tls-attacker
diff --git a/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/config/ServerScannerConfig.java
Lines changed: 12 additions & 0 deletions b/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/config/ServerScannerConfig.java
Lines changed: 12 additions & 0 deletions
diff --git a/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/execution/TlsServerScanner.java
Lines changed: 3 additions & 1 deletion b/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/execution/TlsServerScanner.java
Lines changed: 3 additions & 1 deletion
diff --git a/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/HeartbleedProbe.java
Lines changed: 1 addition & 1 deletion b/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/HeartbleedProbe.java
Lines changed: 1 addition & 1 deletion
diff --git a/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/NamedGroupsProbe.java
Lines changed: 4 additions & 1 deletion b/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/NamedGroupsProbe.java
Lines changed: 4 additions & 1 deletion
diff --git a/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerReport.java
Lines changed: 20 additions & 0 deletions b/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerReport.java
Lines changed: 20 additions & 0 deletions
diff --git a/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/selector/ConfigFilter.java
Lines changed: 108 additions & 0 deletions b/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/selector/ConfigFilter.java
Lines changed: 108 additions & 0 deletions
diff --git a/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/selector/ConfigFilterProfile.java
Lines changed: 16 additions & 0 deletions b/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/selector/ConfigFilterProfile.java
Lines changed: 16 additions & 0 deletions
diff --git a/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/selector/ConfigFilterType.java
Lines changed: 46 additions & 0 deletions b/‎TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/selector/ConfigFilterType.java
Lines changed: 46 additions & 0 deletions
@@ -63,6 +63,10 @@ public class ServerScannerConfig extends ScannerConfig {
     @ParametersDelegate
     private CallbackDelegate callbackDelegate;
 
+    @Parameter(names = "-configSearchCooldown", required = false,
+        description = "Pause between config tests to ensure the server finished processing the previously rejected messages")
+    private boolean configSearchCooldown = false;
+
     private List<ProbeType> probes = null;
 
     public ServerScannerConfig(GeneralDelegate delegate) {
@@ -163,4 +167,12 @@ public void setCustomCAPathList(List<String> customCAPathList) {
         this.customCAPathList = customCAPathList;
     }
 
+    public boolean isConfigSearchCooldown() {
+        return configSearchCooldown;
+    }
+
+    public void setConfigSearchCooldown(boolean configSearchCooldown) {
+        this.configSearchCooldown = configSearchCooldown;
+    }
+
 }
@@ -281,7 +281,9 @@ public ServerReport scan() {
             if (isConnectable()) {
                 isConnectable = true;
                 LOGGER.debug(config.getClientDelegate().getHost() + " is connectable");
-                configSelector.findWorkingConfig();
+                configSelector.findWorkingConfigs();
+                serverReport.setConfigProfileIdentifier(configSelector.getConfigProfileIdentifier());
+                serverReport.setConfigProfileIdentifierTls13(configSelector.getConfigProfileIdentifierTls13());
                 if (configSelector.isSpeaksProtocol()) {
                     speaksProtocol = true;
                     LOGGER.debug(config.getClientDelegate().getHost() + " speaks " + protocolType.getName());
 
@@ -60,7 +60,7 @@ private WorkflowTrace getTrace(Config tlsConfig) {
             .createWorkflowTrace(WorkflowTraceType.DYNAMIC_HANDSHAKE, RunningModeType.CLIENT);
         HeartbeatMessage heartbeatMessage = new HeartbeatMessage(tlsConfig);
         heartbeatMessage.setPayload(Modifiable.explicit(new byte[] { 1, 3 }));
-        heartbeatMessage.setPayloadLength(Modifiable.explicit(20000));
+        heartbeatMessage.setPayloadLength(Modifiable.explicit(10));
         trace.addTlsAction(new SendAction(heartbeatMessage));
         trace.addTlsAction(new ReceiveAction(new HeartbeatMessage()));
         return trace;
 
@@ -92,7 +92,10 @@ public NamedGroupResult executeTest() {
         TestResult supportsExplicitPrime = getExplicitCurveSupport(EllipticCurveType.EXPLICIT_PRIME);
         TestResult supportsExplicitChar2 = getExplicitCurveSupport(EllipticCurveType.EXPLICIT_CHAR2);
 
-        Map<NamedGroup, NamedGroupWitness> groupsTls13 = getTls13SupportedGroups();
+        Map<NamedGroup, NamedGroupWitness> groupsTls13 = new HashMap<>();
+        if (!configSelector.getScannerConfig().getDtlsDelegate().isDTLS()) {
+            groupsTls13 = getTls13SupportedGroups();
+        }
 
