From faad7128a78f80359f8eefc9a4c987d702feb25c Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Wed, 28 Oct 2020 10:13:22 +0100
Subject: [PATCH] If we are sure we don't have sslv2 we don't need to test any RC4 SSLv2 ciphers
---
 testssl.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 9b00b6a..cea2094 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -17870,7 +17870,8 @@ run_rc4() {
 return 0
 fi
- # get a list of all the cipher suites to test
+ # Get a list of all the cipher suites to test. #FIXME: This is rather ineffective as RC4 ciphers won't change.
+ # We should instead build a fixed list here like @ other functions
 if "$using_sockets" || [[ $OSSL_VER_MAJOR -lt 1 ]]; then
 for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
 if [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ RC4 ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then
@@ -17925,7 +17926,7 @@ run_rc4() {
 done < <($OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
 fi
- if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]]; then
+ if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then
 sslv2_sockets "${sslv2_ciphers_hex:2}" "true"
 if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
 supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
@@ -17938,7 +17939,7 @@ run_rc4() {
 fi
 done
 fi
- elif "$HAS_SSL2" && [[ -n "$sslv2_ciphers_ossl" ]]; then
+ elif "$HAS_SSL2" && [[ -n "$sslv2_ciphers_ossl" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then
 $OPENSSL s_client -cipher "${sslv2_ciphers_ossl:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE
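Review bot: The added guard `[[ $(has_server_protocol ssl2) -ne 1 ]]` on the new `if` line in the second hunk only does what the subject line promises if has_server_protocol prints its result on stdout; if it instead reports via its return status (its definition is not in this diff, so this is inferred from the name and the `-ne 1` comparison against a status-like value), the command substitution expands to an empty string, `[[ "" -ne 1 ]]` is evaluated as `0 -ne 1` and is always true, so the SSLv2 RC4 probe is never skipped and the commit is a no-op. The identical expression is repeated on the `elif` line in the third hunk, so both sites need the same treatment. If it is status based, capture it once before the branch and reuse it in both conditions: `has_server_protocol ssl2`, `ssl2_status=$?`, then `[[ $ssl2_status -ne 1 ]]` in place of the substitution; keeping `-ne 1` rather than `-eq 0` is the right choice, because an "unknown" result must still fall through to the real probe so an RC4-over-SSLv2 finding is not lost. The failure mode of the current form is at least the benign one: the scan stays complete and only the intended shortcut is lost. run_rc4 starts and ends outside these hunks.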