Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-10 18:50:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

add drill support

Browse Source
This commit is contained in:
Konstantin Shalygin 2015-11-21 16:45:07 +06:00
parent 3d869920d0
commit 07ef4537bf
1 changed files with 144 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

279
testssl.sh
View File

@ -3,7 +3,7 @@
# vim:ts=5:sw=5:expandtab
# we have a spaces softtab, that ensures readability with other editors too
[ -z "$BASH_VERSINFO" ] && printf "\n\033[1;35m Please make sure you're using \"bash\"! Bye...\033[m\n\n" >&2 && exit 245
[ -z "$BASH_VERSINFO" ] && printf "\n\033[1;35m Please make sure you're using \"bash\"! Bye...\033[m\n\n" >&2 && exit 245
[ $(kill -l | grep -c SIG) -eq 0 ] && printf "\n\033[1;35m Please make sure you're calling me without leading \"sh\"! Bye...\033[m\n\n" >&2 && exit 245
# testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some
@ -25,17 +25,17 @@
# USAGE WITHOUT ANY WARRANTY, THE SOFTWARE IS PROVIDED "AS IS". USE IT AT
# your OWN RISK!
# HISTORY:
# HISTORY:
# Back in 2006 it all started with a few openssl commands...
# That's because openssl is a such a good swiss army knife (see e.g.
# wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist
# wrapping some shell commands around it, which I used for my pen tests. This is how
# That's because openssl is a such a good swiss army knife (see e.g.
# wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist
# wrapping some shell commands around it, which I used for my pen tests. This is how
# everything started.
# Now it has grown up, it has bash socket support for some features which basically replacing
# more and more functions of OpenSSL and will serve as some kind of library in the future.
# The socket checks in bash may sound cool and unique -- they are -- but probably you
# can achieve e.g. the same result with my favorite interactive shell: zsh (zmodload zsh/net/socket
# -- checkout zsh/net/tcp) too!
# -- checkout zsh/net/tcp) too!
# /bin/bash though is way more often used within Linux and it's perfect
# for cross platform support, see MacOS X and also under Windows the MSYS2 extension or Cygwin.
# Cross-platform is one of the three main goals of this script. Second: Ease of installation.
@ -49,8 +49,8 @@
# internet. And those examples above 4) are 3rd parties. If these restrictions are all fine
# with you and you need a management compatible rating -- go ahead and use those.
# But also if your fine with those restrictions: testssl.sh is meant as a tool in your hand
# and it's way more flexible.
# But also if your fine with those restrictions: testssl.sh is meant as a tool in your hand
# and it's way more flexible.
#
# Oh, and did I mention testssl.sh is open source?
@ -59,7 +59,7 @@
# are disabled as they'll impact security otherwise. For security
# testing though we need all broken features. testssl.sh will
# over time replace those checks with bash sockets -- however it's
# still recommended to use the supplied binaries or cook your own, see
# still recommended to use the supplied binaries or cook your own, see
# https://github.com/drwetter/testssl.sh/blob/master/bin/Readme.md .
# Don't worry if feature X is not available you'll get a warning about
# this missing feature! The idea is if this script can't tell something
@ -86,7 +86,7 @@ MAPPING_FILE_RFC=""
which git &>/dev/null && readonly GIT_REL=$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')
readonly CVS_REL=$(tail -5 "$0" | awk '/dirkw Exp/ { print $4" "$5" "$6}')
readonly CVS_REL_SHORT=$(tail -5 "$0" | awk '/dirkw Exp/ { print $4 }')
readonly SYSTEM=$(uname -s)
readonly SYSTEM=$(uname -s)
date --help >/dev/null 2>&1 && \
readonly HAS_GNUDATE=true || \
readonly HAS_GNUDATE=false
@ -112,14 +112,14 @@ TERM_CURRPOS=0 # custom line wrapping ne
declare -x OPENSSL
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
SHOW_EACH_C=${SHOW_EACH_C:-0} # where individual ciphers are tested show just the positively ones tested #FIXME: upside down value
SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual?
SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual?
QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
ASSUMING_HTTP=${ASSUMING_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks
BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5
DEBUG=${DEBUG:-0} # 1.: the temp files won't be erased.
DEBUG=${DEBUG:-0} # 1.: the temp files won't be erased.
# 2: list more what's going on (formerly: eq VERBOSE=1, VERBERR=true), lists some errors of connections
# 3: slight hexdumps + other info,
# 3: slight hexdumps + other info,
# 4: display bytes sent via sockets, 5: display bytes received via sockets, 6: whole 9 yards
WIDE=${WIDE:-false} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc.
