
Commit 74a60d2

Identify TLS 1.3 ciphers by OpenSSL name
This commit changes the way that TLS 1.3 ciphers are identified by their OpenSSL names. To the degree possible, rather than checking for prefixes that have historically been used in various versions of OpenSSL and LibreSSL, the cipher name is checked against the known list of TLS 1.3 cipher suites that $OPENSSL supports. In the few places in which the cipher suite name to be checked may not be supported by $OPENSSL, a check for the prefix "TLS_" is also used.
1 parent 57cca5c commit 74a60d2

1 file changed

Lines changed: 12 additions & 14 deletions

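--- a/testssl.sh
+++ b/testssl.sh
@@ -4120,7 +4120,7 @@ run_cipher_match(){
 tls13_ciphers_to_test=""
 for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
 if ! "${ciphers_found2[i]}"; then
-if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]] || [[ "${ciph2[i]}" == AEAD-* ]]; then
+if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph2[i]}: ]]; then
 tls13_ciphers_to_test+=":${ciph2[i]}"
 else
 ciphers_to_test+=":${ciph2[i]}"
@@ -4138,7 +4138,7 @@ run_cipher_match(){
 [[ $i -eq $end_of_bundle ]] && break
 i=${index[i]}
 ciphers_found[i]=true
-if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]] || [[ "$cipher" == AEAD-* ]]; then
+if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${cipher}: ]]; then
 kx[i]="$(read_dhtype_from_file $TMPFILE)"
 fi
 if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
@@ -4394,7 +4394,7 @@ run_allciphers() {
 tls13_ciphers_to_test=""
 for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
 if ! "${ciphers_found2[i]}"; then
-if [[ "${ciph2[i]}" == TLS13* ]] || [[ "${ciph2[i]}" == TLS_* ]] || [[ "${ciph2[i]}" == AEAD-* ]]; then
+if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph2[i]}: ]]; then
 tls13_ciphers_to_test+=":${ciph2[i]}"
 else
 ciphers_to_test+=":${ciph2[i]}"
@@ -4412,7 +4412,7 @@ run_allciphers() {
 [[ $i -eq $end_of_bundle ]] && break
 i=${index[i]}
 ciphers_found[i]=true
-if [[ "$cipher" == TLS13* ]] || [[ "$cipher" == TLS_* ]] || [[ "$cipher" == AEAD-* ]]; then
+if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${cipher}: ]]; then
 kx[i]="$(read_dhtype_from_file $TMPFILE)"
 fi
 if [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]]; then
@@ -4603,11 +4603,9 @@ ciphers_by_strength() {
 fi
 while read hexc n ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
 if [[ "$proto" == -tls1_3 ]]; then
-[[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]] || [[ "${ciph[nr_ciphers]}" == AEAD-* ]] || continue
+[[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[nr_ciphers]}: ]] || continue
 elif [[ "$proto" == -tls1_2 ]]; then
-if [[ "${ciph[nr_ciphers]}" == TLS13* ]] || [[ "${ciph[nr_ciphers]}" == TLS_* ]] || [[ "${ciph[nr_ciphers]}" == AEAD-* ]]; then
-continue
-fi
+[[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[nr_ciphers]}: ]] && continue
 elif [[ "${ciph[nr_ciphers]}" == *-SHA256 ]] || [[ "${ciph[nr_ciphers]}" == *-SHA384 ]] || \
 [[ "${ciph[nr_ciphers]}" == *-CCM ]] || [[ "${ciph[nr_ciphers]}" == *-CCM8 ]] || \
 [[ "${ciph[nr_ciphers]}" =~ CHACHA20-POLY1305 ]]; then
@@ -11184,7 +11182,7 @@ run_fs() {
 tls13_ciphers_to_test=""
 for (( i=0; i < nr_supported_ciphers; i++ )); do
 if ! "${ciphers_found[i]}" && "${ossl_supported[i]}"; then
-if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then
+if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]]; then
 tls13_ciphers_to_test+=":${ciph[i]}"
 else
 ciphers_to_test+=":${ciph[i]}"
@@ -11211,7 +11209,7 @@ run_fs() {
 done
 [[ $i -eq $nr_supported_ciphers ]] && break
 ciphers_found[i]=true
-if [[ "$fs_cipher" == TLS13* ]] || [[ "$fs_cipher" == TLS_* ]] || [[ "$fs_cipher" == AEAD-* ]]; then
+if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${fs_cipher}: ]]; then
 fs_tls13_offered=true
 "$WIDE" && kx[i]="$(read_dhtype_from_file $TMPFILE)"
 elif [[ "$fs_cipher" == ECDHE-* ]]; then
@@ -11281,12 +11279,12 @@ run_fs() {
 fi
 fs_ciphers+="$fs_cipher "
 
-if [[ "${ciph[i]}" == ECDHE-* ]] || [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || \
-[[ "${ciph[i]}" == AEAD-* ]] || { "$using_sockets" && [[ "${rfc_ciph[i]}" == TLS_ECDHE_* ]]; }; then
+if [[ "${ciph[i]}" == ECDHE-* ]] || [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]] || [[ "${ciph[i]}" == TLS_* ]] || \
+{ "$using_sockets" && [[ "${rfc_ciph[i]}" == TLS_ECDHE_* ]]; }; then
 ecdhe_offered=true
 ecdhe_cipher_list_hex+=", ${hexcode[i]}"
 if [[ "${ciph[i]}" != "-" ]]; then
-if [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then
+if [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]] || [[ "${ciph[i]}" == TLS_* ]]; then
 tls13_cipher_list+=":$fs_cipher"
 else
 ecdhe_cipher_list+=":$fs_cipher"
@@ -11296,7 +11294,7 @@ run_fs() {
 if [[ "${ciph[i]}" == "DHE-"* ]] || { "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_DHE_"* ]]; }; then
 ffdhe_offered=true
 ffdhe_cipher_list_hex+=", ${hexcode[i]}"
-elif [[ "${ciph[i]}" == TLS13* ]] || [[ "${ciph[i]}" == TLS_* ]] || [[ "${ciph[i]}" == AEAD-* ]]; then
+elif [[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph[i]}: ]] || [[ "${ciph[i]}" == TLS_* ]]; then
 ffdhe_cipher_list_hex+=", ${hexcode[i]}"
 fi
 fi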
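Review bot: The right-hand side of `=~` is left unquoted in every new membership test (e.g. `[[ ":$TLS13_OSSL_CIPHERS:" =~ :${ciph2[i]}: ]]`), so the cipher name is interpreted as an extended regular expression instead of being matched literally. The names in an OpenSSL TLS 1.3 list are plain letters, digits and underscores, but the value being tested is whatever the cipher table holds — the hunk at 11288 shows `ciph[i]` can be `-`, and with other OpenSSL/LibreSSL builds the table may carry names with regex metacharacters — so a literal comparison is what these checks intend. Quoting the expansion makes bash treat it literally, `[[ ":$TLS13_OSSL_CIPHERS:" =~ ":${ciph2[i]}:" ]]`, or the same test can be written as a glob, `[[ ":$TLS13_OSSL_CIPHERS:" == *":${ciph2[i]}:"* ]]`. Since the identical expression now appears eleven times across four functions, a one-line helper such as `is_tls13_ossl_cipher() { [[ ":$TLS13_OSSL_CIPHERS:" == *":$1:"* ]]; }` would keep the quoting right in a single place. run_cipher_match, run_allciphers, ciphers_by_strength and run_fs all begin and end outside these hunks.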
