Bash implements a backwards-compatible sh syntax for [ .. ], which
handles undef variables poorly. Use [[ .. ]] instead, to take full
advantage of the Bash improvements to the comparison brackets.
because subprocess returns `bytes` in Python 3
we need to interpret them to characters, which are needed by json
input and string parsing
fixes#69, #71
buggy servers may choke on large ClientHello's, TLSv1.2 ClientHello's,
etc. try to detect such failures and report them
among tried connections are TLS1.2, TLS1.1, TLS1.0 and SSLv3 with
ability to downgrade to lower protocol versions as well as a size
limited client hello, both TLS1.2 and TLS1.0 version
EXP is self explanatory - export grade
DES-CBC3-MD5 is available only in SSLv2 - not secure
RC4-64-MD5 is also a weakened version (though not marked as export grade)
It's unlikely that there are SSLv2 only servers on the 'net, all
that were detected as such and I've checked actually are intolerant
to low placement of RC4 in cipher order or intolerant to large client
hello in general. In case we detect issues with the server, switch to
reduced cipher set and run the test again that should give better results
for about 3% of hosts
because to advertise curves to server we need extensions and
extensions are only available in TLSv1.0 or later, we need to force
OpenSSL not to send SSLv2 compatible hello if it thinks it's ok to
do (when there are SSLv2 ciphers present in cipherstring it will try to)
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported
use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.