
don't retry protocols we know don't work

When a connection with a given protocol is unsuccessful, don't try that protocol again,
since we have probably exhausted the ciphers it supports

makes scanning about 10% faster
Hubert Kario 2014-07-12 01:30:17 +02:00 committed by Hubert Kario
parent d2f112033d
commit caa534bfd7


@ -33,6 +33,8 @@ TIMEOUT=10
# trust anchors are stored # trust anchors are stored
CAPATH="" CAPATH=""
SAVECRT="" SAVECRT=""
unset ok_protocols
declare -A ok_protocols
usage() { usage() {
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [--savecrt directory] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port> echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [--savecrt directory] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
@ -107,6 +109,9 @@ test_cipher_on_target() {
certificates="" certificates=""
for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2" for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
do do
if [[ ${ok_protocols[$tls_version]} -eq 1 ]]; then
continue
fi
# sslv2 client hello doesn't support SNI extension # sslv2 client hello doesn't support SNI extension
# in SSLv3 mode OpenSSL just ignores the setting so it's ok # in SSLv3 mode OpenSSL just ignores the setting so it's ok
# -status exception is ignored in SSLv2, go figure # -status exception is ignored in SSLv2, go figure
@ -218,6 +223,7 @@ test_cipher_on_target() {
# parsing finished, report result # parsing finished, report result
if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
ok_protocols["$tls_version"]=1
# connection failed, try again with next TLS version # connection failed, try again with next TLS version
continue continue
else else
@ -287,7 +293,6 @@ bench_cipher() {
cipherbenchms="$((t/1000/$BENCHMARKITER))" cipherbenchms="$((t/1000/$BENCHMARKITER))"
} }
# Connect to the target and retrieve the chosen cipher # Connect to the target and retrieve the chosen cipher
# recursively until the connection fails # recursively until the connection fails
get_cipher_pref() { get_cipher_pref() {
@ -582,6 +587,8 @@ results=()
# Call to the recursive loop that retrieves the cipher preferences # Call to the recursive loop that retrieves the cipher preferences
get_cipher_pref $CIPHERSUITE get_cipher_pref $CIPHERSUITE
unset ok_protocols
declare -A ok_protocols
test_serverside_ordering test_serverside_ordering
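Review bot: The failed-connection branch in the `@ -218,6 +223,7 @@` hunk sets `ok_protocols["$tls_version"]=1` whenever `current_protocol` is empty or the cipher is `(NONE)`, so a single timeout or reset on one protocol (TIMEOUT=10 is in the first hunk's context) excludes that protocol for the rest of the scan and any remaining ciphers it supports are reported as unsupported. If that branch is also reached on transport errors — the parsing that sets `current_protocol` is outside the hunk — the assumption should at least be stated next to the new line, e.g. `# any failure counts as 'no more ciphers for this protocol'; a transient timeout here drops the protocol for the rest of the scan`. The skip in the second hunk, `if [[ ${ok_protocols[$tls_version]} -eq 1 ]]; then`, expands an element that is unset for every protocol not yet marked, which is an unbound-variable error if the script runs under `set -u`; `if [[ "${ok_protocols[$tls_version]:-0}" -eq 1 ]]; then` works either way. The `unset ok_protocols` / `declare -A ok_protocols` pair is duplicated in the first and last hunks, and a small `reset_ok_protocols()` helper would keep the two in step; test_cipher_on_target itself starts and ends outside the hunks.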