LOGFILE=${LOGILE-""} # logfile if used
@ -271,7 +271,7 @@ readonly SSLv2_CLIENT_HELLO="
###### output functions ######
# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest.
# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest.
out() { /usr/bin/printf -- "${1//%/%%}"; }
outln() { out "$1\n"; }
#TODO: Still no shell injection safe but if just run it from the cmd line: that's fine
@ -304,10 +304,10 @@ pr_greyln() { pr_grey "$1"; outln; }
pr_litegreen() { [[ "$COLOR" -eq 2 ]] && out "\033[0;32m$1" || out "$1"; pr_off; } # This is good
pr_litegreenln() { pr_litegreen "$1"; outln; }
pr_green() { [[ "$COLOR" -eq 2 ]] && out "\033[1;32m$1" || out "$1"; pr_off; } # This is the best
pr_green() { [[ "$COLOR" -eq 2 ]] && out "\033[1;32m$1" || out "$1"; pr_off; } # This is the best
pr_greenln() { pr_green "$1"; outln; }
pr_yellow() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem
pr_yellow() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem
pr_yellowln() { pr_yellow "$1"; outln; }
pr_brown() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this
pr_brownln() { pr_brown "$1"; outln; }
@ -317,7 +317,7 @@ pr_brownln() { pr_brown "$1"; outln; }
pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m\c"; }
pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; }
pr_boldln() { pr_bold "$1" ; outln; }
pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; }
pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; }
pr_underline() { [[ "$COLOR" -ne 0 ]] && out "\033[4m$1" || out "$1"; pr_off; }
pr_reverse() { [[ "$COLOR" -ne 0 ]] && out "\033[7m$1" || out "$1"; pr_off; }
pr_reverse_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[7m\033[1m$1" || out "$1"; pr_off; }
@ -475,7 +475,7 @@ is_ipv6addr() {
#check on chars allowed:
[[ -n "$(tr -d '0-9:a-fA-F ' <<< "$1" | sed -e '/^$/d')" ]] && \
return 1
return 0
return 0
}
@ -596,7 +596,7 @@ run_http_header() {
if [[ $? -eq 0 ]]; then
# we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it
# again in the foreground ito get an ccurate header time!
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE
NOW_TIME=$(date "+%s")
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
HAD_SLEPT=0
@ -630,7 +630,7 @@ run_http_header() {
pr_bold " HTTP Status Code "
[[ -z "$status_code" ]] && pr_litemagentaln "No status code" && return 3
out " $status_code$msg_thereafter"
out " $status_code$msg_thereafter"
case $status_code in
301|302|307|308) out ", redirecting to \"$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')\"" ;;
200) ;;
@ -639,7 +639,7 @@ run_http_header() {
401) grep -aq "^WWW-Authenticate" $HEADERFILE && out " "; strip_lf "$(grep -a "^WWW-Authenticate" $HEADERFILE)"
;;
403) ;;
404) out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" ;;
404) out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" ;;
405) ;;
*) pr_litemagenta ". Oh, didn't expect a $status_code$msg_thereafter";;
esac
@ -657,7 +657,7 @@ detect_ipv4() {
local result
local first=true
local spaces=" "
if [[ ! -s $HEADERFILE ]]; then
run_http_header "$1" || return 3
fi
@ -665,7 +665,7 @@ detect_ipv4() {
# remove pagespeed header as it is mistakenly identified as ipv4 address https://github.com/drwetter/testssl.sh/issues/158
# also facebook has a CSP rule for 127.0.0.1
if egrep -vi "pagespeed|page-speed|Content-Security-Policy" $HEADERFILE | grep -iqE "$ipv4address"; then
pr_bold " IPv4 address in header "
pr_bold " IPv4 address in header "
while read line; do
result="$(grep -E "$ipv4address" <<< "$line")"
result=$(strip_lf "$result")
@ -681,7 +681,7 @@ detect_ipv4() {
fi
done < $HEADERFILE
fi
}
}
run_http_date() {
@ -914,7 +914,7 @@ run_rp_banner() {
run_http_header "$1" || return 3
fi
pr_bold " Reverse Proxy banner "
egrep -ai '^Via:|^X-Cache|^X-Squid|^X-Varnish:|^X-Server-Name:|^X-Server-Port:|^x-forwarded' $HEADERFILE >$TMPFILE
egrep -ai '^Via:|^X-Cache|^X-Squid|^X-Varnish:|^X-Server-Name:|^X-Server-Port:|^x-forwarded' $HEADERFILE >$TMPFILE
if [[ $? -ne 0 ]]; then
outln "--"
else
@ -965,7 +965,7 @@ run_application_banner() {
run_cookie_flags() { # ARG1: Path, ARG2: path
local -i nr_cookies
local nr_httponly nr_secure
local negative_word
local negative_word
if [[ ! -s $HEADERFILE ]]; then
run_http_header "$1" || return 3
@ -1015,7 +1015,7 @@ run_more_flags() {
fi
pr_bold " Security headers "
# convert spaces to | (for egrep)
egrep_pattern=$(echo "$good_flags2test $other_flags2test"| sed -e 's/ /|\^/g' -e 's/^/\^/g')
egrep_pattern=$(echo "$good_flags2test $other_flags2test"| sed -e 's/ /|\^/g' -e 's/^/\^/g')
egrep -ai "$egrep_pattern" $HEADERFILE >$TMPFILE
if [[ $? -ne 0 ]]; then
outln "--"
@ -1161,7 +1161,7 @@ std_cipherlists() {
[[ $sclient_success -eq 0 ]] && \
pr_literedln "offered (NOT ok)" || \
pr_litegreenln "not offered (OK)" ;;
3) # not totally bad
3) # not totally bad
[[ $sclient_success -eq 0 ]] && \
pr_brownln "offered (NOT ok)" || \
outln "not offered (OK)" ;;
