From ac3e5f4d6200c3c8fe2e8396f6f86fdeadf32ab1 Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Thu, 3 Apr 2014 23:37:46 +0200
Subject: [PATCH] Correctly report TLSv1.2 only ciphers as negotiable with
 TLSv1.2

Previously scan would report:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits

Now it correctly reports:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
---
 cipherscan | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/cipherscan b/cipherscan
index 4d861aa..4bb7b75 100755
--- a/cipherscan
+++ b/cipherscan
@@ -64,6 +64,7 @@ test_cipher_on_target() {
     cipher=""
     protocols=""
     pfs=""
+    previous_cipher=""
     for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2"
     do
         debug echo \"quit\\n\" \| $sslcommand $tls_version
@@ -74,7 +75,15 @@ test_cipher_on_target() {
         if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
             # connection failed, try again with next TLS version
             continue
+        else
+            verbose "connection successful; protocol: $current_protocol, cipher: $current_cipher, previous cipher: $previous_cipher"
         fi
+        # handling of TLSv1.2 only cipher suites
+        if [ ! -z "$previous_cipher" ] && [ "$previous_cipher" != "$current_cipher" ] && [ "$current_cipher" != "0000" ]; then
+            unset protocols
+        fi
+        previous_cipher=$current_cipher
+
         # connection succeeded, add TLS version to positive results
         if [ -z "$protocols" ]; then
             protocols=$current_protocol