Updated cipherscan to handle environmental error conditions better:
1. If the bundled openssl is a bad binary (e.g. wrong glibc), use the system openssl. 2. Skip the bundled openssl.cnf if it causes failures (e.g. an openssl without GOST).
This commit is contained in:
parent
db4b16e50c
commit
b3eb0ac67b
31
cipherscan
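--- a/cipherscan
+++ b/cipherscan
@@ -42,11 +42,6 @@ if [[ "$TIMEOUTOUTPUT" =~ BusyBox ]]; then
 TIMEOUTBIN="$TIMEOUTBIN -t"
 fi
 
-# use custom config file to enable GOST ciphers
-if [[ -e $(dirname $0)/openssl.cnf ]]; then
-export OPENSSL_CONF="$(dirname $0)/openssl.cnf"
-fi
-
 # find a list of trusted CAs on the local system, or use the provided list
 if [ -z "$CACERTS" ]; then
 for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
@@ -1369,8 +1364,34 @@ if [ ! -x $OPENSSLBIN ]; then
 if [ "$OUTPUTFORMAT" == "terminal" ]; then
 echo "custom openssl not executable, falling back to system one from $OPENSSLBIN"
 fi
+else
+tmp=$(echo "quit" | $OPENSSLBIN 2>&1)
+if [ $? -ne 0 ]; then
+OPENSSLBIN=$(which openssl)
+if [ "$OUTPUTFORMAT" == "terminal" ]; then
+echo "custom openssl fails to execute properly, falling back to system one from $OPENSSLBIN"
+verbose "execution failure message: $tmp"
+fi
+fi
 fi
 
+# use custom config file to enable GOST ciphers if supported by whatever $OPENSSLBIN we ended up with
+if [[ -e $(dirname $0)/openssl.cnf ]]; then
+tmp=$(OPENSSL_CONF="$(dirname $0)/openssl.cnf" $OPENSSLBIN s_client -help 2>&1 | grep :error:)
+if [ -z "$tmp" ]; then
+export OPENSSL_CONF="$(dirname $0)/openssl.cnf"
+if [ "$OUTPUTFORMAT" == "terminal" ]; then
+verbose "Enabling GOST ciphers via OPENSSL_CONF"
+fi
+else
+if [ "$OUTPUTFORMAT" == "terminal" ]; then
+echo "Not enabling GOST ciphers via OPENSSL_CONF due to errors: see verbose for details"
+verbose "GOST config failed: $tmp"
+fi
+fi
+fi
+
+
 if [ $TEST_CURVES == "True" ]; then
 if [ ! -z "$($OPENSSLBIN s_client -curves 2>&1|head -1|grep 'unknown option')" ]; then
 echo "curves testing not available with your version of openssl, disabling it"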
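Review bot: The new fallback `OPENSSLBIN=$(which openssl)` in the added else branch never checks that `which` found anything, so on a host with no system openssl in PATH OPENSSLBIN becomes empty, the notice reports an empty path, and the later `$OPENSSLBIN s_client` probes run against an empty command; `OPENSSLBIN=$(command -v openssl) || { echo "no usable openssl binary found" >&2; exit 1; }` would stop there instead, using whichever fatal-exit convention the script follows elsewhere. The enclosing `if [ ! -x $OPENSSLBIN ]` block begins before this hunk, and its pre-existing `-x` fallback presumably has the same gap. Separately, both fallback notices and the openssl.cnf decision are only reported when OUTPUTFORMAT is terminal, so JSON or other machine-readable runs carry no indication of which openssl binary produced the results or whether the GOST config was applied; the `verbose` calls look like diagnostics rather than result output, so emitting them regardless of OUTPUTFORMAT would keep that visible without touching the structured output.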