Compiled for 64-bit-linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Commands used:
./Configure linux-x86_64 no-shared zlib enable-gost enable-ec_nistp_64_gcc_128 enable-idea \
enable-md2 enable-rc5 enable-rfc3779 enable-ssl2 experimental-jpake
make depend
make
make report
bash has a built in regular expression processor, we can match
lines using =~
moreover, stuff that will match while being inside parentheses is
later available in the BASH_REMATCH array
the IFS (Internal Field Separator) by default includes space, tab and
new line, as such we can use it to split longer lines to separate
words, just as awk '{print $1}' can, just need to put the value to
an array for that
we also don't have to use $(echo $var) when assigning variables, $var
is enough
bash has also built in substitution engine, so we can do ${var/,/ & }
to switch all commas to ampersands when using the variable
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)
Use the mechanism from cipherscan to find location of ca cert bundle
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
This version uses slightly different syntax that is compatible with old
awk
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection
secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
it's relatively easy to make the cipher selection generic,
so that adding different clients is as easy as converting their
client hello cipher ordering to openssl cipher names
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
because neither M2crypto nor OpenSSL packages provide extensive
enough API to do certificate chain building, verification
and outputting of details, we have to pre-parse the data
with a C app that can access the full OpenSSL API.
I've also tried monkey patching the packages, but unfortunately
the result wasn't working reliably
The actual statistic collection (both about the chains and
specific certificates) will be done in a python script