         TestResult groupsDependOnCipherSuite = getGroupsDependOnCipherSuite(overallSupported);
 
 
@@ -183,6 +183,10 @@ public class ServerReport extends ScanReport {
     private long scanStartTime;
     private long scanEndTime;
 
+    // Config profile used to limit our Client Hello
+    private String configProfileIdentifier;
+    private String configProfileIdentifierTls13;
+
     public ServerReport() {
         host = null;
         port = null;
@@ -785,6 +789,22 @@ public synchronized void setGuidelineReports(List<GuidelineReport> guidelineRepo
         this.guidelineReports = guidelineReports;
     }
 
+    public synchronized String getConfigProfileIdentifier() {
+        return configProfileIdentifier;
+    }
+
+    public synchronized void setConfigProfileIdentifier(String configProfileIdentifier) {
+        this.configProfileIdentifier = configProfileIdentifier;
+    }
+
+    public synchronized String getConfigProfileIdentifierTls13() {
+        return configProfileIdentifierTls13;
+    }
+
+    public synchronized void setConfigProfileIdentifierTls13(String configProfileIdentifierTls13) {
+        this.configProfileIdentifierTls13 = configProfileIdentifierTls13;
+    }
+
     public synchronized Long getClosedAfterFinishedDelta() {
         return closedAfterFinishedDelta;
     }
 
