@@ -10852,14 +10852,6 @@ run_fs() {
1085210852 "${ossl_supported[i]}" && ! "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
1085310853 fi
1085410854 done
10855- # Versions of TLS prior to 1.3 close the connection if the client does not support the curve
10856- # used in the certificate. The easiest solution is to move the curves to the end of the list.
10857- # instead of removing them from the ClientHello.
10858- for (( i=low; i < high; i++ )); do
10859- if ! "$HAS_TLS13" || ! "${curves_deprecated[i]}" || [[ "$proto" == "-no_tls1_3" ]]; then
10860- "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
10861- fi
10862- done
1086310855 [[ -z "$curves_to_test" ]] && break
1086410856 $OPENSSL s_client $(s_client_options "$proto -cipher "\'${ecdhe_cipher_list:1}\'" -ciphersuites "\'${tls13_cipher_list:1}\'" -curves "${curves_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE </dev/null
1086510857 sclient_connect_successful $? $TMPFILE || break
@@ -10881,6 +10873,44 @@ run_fs() {
1088110873 [[ $i -eq $high ]] && break
1088210874 supported_curve[i]=true
1088310875 done
10876+ while true; do
10877+ # Versions of TLS prior to 1.3 close the connection if the client does not support the curve
10878+ # used in the certificate. The easiest solution is to move the curves to the end of the list.
10879+ # instead of removing them from the ClientHello. This is only needed if there is no RSA certificate.
10880+ if ((! "$HAS_TLS13" || [[ "$proto" == "-no_tls1_3" ]]) && [[ ! "$ecdhe_cipher_list" == *RSA* ]]) || break; then
10881+ curves_to_test=""
10882+ for (( i=low; i < high; i++ )); do
10883+ if ! "${curves_deprecated[i]}"; then
10884+ "${ossl_supported[i]}" && ! "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
10885+ fi
10886+ done
10887+ [[ -z "$curves_to_test" ]] && break
10888+ for (( i=low; i < high; i++ )); do
10889+ if ! "${curves_deprecated[i]}"; then
10890+ "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
10891+ fi
10892+ done
10893+ $OPENSSL s_client $(s_client_options "$proto -cipher "\'${ecdhe_cipher_list:1}\'" -ciphersuites "\'${tls13_cipher_list:1}\'" -curves "${curves_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE </dev/null
10894+ sclient_connect_successful $? $TMPFILE || break
10895+ temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TMPFILE")
10896+ curve_found="${temp%%,*}"
10897+ if [[ "$curve_found" == ECDH ]]; then
10898+ curve_found="${temp#*, }"
10899+ curve_found="${curve_found%%,*}"
10900+ if "$HAS_TLS13" && [[ ! "$proto" == "-no_tls1_3" ]] && [[ "$curve_found" == brainpoolP[235][581][642]r1 ]]; then
10901+ [[ "$(get_protocol "$TMPFILE")" == TLSv1.3 ]] && curve_found+="tls13"
10902+ fi
10903+ fi
10904+ for (( i=low; i < high; i++ )); do
10905+ if ! "${supported_curve[i]}"; then
10906+ [[ "${curves_ossl_output[i]}" == "$curve_found" ]] && break
10907+ [[ "${curves_ossl[i]}" == "$curve_found" ]] && break
10908+ fi
10909+ done
10910+ [[ $i -eq $high ]] && break
10911+ supported_curve[i]=true
10912+ fi
10913+ done
1088410914 done
1088510915 done
1088610916 fi
@@ -10917,6 +10947,41 @@ run_fs() {
1091710947 [[ $i -eq $nr_curves ]] && break
1091810948 supported_curve[i]=true
1091910949 done
10950+ # Versions of TLS prior to 1.3 close the connection if the client does not support the curve
10951+ # used in the certificate. The easiest solution is to move the curves to the end of the list.
10952+ # instead of removing them from the ClientHello. This is only needed if there is no RSA certificate.
10953+ while true; do
10954+ if ([[ "$proto" == 03 ]] && [[ ! "$ecdhe_cipher_list" == *RSA* ]]) || break; then
10955+ curves_to_test=""
10956+ for (( i=0; i < nr_curves; i++ )); do
10957+ if ! "${curves_deprecated[i]}" || [[ "$proto" == 03 ]]; then
10958+ ! "${supported_curve[i]}" && curves_to_test+=", ${curves_hex[i]}"
10959+ fi
10960+ done
10961+ [[ -z "$curves_to_test" ]] && break
10962+ for (( i=0; i < nr_curves; i++ )); do
10963+ if ! "${curves_deprecated[i]}" || [[ "$proto" == 03 ]]; then
10964+ "${supported_curve[i]}" && curves_to_test+=", ${curves_hex[i]}"
10965+ fi
10966+ done
10967+ len1=$(printf "%02x" "$((2*${#curves_to_test}/7))")
10968+ len2=$(printf "%02x" "$((2*${#curves_to_test}/7+2))")
10969+ tls_sockets "$proto" "${ecdhe_cipher_list_hex:2}, 00,ff" "ephemeralkey" "00, 0a, 00, $len2, 00, $len1, ${curves_to_test:2}"
10970+ sclient_success=$?
10971+ [[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
10972+ temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
10973+ curve_found="${temp%%,*}"
10974+ if [[ "$curve_found" == "ECDH" ]]; then
10975+ curve_found="${temp#*, }"
10976+ curve_found="${curve_found%%,*}"
10977+ fi
10978+ for (( i=0; i < nr_curves; i++ )); do
10979+ ! "${supported_curve[i]}" && [[ "${curves_ossl_output[i]}" == "$curve_found" ]] && break
10980+ done
10981+ [[ $i -eq $nr_curves ]] && break
10982+ supported_curve[i]=true
10983+ fi
10984+ done
1092010985 done
1092110986 fi
1092210987 if "$ecdhe_offered"; then
0 commit comments