@@ -10894,7 +10894,7 @@ run_fs() {
1089410894 fi
1089510895 if "$using_sockets"; then
1089610896 protos_to_try=""
10897- "$fs_tls13_offered" && protos_to_try="04"
10897+ "$fs_tls13_offered" && protos_to_try="04-01 04-02 "
1089810898 # For TLS 1.2, find a supported cipher suite corresponding to each of the key types (RSA, ECDSA, DSS).
1089910899 # Need to try each key type separately, otherwise not all supported signature algorithms will be found.
1090010900 if "$fs_tls12_offered"; then
@@ -10910,29 +10910,48 @@ run_fs() {
1091010910 dss_cipher="${hexcode[i]}"
1091110911 fi
1091210912 done
10913- [[ -n "$rsa_cipher" ]] && protos_to_try+=" 03-$rsa_cipher"
10914- [[ -n "$ecdsa_cipher" ]] && protos_to_try+=" 03-$ecdsa_cipher"
10915- [[ -n "$dss_cipher" ]] && protos_to_try+=" 03-$dss_cipher"
10913+ [[ -n "$rsa_cipher" ]] && protos_to_try+=" 03-rsa- $rsa_cipher"
10914+ [[ -n "$ecdsa_cipher" ]] && protos_to_try+=" 03-ecdsa- $ecdsa_cipher"
10915+ [[ -n "$dss_cipher" ]] && protos_to_try+=" 03-dss- $dss_cipher"
1091610916 fi
1091710917 for proto in $protos_to_try; do
1091810918 while true; do
1091910919 i=0
1092010920 sigalgs_to_test=""
10921+ # A few servers get confused if the signature_algorithms extension contains too many entries. So:
10922+ # * For TLS 1.3, break the list into two and test each half separately.
10923+ # * For TLS 1.2, generally limit the signature_algorithms extension to algorithms that are consistent with the key type.
1092110924 for hexc in "${sigalgs_hex[@]}"; do
10922- if [[ "$proto" == 04 ]]; then
10923- ! "${tls13_supported_sigalgs[i]}" && sigalgs_to_test+=", $hexc"
10924- else
10925- ! "${tls12_supported_sigalgs[i]}" && sigalgs_to_test+=", $hexc"
10925+ if [[ "$proto" == 04* ]]; then
10926+ if ! "${tls13_supported_sigalgs[i]}"; then
10927+ if [[ "${proto##*-}" == 01 ]]; then
10928+ [[ $i -le 16 ]] && sigalgs_to_test+=", $hexc"
10929+ else
10930+ [[ $i -gt 16 ]] && sigalgs_to_test+=", $hexc"
10931+ fi
10932+ fi
10933+ elif ! "${tls12_supported_sigalgs[i]}"; then
10934+ if [[ "$proto" =~ rsa ]]; then
10935+ if [[ "${hexc:3:2}" == 01 ]] || [[ "${hexc:0:2}" == 08 ]]; then
10936+ sigalgs_to_test+=", $hexc"
10937+ fi
10938+ elif [[ "$proto" =~ dss ]]; then
10939+ [[ "${hexc:3:2}" == 02 ]] && sigalgs_to_test+=", $hexc"
10940+ else
10941+ if [[ "${hexc:3:2}" == 03 ]] || [[ "${hexc:0:2}" == 08 ]]; then
10942+ sigalgs_to_test+=", $hexc"
10943+ fi
10944+ fi
1092610945 fi
1092710946 i+=1
1092810947 done
1092910948 [[ -z "$sigalgs_to_test" ]] && break
1093010949 len1=$(printf "%02x" "$((2*${#sigalgs_to_test}/7))")
1093110950 len2=$(printf "%02x" "$((2*${#sigalgs_to_test}/7+2))")
10932- if [[ "$proto" == 04 ]]; then
10933- tls_sockets "$proto" "$TLS13_CIPHER" "all+" "00,0d, 00,$len2, 00,$len1, ${sigalgs_to_test:2}"
10951+ if [[ "$proto" == 04* ]]; then
10952+ tls_sockets "${ proto%%-*} " "$TLS13_CIPHER" "all+" "00,0d, 00,$len2, 00,$len1, ${sigalgs_to_test:2}"
1093410953 else
10935- tls_sockets "${proto%-*}" "${proto#*-}, 00,ff" "ephemeralkey" "00,0d, 00,$len2, 00,$len1, ${sigalgs_to_test:2}"
10954+ tls_sockets "${proto%% -*}" "${proto# #*-}, 00,ff" "ephemeralkey" "00,0d, 00,$len2, 00,$len1, ${sigalgs_to_test:2}"
1093610955 fi
1093710956 [[ $? -eq 0 ]] || break
1093810957 sigalg_found="$(awk -F ': ' '/^Peer signing digest/ { print $2 } ' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")"
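Review bot: The TLS 1.3 split at `[[ $i -le 16 ]]` / `[[ $i -gt 16 ]]` hard-codes an index into `sigalgs_hex`, so if that array is extended or reordered the two halves drift out of balance and the larger one could again exceed what the servers named in the new comment tolerate. Deriving the boundary from the array, for example `half=$(( ${#sigalgs_hex[@]} / 2 ))` and then comparing `$i` with `$half`, keeps the two probes even without touching this code again. In the TLS 1.2 branch, any `sigalgs_hex` entry whose second byte is not 01, 02 or 03 and whose first byte is not 08 is no longer offered in any key-type pass, so it would presumably be reported as unsupported without having been probed; the array is outside this hunk, so a comment such as `# entries other than xx,01 / xx,02 / xx,03 / 08,xx are intentionally not tested for TLS 1.2` would make the coverage limit explicit. The unanchored `=~ rsa` and `=~ dss` tests could use the glob form already used for `04*`, e.g. `[[ "$proto" == 03-rsa-* ]]`. run_fs begins and ends outside this hunk.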
@@ -10944,7 +10963,7 @@ run_fs() {
1094410963 i+=1
1094510964 done
1094610965 [[ -z "${sigalgs_hex[i]}" ]] && break
10947- if [[ "$proto" == 04 ]]; then
10966+ if [[ "$proto" == 04* ]]; then
1094810967 "${tls13_supported_sigalgs[i]}" && break
1094910968 tls13_supported_sigalgs[i]=true
1095010969 tls13_supported_sigalg_list+=" $sigalg_found"