Merge branch 'master' into openss2rfc_rfc2openssl

This commit is contained in:
David Cooper 2016-08-29 10:00:18 -04:00
commit 01391e318a
2 changed files with 88 additions and 72 deletions

View File

@ -20,10 +20,12 @@
- Detection of insecure redirects
- JSON and CSV output
- Client simulations
- CI integration, test cases for it
* David Cooper
- Detection + output of multiple certificates
- several cleanups of server certificate related stuff
- several minor fixes
- improved parsing of TLS ServerHello messages
- speed improvements when testing all ciphers

View File

@ -83,7 +83,7 @@ readonly PS4='${LINENO}> ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
# make sure that temporary files are cleaned up after use in ANY case
trap "cleanup" QUIT EXIT
readonly VERSION="2.8rc1"
readonly VERSION="2.8rc2"
readonly SWCONTACT="dirk aet testssl dot sh"
egrep -q "dev|rc" <<< "$VERSION" && \
SWURL="https://testssl.sh/dev/" ||
@ -212,6 +212,7 @@ OSSL_VER_APPENDIX="none"
HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables
HAS_SSL2=false
HAS_SSL3=false
HAS_NO_SSL2=false
HAS_ALPN=false
HAS_SPDY=false
ADD_RFC_STR="rfc" # display RFC ciphernames
@ -2809,6 +2810,7 @@ run_client_simulation() {
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE
fi
else
! "$HAS_NO_SSL2" && protos[i]="$(sed 's/-no_ssl2//' <<< "${protos[i]}")"
$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
sclient_connect_successful $? $TMPFILE
@ -2933,6 +2935,7 @@ run_protocols() {
local supported_no_ciph2="supported but couldn't detect a cipher"
local latest_supported="" # version.major and version.minor of highest version supported by the server.
local detected_version_string latest_supported_string
local lines nr_ciphers_detected
local extra_spaces=" "
outln; pr_headline " Testing protocols "
@ -2957,7 +2960,40 @@ run_protocols() {
pr_bold " SSLv2 $extra_spaces";
if ! "$SSL_NATIVE"; then
sslv2_sockets #FIXME: messages/output need to be moved to this (higher) level
sslv2_sockets
case $? in
7) # strange reply, couldn't convert the cipher spec length to a hex number
pr_cyan "strange v2 reply "
outln " (rerun with DEBUG >=2)"
[[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1
fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
;;
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
pr_done_bestln "not offered (OK)"
fileout "sslv2" "OK" "SSLv2 not offered (OK)"
;;
0) # reset
pr_done_bestln "not offered (OK)"
fileout "sslv2" "OK" "SSLv2 not offered (OK)"
;;
3) # everything else
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
if [[ "$lines" -gt 1 ]]; then
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
add_tls_offered "ssl2"
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197"
else
pr_svrty_critical "offered (NOT ok), also VULNERABLE to DROWN attack";
outln " -- $nr_ciphers_detected ciphers"
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to DROWN attack. Detected ciphers: $nr_ciphers_detected"
fi
fi ;;
esac
pr_off
debugme outln
else
run_prototest_openssl "-ssl2"
case $? in
@ -3138,7 +3174,6 @@ run_protocols() {
1)
pr_svrty_mediumln "not offered"
if ! "$using_sockets" || ! "$EXPERIMENTAL" || [[ -z $latest_supported ]]; then
outln
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
else
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
@ -3467,7 +3502,11 @@ run_server_preference() {
out " (SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\"" ; outln ")";
continue
fi
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
if [[ "$p" =~ ssl ]]; then
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
else
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
fi
if sclient_connect_successful $? $TMPFILE; then
proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
@ -3598,7 +3637,7 @@ check_tls12_pref() {
cipher_pref_check() {
local p proto protos npn_protos
local p proto protos npn_protos sni
local tested_cipher cipher order
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
@ -3615,11 +3654,12 @@ cipher_pref_check() {
continue
fi
