Merge branch 'master' into openss2rfc_rfc2openssl
This commit is contained in:
commit
01391e318a
|
@ -20,10 +20,12 @@
|
||||||
- Detection of insecure redirects
|
- Detection of insecure redirects
|
||||||
- JSON and CSV output
|
- JSON and CSV output
|
||||||
- Client simulations
|
- Client simulations
|
||||||
|
- CI integration, test cases for it
|
||||||
|
|
||||||
* David Cooper
|
* David Cooper
|
||||||
- Detection + output of multiple certificates
|
- Detection + output of multiple certificates
|
||||||
- several cleanups of server certificate related stuff
|
- several cleanups of server certificate related stuff
|
||||||
|
- several minor fixes
|
||||||
- improved parsing of TLS ServerHello messages
|
- improved parsing of TLS ServerHello messages
|
||||||
- speed improvements when testing all ciphers
|
- speed improvements when testing all ciphers
|
||||||
|
|
||||||
|
|
152
testssl.sh
152
testssl.sh
|
@ -83,7 +83,7 @@ readonly PS4='${LINENO}> ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
||||||
# make sure that temporary files are cleaned up after use in ANY case
|
# make sure that temporary files are cleaned up after use in ANY case
|
||||||
trap "cleanup" QUIT EXIT
|
trap "cleanup" QUIT EXIT
|
||||||
|
|
||||||
readonly VERSION="2.8rc1"
|
readonly VERSION="2.8rc2"
|
||||||
readonly SWCONTACT="dirk aet testssl dot sh"
|
readonly SWCONTACT="dirk aet testssl dot sh"
|
||||||
egrep -q "dev|rc" <<< "$VERSION" && \
|
egrep -q "dev|rc" <<< "$VERSION" && \
|
||||||
SWURL="https://testssl.sh/dev/" ||
|
SWURL="https://testssl.sh/dev/" ||
|
||||||
|
@ -212,6 +212,7 @@ OSSL_VER_APPENDIX="none"
|
||||||
HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables
|
HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables
|
||||||
HAS_SSL2=false
|
HAS_SSL2=false
|
||||||
HAS_SSL3=false
|
HAS_SSL3=false
|
||||||
|
HAS_NO_SSL2=false
|
||||||
HAS_ALPN=false
|
HAS_ALPN=false
|
||||||
HAS_SPDY=false
|
HAS_SPDY=false
|
||||||
ADD_RFC_STR="rfc" # display RFC ciphernames
|
ADD_RFC_STR="rfc" # display RFC ciphernames
|
||||||
|
@ -2809,6 +2810,7 @@ run_client_simulation() {
|
||||||
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE
|
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
! "$HAS_NO_SSL2" && protos[i]="$(sed 's/-no_ssl2//' <<< "${protos[i]}")"
|
||||||
$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
|
$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
|
||||||
debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
|
debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
|
@ -2933,6 +2935,7 @@ run_protocols() {
|
||||||
local supported_no_ciph2="supported but couldn't detect a cipher"
|
local supported_no_ciph2="supported but couldn't detect a cipher"
|
||||||
local latest_supported="" # version.major and version.minor of highest version supported by the server.
|
local latest_supported="" # version.major and version.minor of highest version supported by the server.
