server needs
|
||||||
fallback_supported="False"
|
fallback_supported="unknown"
|
||||||
|
|
||||||
|
if [ "$ecc_ciphers" == "" ]; then
|
||||||
|
verbose "No ECC cipher found, can't test curve fallback"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
# prepare the ssl command we'll be using
|
# prepare the ssl command we'll be using
|
||||||
local sslcommand=""
|
local sslcommand=""
|
||||||
@ -885,20 +888,16 @@ test_curves_fallback() {
|
|||||||
IFS=':'
|
IFS=':'
|
||||||
local test_curves="${curves[*]}"
|
local test_curves="${curves[*]}"
|
||||||
IFS="$OLDIFS"
|
IFS="$OLDIFS"
|
||||||
verbose "Testing $test_curves"
|
verbose "Testing $sslcommand -curves $test_curves"
|
||||||
|
|
||||||
ratelimit
|
ratelimit
|
||||||
local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
|
local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
|
||||||
parse_openssl_output <<<"$tmp"
|
parse_openssl_output <<<"$tmp"
|
||||||
|
|
||||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" || $current_cipher == '0000' ]]; then
|
if [[ -z $current_protocol || $current_cipher == "(NONE)" || $current_cipher == '0000' ]]; then
|
||||||
# server aborted connection
|
verbose "Curve fallback failed, server refused connection"
|
||||||
if [[ $fallback_available == "True" ]]; then
|
fallback_supported="False"
|
||||||
fallback_supported="False"
|
break
|
||||||
else
|
|
||||||
fallback_supported="unknown"
|
|
||||||
fi
|
|
||||||
break
|
|
||||||
else
|
else
|
||||||
# server accepted connection
|
# server accepted connection
|
||||||
local ephem_data=(${current_pfs//,/ })
|
local ephem_data=(${current_pfs//,/ })
|
||||||
|
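Review bot: In test_curves_fallback the new refusal branch sets `fallback_supported="False"` for every probe that yields no protocol or cipher, but a timeout, a connection reset or a local openssl error produces the same empty result, because the probe's stderr goes to /dev/null and its exit status is hidden behind `local tmp=$(...)`. A transient failure would then be reported as a server that cannot fall back, and the verbose text "server refused connection" would state more than the check established. At minimum the branch should say what it actually observed, for example `# no handshake completed: refusal, timeout or openssl failure all land here`, with the verbose message worded to match. `fallback_available` is still declared at the top of the function although this branch no longer reads it; the loop continues outside the hunk, so whether it is still used elsewhere cannot be confirmed from here.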