@@ -0,0 +1,108 @@
+/**
+ * TLS-Server-Scanner - A TLS configuration and analysis tool based on TLS-Attacker
+ *
+ * Copyright 2017-2022 Ruhr University Bochum, Paderborn University, Hackmanit GmbH
+ *
+ * Licensed under Apache License, Version 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0.txt
+ */
+
+package de.rub.nds.tlsscanner.serverscanner.selector;
+
+import de.rub.nds.tlsattacker.core.config.Config;
+import de.rub.nds.tlsattacker.core.constants.CipherSuite;
+import de.rub.nds.tlsattacker.core.constants.NamedGroup;
+import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
+import java.util.List;
+import java.util.stream.Collectors;
+
+public class ConfigFilter {
+    public static void applyFilterProfile(Config baseConfig, ConfigFilterType[] configFilterTypes) {
+        for (ConfigFilterType filterType : configFilterTypes) {
+            if (filterType.isCipherSuiteFilter()) {
+                filterCipherSuites(baseConfig, filterType);
+            } else if (filterType.isNamedGroupFilter()) {
+                filterNamedGroups(baseConfig, filterType);
+            } else if (filterType.isSignatureAlgorithmFilter()) {
+                filterSignatureAlgorithms(baseConfig, filterType);
+            } else {
+                throw new IllegalArgumentException("No behavior defined for filter " + filterType);
+            }
+        }
+    }
+
+    private static void filterCipherSuites(Config baseConfig, ConfigFilterType filterType) {
+        List<CipherSuite> reducedCipherSuites = baseConfig.getDefaultClientSupportedCipherSuites();
+        switch (filterType) {
+            case CIPHERSUITE_ANON:
+                String anonEnumSubstring = filterType.name().replace("CIPHERSUITE_", "").toLowerCase();
+                reducedCipherSuites =
+                    reducedCipherSuites.stream().filter(cipherSuite -> !cipherSuite.name().contains(anonEnumSubstring))
+                        .collect(Collectors.toList());
+                break;
+            case CIPHERSUITE_ECCPWD:
+            case CIPHERSUITE_EXPORT:
+            case CIPHERSUITE_GREASE:
+            case CIPHERSUITE_GOST:
+            case CIPHERSUITE_KRB5:
+            case CIPHERSUITE_PSK:
+            case CIPHERSUITE_ARIA:
+            case CIPHERSUITE_SRP:
+            case CIPHERSUITE_CAMELLIA:
+            case CIPHERSUITE_UNOFFICIAL:
+                String filteredEnumSubstring = filterType.name().replace("CIPHERSUITE_", "");
+                reducedCipherSuites = reducedCipherSuites.stream()
+                    .filter(cipherSuite -> !cipherSuite.name().contains(filteredEnumSubstring))
+                    .collect(Collectors.toList());
+                break;
+            case CIPHERSUITE_UNNEGOTIABLE:
+                reducedCipherSuites = reducedCipherSuites.stream()
+                    .filter(cipherSuite -> cipherSuite.isRealCipherSuite()).collect(Collectors.toList());
+                break;
+            default:
+                throw new IllegalArgumentException("No behavior defined for filter " + filterType);
+        }
+        baseConfig.setDefaultClientSupportedCipherSuites(reducedCipherSuites);
+    }
+
+    private static void filterNamedGroups(Config baseConfig, ConfigFilterType filterType) {
+        List<NamedGroup> reducedNamedGroups = baseConfig.getDefaultClientNamedGroups();
+        switch (filterType) {
+            case NAMEDGROUP_GREASE:
+            case NAMEDGROUP_SECT:
+                String filteredEnumSubstring = filterType.name().replace("NAMEDGROUP_", "");
+                reducedNamedGroups = reducedNamedGroups.stream()
+                    .filter(group -> !group.name().contains(filteredEnumSubstring)).collect(Collectors.toList());
+                break;
+            case NAMEDGROUP_DEPRECATED:
+                reducedNamedGroups =
+                    reducedNamedGroups.stream().filter(NamedGroup::isTls13).collect(Collectors.toList());
+                break;
+            default:
+                throw new IllegalArgumentException("No behavior defined for filter " + filterType);
+        }
+        baseConfig.setDefaultClientNamedGroups(reducedNamedGroups);
+    }
+
+    private static void filterSignatureAlgorithms(Config baseConfig, ConfigFilterType filterType) {
+        List<SignatureAndHashAlgorithm> reducedSignatureAlgorithms =
+            baseConfig.getDefaultClientSupportedSignatureAndHashAlgorithms();
+        switch (filterType) {
+            case SIGNATUREALGORITHM_ANON:
+            case SIGNATUREALGORITHM_DSA:
+            case SIGNATUREALGORITHM_GREASE:
+                String filteredEnumSubstring = filterType.name().replace("SIGNATUREALGORITHM_", "");
+                reducedSignatureAlgorithms = reducedSignatureAlgorithms.stream()
+                    .filter(algo -> !algo.name().contains(filteredEnumSubstring)).collect(Collectors.toList());
+                break;
+            case SIGNATUREALGORITHM_TLS13:
+                reducedSignatureAlgorithms = reducedSignatureAlgorithms.stream()
+                    .filter(SignatureAndHashAlgorithm.getTls13SignatureAndHashAlgorithms()::contains)
+                    .collect(Collectors.toList());
+                break;
+            default:
+                throw new IllegalArgumentException("No behavior defined for filter " + filterType);
+        }
+        baseConfig.setDefaultClientSupportedSignatureAndHashAlgorithms(reducedSignatureAlgorithms);
+    }
+}
@@ -0,0 +1,16 @@
+/**
+ * TLS-Server-Scanner - A TLS configuration and analysis tool based on TLS-Attacker
+ *
+ * Copyright 2017-2022 Ruhr University Bochum, Paderborn University, Hackmanit GmbH
+ *
+ * Licensed under Apache License, Version 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0.txt
+ */
+
+package de.rub.nds.tlsscanner.serverscanner.selector;
+
+public interface ConfigFilterProfile {
+    public abstract ConfigFilterType[] getConfigFilterTypes();
+
+    public abstract String getIdentifier();
+}
@@ -0,0 +1,46 @@
+/**
+ * TLS-Server-Scanner - A TLS configuration and analysis tool based on TLS-Attacker
+ *
+ * Copyright 2017-2022 Ruhr University Bochum, Paderborn University, Hackmanit GmbH
+ *
+ * Licensed under Apache License, Version 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0.txt
+ */
+
+package de.rub.nds.tlsscanner.serverscanner.selector;
+
+public enum ConfigFilterType {
+    CIPHERSUITE_UNNEGOTIABLE,
+    CIPHERSUITE_UNOFFICIAL,
+    CIPHERSUITE_GREASE,
+    CIPHERSUITE_KRB5,
+    CIPHERSUITE_GOST,
+    CIPHERSUITE_PSK,
+    CIPHERSUITE_SRP,
+    CIPHERSUITE_ECCPWD,
+    CIPHERSUITE_ANON,
+    CIPHERSUITE_ARIA,
+    CIPHERSUITE_CAMELLIA,
+    CIPHERSUITE_EXPORT,
+
+    NAMEDGROUP_GREASE,
+    NAMEDGROUP_DEPRECATED,
+    NAMEDGROUP_SECT,
+
+    SIGNATUREALGORITHM_GREASE,
+    SIGNATUREALGORITHM_ANON,
+    SIGNATUREALGORITHM_DSA,
+    SIGNATUREALGORITHM_TLS13;
+
+    public boolean isCipherSuiteFilter() {
+        return this.name().contains("CIPHERSUITE");
+    }
+
+    public boolean isNamedGroupFilter() {
+        return this.name().contains("NAMEDGROUP");
+    }
+
+    public boolean isSignatureAlgorithmFilter() {
+        return this.name().contains("SIGNATUREALGORITHM");
+    }
+}