|
||||||
local detected_version_string latest_supported_string
|
local detected_version_string latest_supported_string
|
||||||
|
local lines nr_ciphers_detected
|
||||||
local extra_spaces=" "
|
local extra_spaces=" "
|
||||||
|
|
||||||
outln; pr_headline " Testing protocols "
|
outln; pr_headline " Testing protocols "
|
||||||
|
@ -2957,7 +2960,40 @@ run_protocols() {
|
||||||
|
|
||||||
pr_bold " SSLv2 $extra_spaces";
|
pr_bold " SSLv2 $extra_spaces";
|
||||||
if ! "$SSL_NATIVE"; then
|
if ! "$SSL_NATIVE"; then
|
||||||
sslv2_sockets #FIXME: messages/output need to be moved to this (higher) level
|
sslv2_sockets
|
||||||
|
case $? in
|
||||||
|
7) # strange reply, couldn't convert the cipher spec length to a hex number
|
||||||
|
pr_cyan "strange v2 reply "
|
||||||
|
outln " (rerun with DEBUG >=2)"
|
||||||
|
[[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1
|
||||||
|
fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
||||||
|
;;
|
||||||
|
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
|
||||||
|
pr_done_bestln "not offered (OK)"
|
||||||
|
fileout "sslv2" "OK" "SSLv2 not offered (OK)"
|
||||||
|
;;
|
||||||
|
0) # reset
|
||||||
|
pr_done_bestln "not offered (OK)"
|
||||||
|
fileout "sslv2" "OK" "SSLv2 not offered (OK)"
|
||||||
|
;;
|
||||||
|
3) # everything else
|
||||||
|
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
||||||
|
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
|
||||||
|
if [[ "$lines" -gt 1 ]]; then
|
||||||
|
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
||||||
|
add_tls_offered "ssl2"
|
||||||
|
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
||||||
|
pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
|
||||||
|
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197"
|
||||||
|
else
|
||||||
|
pr_svrty_critical "offered (NOT ok), also VULNERABLE to DROWN attack";
|
||||||
|
outln " -- $nr_ciphers_detected ciphers"
|
||||||
|
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to DROWN attack. Detected ciphers: $nr_ciphers_detected"
|
||||||
|
fi
|
||||||
|
fi ;;
|
||||||
|
esac
|
||||||
|
pr_off
|
||||||
|
debugme outln
|
||||||
else
|
else
|
||||||
run_prototest_openssl "-ssl2"
|
run_prototest_openssl "-ssl2"
|
||||||
case $? in
|
case $? in
|
||||||
|
@ -3138,7 +3174,6 @@ run_protocols() {
|
||||||
1)
|
1)
|
||||||
pr_svrty_mediumln "not offered"
|
pr_svrty_mediumln "not offered"
|
||||||
if ! "$using_sockets" || ! "$EXPERIMENTAL" || [[ -z $latest_supported ]]; then
|
if ! "$using_sockets" || ! "$EXPERIMENTAL" || [[ -z $latest_supported ]]; then
|
||||||
outln
|
|
||||||
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
|
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
|
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
|
||||||
|
@ -3467,7 +3502,11 @@ run_server_preference() {
|
||||||
out " (SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\"" ; outln ")";
|
out " (SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\"" ; outln ")";
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
if [[ "$p" =~ ssl ]]; then
|
||||||
|
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
|
else
|
||||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
|
fi
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
||||||
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||||
|
@ -3598,7 +3637,7 @@ check_tls12_pref() {
|
||||||
|
|
||||||
|
|
||||||
cipher_pref_check() {
|
cipher_pref_check() {
|
||||||
local p proto protos npn_protos
|
local p proto protos npn_protos sni
|
||||||
local tested_cipher cipher order
|
local tested_cipher cipher order
|
||||||
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
|
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
|
||||||
|
|
||||||
|
@ -3615,11 +3654,12 @@ cipher_pref_check() {
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
# with the supplied binaries SNI works also for SSLv2 (+ SSLv3)
|
# with the supplied binaries SNI works also for SSLv2 (+ SSLv3)
|
||||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
|
[[ "$p" =~ ssl ]] && sni="" || sni=$SNI
|
||||||
|
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
tested_cipher=""
|
tested_cipher=""
|
||||||
proto=$(awk '/Protocol/ { print $3 }' $TMPFILE)
|
proto=$(awk '/Protocol/ { print $3 }' $TMPFILE)
|
||||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE)
|
||||||
[[ -z "$proto" ]] && continue # for early openssl versions sometimes needed
|
[[ -z "$proto" ]] && continue # for early openssl versions sometimes needed
|
||||||
outln
|
outln
|
||||||
printf " %-10s" "$proto: "
|
printf " %-10s" "$proto: "
|
||||||
|
@ -3642,9 +3682,9 @@ cipher_pref_check() {
|
||||||
else
|
else
|
||||||
out " $cipher" # this is the first cipher for protocol
|
out " $cipher" # this is the first cipher for protocol
|
||||||
while true; do
|
