| # Checks to make sure TLSv1.0 or later is allowed by a server. |
| shift # past argument or value |
| declare -A EXPECT_NEGOTIATE |
| EXPECT_NEGOTIATE[tls1_1]=1 |
| EXPECT_NEGOTIATE[tls1_2]=1 |
| EXPECT_NEGOTIATE[tls1_3]=1 |
| for PROTO in "${!EXPECT_NEGOTIATE[@]}"; do |
| echo "openssl s_client -connect $THRIFTHOST:$THRIFTPORT -CAfile ../keys/CA.pem -$PROTO 2>&1 < /dev/null" |
| nego=$(openssl s_client -connect $THRIFTHOST:$THRIFTPORT -CAfile ../keys/CA.pem -$PROTO 2>&1 < /dev/null) |
| echo "result of command: $negodenied" |
| res="enabled"; if [[ ${EXPECT_NEGOTIATE[$PROTO]} -eq 0 ]]; then res="disabled"; fi |
| if [[ $negodenied -ne ${EXPECT_NEGOTIATE[$PROTO]} ]]; then |
| echo "$PROTO negotiation allowed" |
| echo "[warn] $PROTO negotiation did not work" |
| if [[ $failures -eq 4 ]]; then |
| echo "[fail] At least one of TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3 needs to work, but does not" |
| echo "[pass] At least one of TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3 worked" |