Better curve detection, detecting new corner case when server preference enforced
parent
395d78bc64
commit
4d90d2e643
|
@ -95,6 +95,7 @@ module CryptCheck
|
|||
else
|
||||
server.new *a, **kargs
|
||||
end
|
||||
exit
|
||||
if grade
|
||||
g = grade.new s
|
||||
Logger.info { '' }
|
||||
|
|
|
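Review bot: The bare `exit` between the `end` that closes the server construction and `if grade` stops the process before grading, so `grade.new s` and everything after it can never run and the tool would finish without reporting a result. The `+`/`-` markers are lost on this page, but the hunk header (`-95,6 +95,7`) adds exactly one line and this looks like it, probably a debugging leftover. Confirm that and drop the `exit` line before merging. The enclosing method starts and ends outside the hunk.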
@ -7,14 +7,14 @@ module CryptCheck
|
|||
@name = name
|
||||
end
|
||||
|
||||
# SUPPORTED = %w(sect163k1 sect163r1 sect163r2 sect193r1
|
||||
# SUPPORTED = %i(sect163k1 sect163r1 sect163r2 sect193r1
|
||||
# sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1
|
||||
# sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1
|
||||
# secp160r2 secp192k1 secp192r1 secp224k1 secp224r1 secp256k1
|
||||
# secp256r1 secp384r1 secp521r1
|
||||
# prime256v1
|
||||
# brainpoolP256r1 brainpoolP384r1 brainpoolP512r1)
|
||||
SUPPORTED = %w(secp256k1 sect283k1 sect283r1 secp384r1
|
||||
SUPPORTED = %i(secp256k1 sect283k1 sect283r1 secp384r1
|
||||
sect409k1 sect409r1 secp521r1 sect571k1 sect571r1
|
||||
prime192v1 prime256v1
|
||||
brainpoolP256r1 brainpoolP384r1 brainpoolP512r1).collect { |c| self.new c }.freeze
|
||||
|
@ -28,6 +28,17 @@ module CryptCheck
|
|||
def to_s
|
||||
@name
|
||||
end
|
||||
|
||||
def ==(other)
|
||||
case other
|
||||
when String
|
||||
@name == other.to_sym
|
||||
when Symbol
|
||||
@name == other
|
||||
else
|
||||
@name == other.name
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
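Review bot: In the added `==`, the `else` branch calls `other.name` on any object, so comparing a curve with `nil` or anything else lacking `name` raises NoMethodError instead of returning false; `other.respond_to?(:name) && @name == other.name` keeps equality total. The String branch converts to a Symbol, which only matches if `@name` is itself a Symbol: the `%i(...)` change guarantees that for `SUPPORTED`, but `@name = name` in the initializer stores whatever a caller passes, so `@name = name.to_sym` would make the comparison robust. `==` is also defined without `eql?`/`hash`, so `uniq`, Hash keys and array difference will not agree with it. The class body starts outside these hunks.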
@ -28,7 +28,7 @@ module CryptCheck
|
|||
class ConnectionError < ::StandardError
|
||||
end
|
||||
|
||||
attr_reader :certs, :keys, :dh
|
||||
attr_reader :certs, :keys, :dh, :supported_curves
|
||||
|
||||
def initialize(hostname, family, ip, port)
|
||||
@hostname, @family, @ip, @port = hostname, family, ip, port
|
||||
|
@ -168,15 +168,20 @@ module CryptCheck
|
|||
begin
|
||||
connection = ssl_client method, ecdsa, curves: [curve, ecdsa_curve]
|
||||
# Not too fast !!!
|
||||
# Handshake will **always** succeed, because ECDSA curve is always supported
|
||||
# So, need to test for the real curve
|
||||
# Handshake will **always** succeed, because ECDSA
|
||||
# curve is always supported.
|
||||
# So, we need to test for the real curve!
|
||||
# Treaky case : if server preference is enforced,
|
||||
# ECDSA curve can be prefered over ECDHE one and so
|
||||
# really supported curve can be detected as not supported :(
|
||||
|
||||
dh = connection.tmp_key
|
||||
negociated_curve = dh.curve
|
||||
supported = negociated_curve != ecdsa_curve
|
||||
supported = ecdsa_curve != negociated_curve
|
||||
if supported
|
||||
Logger.info { " ECC curve #{curve}" }
|
||||
Logger.info { " ECC curve #{curve.name}" }
|
||||
else
|
||||
Logger.debug { " ECC curve #{curve} : not supported" }
|
||||
Logger.debug { " ECC curve #{curve.name} : not supported" }
|
||||
end
|
||||
supported
|
||||
rescue TLSException
|
||||
|
|
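Review bot: The new comment admits a false negative that the visible lines do not handle: with server preference enforced, the ECDSA curve can be negotiated even though `curve` is supported, yet `supported` is still false and the log says plain "not supported", so a scan can under-report the curves a server accepts. Nothing in this hunk separates "rejected" from "masked by preference"; at minimum the debug line should say so, e.g. `Logger.debug { " ECC curve #{curve.name} : not supported (or masked by server preference)" }`, and consumers of `supported_curves` should treat the list as a lower bound. The operand swap to `ecdsa_curve != negociated_curve` is load-bearing, because Ruby dispatches `!=` to the left operand's `==`, presumably so the curve class's `==` handles whatever `dh.curve` returns. That deserves a one-line comment such as `# ecdsa_curve must stay on the left: its == does the comparison`. The enclosing method starts and ends outside the hunk.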