while true; do
|
||||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
sclient_connect_successful $? $TMPFILE || break
|
sclient_connect_successful $? $TMPFILE || break
|
||||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE)
|
||||||
out " $cipher"
|
out " $cipher"
|
||||||
order+=" $cipher"
|
order+=" $cipher"
|
||||||
tested_cipher="$tested_cipher:-$cipher"
|
tested_cipher="$tested_cipher:-$cipher"
|
||||||
|
@ -4227,6 +4267,7 @@ certificate_info() {
|
||||||
*DSA*|*dsa*) out "DSA ";;
|
*DSA*|*dsa*) out "DSA ";;
|
||||||
*ecdsa*|*ecPublicKey) out "ECDSA ";;
|
*ecdsa*|*ecPublicKey) out "ECDSA ";;
|
||||||
*GOST*|*gost*) out "GOST ";;
|
*GOST*|*gost*) out "GOST ";;
|
||||||
|
*dh*|*DH*) out "DH " ;;
|
||||||
*) pr_warning "fixme: $cert_key_algo " ;;
|
*) pr_warning "fixme: $cert_key_algo " ;;
|
||||||
esac
|
esac
|
||||||
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
||||||
|
@ -4254,7 +4295,8 @@ certificate_info() {
|
||||||
fileout "${json_prefix}key_size" "DEBUG" "Server keys $cert_keysize bits (not expected)"
|
fileout "${json_prefix}key_size" "DEBUG" "Server keys $cert_keysize bits (not expected)"
|
||||||
fi
|
fi
|
||||||
outln " bits"
|
outln " bits"
|
||||||
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]]; then
|
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]] || \
|
||||||
|
[[ $cert_key_algo =~ dhKeyAgreement ]] || [[ $cert_key_algo =~ "X9.42 DH" ]]; then
|
||||||
if [[ "$cert_keysize" -le 512 ]]; then
|
if [[ "$cert_keysize" -le 512 ]]; then
|
||||||
pr_svrty_critical "$cert_keysize"
|
pr_svrty_critical "$cert_keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
|
@ -5618,7 +5660,7 @@ parse_tls_serverhello() {
|
||||||
|
|
||||||
|
|
||||||
sslv2_sockets() {
|
sslv2_sockets() {
|
||||||
local nr_ciphers_detected
|
local ret
|
||||||
|
|
||||||
fd_socket 5 || return 6
|
fd_socket 5 || return 6
|
||||||
debugme outln "sending client hello... "
|
debugme outln "sending client hello... "
|
||||||
|
@ -5632,43 +5674,7 @@ sslv2_sockets() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
parse_sslv2_serverhello "$SOCK_REPLY_FILE"
|
parse_sslv2_serverhello "$SOCK_REPLY_FILE"
|
||||||
case $? in
|
ret=$?
|
||||||
7) # strange reply, couldn't convert the cipher spec length to a hex number
|
|
||||||
pr_cyan "strange v2 reply "
|
|
||||||
outln " (rerun with DEBUG >=2)"
|
|
||||||
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
|
|
||||||
ret=7
|
|
||||||
fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
|
||||||
;;
|
|
||||||
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
|
|
||||||
pr_done_bestln "not offered (OK)"
|
|
||||||
ret=0
|
|
||||||
fileout "sslv2" "OK" "SSLv2 not offered (OK)"
|
|
||||||
;;
|
|
||||||
0) # reset
|
|
||||||
pr_done_bestln "not offered (OK)"
|
|
||||||
ret=0
|
|
||||||
fileout "sslv2" "OK" "SSLv2 not offered (OK)"
|
|
||||||
;;
|
|
||||||
3) # everything else
|
|
||||||
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)")
|
|
||||||
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
|
|
||||||
if [[ "$lines" -gt 1 ]]; then
|
|
||||||
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
|
||||||
add_tls_offered "ssl2"
|
|
||||||
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
|
||||||
pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
|
|
||||||
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197"
|
|
||||||
else
|
|
||||||
pr_svrty_critical "offered (NOT ok), also VULNERABLE to DROWN attack";
|
|
||||||
outln " -- $nr_ciphers_detected ciphers"
|
|
||||||
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to DROWN attack. Detected ciphers: $nr_ciphers_detected"
|
|
||||||
fi
|
|
||||||
ret=1
|
|
||||||
fi ;;
|
|
||||||
esac
|
|
||||||
pr_off
|
|
||||||
debugme outln
|
|
||||||
|
|
||||||
close_socket
|
close_socket
|
||||||
TMPFILE=$SOCK_REPLY_FILE
|
TMPFILE=$SOCK_REPLY_FILE
|
||||||
|
@ -6458,10 +6464,11 @@ run_ssl_poodle() {
|
||||||
|
|
||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln
|
||||||
pr_bold " POODLE, SSL"; out " (CVE-2014-3566) "
|
pr_bold " POODLE, SSL"; out " (CVE-2014-3566) "
|
||||||
|
locally_supported "-ssl3" || return 0
|
||||||
cbc_ciphers=$(actually_supported_ciphers $cbc_ciphers)
|
cbc_ciphers=$(actually_supported_ciphers $cbc_ciphers)
|
||||||
|
|
||||||
debugme echo $cbc_ciphers
|
debugme echo $cbc_ciphers
|
||||||
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
|
@ -6490,7 +6497,7 @@ run_tls_fallback_scsv() {
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
|
|
||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for TLS_FALLBACK_SCSV Protection " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for TLS_FALLBACK_SCSV Protection " && outln
|
||||||
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507), experim. "
|
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507), "
