#!/bin/bash
# Connects to an SSL host once per cipher in a list, and prints key-log lines
# Author: Peter Wu <lekensteyn@gmail.com>

# Positional arguments: target host (default localhost) and the base port
# (default 4430); the main loop adds a per-authentication-type offset to it.
host="${1:-localhost}"
portbase="${2:-4430}"

#######################################
# Turns `openssl s_client -msg` output into NSS key-log lines.
# Reads the hex dump on stdin; for every ClientHello/ServerHello header it
# collects the 32-byte random from the three dump lines that follow (fields
# 7-16 of the first, all 16 of the second, 1-6 of the third) and pairs each
# random with the Master-Key from the session dump. The output therefore
# contains session secrets.
# Arguments: none (stdin is the s_client output)
# Outputs:   "CLIENT_RANDOM <random> <master-key>" per random, or a
#            "# ..." comment line when the random or the key is missing
#######################################
s_client_client_random() {
    awk '
    # The session dump at the end of the output carries the master secret
    /Master-Key:/ { master = $2 }

    # Runs for every line. "remaining" counts down the three dump lines after
    # a hello header; the header rule below is evaluated after this block, so
    # the header line itself never contributes to "hex".
    {
        first = 1; last = 16
        if (remaining == 3) first = 7   # skip type(1)+length(3)+version(2)
        if (remaining == 1) last = 6    # random ends after 6 bytes of line 3
        for (col = first; col <= last; col++)
            hex = hex $col

        # third dump line reached: remember the accumulated random
        if (remaining-- == 1)
            randoms[hex] = 1
    }

    # A hello message starts: reset the accumulator and the countdown
    / ClientHello|ServerHello$/ { remaining = 3; hex = "" }

    END {
        seen = 0
        for (rnd in randoms) {
            seen = 1
            if (master)
                print "CLIENT_RANDOM", rnd, master
            else
                print "# No master key for random", rnd
        }
        # A ClientHello is always sent first, so this branch is defensive only
        if (!seen) {
            if (master)
                print "# No random found for key", master
            else
                print "# No random nor key found"
        }
    }'
}

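# When stdin is a TTY, try all ciphers the local openssl knows about; the awk
# keeps field 3 (cipher name) and strips the "Kx=" / "Au=" prefixes from the
# key-exchange and authentication fields of `openssl ciphers -V`.
# Otherwise the caller supplies "cipher keyex auth" triples on stdin.
if [ -t 0 ]; then
    openssl ciphers -V | awk '{print $3, substr($5, 4), substr($6, 4)}'
else
    # otherwise if not TTY, pass-through
    cat
fi |
while read -r cipher keyex auth; do   # -r: do not let read interpret backslashes
    # Each authentication type is served on its own offset from portbase
    case "$keyex,$auth" in
    *,RSA)
        port=$portbase ;;
    ECDH/ECDSA,ECDH|*,ECDSA)
        port=$((portbase+1)) ;;
    ECDH/RSA,ECDH)
        port=$((portbase+2)) ;;
    *,DSS)
        port=$((portbase+3)) ;;
    *)
        # PSK and anything else: no listener is configured for it
        printf 'Skipping unsupported %s\n' "$auth" >&2
        continue
        ;;
    esac

    printf '# Cipher Suite %s\n' "$cipher"

    # It is expected that the other side closes the connection.
    # 2>&1 so that everything s_client prints reaches the key-log parser
    # instead of the terminal.
    printf "GET / HTTP/1.0\r\n\r\n" |
    openssl s_client -connect "$host:$port" -ign_eof -cipher "$cipher" \
        -msg 2>&1 | s_client_client_random
done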

# vim: set et sw=4 ts=4: