From d7b99f125e3b91e9b0370992acba8709c975354d Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Fri, 9 May 2014 12:00:53 +0200 Subject: [PATCH 1/2] restore `timeout` some servers have port 443 open but won't reply to ClientHello requests, this hangs openssl s_client, as such we need to kill it after some timeout --- cipherscan | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/cipherscan b/cipherscan index ff8d321..2a0ed12 100755 --- a/cipherscan +++ b/cipherscan @@ -18,6 +18,7 @@ VERBOSE=0 DELAY=0 ALLCIPHERS=0 OUTPUTFORMAT="terminal" +TIMEOUT=10 usage() { @@ -140,7 +141,7 @@ test_cipher_on_target() { # Calculate the average handshake time for a specific ciphersuite bench_cipher() { local ciphersuite="$1" - local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" local t="$(date +%s%N)" verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'" for i in $(seq 1 $BENCHMARKITER); do @@ -164,9 +165,9 @@ get_cipher_pref() { [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.' local ciphersuite="$1" if [ -e $CACERTS ]; then - local sslcommand="$OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" else - local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" fi verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" test_cipher_on_target "$sslcommand" @@ -368,7 +369,7 @@ if [ $ALLCIPHERS -gt 0 ]; then echo; echo "All accepted ciphersuites" for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do r="fail" - osslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c" + osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c" test_cipher_on_target "$osslcommand" if [ $? -eq 0 ]; then r="pass" From dca614d2180259fc1edd91f9c6f0752768247ca8 Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Fri, 9 May 2014 14:44:50 +0200 Subject: [PATCH 2/2] use proper quit semantic for openssl s_client openssl s_client expect "Q" as the first character on a line, with case being significant. Also, the \n marker is unnecessary the echo command prints a newline automatically, additionally, for the \n to be actually interpreted, the -e option must be used --- cipherscan | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cipherscan b/cipherscan index 2a0ed12..e063fe8 100755 --- a/cipherscan +++ b/cipherscan @@ -72,8 +72,8 @@ test_cipher_on_target() { previous_cipher="" for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2" do - debug echo \"quit\\n\" \| $sslcommand $tls_version - local tmp=$(echo "quit\n" | $sslcommand $tls_version 1>/dev/stdout 2>/dev/null) + debug echo \"Q\" \| $sslcommand $tls_version + local tmp=$(echo "Q" | $sslcommand $tls_version 1>/dev/stdout 2>/dev/null) current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}') current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}') current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}') @@ -146,7 +146,7 @@ bench_cipher() { verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'" for i in $(seq 1 $BENCHMARKITER); do debug Connection $i - (echo "quit\n" | $sslcommand 2>/dev/null 1>/dev/null) + (echo "Q" | $sslcommand 2>/dev/null 1>/dev/null) if [ $? -gt 0 ]; then break fi