@ -1278,7 +1278,7 @@ test_just_one(){
normalize_ciphercode $hexcode
# is argument a number?
if [[ $arg =~ $re ]]; then
neat_list $HEXC $ciph $kx $enc | grep -qai "$arg"
neat_list $HEXC $ciph $kx $enc | grep -qai "$arg"
else
neat_list $HEXC $ciph $kx $enc | grep -qwai "$arg"
fi
@ -1406,7 +1406,7 @@ locally_supported() {
}
# the protocol check needs to be revamped. It sucks.
# the protocol check needs to be revamped. It sucks.
# 1) we need to have a variable where the resulta are being stored so that every other test doesn't have to do this again.
# 2) the code is too old and one can do that way better
# 3) HAS_SSL3/2 does already exist
@ -1429,7 +1429,7 @@ run_prototest_openssl() {
# SSLv3 doesn't have SNI (openssl doesn't complain though -- yet)
$OPENSSL s_client -state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $sni >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
ret=$?
ret=$?
[[ $DEBUG -eq 2 ]] && egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
fi
@ -1446,8 +1446,8 @@ run_prototest_openssl() {
# the protocol check needs to be revamped. It sucks, see above
run_protocols() {
local using_sockets=true
local supported_no_ciph1="supported but couldn't detect a cipher (may need debugging)"
local supported_no_ciph2="supported but couldn't detect a cipher"
local supported_no_ciph1="supported but couldn't detect a cipher (may need debugging)"
local supported_no_ciph2="supported but couldn't detect a cipher"
outln; pr_headline " Testing protocols "
@ -1475,7 +1475,7 @@ run_protocols() {
case $? in
0) pr_redln "offered (NOT ok)" ;;
1) pr_greenln "not offered (OK)" ;;
5) pr_litered "$supported_no_ciph2";
5) pr_litered "$supported_no_ciph2";
outln " (may need further attention)" ;; # protocol ok, but no cipher
7) ;; # no local support
esac
@ -1491,7 +1491,7 @@ run_protocols() {
0) pr_literedln "offered (NOT ok)" ;;
1) pr_greenln "not offered (OK)" ;;
2) pr_litemagentaln "#FIXME: downgraded. still missing a test case here" ;;
5) pr_litered "$supported_no_ciph2";
5) pr_litered "$supported_no_ciph2";
outln "(may need debugging)" ;; # protocol ok, but no cipher
7) ;; # no local support
esac
@ -1517,12 +1517,12 @@ run_protocols() {
tls_sockets "02" "$TLS_CIPHER"
else
run_prototest_openssl "-tls1_1"
fi
fi
case $? in
0) outln "offered" ;; # nothing wrong with it
1) outln "not offered" ;; # neither good or bad
2) out "not offered"
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
2) out "not offered"
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
outln ;;
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
7) ;; # no local support
@ -1533,7 +1533,7 @@ run_protocols() {
tls_sockets "03" "$TLS12_CIPHER"
else
run_prototest_openssl "-tls1_2"
fi
fi
case $? in
0) pr_greenln "offered (OK)" ;; # GCM cipher in TLS 1.2: very good!
