-rw-r--r-- | notes.txt | 4 | ||||
-rwxr-xr-x | openssl-connect | 28 | ||||
-rwxr-xr-x | openssl-listen | 52 |
3 files changed, 63 insertions, 21 deletions
@@ -59,7 +59,7 @@ rm ok.txt nok.txt;time while read url; do cipher="${url%%.*}";cipher="${cipher## for url in $(cat res/ok.txt); do host="${url##*/}"; echo;echo;echo _____ $host;(printf "GET / HTTP/1.1\r\nHost: $host\r\n\r\n";sleep .2) | openssl s_client -connect "$host" -CApath /etc/nginx/certs; done 2>&1 | tee s_client-all-res-ok.txt -The following OpenSSL cipher suites do not connect to nginx: +The following OpenSSL cipher suites do not connect to nginx (obsolete): EXP-EDH-DSS-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA PSK-RC4-SHA @@ -84,7 +84,7 @@ ECDH-RSA-AES256-GCM-SHA384 Groupable to: - EXP-EDH-{DSS,RSA} - PSK -- ECDH-RSA +- ECDH-RSA (obsolete, it is supported with correct cert) - SRP Not supported by GnuTLS (source: diff --git a/openssl-connect b/openssl-connect index 55e896e..ceb24b2 100755 --- a/openssl-connect +++ b/openssl-connect 
@@ -25,36 +25,50 @@ s_client_client_random() { / ClientHello|ServerHello$/{l=3;s=""} END{ + has_random = 0; for (rnd in r) { + has_random = 1; if (key) print "CLIENT_RANDOM", rnd, key else print "# No master key for random", rnd } + # should not be possible since the first thing we sent out is a + # ClientHello, but just to be sure... + if (!has_random) { + if (key) + print "# No random found for key", key + else + print "# No random nor key found" + } }' } # When stdin is a TTY, try all ciphers if [ -t 0 ]; then - openssl ciphers -V | awk '{print $3, substr($6, 4)}' + openssl ciphers -V | awk '{print $3, substr($5, 4), substr($6, 4)}' else # otherwise if not TTY, pass-through cat fi | -while read cipher auth; do - case $auth in - RSA) +while read cipher keyex auth; do + case $keyex,$auth in + *,RSA) port=$portbase ;; - ECDH|ECDSA) + ECDH/ECDSA,ECDH|*,ECDSA) port=$((portbase+1)) ;; - DSS) + ECDH/RSA,ECDH) port=$((portbase+2)) ;; - PSK|*) + *,DSS) + port=$((portbase+3)) ;; + *,PSK|*) echo "Skipping unsupported $auth" >&2 continue ;; esac + echo "# Cipher Suite $cipher" + # It is expected that the other side closes the connection printf "GET / HTTP/1.0\r\n\r\n" | openssl s_client -connect "$host:$port" -ign_eof -cipher "$cipher" \ diff --git a/openssl-listen b/openssl-listen index f4cf984..e45e3dd 100755 --- a/openssl-listen +++ b/openssl-listen @@ -6,8 +6,10 @@ rsa_prv=server.pem rsa_pub=server.crt dsa_prv=dsa.pem dsa_pub=dsa.crt -ecc_prv=secp384r1.pem -ecc_pub=secp384r1.crt +ecd_prv=secp384r1-dsa.pem +ecd_pub=secp384r1-dsa.crt +ecc_prv=secp384r1-rsa.pem +ecc_pub=secp384r1-rsa.crt pkdir=$1 portbase=${2:-4430} 
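Review bot: The pass-through branch of openssl-connect (`else cat`) now expects three columns on stdin, but the new `cipher keyex auth` format is not documented anywhere in the hunk. A line in the old two-column `cipher auth` form leaves `$auth` empty, falls into the `*,PSK|*` arm and is reported as `Skipping unsupported ` with no name. I would add a comment above the loop such as `# stdin format: <cipher> <Kx> <Au>, e.g. "ECDH-RSA-AES256-GCM-SHA384 ECDH/RSA ECDH"` and make the message identify the suite: `echo "Skipping unsupported $cipher (Kx=$keyex, Au=$auth)" >&2`. Using `read -r` would also be safer for piped input. The loop body continues past the end of the hunk.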
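Review bot: The new `ecd_prv`/`ecd_pub` variables sit next to `ecc_prv`/`ecc_pub` in openssl-listen with nothing to say which pair is which, and the file names (`secp384r1-dsa.*` vs `secp384r1-rsa.*`) only hint at it. Judging from start_server later in the diff, `ecd_*` is the ECDSA certificate and `ecc_*` the ECDH certificate issued by the RSA key. A one-line comment on each pair would record that, e.g. `# ECDSA: EC key, self-signed` and `# fixed ECDH: EC key, certificate signed by the RSA key`.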
@@ -27,13 +29,24 @@ if ! mkdir -p "$pkdir"; then exit 1 fi +set -u + pids=() gen_pk() { - local type keyfile crtfile + local type keyfile crtfile x509_opts ca_key ca_crt type=$1 keyfile=$2 crtfile=$3 + # only necessary + ca_key=$4 + ca_crt=$5 + + if [ -n "$ca_key" ]; then + x509_opts=(-CA "$ca_crt" -CAkey "$ca_key" -set_serial 1$RANDOM) + else + x509_opts=(-signkey "$keyfile") + fi case $type in RSA) @@ -42,18 +55,24 @@ gen_pk() { DSS) openssl dsaparam 1024 | openssl gendsa /dev/stdin -out "$keyfile" ;; - ECDH|ECDSA) - openssl ecparam -name prime192v1 -out "$keyfile" -genkey + ECDSA) + openssl ecparam -name secp384r1 -out "$keyfile" -genkey + ;; + ECDH) + openssl ecparam -name secp384r1 -out "$keyfile" -genkey ;; *) echo "Invalid cert type $type" >&2 return 1 esac - openssl req -new -key "$keyfile" -x509 -days 3650 -out "$crtfile" -subj "/CN=Test Certificate $type" + + openssl req -new -key "$keyfile" -subj "/CN=Test Certificate $type" | + openssl x509 -req -days 3650 -out "$crtfile" \ + "${x509_opts[@]}" } start_server() { - local keyfile crtfile port auth + local keyfile crtfile port auth ca_key= ca_crt= auth=$1 case $auth in @@ -62,15 +81,22 @@ start_server() { keyfile=$rsa_prv port=$portbase ;; - ECDH|ECDSA) + ECDSA) + crtfile=$ecd_pub + keyfile=$ecd_prv + port=$((portbase+1)) + ;; + ECDH) crtfile=$ecc_pub keyfile=$ecc_prv - port=$((portbase+1)) + ca_key=$pkdir$rsa_prv + ca_crt=$pkdir$rsa_pub + port=$((portbase+2)) ;; DSS) crtfile=$dsa_pub keyfile=$dsa_prv - port=$((portbase+2)) + port=$((portbase+3)) ;; *) echo "Invalid cert type $auth" >&2 @@ -79,7 +105,9 @@ start_server() { esac if [ ! -e "$pkdir$crtfile" ]; then - gen_pk "$auth" "$pkdir$keyfile" "$pkdir$crtfile" || return 1 + gen_pk "$auth" \ + "$pkdir$keyfile" "$pkdir$crtfile" \ + "$ca_key" "$ca_crt" || return 1 fi openssl s_server -accept $port \ @@ -95,7 +123,7 @@ cleanup() { } trap cleanup EXIT -for auth in RSA ECDH DSS; do +for auth in RSA ECDSA ECDH DSS; do start_server $auth done |
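Review bot: The new comment `# only necessary` in gen_pk stops mid-sentence. With `set -u` now active, `ca_key=$4` and `ca_crt=$5` also abort the script for any caller that passes only three arguments. I would finish the comment, e.g. `# CA key and cert; empty means self-signed (-signkey)`, and read the optional arguments as `ca_key=${4-}` and `ca_crt=${5-}`. `-set_serial 1$RANDOM` draws from only 32768 values; that is fine for one throwaway test certificate, but it deserves a comment so the line is not reused where a CA issues more than one certificate. gen_pk's body continues in the next hunk.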
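Review bot: In gen_pk the new `ECDSA)` and `ECDH)` arms run the identical `openssl ecparam -name secp384r1 -out "$keyfile" -genkey` command, so they could stay a single `ECDSA|ECDH)` arm; the two certificate types differ only in how they are signed. gen_pk's exit status is now just that of `openssl x509` at the end of the pipeline, so a failed key generation or `openssl req` is noticed only indirectly. Adding `|| return 1` to the key-generation commands would make that explicit. It also seems possible that a failed run leaves an empty or partial `$crtfile` behind, in which case the `[ ! -e "$pkdir$crtfile" ]` test in start_server would skip regeneration on the next run; that is worth verifying.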
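Review bot: The `ECDH)` arm of start_server points `ca_key`/`ca_crt` at the RSA key pair under `$pkdir`, so it depends on the RSA certificate already existing. Today only the order of `for auth in RSA ECDSA ECDH DSS` guarantees that. A comment on the arm would make the dependency visible, e.g. `# signed by the RSA key pair; start_server RSA must have run first`. The port offsets (+1 ECDSA, +2 ECDH, +3 DSS) are now duplicated in the `case` in openssl-connect, so a short comment listing the mapping in both scripts would help keep them in sync.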