mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-23 06:33:41 +01:00
don't retry protocols we know don't work
When connection is unsuccessful with a given protocol, don't try it again since we probably exhausted the ciphers supported by the protocol makes scanning about 10% faster
This commit is contained in:
parent
d2f112033d
commit
caa534bfd7
@ -33,6 +33,8 @@ TIMEOUT=10
|
|||||||
# trust anchors are stored
|
# trust anchors are stored
|
||||||
CAPATH=""
|
CAPATH=""
|
||||||
SAVECRT=""
|
SAVECRT=""
|
||||||
|
unset ok_protocols
|
||||||
|
declare -A ok_protocols
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [--savecrt directory] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [--savecrt directory] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
||||||
@ -107,6 +109,9 @@ test_cipher_on_target() {
|
|||||||
certificates=""
|
certificates=""
|
||||||
for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
|
for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
|
||||||
do
|
do
|
||||||
|
if [[ ${ok_protocols[$tls_version]} -eq 1 ]]; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
# sslv2 client hello doesn't support SNI extension
|
# sslv2 client hello doesn't support SNI extension
|
||||||
# in SSLv3 mode OpenSSL just ignores the setting so it's ok
|
# in SSLv3 mode OpenSSL just ignores the setting so it's ok
|
||||||
# -status exception is ignored in SSLv2, go figure
|
# -status exception is ignored in SSLv2, go figure
|
||||||
@ -218,6 +223,7 @@ test_cipher_on_target() {
|
|||||||
|
|
||||||
# parsing finished, report result
|
# parsing finished, report result
|
||||||
if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
|
if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
|
||||||
|
ok_protocols["$tls_version"]=1
|
||||||
# connection failed, try again with next TLS version
|
# connection failed, try again with next TLS version
|
||||||
continue
|
continue
|
||||||
else
|
else
|
||||||
@ -287,7 +293,6 @@ bench_cipher() {
|
|||||||
cipherbenchms="$((t/1000/$BENCHMARKITER))"
|
cipherbenchms="$((t/1000/$BENCHMARKITER))"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Connect to the target and retrieve the chosen cipher
|
# Connect to the target and retrieve the chosen cipher
|
||||||
# recursively until the connection fails
|
# recursively until the connection fails
|
||||||
get_cipher_pref() {
|
get_cipher_pref() {
|
||||||
@ -582,6 +587,8 @@ results=()
|
|||||||
|
|
||||||
# Call to the recursive loop that retrieves the cipher preferences
|
# Call to the recursive loop that retrieves the cipher preferences
|
||||||
get_cipher_pref $CIPHERSUITE
|
get_cipher_pref $CIPHERSUITE
|
||||||
|
unset ok_protocols
|
||||||
|
declare -A ok_protocols
|
||||||
|
|
||||||
test_serverside_ordering
|
test_serverside_ordering
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user