Certain SSL servers may emit a different certificate for each TLS
protocol version. Previously, we simply emitted one of their signature
algorithms. Now, we emit an array where each element corresponds to the
array of TLS versions.
This will be extended to the other certificate-dependent attributes in
future commits.
Rather than doing if-return, elif-return, else-return, just do
if-return, if-return, if-return. This provides no immediate benefit to
the code itself, but permits the introduction of code that alters the
$sigalg variable in between the first if-return and the latter two in an
upcoming commit.
tls_tolerance is an array, so we need to use array syntax...
since if the server is tls version intolerant we will be printing
a lot of info, space it out from the certificate-related summary
ephemeral sigalgs are also printing a lot of information, so space
them from the TLS Tolerance test results
fixes two issues
1). -help message is used from the openssl set with the -o option
2). doesn't use GOST config unconditionally - verifies that it works
first
based partially off of Greg Owen <gowen@swynwyr.com> work in #67fixes#86
a 2047 bit RSA certificate is just as secure as 2048 bit one (and
known good algorithms can very infrequently provide them when asked for
2048) so accept them too
DSA keys are bad in every case, so always red color them
ECDSA keys are OK above 256 bits
since the signature and hash algorithm in TLSv1.2 is selectable by server
and negotiated using TLS extensions, we can check what sig algs is
the server willing to perform and whatever it does honour client
selection
it also tests what happens if the client doesn't offer any sigalgs that
are necessary to use the ciphers selected by server
In cipherscan line 851:
local selected=($result)
^-- SC2128: Expanding an array without an index only gives the first element.
In cipherscan line 852:
if [[ $selected == "$prefered" ]]; then
^-- SC2128: Expanding an array without an index only gives the first element.
In cipherscan line 469:
if [[ ${known_certs[$cksum]} == $cert ]]; then
^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.
In cipherscan line 852:
if [[ $selected == $prefered ]]; then
^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.
In cipherscan line 915:
if [[ "$cname" == ${curves[$id]} ]]; then
^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.
In cipherscan line 294:
echo $identifier
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 587:
current_curves="$(get_curve_name $(echo $pfs|cut -d ',' -f2))"
^-- SC2046: Quote this to prevent word splitting.
In cipherscan line 603:
debug Connection $i
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 715:
echo $header
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 719:
echo $result|grep -v '(NONE)'
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 897:
local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 910:
cname="$(get_curve_name ${ephem_data[1]})"
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 953:
local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 967:
local cname="$(get_curve_name ${ephem_data[1]})"
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 1017:
local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 1030:
local cname="$(get_curve_name ${ephem_data[1]})"
^-- SC2086: Double quote to prevent globbing and word splitting.