Merge pull request #535 from dcooper16/reorganize_run_server_defaults

Reorganize run_server_defaults()
This commit is contained in:
Dirk Wetter 2016-11-22 10:38:48 +01:00 committed by GitHub
commit 071edc794c
1 changed files with 103 additions and 65 deletions

View File

@ -4691,17 +4691,89 @@ sclient_connect_successful() {
return 1 return 1
} }
# Note that since, at the moment, this function is only called by run_server_defaults()
# and run_heartbleed(), this function does not look for the status request or NPN
# extensions. For run_heartbleed(), only the heartbeat extension needs to be detected.
# For run_server_defaults(), the status request and NPN would already be detected by
# get_server_certificate(), if they are supported. In the case of the status extension,
# since including a status request extension in a ClientHello does not work for GOST
# only servers. In the case of NPN, since a server will not include both the NPN and
# ALPN extensions in the same ServerHello.
determine_tls_extensions() {
local addcmd
local -i success
local line params="" tls_extensions=""
local alpn_proto alpn="" alpn_list_len_hex alpn_extn_len_hex
local -i alpn_list_len alpn_extn_len
local using_sockets=true
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && return 0
"$SSL_NATIVE" && using_sockets=false
if "$using_sockets"; then
if [[ -z $STARTTLS ]]; then
for alpn_proto in $ALPN_PROTOs; do
alpn+=",$(printf "%02x" ${#alpn_proto}),$(string_to_asciihex "$alpn_proto")"
done
alpn_list_len=${#alpn}/3
alpn_list_len_hex=$(printf "%04x" $alpn_list_len)
alpn_extn_len=$alpn_list_len+2
alpn_extn_len_hex=$(printf "%04x" $alpn_extn_len)
tls_sockets "03" "$TLS12_CIPHER" "all" "00,01,00,01,02, 00,02,00,00, 00,04,00,00, 00,12,00,00, 00,16,00,00, 00,17,00,00, 00,10,${alpn_extn_len_hex:0:2},${alpn_extn_len_hex:2:2},${alpn_list_len_hex:0:2},${alpn_list_len_hex:2:2}$alpn"
else
tls_sockets "03" "$TLS12_CIPHER" "all" "00,01,00,01,02, 00,02,00,00, 00,04,00,00, 00,12,00,00, 00,16,00,00, 00,17,00,00"
fi
success=$?
[[ $success -eq 2 ]] && success=0
[[ $success -eq 0 ]] && tls_extensions="$(grep -a 'TLS Extensions: ' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" | sed 's/TLS Extensions: //' )"
if [[ -r "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" ]]; then
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
tmpfile_handle $FUNCNAME.txt
fi
else
if "$HAS_ALPN" && [[ -z $STARTTLS ]]; then
params="-alpn \"${ALPN_PROTOs// /,}\"" # we need to replace " " by ","
elif "$HAS_SPDY" && [[ -z $STARTTLS ]]; then
params="-nextprotoneg \"$NPN_PROTOs\""
fi
success=1
addcmd=""
if [[ -z "$OPTIMAL_PROTO" ]] && [[ -z "$SNI" ]] && "$HAS_NO_SSL2"; then
addcmd="-no_ssl2"
elif [[ ! "$OPTIMAL_PROTO" =~ ssl ]]; then
addcmd="$SNI"
fi
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $addcmd $OPTIMAL_PROTO -tlsextdebug $params </dev/null 2>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE
if [[ $? -eq 0 ]]; then
success=0
tls_extensions=$(grep -a 'TLS server extension ' $TMPFILE | sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' -e 's/,.*$/,/g' -e 's/),$/\"/g')
tls_extensions=$(echo $tls_extensions) # into one line
fi
tmpfile_handle $FUNCNAME.txt
fi
if [[ -n "$tls_extensions" ]]; then
# check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS
while read -d "\"" -r line; do
if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then
TLS_EXTENSIONS+=" \"${line}\""
fi
done <<<$tls_extensions
[[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}"
fi
return $success
}
# arg1 is "-cipher <OpenSSL cipher>" or empty # arg1 is "-cipher <OpenSSL cipher>" or empty
# arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried) # arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried)
determine_tls_extensions() { get_server_certificate() {
local proto addcmd local protocols_to_try proto addcmd
local success local success
local npn_params="" alpn_params="" local npn_params="" tls_extensions line
local savedir local savedir
local nrsaved local nrsaved