|
||||||
# This isn't a vulnerability check per se, but checks for the existence of
|
# This isn't a vulnerability check per se, but checks for the existence of
|
||||||
# the countermeasure to protect against protocol downgrade attacks.
|
# the countermeasure to protect against protocol downgrade attacks.
|
||||||
|
|
||||||
|
@ -6661,27 +6668,19 @@ run_drown() {
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
# if we want to use OPENSSL: check for < openssl 1.0.2g, openssl 1.0.1s if native openssl
|
# if we want to use OPENSSL: check for < openssl 1.0.2g, openssl 1.0.1s if native openssl
|
||||||
pr_bold " DROWN"; out " (2016-0800, CVE-2016-0703), exper. "
|
pr_bold " DROWN"; out " (2016-0800, CVE-2016-0703) "
|
||||||
fd_socket 5 || return 6
|
sslv2_sockets
|
||||||
debugme outln "sending client hello... "
|
|
||||||
socksend_sslv2_clienthello "$SSLv2_CLIENT_HELLO"
|
|
||||||
sockread_serverhello 32768
|
|
||||||
debugme outln "reading server hello... "
|
|
||||||
if [[ "$DEBUG" -ge 4 ]]; then
|
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -6
|
|
||||||
outln
|
|
||||||
fi
|
|
||||||
parse_sslv2_serverhello "$SOCK_REPLY_FILE"
|
|
||||||
case $? in
|
case $? in
|
||||||
7) # strange reply, couldn't convert the cipher spec length to a hex number
|
7) # strange reply, couldn't convert the cipher spec length to a hex number
|
||||||
fixme "strange v2 reply "
|
fixme "strange v2 reply "
|
||||||
outln " (rerun with DEBUG >=2)"
|
outln " (rerun with DEBUG >=2)"
|
||||||
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
|
[[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1
|
||||||
ret=7
|
ret=7
|
||||||
fileout "drown" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
fileout "drown" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
||||||
;;
|
;;
|
||||||
3) # vulnerable
|
3) # vulnerable
|
||||||
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)")
|
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
||||||
debugme out " ($lines lines) "
|
debugme out " ($lines lines) "
|
||||||
if [[ "$lines" -gt 1 ]]; then
|
if [[ "$lines" -gt 1 ]]; then
|
||||||
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
||||||
|
@ -6689,8 +6688,8 @@ run_drown() {
|
||||||
pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)";
|
pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)";
|
||||||
fileout "drown" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher"
|
fileout "drown" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher"
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers";
|
pr_svrty_criticalln "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers";
|
||||||
fileout "drown" "NOT ok" "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"
|
fileout "drown" "NOT ok" "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
ret=1
|
ret=1
|
||||||
|
@ -6753,11 +6752,21 @@ run_beast(){
|
||||||
done
|
done
|
||||||
|
|
||||||
for proto in ssl3 tls1; do
|
for proto in ssl3 tls1; do
|
||||||
|
if [[ "$proto" == "ssl3" ]] && ! locally_supported "-$proto"; then
|
||||||
|
continued=true
|
||||||
|
out " "
|
||||||
|
continue
|
||||||
|
fi
|
||||||
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
|
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
|
||||||
if "$continued"; then # second round: we hit TLS1
|
if "$continued"; then # second round: we hit TLS1
|
||||||
|
if "$HAS_SSL3"; then
|
||||||
pr_done_goodln "no SSL3 or TLS1 (OK)"
|
pr_done_goodln "no SSL3 or TLS1 (OK)"
|
||||||
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
|
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
|
||||||
|
else
|
||||||
|
pr_done_goodln "no TLS1 (OK)"
|
||||||
|
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no TLS1"
|
||||||
|
fi
|
||||||
return 0
|
return 0
|
||||||
else # protocol not succeeded but it's the first time
|