# with the supplied binaries SNI works also for SSLv2 (+ SSLv3)
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
[[ "$p" =~ ssl ]] && sni="" || sni=$SNI
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then
tested_cipher=""
proto=$(awk '/Protocol/ { print $3 }' $TMPFILE)
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE)
[[ -z "$proto" ]] && continue # for early openssl versions sometimes needed
outln
printf " %-10s" "$proto: "
@ -3642,9 +3682,9 @@ cipher_pref_check() {
else
out " $cipher" # this is the first cipher for protocol
while true; do
$OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
$OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE || break
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE)
out " $cipher"
order+=" $cipher"
tested_cipher="$tested_cipher:-$cipher"
@ -4227,6 +4267,7 @@ certificate_info() {
*DSA*|*dsa*) out "DSA ";;
*ecdsa*|*ecPublicKey) out "ECDSA ";;
*GOST*|*gost*) out "GOST ";;
*dh*|*DH*) out "DH " ;;
*) pr_warning "fixme: $cert_key_algo " ;;
esac
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
@ -4254,7 +4295,8 @@ certificate_info() {
fileout "${json_prefix}key_size" "DEBUG" "Server keys $cert_keysize bits (not expected)"
fi
outln " bits"
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]]; then
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]] || \
[[ $cert_key_algo =~ dhKeyAgreement ]] || [[ $cert_key_algo =~ "X9.42 DH" ]]; then
if [[ "$cert_keysize" -le 512 ]]; then
pr_svrty_critical "$cert_keysize"
outln " bits"
@ -5618,7 +5660,7 @@ parse_tls_serverhello() {
sslv2_sockets() {
local nr_ciphers_detected
local ret
fd_socket 5 || return 6
debugme outln "sending client hello... "
@ -5632,43 +5674,7 @@ sslv2_sockets() {
fi
parse_sslv2_serverhello "$SOCK_REPLY_FILE"
case $? in
7) # strange reply, couldn't convert the cipher spec length to a hex number
pr_cyan "strange v2 reply "
outln " (rerun with DEBUG >=2)"
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
ret=7
fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
;;
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
pr_done_bestln "not offered (OK)"
ret=0
fileout "sslv2" "OK" "SSLv2 not offered (OK)"
;;
0) # reset
pr_done_bestln "not offered (OK)"
ret=0
fileout "sslv2" "OK" "SSLv2 not offered (OK)"
;;
3) # everything else
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)")
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
if [[ "$lines" -gt 1 ]]; then
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
add_tls_offered "ssl2"
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197"
else
pr_svrty_critical "offered (NOT ok), also VULNERABLE to DROWN attack";
outln " -- $nr_ciphers_detected ciphers"
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to DROWN attack. Detected ciphers: $nr_ciphers_detected"
fi
ret=1
fi ;;
esac
pr_off
debugme outln
ret=$?
close_socket
TMPFILE=$SOCK_REPLY_FILE
@ -6458,10 +6464,11 @@ run_ssl_poodle() {
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln
pr_bold " POODLE, SSL"; out " (CVE-2014-3566) "
locally_supported "-ssl3" || return 0
cbc_ciphers=$(actually_supported_ciphers $cbc_ciphers)
debugme echo $cbc_ciphers
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
$OPENSSL s_client -ssl3 $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
sclient_success=$?
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
@ -6490,7 +6497,7 @@ run_tls_fallback_scsv() {
local -i ret=0
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for TLS_FALLBACK_SCSV Protection " && outln
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507), experim. "
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507), "
# This isn't a vulnerability check per se, but checks for the existence of
# the countermeasure to protect against protocol downgrade attacks.
@ -6661,27 +6668,19 @@ run_drown() {
outln
fi
# if we want to use OPENSSL: check for < openssl 1.0.2g, openssl 1.0.1s if native openssl
pr_bold " DROWN"; out " (2016-0800, CVE-2016-0703), exper. "
fd_socket 5 || return 6
debugme outln "sending client hello... "