$HAS_SPDY && [[ -z $STARTTLS ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\"" $HAS_SPDY && [[ -z $STARTTLS ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\""
$HAS_ALPN && [[ -z $STARTTLS ]] && alpn_params="-alpn \"${ALPN_PROTOs// /,}\"" # we need to replace " " by ","
if [[ -n "$2" ]]; then if [[ -n "$2" ]]; then
protocols_to_try="$2" protocols_to_try="$2"
@ -4744,20 +4816,10 @@ determine_tls_extensions() {
fi fi
for proto in $protocols_to_try; do for proto in $protocols_to_try; do
# alpn: echo | openssl s_client -connect google.com:443 -tlsextdebug -alpn h2-14 -servername google.com <-- suport needs to be checked b4 -- see also: ssl/t1_trce.c
addcmd="" addcmd=""
[[ ! "$proto" =~ ssl ]] && addcmd="$SNI" [[ ! "$proto" =~ ssl ]] && addcmd="$SNI"
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $alpn_params -status </dev/null 2>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then
success=0
grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext-alpn.txt
fi
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $npn_params -status </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $npn_params -status </dev/null 2>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE ; then sclient_connect_successful $? $TMPFILE && success=0 && break
success=0
grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext-npn.txt
break
fi
done # this loop is needed for IIS6 and others which have a handshake size limitations done # this loop is needed for IIS6 and others which have a handshake size limitations
if [[ $success -eq 7 ]]; then if [[ $success -eq 7 ]]; then
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then: # "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
@ -4772,13 +4834,21 @@ determine_tls_extensions() {
GOST_STATUS_PROBLEM=true GOST_STATUS_PROBLEM=true
fi fi
fi fi
#TLS_EXTENSIONS=$(awk -F'"' '/TLS server extension / { printf "\""$2"\" " }' $TMPFILE) #tls_extensions=$(awk -F'"' '/TLS server extension / { printf "\""$2"\" " }' $TMPFILE)
# #
# this is not beautiful (grep+sed) # this is not beautiful (grep+sed)
# but maybe we should just get the ids and do a private matching, according to # but maybe we should just get the ids and do a private matching, according to
# https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
TLS_EXTENSIONS=$(cat $TEMPDIR/tlsext-alpn.txt $TEMPDIR/tlsext-npn.txt | sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' -e 's/,.*$/,/g' -e 's/),$/\"/g') tls_extensions=$(grep -a 'TLS server extension ' $TMPFILE | sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' -e 's/,.*$/,/g' -e 's/),$/\"/g')
TLS_EXTENSIONS=$(echo $TLS_EXTENSIONS) # into one line tls_extensions=$(echo $tls_extensions) # into one line
# check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS
while read -d "\"" -r line; do
if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then
TLS_EXTENSIONS+=" \"${line}\""
fi
done <<<$tls_extensions
[[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}"
# Place the server's certificate in $HOSTCERT and any intermediate # Place the server's certificate in $HOSTCERT and any intermediate
# certificates that were provided in $TEMPDIR/intermediatecerts.pem # certificates that were provided in $TEMPDIR/intermediatecerts.pem
@ -5499,7 +5569,6 @@ run_server_defaults() {
local lifetime unit local lifetime unit
local line local line
local -i i n local -i i n
local all_tls_extensions=""
local -i certs_found=0 local -i certs_found=0
local -a previous_hostcert previous_intermediates keysize cipher local -a previous_hostcert previous_intermediates keysize cipher
local -a ocsp_response ocsp_response_status sni_used local -a ocsp_response ocsp_response_status sni_used
@ -5547,22 +5616,15 @@ run_server_defaults() {
if [[ $n -ge 8 ]]; then if [[ $n -ge 8 ]]; then
sni="$SNI" sni="$SNI"
SNI="" SNI=""
determine_tls_extensions "-cipher ${ciphers_to_test[n]}" "tls1_1" get_server_certificate "-cipher ${ciphers_to_test[n]}" "tls1_1"
success[n]=$? success[n]=$?
SNI="$sni" SNI="$sni"
else else
determine_tls_extensions "-cipher ${ciphers_to_test[n]}" get_server_certificate "-cipher ${ciphers_to_test[n]}"
success[n]=$? success[n]=$?