else # protocol not succeeded but it's the first time
|
||||||
continued=true
|
continued=true
|
||||||
|
@ -7098,6 +7107,9 @@ find_openssl_binary() {
|
||||||
$OPENSSL s_client -ssl3 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL s_client -ssl3 2>&1 | grep -aq "unknown option" || \
|
||||||
HAS_SSL3=true
|
HAS_SSL3=true
|
||||||
|
|
||||||
|
$OPENSSL s_client -no_ssl2 2>&1 | grep -aq "unknown option" || \
|
||||||
|
HAS_NO_SSL2=true
|
||||||
|
|
||||||
$OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \
|
$OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \
|
||||||
HAS_ALPN=true
|
HAS_ALPN=true
|
||||||
|
|
||||||
|
@ -7283,6 +7295,7 @@ OPENSSL_CONF: $OPENSSL_CONF
|
||||||
HAS_IPv6: $HAS_IPv6
|
HAS_IPv6: $HAS_IPv6
|
||||||
HAS_SSL2: $HAS_SSL2
|
HAS_SSL2: $HAS_SSL2
|
||||||
HAS_SSL3: $HAS_SSL3
|
HAS_SSL3: $HAS_SSL3
|
||||||
|
HAS_NO_SSL2: $HAS_NO_SSL2
|
||||||
HAS_SPDY: $HAS_SPDY
|
HAS_SPDY: $HAS_SPDY
|
||||||
HAS_ALPN: $HAS_ALPN
|
HAS_ALPN: $HAS_ALPN
|
||||||
|
|
||||||
|
@ -8204,6 +8217,7 @@ determine_optimal_proto() {
|
||||||
fi
|
fi
|
||||||
all_failed=0
|
all_failed=0
|
||||||
done
|
done
|
||||||
|
[[ $all_failed -eq 0 ]] && STARTTLS_OPTIMAL_PROTO=""
|
||||||
debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
|
debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
|
||||||
else
|
else
|
||||||
for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
|
for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
|
||||||
|
@ -8215,6 +8229,7 @@ determine_optimal_proto() {
|
||||||
fi
|
fi
|
||||||
all_failed=0
|
all_failed=0
|
||||||
done
|
done
|
||||||
|
[[ $all_failed -eq 0 ]] && OPTIMAL_PROTO=""
|
||||||
debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
|
debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
|
||||||
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
|
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
|
||||||
pr_magentaln "$NODEIP:$PORT appears to only support SSLv2."
|
pr_magentaln "$NODEIP:$PORT appears to only support SSLv2."
|
||||||
|
@ -8716,7 +8731,7 @@ parse_cmd_line() {
|
||||||
do_pfs=true
|
do_pfs=true
|
||||||
;;
|
;;
|
||||||
--devel) ### this development feature will soon disappear
|
--devel) ### this development feature will soon disappear
|
||||||
HEX_CIPHER=""
|
HEX_CIPHER="$TLS12_CIPHER"
|
||||||
# DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY
|
# DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY
|
||||||
# DEBUG=3 ./testssl.sh --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com --> new CHACHA/POLY
|
# DEBUG=3 ./testssl.sh --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com --> new CHACHA/POLY
|
||||||
# DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0
|
# DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0
|
||||||
|
@ -8903,9 +8918,8 @@ lets_roll() {
|
||||||
determine_rdns
|
determine_rdns
|
||||||
determine_service "$1" # any starttls service goes here
|
determine_service "$1" # any starttls service goes here
|
||||||
|
|
||||||
$do_tls_sockets && { [[ $TLS_LOW_BYTE -eq 22 ]] && \
|
$do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets; echo "$?" ; exit 0; }
|
||||||
sslv2_sockets || \
|
$do_tls_sockets && [[ $TLS_LOW_BYTE -ne 22 ]] && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER"; echo "$?" ; exit 0; }
|
||||||
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER"; echo "$?" ; exit 0; }
|
|
||||||
$do_test_just_one && test_just_one ${single_cipher}
|
$do_test_just_one && test_just_one ${single_cipher}
|
||||||
|
|
||||||
# all top level functions now following have the prefix "run_"
|
# all top level functions now following have the prefix "run_"
|
||||||
|
@ -9032,4 +9046,4 @@ fi
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.531 2016/07/23 13:12:12 dirkw Exp $
|
# $Id: testssl.sh,v 1.533 2016/08/28 19:41:29 dirkw Exp $
|
||||||
|
|
Loading…
Reference in New Issue