4e1470f483
* Handpick cluster cipher suites when they're not user-set There is an undocumented way for users to choose cluster cipher suites but for the most part this is to paper over the fact that there are undesirable suites in TLS 1.2. If not explicitly set, have the set of cipher suites for the cluster port come from a hand-picked list; either the allowed TLS 1.3 set (for forwards compatibility) or the three identical ones for TLS 1.2. The 1.2 suites have been supported in Go until at least as far back as Go 1.9 from two years ago. As a result in cases where no specific suites have been chosen this _ought_ to have no compatibility issues. Also includes a useful test script.
27 lines
651 B
Bash
Executable file
27 lines
651 B
Bash
Executable file
#!/usr/bin/env bash
|
|
|
|
# Adapted from https://superuser.com/a/224263
|
|
|
|
# OpenSSL requires the port number.
|
|
SERVER=$1
|
|
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
|
|
|
|
echo Obtaining cipher list from $(openssl version).
|
|
|
|
for cipher in ${ciphers[@]}
|
|
do
|
|
echo -n Testing $cipher...
|
|
result=$(echo -n | openssl s_client -cipher "$cipher" -alpn req_fw_sb-act_v1 -connect $SERVER 2>&1)
|
|
if [[ "$result" =~ ":error:" ]] ; then
|
|
error=$(echo -n $result | cut -d':' -f6)
|
|
echo NO \($error\)
|
|
else
|
|
if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]] ; then
|
|
echo YES
|
|
else
|
|
echo UNKNOWN RESPONSE
|
|
echo $result
|
|
fi
|
|
fi
|
|
done
|