socksend_sslv2_clienthello "$SSLv2_CLIENT_HELLO"
sockread_serverhello 32768
debugme outln "reading server hello... "
if [[ "$DEBUG" -ge 4 ]]; then
hexdump -C "$SOCK_REPLY_FILE" | head -6
outln
fi
parse_sslv2_serverhello "$SOCK_REPLY_FILE"
pr_bold " DROWN"; out " (2016-0800, CVE-2016-0703) "
sslv2_sockets
case $? in
7) # strange reply, couldn't convert the cipher spec length to a hex number
fixme "strange v2 reply "
outln " (rerun with DEBUG >=2)"
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
[[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1
ret=7
fileout "drown" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
;;
3) # vulnerable
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)")
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
debugme out " ($lines lines) "
if [[ "$lines" -gt 1 ]]; then
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
@ -6689,8 +6688,8 @@ run_drown() {
pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)";
fileout "drown" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher"
else
pr_svrty_criticalln "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers";
fileout "drown" "NOT ok" "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"
pr_svrty_criticalln "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers";
fileout "drown" "NOT ok" "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"
fi
fi
ret=1
@ -6753,11 +6752,21 @@ run_beast(){
done
for proto in ssl3 tls1; do
if [[ "$proto" == "ssl3" ]] && ! locally_supported "-$proto"; then
continued=true
out " "
continue
fi
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
if "$continued"; then # second round: we hit TLS1
pr_done_goodln "no SSL3 or TLS1 (OK)"
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
if "$HAS_SSL3"; then
pr_done_goodln "no SSL3 or TLS1 (OK)"
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
else
pr_done_goodln "no TLS1 (OK)"
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no TLS1"
fi
return 0
else # protocol not succeeded but it's the first time
continued=true
@ -7098,6 +7107,9 @@ find_openssl_binary() {
$OPENSSL s_client -ssl3 2>&1 | grep -aq "unknown option" || \
HAS_SSL3=true
$OPENSSL s_client -no_ssl2 2>&1 | grep -aq "unknown option" || \
HAS_NO_SSL2=true
$OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \
HAS_ALPN=true
@ -7283,6 +7295,7 @@ OPENSSL_CONF: $OPENSSL_CONF
HAS_IPv6: $HAS_IPv6
HAS_SSL2: $HAS_SSL2
HAS_SSL3: $HAS_SSL3
HAS_NO_SSL2: $HAS_NO_SSL2
HAS_SPDY: $HAS_SPDY
HAS_ALPN: $HAS_ALPN
@ -8204,6 +8217,7 @@ determine_optimal_proto() {
fi
all_failed=0
done
[[ $all_failed -eq 0 ]] && STARTTLS_OPTIMAL_PROTO=""
debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
else
for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
@ -8215,6 +8229,7 @@ determine_optimal_proto() {
fi
all_failed=0
done
[[ $all_failed -eq 0 ]] && OPTIMAL_PROTO=""
debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
pr_magentaln "$NODEIP:$PORT appears to only support SSLv2."
@ -8716,7 +8731,7 @@ parse_cmd_line() {
do_pfs=true
;;
--devel) ### this development feature will soon disappear
HEX_CIPHER=""
HEX_CIPHER="$TLS12_CIPHER"
# DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY
# DEBUG=3 ./testssl.sh --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com --> new CHACHA/POLY
# DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0
@ -8903,9 +8918,8 @@ lets_roll() {
determine_rdns
determine_service "$1" # any starttls service goes here
$do_tls_sockets && { [[ $TLS_LOW_BYTE -eq 22 ]] && \
sslv2_sockets || \
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER"; echo "$?" ; exit 0; }
$do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets; echo "$?" ; exit 0; }
$do_tls_sockets && [[ $TLS_LOW_BYTE -ne 22 ]] && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER"; echo "$?" ; exit 0; }
$do_test_just_one && test_just_one ${single_cipher}
# all top level functions now following have the prefix "run_"
@ -9032,4 +9046,4 @@ fi
exit $?
# $Id: testssl.sh,v 1.531 2016/07/23 13:12:12 dirkw Exp $
# $Id: testssl.sh,v 1.533 2016/08/28 19:41:29 dirkw Exp $