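#!/bin/bash
#
# Checks to make sure SSLv3 is not allowed by a server.
#
# Usage: nosslv3.sh [-h HOST | --host HOST | --host=HOST]
#                   [-p PORT | --port PORT | --port=PORT]
#
# Exit status:
#   0  the server refused an SSLv3-only handshake, or the local OpenSSL
#      cannot speak SSLv3 at all (reported as pass so the harness stays
#      green, but see the caveat in nosslv3 below)
#   1  the server negotiated SSLv3, could not be reached, or openssl is
#      unusable here
#   2  usage error
#
# NOTE: -CAfile ../keys/CA.pem is resolved against the current working
# directory, so run this from the directory the original was run from.
# s_client's exit status does not depend on certificate verification, so a
# wrong CA path only changes the printed verify result, not pass/fail.

# -e is deliberately NOT set: the probe's non-zero exit status is the result
# we want to inspect, not an error.
set -u -o pipefail

THRIFTHOST=localhost
THRIFTPORT=9090

# Print usage to stderr and exit 2.
usage() {
  printf 'Usage: %s [-h|--host HOST] [-p|--port PORT]\n' "${0##*/}" >&2
  exit 2
}

# Option parsing. Both "--host=HOST" and "--host HOST" are accepted.
# (The original split on "=" only, so "--host HOST" set an empty host, and
# it shifted twice per recognised option, silently discarding whatever
# argument followed "--host=HOST" -- e.g. a subsequent --port.)
while (( $# >= 1 )); do
  case "$1" in
    -h=*|--host=*)
      THRIFTHOST=${1#*=}
      shift
      ;;
    -p=*|--port=*)
      THRIFTPORT=${1#*=}
      shift
      ;;
    -h|--host)
      (( $# >= 2 )) || usage
      THRIFTHOST=$2
      shift 2
      ;;
    -p|--port)
      (( $# >= 2 )) || usage
      THRIFTPORT=$2
      shift 2
      ;;
    *)
      # unknown option ignored (as before), but still consumed so the
      # loop always makes progress
      shift
      ;;
  esac
done

# Reject values that would make the -connect argument meaningless.
[[ -n $THRIFTHOST ]] || usage
[[ $THRIFTPORT =~ ^[0-9]+$ ]] || usage

#######################################
# Probe the server with an SSLv3-only client hello.
# Globals:   THRIFTHOST, THRIFTPORT (read)
# Outputs:   one "[pass]"/"[fail]" line followed by the s_client transcript
# Returns:   0 if SSLv3 was refused or cannot be probed from this machine,
#            1 if SSLv3 was negotiated, the server is unreachable, or
#            openssl is unusable
#######################################
nosslv3() {
  local opensslv major minor
  local probe nego negodenied

  if ! command -v openssl >/dev/null 2>&1; then
    echo "[fail] openssl not found in PATH"
    return 1
  fi

  # "openssl version" prints e.g. "OpenSSL 1.0.2k  26 Jan 2017"; take the
  # major and minor components of the second word.
  # The original compared the whole string with [[ $v > "1.0" ]], which is a
  # lexicographic test: "1.0.2k" > "1.0" is true, so every 1.0.x build
  # skipped the probe and printed [pass] without contacting the server.
  opensslv=$(openssl version | cut -d' ' -f2)
  IFS=. read -r major minor _ <<<"$opensslv"
  if [[ ! $major =~ ^[0-9]+$ || ! $minor =~ ^[0-9]+$ ]]; then
    printf '[fail] could not parse OpenSSL version "%s"\n' "$opensslv"
    return 1
  fi

  if (( major > 1 || (major == 1 && minor >= 1) )); then
    # SSLv3 is disabled at build time by default from OpenSSL 1.1.0 on, so
    # this client cannot send an SSLv3 hello. This is "cannot test from
    # here", not evidence about the server; it is reported as pass only to
    # keep the harness green. Use a 1.0.x client to get a real answer.
    echo "[pass] OpenSSL 1.1 or later - no need to check ssl3"
    return 0
  fi

  # s_client also exits non-zero when the host is down, the port is closed or
  # the name does not resolve, which the original read as "SSLv3 disabled".
  # Require a plain TLS connection to succeed first so an unreachable server
  # cannot produce a pass.
  if ! probe=$(openssl s_client -connect "$THRIFTHOST:$THRIFTPORT" \
      -CAfile ../keys/CA.pem 2>&1 </dev/null); then
    echo "[fail] could not establish a TLS connection to $THRIFTHOST:$THRIFTPORT:"
    printf '%s\n' "$probe"
    return 1
  fi

  # The SSLv3-only attempt. -ssl3 pins the client to SSLv3; a non-zero exit
  # means the handshake was refused (or that this client has no -ssl3).
  nego=$(openssl s_client -connect "$THRIFTHOST:$THRIFTPORT" \
    -CAfile ../keys/CA.pem -ssl3 2>&1 </dev/null)
  negodenied=$?

  if (( negodenied != 0 )); then
    # A 1.0.x build compiled with no-ssl3 rejects the flag itself ("unknown
    # option -ssl3") before any packet is sent; say so instead of claiming
    # the server refused.
    if [[ $nego == *"unknown option"* ]]; then
      echo "[pass] local OpenSSL built without SSLv3 support - cannot check ssl3"
    else
      echo "[pass] SSLv3 negotiation disabled"
    fi
    printf '%s\n' "$nego"
    return 0
  fi

  echo "[fail] SSLv3 negotiation enabled! stdout:"
  printf '%s\n' "$nego"
  return 1
}

nosslv3
exit $?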