1/*
2 * "$Id$"
3 *
4 * TLS check program for CUPS.
5 *
6 * Copyright 2007-2015 by Apple Inc.
7 * Copyright 1997-2006 by Easy Software Products.
8 *
9 * These coded instructions, statements, and computer programs are the
10 * property of Apple Inc. and are protected by Federal copyright
11 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
12 * which should have been included with this file. If this file is
13 * missing or damaged, see the license at "http://www.cups.org/".
14 *
15 * This file is subject to the Apple OS-Developed Software exception.
16 */
17
18/*
19 * Include necessary headers...
20 */
21
22#include "cups-private.h"
23
24
25/*
26 * 'main()' - Main entry.
27 */
28
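int                                     /* O - Exit status */
main(int  argc,                         /* I - Number of command-line arguments */
     char *argv[])                      /* I - Command-line arguments */
{
 /*
  * Connect to "server [port]" with encryption always required and report
  * the negotiated protocol version and cipher suite on one line:
  *
  *   server: OK (major.minor, cipher)     exit status 0
  *   server: ERROR (reason)               exit status 1
  *
  * All inspection of the negotiated session is inside "#ifdef __APPLE__".
  * On other builds "OK (0.0, UNKNOWN)" only means that httpConnect2()
  * succeeded; no protocol, cipher or Diffie-Hellman check has been made.
  *
  * NOTE(review): SSL 3.0 and the NULL, anonymous-DH and 3DES suites named
  * below are still reported as "OK"; only RC4 and short Diffie-Hellman
  * parameters cause an ERROR.  Read the printed version and cipher name
  * before treating "OK" as a pass.
  */

  http_t        *http;                  /* HTTP connection */
  const char    *server;                /* Hostname from command-line */
  int           port = 631;             /* Port number */
  const char    *cipherName = "UNKNOWN";/* Cipher suite name */
  int           tlsVersion = 0;         /* TLS version number */


  if (argc < 2 || argc > 3)
  {
    puts("Usage: ./tlscheck server [port]");
    puts("");
    puts("The default port is 631.");
    return (1);
  }

 /*
  * Only read argv[1] once the argument count has been checked...
  */

  server = argv[1];

  if (argc == 3)
  {
    const char  *portarg = argv[2];     /* Port argument without any "=" */
    char        *end;                   /* First character after the number */
    long        value;                  /* Parsed port number */


   /*
    * A leading "=" is accepted and skipped.  The remainder must be a
    * complete decimal number in the range 1-65535; atoi() would silently
    * turn bad input into 0 or a truncated value and the check would then
    * run against a port the user did not ask for.
    */

    if (portarg[0] == '=')
      portarg ++;

    value = strtol(portarg, &end, 10);

    if (end == portarg || *end != '\0' || value < 1 || value > 65535)
    {
      printf("%s: ERROR (Bad port \"%s\")\n", server, argv[2]);
      return (1);
    }

    port = (int)value;
  }

  http = httpConnect2(server, port, NULL, AF_UNSPEC, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
  if (!http)
  {
    printf("%s: ERROR (%s)\n", server, cupsLastErrorString());
    return (1);
  }

#ifdef __APPLE__
  SSLProtocol           protocol;       /* Negotiated protocol version */
  SSLCipherSuite        cipher;         /* Negotiated cipher suite */
  char                  unknownCipherName[256];
                                        /* Name buffer for unlisted suites */
  int                   paramsNeeded = 0;
                                        /* Must the DH parameter query succeed? */
  const void            *params = NULL; /* Diffie-Hellman parameters */
  size_t                paramsLen = 0;  /* Length of parameters in bytes */
  OSStatus              err;            /* Status from Secure Transport */


  if ((err = SSLGetNegotiatedProtocolVersion(http->tls, &protocol)) != noErr)
  {
    printf("%s: ERROR (No protocol version - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

 /*
  * tlsVersion is major * 10 + minor; unlisted protocols print as "0.0".
  */

  switch (protocol)
  {
    default :
        tlsVersion = 0;
        break;
    case kSSLProtocol3 :
        tlsVersion = 30;
        break;
    case kTLSProtocol1 :
        tlsVersion = 10;
        break;
    case kTLSProtocol11 :
        tlsVersion = 11;
        break;
    case kTLSProtocol12 :
        tlsVersion = 12;
        break;
  }

  if ((err = SSLGetNegotiatedCipher(http->tls, &cipher)) != noErr)
  {
    printf("%s: ERROR (No cipher suite - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

 /*
  * Map the suite to its name.  paramsNeeded is set for the DH/DHE and
  * ECDH/ECDHE suites; for those a failed Diffie-Hellman parameter query
  * below is treated as an error.
  */

  switch (cipher)
  {
    case TLS_NULL_WITH_NULL_NULL:
        cipherName = "TLS_NULL_WITH_NULL_NULL";
        break;
    case TLS_RSA_WITH_NULL_MD5:
        cipherName = "TLS_RSA_WITH_NULL_MD5";
        break;
    case TLS_RSA_WITH_NULL_SHA:
        cipherName = "TLS_RSA_WITH_NULL_SHA";
        break;
    case TLS_RSA_WITH_RC4_128_MD5:
        cipherName = "TLS_RSA_WITH_RC4_128_MD5";
        break;
    case TLS_RSA_WITH_RC4_128_SHA:
        cipherName = "TLS_RSA_WITH_RC4_128_SHA";
        break;
    case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
        cipherName = "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
        break;
    case TLS_RSA_WITH_NULL_SHA256:
        cipherName = "TLS_RSA_WITH_NULL_SHA256";
        break;
    case TLS_RSA_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_RSA_WITH_AES_128_CBC_SHA256";
        break;
    case TLS_RSA_WITH_AES_256_CBC_SHA256:
        cipherName = "TLS_RSA_WITH_AES_256_CBC_SHA256";
        break;
    case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
        cipherName = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA";
        paramsNeeded = 1;
        break;
    case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
        cipherName = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA";
        paramsNeeded = 1;
        break;
    case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
        cipherName = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
        paramsNeeded = 1;
        break;
    case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
        cipherName = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
        paramsNeeded = 1;
        break;
    case TLS_DH_DSS_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DH_RSA_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DH_DSS_WITH_AES_256_CBC_SHA256:
        cipherName = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DH_RSA_WITH_AES_256_CBC_SHA256:
        cipherName = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
        cipherName = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
        cipherName = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DH_anon_WITH_RC4_128_MD5:
        cipherName = "TLS_DH_anon_WITH_RC4_128_MD5";
        paramsNeeded = 1;
        break;
    case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
        cipherName = "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
        paramsNeeded = 1;
        break;
    case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_DH_anon_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
        cipherName = "TLS_DH_anon_WITH_AES_256_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_PSK_WITH_RC4_128_SHA:
        cipherName = "TLS_PSK_WITH_RC4_128_SHA";
        break;
    case TLS_PSK_WITH_3DES_EDE_CBC_SHA:
        cipherName = "TLS_PSK_WITH_3DES_EDE_CBC_SHA";
        break;
    case TLS_PSK_WITH_AES_128_CBC_SHA:
        cipherName = "TLS_PSK_WITH_AES_128_CBC_SHA";
        break;
    case TLS_PSK_WITH_AES_256_CBC_SHA:
        cipherName = "TLS_PSK_WITH_AES_256_CBC_SHA";
        break;
    case TLS_DHE_PSK_WITH_RC4_128_SHA:
        cipherName = "TLS_DHE_PSK_WITH_RC4_128_SHA";
        paramsNeeded = 1;
        break;
    case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA:
        cipherName = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA";
        paramsNeeded = 1;
        break;
    case TLS_DHE_PSK_WITH_AES_128_CBC_SHA:
        cipherName = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA";
        paramsNeeded = 1;
        break;
    case TLS_DHE_PSK_WITH_AES_256_CBC_SHA:
        cipherName = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA";
        paramsNeeded = 1;
        break;
    case TLS_RSA_PSK_WITH_RC4_128_SHA:
        cipherName = "TLS_RSA_PSK_WITH_RC4_128_SHA";
        break;
    case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA:
        cipherName = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA";
        break;
    case TLS_RSA_PSK_WITH_AES_128_CBC_SHA:
        cipherName = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA";
        break;
    case TLS_RSA_PSK_WITH_AES_256_CBC_SHA:
        cipherName = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA";
        break;
    case TLS_PSK_WITH_NULL_SHA:
        cipherName = "TLS_PSK_WITH_NULL_SHA";
        break;
    case TLS_DHE_PSK_WITH_NULL_SHA:
        cipherName = "TLS_DHE_PSK_WITH_NULL_SHA";
        paramsNeeded = 1;
        break;
    case TLS_RSA_PSK_WITH_NULL_SHA:
        cipherName = "TLS_RSA_PSK_WITH_NULL_SHA";
        break;
    case TLS_RSA_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_RSA_WITH_AES_128_GCM_SHA256";
        break;
    case TLS_RSA_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_RSA_WITH_AES_256_GCM_SHA384";
        break;
    case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_DH_RSA_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DH_RSA_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_DH_DSS_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DH_DSS_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_DH_anon_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_DH_anon_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_DH_anon_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_PSK_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_PSK_WITH_AES_128_GCM_SHA256";
        break;
    case TLS_PSK_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_PSK_WITH_AES_256_GCM_SHA384";
        break;
    case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256";
        break;
    case TLS_RSA_PSK_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384";
        break;
    case TLS_PSK_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_PSK_WITH_AES_128_CBC_SHA256";
        break;
    case TLS_PSK_WITH_AES_256_CBC_SHA384:
        cipherName = "TLS_PSK_WITH_AES_256_CBC_SHA384";
        break;
    case TLS_PSK_WITH_NULL_SHA256:
        cipherName = "TLS_PSK_WITH_NULL_SHA256";
        break;
    case TLS_PSK_WITH_NULL_SHA384:
        cipherName = "TLS_PSK_WITH_NULL_SHA384";
        break;
    case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384:
        cipherName = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_DHE_PSK_WITH_NULL_SHA256:
        cipherName = "TLS_DHE_PSK_WITH_NULL_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_DHE_PSK_WITH_NULL_SHA384:
        cipherName = "TLS_DHE_PSK_WITH_NULL_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256";
        break;
    case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384:
        cipherName = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384";
        break;
    case TLS_RSA_PSK_WITH_NULL_SHA256:
        cipherName = "TLS_RSA_PSK_WITH_NULL_SHA256";
        break;
    case TLS_RSA_PSK_WITH_NULL_SHA384:
        cipherName = "TLS_RSA_PSK_WITH_NULL_SHA384";
        break;
    case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
        cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
        cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
        cipherName = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
        cipherName = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
        cipherName = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
        cipherName = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256";
        paramsNeeded = 1;
        break;
    case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
        cipherName = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384";
        paramsNeeded = 1;
        break;
    default :
        /* Unlisted suite: report its numeric identifier instead of a name */
        snprintf(unknownCipherName, sizeof(unknownCipherName), "UNKNOWN_%04X", (unsigned)cipher);
        cipherName = unknownCipherName;
        break;
  }

 /*
  * Reject RC4 for every key exchange named in the switch above, not just
  * the two plain-RSA suites...
  */

  if (cipher == TLS_RSA_WITH_RC4_128_MD5 ||
      cipher == TLS_RSA_WITH_RC4_128_SHA ||
      cipher == TLS_DH_anon_WITH_RC4_128_MD5 ||
      cipher == TLS_PSK_WITH_RC4_128_SHA ||
      cipher == TLS_DHE_PSK_WITH_RC4_128_SHA ||
      cipher == TLS_RSA_PSK_WITH_RC4_128_SHA)
  {
    printf("%s: ERROR (Insecure RC4 negotiated)\n", server);
    httpClose(http);
    return (1);
  }

 /*
  * Query the Diffie-Hellman parameters.  A failed query is fatal only for
  * suites that set paramsNeeded; for the others the length is forced to 0
  * so the size check below never reads a value the call did not set.
  */

  if ((err = SSLGetDiffieHellmanParams(http->tls, &params, &paramsLen)) != noErr)
  {
    if (paramsNeeded)
    {
      printf("%s: ERROR (Unable to get Diffie Hellman parameters - %d)\n", server, (int)err);
      httpClose(http);
      return (1);
    }

    paramsLen = 0;
  }

 /*
  * 128 bytes is a 1024-bit floor; a length of 0 is not checked.
  *
  * NOTE(review): 1024-bit Diffie-Hellman groups are widely regarded as too
  * weak today - consider raising this floor to 256 bytes (2048 bits).
  */

  if (paramsLen < 128 && paramsLen != 0)
  {
    printf("%s: ERROR (Diffie Hellman parameters only %d bytes/%d bits)\n", server, (int)paramsLen, (int)paramsLen * 8);
    httpClose(http);
    return (1);
  }
#endif /* __APPLE__ */

  printf("%s: OK (%d.%d, %s)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName);

  httpClose(http);

  return (0);
}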
453
454
455/*
456 * End of "$Id$".
457 */