Handpick cluster cipher suites when they're not user-set (#7487)
* Handpick cluster cipher suites when they're not user-set

There is an undocumented way for users to choose cluster cipher suites but for the most part this is to paper over the fact that there are undesirable suites in TLS 1.2. If not explicitly set, have the set of cipher suites for the cluster port come from a hand-picked list; either the allowed TLS 1.3 set (for forwards compatibility) or the three identical ones for TLS 1.2. The 1.2 suites have been supported in Go until at least as far back as Go 1.9 from two years ago. As a result in cases where no specific suites have been chosen this _ought_ to have no compatibility issues.

Also includes a useful test script.
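The selection rule the commit message describes ("user-set list wins, otherwise a hand-picked list"), shown as an added Go example that is not the project's own code. The three TLS 1.2 suite identifiers, the function names (`clusterCipherSuites`, `negotiate`, `isHandpicked`) and the self-signed test certificate are all assumptions made here; the commit page does not name the real suites. The example builds a server with the rule applied and runs TLS 1.2 handshakes over an in-memory pipe to show that a peer offering only a CBC suite is refused when nothing is user-set, while an explicit user setting still overrides the list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumed stand-in for the commit's "three identical ones for TLS 1.2": the
// ECDHE-ECDSA AEAD suites mirroring Go's TLS 1.3 set. The real identifiers are
// not on the commit page. Go ignores Config.CipherSuites for TLS 1.3 and always
// uses its own AEAD set there, so only the TLS 1.2 list needs hand-picking.
var handpickedTLS12Suites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
}

// clusterCipherSuites applies the commit's rule: an explicitly configured
// list wins, otherwise the hand-picked list is used. (Hypothetical name.)
func clusterCipherSuites(userSet []uint16) []uint16 {
	if len(userSet) > 0 {
		return userSet
	}
	return append([]uint16(nil), handpickedTLS12Suites...)
}

// isHandpicked reports whether a negotiated suite is on the hand-picked list.
func isHandpicked(id uint16) bool {
	for _, s := range handpickedTLS12Suites {
		if s == id {
			return true
		}
	}
	return false
}

// selfSignedECDSACert builds a throwaway P-256 certificate (constructed test
// material) and a pool trusting it, so the client verifies the server rather
// than skipping verification. ECDSA is needed for the ECDHE-ECDSA suites.
func selfSignedECDSACert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cluster-test"},
		DNSNames:     []string{"cluster-test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// negotiate runs one TLS 1.2 handshake over an in-memory pipe. The server uses
// clusterCipherSuites(userSet); the client offers clientSuites (nil = Go's
// defaults). It returns the negotiated suite or the handshake error.
func negotiate(userSet, clientSuites []uint16) (uint16, error) {
	cert, pool, err := selfSignedECDSACert()
	if err != nil {
		return 0, err
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		CipherSuites:           clusterCipherSuites(userSet),
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // avoid a post-handshake write the pipe would block on
	}
	clientCfg := &tls.Config{
		RootCAs:      pool,
		ServerName:   "cluster-test",
		CipherSuites: clientSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // pin TLS 1.2 so the suite list is what gets exercised
	}
	sConn, cConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	sConn.SetDeadline(deadline)
	cConn.SetDeadline(deadline)
	srv, cli := tls.Server(sConn, serverCfg), tls.Client(cConn, clientCfg)
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	cerr := cli.Handshake()
	serr := <-errc
	cConn.Close()
	sConn.Close()
	if cerr != nil {
		return 0, fmt.Errorf("client: %w", cerr)
	}
	if serr != nil {
		return 0, fmt.Errorf("server: %w", serr)
	}
	return cli.ConnectionState().CipherSuite, nil
}

func main() {
	weak := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}
	id, err := negotiate(nil, nil) // nothing user-set, default peer
	fmt.Printf("default peer: %s err=%v handpicked=%v\n", tls.CipherSuiteName(id), err, isHandpicked(id))
	_, err = negotiate(nil, weak) // nothing user-set, CBC-only peer: refused
	fmt.Println("CBC-only peer:", err)
	id, err = negotiate(weak, weak) // explicit user setting still wins
	fmt.Printf("user-set CBC: %s err=%v\n", tls.CipherSuiteName(id), err)
}
```

The in-memory pipe keeps the example offline; the server disables session tickets only so that its last action in the handshake is a read rather than a write the unread pipe would block. The third case is the "undocumented way" the commit message mentions: an operator who explicitly configures a CBC suite still gets it, so the hardening lives entirely in the default.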
- Loading branch information
Showing 3 changed files with 54 additions and 1 deletion.
@@ -0,0 +1,26 @@ | ||
#!/usr/bin/env bash | ||
|
||
# Adapted from https://superuser.com/a/224263 | ||
|
||
# OpenSSL requires the port number. | ||
SERVER=$1 | ||
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g') | ||
|
||
echo Obtaining cipher list from $(openssl version). | ||
|
||
for cipher in ${ciphers[@]} | ||
do | ||
echo -n Testing $cipher... | ||
result=$(echo -n | openssl s_client -cipher "$cipher" -alpn req_fw_sb-act_v1 -connect $SERVER 2>&1) | ||
if [[ "$result" =~ ":error:" ]] ; then | ||
error=$(echo -n $result | cut -d':' -f6) | ||
echo NO \($error\) | ||
else | ||
if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]] ; then | ||
echo YES | ||
else | ||
echo UNKNOWN RESPONSE | ||
echo $result | ||
fi | ||
fi | ||
done |
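Review bot: the loop cannot tell a TLS 1.2 result from a TLS 1.3 one, because `-cipher` only restricts the pre-1.3 suite list and a 1.3-capable `openssl s_client` will still negotiate a TLS 1.3 suite against a server that offers it, so a YES or NO printed for a 1.2 cipher may be reporting the 1.3 handshake instead; add `-tls1_2` to the `s_client` call (and run the TLS 1.3 names in a separate pass with `-ciphersuites`) so each iteration exercises the suite under test. Smaller points in the same hunk: `SERVER=$1` has no guard, so a missing argument becomes an empty `-connect` and every suite reports NO; `SERVER=${1:?usage: $0 host:port}` fails early instead. `ciphers` is a plain string, so `${ciphers[@]}` reads as an array access that is not one; `for cipher in $ciphers` says what is meant. `$SERVER`, `$cipher` and `$result` should be quoted, and the hard-coded `-alpn req_fw_sb-act_v1` value deserves a comment next to the port comment explaining what the server expects it for, since nothing in the script says. `cut -d':' -f6` ties the printed reason to the column layout of OpenSSL error lines; printing the first `:error:` line whole is less brittle across OpenSSL versions.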