fi fi
if [[ ${success[n]} -eq 0 ]]; then if [[ ${success[n]} -eq 0 ]]; then
# check to see if any new TLS extensions were returned and add any new ones to all_tls_extensions cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE
while read -d "\"" -r line; do
if [[ $line != "" ]] && ! grep -q "$line" <<< "$all_tls_extensions"; then
all_tls_extensions="${all_tls_extensions} \"${line}\""
fi
done <<<$TLS_EXTENSIONS
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
>$ERRFILE >$ERRFILE
if [[ -z "$sessticket_str" ]]; then if [[ -z "$sessticket_str" ]]; then
sessticket_str=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime) sessticket_str=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime)
@ -5631,49 +5693,25 @@ run_server_defaults() {
fi fi
done done
if [[ $certs_found -eq 0 ]]; then determine_tls_extensions
[[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions
[[ -n "$TLS_EXTENSIONS" ]] && all_tls_extensions=" $TLS_EXTENSIONS"
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
>$ERRFILE >$ERRFILE
sessticket_str=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime) [[ -z "$sessticket_str" ]] && sessticket_str=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime)
fi
# Use TLS sockets to check whether server supports certain extensions that aren't supported by $OPENSSL
for alpn_proto in $ALPN_PROTOs; do
alpn+=",$(printf "%02x" ${#alpn_proto}),$(string_to_asciihex "$alpn_proto")"
done
alpn_list_len=${#alpn}/3
alpn_list_len_hex=$(printf "%04x" $alpn_list_len)
alpn_extn_len=$alpn_list_len+2
alpn_extn_len_hex=$(printf "%04x" $alpn_extn_len)
tls_sockets "03" "$TLS12_CIPHER" "all" "00,01,00,01,02, 00,02,00,00, 00,04,00,00, 00,12,00,00, 00,16,00,00, 00,17,00,00, 00,10,${alpn_extn_len_hex:0:2},${alpn_extn_len_hex:2:2},${alpn_list_len_hex:0:2},${alpn_list_len_hex:2:2}$alpn"
success=$?
if [[ $success -eq 0 ]] || [[ $success -eq 2 ]]; then
# check to see if any new TLS extensions were returned and add any new ones to all_tls_extensions
while read -d "\"" -r line; do
if [[ $line != "" ]] && ! grep -q "$line" <<< "$all_tls_extensions"; then
all_tls_extensions="${all_tls_extensions} \"${line}\""
fi
done <<<$TLS_EXTENSIONS
fi
outln outln
pr_headlineln " Testing server defaults (Server Hello) " pr_headlineln " Testing server defaults (Server Hello) "
outln outln
pr_bold " TLS extensions (standard) " pr_bold " TLS extensions (standard) "
if [[ -z "$all_tls_extensions" ]]; then if [[ -z "$TLS_EXTENSIONS" ]]; then
outln "(none)" outln "(none)"
fileout "tls_extensions" "INFO" "TLS server extensions (std): (none)" fileout "tls_extensions" "INFO" "TLS server extensions (std): (none)"
else else
all_tls_extensions="${all_tls_extensions:1}" outln "$TLS_EXTENSIONS"
outln "$all_tls_extensions" fileout "tls_extensions" "INFO" "TLS server extensions (std): $TLS_EXTENSIONS"
fileout "tls_extensions" "INFO" "TLS server extensions (std): $all_tls_extensions"
fi fi
TLS_EXTENSIONS="$all_tls_extensions"
pr_bold " Session Tickets RFC 5077 " pr_bold " Session Tickets RFC 5077 "
if [[ -z "$sessticket_str" ]]; then if [[ -z "$sessticket_str" ]]; then
@ -6899,7 +6937,6 @@ parse_tls_serverhello() {
esac esac
done done
fi fi
[[ "$process_full" == "all" ]] && TLS_EXTENSIONS="${tls_extensions:1}"
if [[ "$tls_protocol2" == "0300" ]]; then if [[ "$tls_protocol2" == "0300" ]]; then
echo "Protocol : SSLv3" >> $TMPFILE echo "Protocol : SSLv3" >> $TMPFILE
@ -6926,6 +6963,7 @@ parse_tls_serverhello() {
esac esac
echo "===============================================================================" >> $TMPFILE echo "===============================================================================" >> $TMPFILE
fi fi
[[ -n "$tls_extensions" ]] && echo "TLS Extensions: ${tls_extensions:1}" >> $TMPFILE
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
echo "TLS server hello message:" echo "TLS server hello message:"
@ -6947,12 +6985,12 @@ parse_tls_serverhello() {
*) echo "(unrecognized compression method)" ;; *) echo "(unrecognized compression method)" ;;
esac esac
fi fi
if [[ "$process_full" == "all" ]]; then if [[ -n "$tls_extensions" ]]; then
echo " tls_extensions: $TLS_EXTENSIONS" echo " tls_extensions: ${tls_extensions:1}"
if [[ "$TLS_EXTENSIONS" =~ "application layer protocol negotiation" ]]; then if [[ "$tls_extensions" =~ "application layer protocol negotiation" ]]; then
echo " ALPN protocol: $(grep "ALPN protocol:" "$TMPFILE" | sed 's/ALPN protocol: //')" echo " ALPN protocol: $(grep "ALPN protocol:" "$TMPFILE" | sed 's/ALPN protocol: //')"
fi fi
if [[ "$TLS_EXTENSIONS" =~ "next protocol" ]]; then if [[ "$tls_extensions" =~ "next protocol" ]]; then
echo " NPN protocols: $(grep "Protocols advertised by server:" "$TMPFILE" | sed 's/Protocols advertised by server: //')" echo " NPN protocols: $(grep "Protocols advertised by server:" "$TMPFILE" | sed 's/Protocols advertised by server: //')"
fi fi
fi fi