
@sidwarkd
Created June 16, 2025 12:03
Script to help properly size the `CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN` setting
#!/bin/bash
#######################################
# Print the command-line help text.
# Arguments: none (reads $0 for the program name)
# Outputs:   usage synopsis, three examples and the argument list on stdout
#######################################
show_usage() {
  local prog=$0
  printf '%s\n' \
    "Usage: $prog <domain> [cipher] [curve]" \
    "Example: $prog google.com" \
    "Example: $prog google.com ECDHE-RSA-AES256-GCM-SHA384" \
    "Example: $prog google.com ECDHE-RSA-AES256-GCM-SHA384 X25519" \
    "" \
    "Arguments:" \
    " domain - Target domain to analyze (required)" \
    " cipher - SSL cipher suite (optional)" \
    " curve - Elliptic curve (optional)"
}
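# Require the target domain; cipher and curve are optional.
if [ $# -eq 0 ] || [ -z "$1" ]; then
  show_usage
  exit 1
fi

DOMAIN="$1"
CIPHER="${2:-}"
CURVES="${3:-}"

echo "Connecting to $DOMAIN and analyzing TLS message sizes..."

# Build the openssl invocation as an array, one element per argument.
# Expanding a flat command string unquoted would word-split and glob the
# caller-supplied domain/cipher/curve values, so a value containing spaces
# could smuggle extra options into openssl.
openssl_cmd=(openssl s_client -connect "$DOMAIN:443" -tls1_2)
if [ -n "$CIPHER" ]; then
  openssl_cmd+=(-cipher "$CIPHER")
  echo "Using cipher: $CIPHER"
fi
if [ -n "$CURVES" ]; then
  openssl_cmd+=(-curves "$CURVES")
  echo "Using curve: $CURVES"
fi
openssl_cmd+=(-showcerts -msg)

echo "Running command: timeout 10s ${openssl_cmd[*]}"
echo ""

# Run the handshake (stdin from /dev/null so s_client exits once it is done,
# timeout as a backstop), pull the hex "length NNNN" fields out of the -msg
# trace, convert each to decimal and keep the largest.
#
# NOTE(review): stderr is discarded and s_client does not abort on a
# certificate verification failure by default, so the number describes
# whatever endpoint answered on port 443 (for example a TLS-inspecting proxy),
# not necessarily the intended server. It is also a single TLS 1.2 handshake:
# certificate chains change on renewal, so leave headroom when sizing
# CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN from this value.
max_length_decimal=$(
  timeout 10s "${openssl_cmd[@]}" </dev/null 2>/dev/null \
    | grep -oP 'length \K[0-9a-f]+' \
    | while IFS= read -r hex_val; do
        printf '%d\n' "0x$hex_val"
      done \
    | sort -nr \
    | head -n1
)

if [ -z "$max_length_decimal" ]; then
  echo "No TLS message lengths found. Check if the domain is reachable." >&2
  exit 1
fi

echo "Largest TLS message length: $max_length_decimal bytes"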