TLS scan the SUT multiple times with different cipiher suites and version

Author: akarmegam

config/nist-sp-800-52.json

@@ -0,0 +1,56 @@
+{
+    "tls_versions": [
+        {
+            "version": "1.3",
+            "safer": true
+        },
+        {
+            "version": "1.2",
+            "safer": true
+        },
+        {
+            "version": "1.1",
+            "safer": false
+        },
+        {
+            "version": "1.0",
+            "safer": false
+        },
+        {
+            "version": "3.0",
+            "safer": false
+        }
+    ],
+    "cipher_suites": [
+        {
+            "cipher_suite": "TLS_AES_256_GCM_SHA384",
+            "versions": "tls1_3",
+            "safer": true
+        },
+        {
+            "cipher_suite": "TLS_AES_128_GCM_SHA256",
+            "versions": "tls1_3",
+            "safer": true
+        },
+        {
+            "cipher_suite": "TLS_RSA_WITH_AES_256_CBC_SHA",
+            "versions": "tls1_2",
+            "safer": false
+        },
+        {
+            "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
+            "versions": "tls1_2",
+            "safer": false
+        },
+        {
+            "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+            "versions": "tls1_2",
+            "safer": false
+        },
+        {
+            "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+            "versions": "tls1_2",
+            "safer": false
+        }
+    ]
+}

src/tlsscan

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+NIST_SP_800_52="config/nist-sp-800-52.json"
+
 chk_cmd()
 {
 	if ! command -v $1 &>/dev/null; then
@@ -90,11 +92,27 @@ csvreport()
 EOF
 }
 
+# For TLS 1.2 and older versions, OpenSSL maintains a ciphersuite name
+# different from the name specified in RFC
+declare -A tls12_ossl_cs=(
+	["TLS_RSA_WITH_AES_256_CBC_SHA"]="AES256-SHA"
+	["TLS_RSA_WITH_AES_128_CBC_SHA"]="AES128-SHA"
+	["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]="ECDHE-RSA-AES256-SHA"
+	["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]="ECDHE-RSA-AES128-SHA"
+)
+
 opensslscan()
 {
 	tmp=/tmp/tls.out
 	rm -f $tmp 2>/dev/null
-	timeout 2s openssl s_client -CApath /etc/ssl/certs/ -connect "$TLS_Address" -brief < /dev/null 2>$tmp
+	if [ $1 == "tls1_3" ]; then
+		cipher_suite=$2
+		s_client_opt="-ciphersuites $cipher_suite -$1 "
+	else
+		cipher_suite=${tls12_ossl_cs[$2]}
+		s_client_opt="-cipher $cipher_suite -$1 "
+	fi
+	timeout 2s openssl s_client -connect $TLS_Address -CApath /etc/ssl/certs/ $s_client_opt -brief < /dev/null 2>$tmp
 #	echo "ret=$ret"
 #	cat $tmp
 	conn_estd=0
@@ -105,6 +123,9 @@ opensslscan()
 		key=${line/:*/}
 		val=${line/*: /}
 		key=${key// /_}
+		if [ "$val" == "$cipher_suite" ]; then
+			val=$2
+		fi
 		printf -v "TLS_$key" '%s' "$val"
 		TLS_Status="TLS"
 	done < $tmp
@@ -119,19 +140,30 @@ unsetvars()
 	unset $varlist
 }
 
-scantls()
+dotlsconnect()
 {
 	TLS_Status="PLAIN_TEXT"
 	nc -w 1 -z ${TLS_Address/:/ }
 	case "$?" in
-		0) opensslscan ;;
+		0) opensslscan $1 $2 ;;
 		*) TLS_Status="CONNFAIL" ;;
 	esac
 
 	jsonreport
 	csvreport
 }
 
+scantls()
+{
+	cs_count=`jq '.cipher_suites | length' $NIST_SP_800_52`
+	for((i=0; i<$cs_count; i++)); do
+		cipher_suite=`jq .cipher_suites[$i].cipher_suite $NIST_SP_800_52 -r`
+		tls_version=`jq .cipher_suites[$i].versions $NIST_SP_800_52 -r`
+		echo "TLS Connect with $tls_version and $cipher_suite"
+		dotlsconnect $tls_version $cipher_suite
+	done
+}
+
 getsummary()
 {
 	status_arr=(