From eb752c541c7e5836401150ea367bb3f96e35a887 Mon Sep 17 00:00:00 2001
From: Richard Soderberg
Date: Fri, 18 Sep 2015 16:29:32 -0700
Subject: [PATCH] Add handling for TLS-variant ticket hint value.

This, as previous commits, adds support for reporting the TLS ticket hint value per-protocol, which results in a lot of 'None' for SSLv3 (as expected).
---
 cipherscan | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/cipherscan b/cipherscan
index 5aef14a..770dd3d 100755
--- a/cipherscan
+++ b/cipherscan
@@ -512,6 +512,7 @@ test_cipher_on_target() {
 certificates=""
 declare -A sigalgs=()
 declare -A pfses=()
+ declare -A tickethints=()
 for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do
 # sslv2 client hello doesn't support SNI extension
 # in SSLv3 mode OpenSSL just ignores the setting so it's ok
@@ -628,7 +629,7 @@ test_cipher_on_target() {
 pubkey=$current_pubkey
 sigalgs[$current_protocol]="$current_sigalg"
 trusted=$current_trusted
- tickethint=$current_tickethint
+ tickethints[$current_protocol]=$current_tickethint
 ocspstaple=$current_ocspstaple
 certificates="$current_certificates"
 # grab the cipher and PFS key size
@@ -677,6 +678,24 @@ test_cipher_on_target() {
 pfs="${pfses[@]}"
 fi

+ # Flatten the tickethints list to a single item if every entry is the same.
+ if (( ${#tickethints[*]} > 1 )); then
+ local tickethints_values=()
+ for each_protocol in "${protocols[@]}"; do
+ tickethints_values+=("${tickethints[$each_protocol]}")
+ done
+ if [[ $OUTPUTFORMAT == 'json' ]]; then
+ # Don't deduplicate for JSON.
+ join_array_by_char ',' "${tickethints_values[@]}"
+ else
+ flatten_or_join_array_by_char ',' "${tickethints_values[@]}"
+ fi
+ tickethint="$joined_array"
+ else
+ # Just extract the one value that's present and use it.
+ tickethint="${tickethints[@]}"
+ fi
+
 # Pre-join this, since we use it in a couple of places below.
 join_array_by_char ',' "${protocols[@]}"
 protocols_csv="$joined_array"
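Review bot: In the third hunk (`@@ -677,6 +678,24 @@`), `tickethints_values+=("${tickethints[$each_protocol]}")` appends an empty element for any entry of `protocols` that has no recorded hint, and the `else` branch sets `tickethint` to an empty string when the array has no entries at all. Whether either case can occur depends on code outside the hunk, but an empty field would surface as `""` in the JSON array and, if the result record is later split on whitespace, could shift the columns that follow it. Falling back to the `None` the commit message mentions keeps the record well-formed: `tickethints_values+=("${tickethints[$each_protocol]:-None}")` and `tickethint="${tickethints[*]:-None}"`. `each_protocol` is also not declared `local` the way `tickethints_values` is, so it leaks out of the function. The body of `test_cipher_on_target` starts and ends outside the hunk.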
@@ -1009,7 +1028,7 @@ display_results_in_json() {
 if [[ -n $CAPATH ]]; then
 echo -n "\"certificates\":[${ciphercertificates[$ctr]}],"
 fi
- echo -n "\"ticket_hint\":\"${cipher_arr[5]}\","
+ echo -n "\"ticket_hint\":[\"${cipher_arr[5]//,/\",\"}\"],"
 echo -n "\"ocsp_stapling\":\"${cipher_arr[6]}\","
 echo -n "\"pfs\":[\"${cipher_arr[7]//\;/\",\"}\"]"
 if [[ "${cipher_arr[0]}" =~ ECDH ]]; then
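Review bot: The new `ticket_hint` line places `${cipher_arr[5]}` inside JSON string literals with no escaping beyond turning commas into `","`, so a hint containing `"` or `\` would yield invalid or misleading JSON. If `current_tickethint` is parsed from the scanned server's handshake output (not visible here), it is remote-influenced and worth constraining where it is captured, for example `[[ $current_tickethint =~ ^[0-9]+$ ]] || current_tickethint=None`. The field also changes type from a string to an array, which existing consumers of the JSON report would need to handle; a comment above the line such as `# ticket_hint: one entry per protocol, in the order of the protocols list` would document the new contract. `display_results_in_json` continues outside the hunk.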