@@ -10873,22 +10873,18 @@ run_fs() {
1087310873 [[ $i -eq $high ]] && break
1087410874 supported_curve[i]=true
1087510875 done
10876- while true; do
10877- # Versions of TLS prior to 1.3 close the connection if the client does not support the curve
10878- # used in the certificate. The easiest solution is to move the curves to the end of the list .
10879- # instead of removing them from the ClientHello. This is only needed if there is no RSA certificate.
10880- if ((! "$HAS_TLS13" || [[ "$proto" == "-no_tls1_3" ]]) && [[ ! "$ecdhe_cipher_list" == *RSA* ]]) || break; then
10876+ # Versions of TLS prior to 1.3 close the connection if the client does not support the curve
10877+ # used in the certificate. The easiest solution is to move the curves to the end of the list.
10878+ # instead of removing them from the ClientHello. This is only needed if there is no RSA certificate .
10879+ if (! "$HAS_TLS13" || [[ "$proto" == "-no_tls1_3" ]]) && [[ ! "$ecdhe_cipher_list" == * RSA* ]]; then
10880+ while true; do
1088110881 curves_to_test=""
1088210882 for (( i=low; i < high; i++ )); do
10883- if ! "${curves_deprecated[i]}"; then
10884- "${ossl_supported[i]}" && ! "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
10885- fi
10883+ "${ossl_supported[i]}" && ! "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
1088610884 done
1088710885 [[ -z "$curves_to_test" ]] && break
1088810886 for (( i=low; i < high; i++ )); do
10889- if ! "${curves_deprecated[i]}"; then
10890- "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
10891- fi
10887+ "${supported_curve[i]}" && curves_to_test+=":${curves_ossl[i]}"
1089210888 done
1089310889 $OPENSSL s_client $(s_client_options "$proto -cipher "\'${ecdhe_cipher_list:1}\'" -ciphersuites "\'${tls13_cipher_list:1}\'" -curves "${curves_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") &>$TMPFILE </dev/null
1089410890 sclient_connect_successful $? $TMPFILE || break
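Review bot: The parentheses in the new condition at new line 10879 start a subshell only to group two tests; brace grouping does the same without the fork, `if { ! "$HAS_TLS13" || [[ "$proto" == "-no_tls1_3" ]]; } && [[ "$ecdhe_cipher_list" != *RSA* ]]; then`. The third hunk has the same pattern at new line 10949, where a single test is enough: `if [[ "$proto" == 03 && "$ecdhe_cipher_list" != *RSA* ]]; then`. The re-added comment above the condition still reads "list. instead of removing them"; the period after "list" should go. The `while true` loop opened here continues past the end of the hunk.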
@@ -10909,8 +10905,8 @@ run_fs() {
1090910905 done
1091010906 [[ $i -eq $high ]] && break
1091110907 supported_curve[i]=true
10912- fi
10913- done
10908+ done
10909+ fi
1091410910 done
1091510911 done
1091610912 fi
@@ -10950,19 +10946,15 @@ run_fs() {
1095010946 # Versions of TLS prior to 1.3 close the connection if the client does not support the curve
1095110947 # used in the certificate. The easiest solution is to move the curves to the end of the list.
1095210948 # instead of removing them from the ClientHello. This is only needed if there is no RSA certificate.
10953- while true; do
10954- if ([[ "$proto" == 03 ]] && [[ ! "$ecdhe_cipher_list" == *RSA* ]]) || break; then
10949+ if ([[ "$proto" == 03 ]] && [[ ! "$ecdhe_cipher_list" == *RSA* ]]); then
10950+ while true; do
1095510951 curves_to_test=""
1095610952 for (( i=0; i < nr_curves; i++ )); do
10957- if ! "${curves_deprecated[i]}" || [[ "$proto" == 03 ]]; then
10958- ! "${supported_curve[i]}" && curves_to_test+=", ${curves_hex[i]}"
10959- fi
10953+ ! "${supported_curve[i]}" && curves_to_test+=", ${curves_hex[i]}"
1096010954 done
1096110955 [[ -z "$curves_to_test" ]] && break
1096210956 for (( i=0; i < nr_curves; i++ )); do
10963- if ! "${curves_deprecated[i]}" || [[ "$proto" == 03 ]]; then
10964- "${supported_curve[i]}" && curves_to_test+=", ${curves_hex[i]}"
10965- fi
10957+ "${supported_curve[i]}" && curves_to_test+=", ${curves_hex[i]}"
1096610958 done
1096710959 len1=$(printf "%02x" "$((2*${#curves_to_test}/7))")
1096810960 len2=$(printf "%02x" "$((2*${#curves_to_test}/7+2))")
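Review bot: Nothing on the new side records why the `curves_deprecated` guard is gone from the two loops at new lines 10953 and 10957. In this hunk the guard was redundant, because the branch is only entered when `$proto` is 03 and the old test `! "${curves_deprecated[i]}" || [[ "$proto" == 03 ]]` was then always true. In the first hunk the same removal is not a no-op: deprecated curves that OpenSSL supports are now added to `-curves`, which presumably is what lets them be reported for servers without an RSA certificate. A short comment such as `# deprecated curves are deliberately included, so they are still detected when the server has no RSA certificate` above the first loop in each hunk would keep a later cleanup from restoring the filter. The loop body continues outside the hunk.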
@@ -10980,8 +10972,8 @@ run_fs() {
1098010972 done
1098110973 [[ $i -eq $nr_curves ]] && break
1098210974 supported_curve[i]=true
10983- fi
10984- done
10975+ done
10976+ fi
1098510977 done
1098610978 fi
1098710979 if "$ecdhe_offered"; then