EXP is self explanatory - export grade
DES-CBC3-MD5 is available only in SSLv2 - not secure
RC4-64-MD5 is also a weakened version (though not marked as export grade)
It's unlikely that there are SSLv2 only servers on the 'net, all
that were detected as such and I've checked actually are intolerant
to low placement of RC4 in cipher order or intolerant to large client
hello in general. In case we detect issues with the server, switch to
reduced cipher set and run the test again that should give better results
for about 3% of hosts
because to advertise curves to server we need extensions and
extensions are only available in TLSv1.0 or later, we need to force
OpenSSL not to send SSLv2 compatible hello if it thinks it's ok to
do (when there are SSLv2 ciphers present in cipherstring it will try to)
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported
use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
Compiled for 64-bit-linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Commands used:
./Configure linux-x86_64 no-shared zlib enable-gost enable-ec_nistp_64_gcc_128 enable-idea \
enable-md2 enable-rc5 enable-rfc3779 enable-ssl2 experimental-jpake
make depend
make
make report
bash has a built in regular expression processor, we can match
lines using =~
moreover, stuff that will match while being inside parentheses is
later available in the BASH_REMATCH array
the IFS (Internal Field Separator) by default includes space, tab and
new line, as such we can use it to split longer lines to separate
words, just as awk '{print $1}' can, just need to put the value to
an array for that
we also don't have to use $(echo $var) when assigning variables, $var
is enough
bash has also built in substitution engine, so we can do ${var/,/ & }
to switch all commas to ampersands when using the variable