1) pr_brownln "not offered (NOT ok)" ;; # no GCM, penalty
@ -1627,7 +1627,7 @@ read_dhbits_from_file() {
run_server_preference() {
local cipher1 cipher2
local default_cipher default_proto
local remark4default_cipher
local remark4default_cipher
local -a cipher proto
local p i
local -i ret=0
@ -1635,7 +1635,7 @@ run_server_preference() {
# now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 :
local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA"
local has_cipher_order=true
outln
pr_headlineln " Testing server preferences "
outln
@ -1651,7 +1651,7 @@ run_server_preference() {
# now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188
# workaround is to connect with a protocol
debugme out "(workaround #188) "
determine_optimal_proto $STARTTLS_PROTOCOL
determine_optimal_proto $STARTTLS_PROTOCOL
$OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
if ! sclient_connect_successful $? $TMPFILE; then
pr_litemagenta "no matching cipher in this list found (pls report this): "
@ -1691,7 +1691,7 @@ run_server_preference() {
*TLSv1) outln $default_proto ;;
*SSLv2) pr_redln $default_proto ;;
*SSLv3) pr_redln $default_proto ;;
"") pr_litemagenta "default proto empty"; [[ $OSSL_VER == 1.0.2* ]] && outln " (Hint: if IIS6 give OpenSSL 1.01 a try)" ;;
"") pr_litemagenta "default proto empty"; [[ $OSSL_VER == 1.0.2* ]] && outln " (Hint: if IIS6 give OpenSSL 1.01 a try)" ;;
*) pr_litemagenta "FIXME line $LINENO: $default_proto" ;;
esac
@ -1849,7 +1849,7 @@ get_all_certs() {
pr_litemagenta "problem getting all certs"
savedir=$(pwd); cd $TEMPDIR
# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
awk -v n=-1 '/-----BEGIN CERTIFICATE-----/{ inc=1; n++ }
awk -v n=-1 '/-----BEGIN CERTIFICATE-----/{ inc=1; n++ }
inc { print > ("level" n ".crt") }
/---END CERTIFICATE-----/{ inc=0 }' $TEMPDIR/allcerts.txt
nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
@ -1880,7 +1880,7 @@ verify_retcode_helper() {
determine_trust() {
local i=1
local bundle_fname
local -a certificate_file verify_retcode trust
local -a certificate_file verify_retcode trust
local ok_was=""
local notok_was=""
local code
@ -1897,7 +1897,7 @@ determine_trust() {
for bundle_fname in $ca_bundles; do
certificate_file[i]=$(basename $bundle_fname | sed 's/\.pem//')
if [[ ! -r $bundle_fname ]]; then
pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable"
pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable"
return 7
fi
debugme printf -- " %-12s" "${certificate_file[i]}"
@ -1917,10 +1917,10 @@ determine_trust() {
debugme out " "
# all stores ok
if ${trust[1]} && ${trust[2]} && ${trust[3]} && ${trust[4]}; then
pr_litegreen "Ok "
pr_litegreen "Ok "
# at least one failed
else
pr_litered "NOT ok"
pr_litered "NOT ok"
# all failed (we assume with the same issue)
if ! ${trust[1]} && ! ${trust[2]} && ! ${trust[3]} && ! ${trust[4]}; then
verify_retcode_helper "${verify_retcode[2]}"
@ -1985,7 +1985,7 @@ tls_time() {
sclient_connect_successful() {
[[ $1 -eq 0 ]] && return 0
[[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0
# second check saved like
# second check saved like
# fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1
# what's left now is: master key empty and Session-ID not empty ==> probably client based auth with x509 certificate
return 1
@ -2045,7 +2045,7 @@ run_server_defaults() {
if [[ -z "$TLS_EXTENSIONS" ]]; then
outln "(none)"
else
#echo $extensions | sed 's/ /,/g'
#echo $extensions | sed 's/ /,/g'
outln "$TLS_EXTENSIONS"
fi
@ -2062,7 +2062,7 @@ run_server_defaults() {
out "$lifetime $unit "
pr_yellowln "(PFS requires session ticket keys to be rotated <= daily)"
fi
pr_bold " SSL Session ID support "
if $NO_SSL_SESSIONID; then
outln "no"
@ -2194,7 +2194,7 @@ run_server_defaults() {
out " ("
pr_dquoted "$issuer_O"
if [[ -n "$issuer_C" ]]; then
out " from "
out " from "
pr_dquoted "$issuer_C"
fi
outln ")"
@ -2210,14 +2210,14 @@ run_server_defaults() {
[[ 2.16.578.1.26.1.3.3 == "$policy_oid" ]] || \
[[ 1.3.6.1.4.1.17326.10.14.2.1.2 == "$policy_oid" ]] || \
[[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \
[[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
[[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
out "yes "
else
out "no "
fi
debugme echo "($(newline_to_spaces "$policy_oid"))"
outln
#TODO: use browser OIDs:
#TODO: use browser OIDs:
# https://mxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp
# http://src.chromium.org/chrome/trunk/src/net/cert/ev_root_ca_metadata.cc
# https://certs.opera.com/03/ev-oids.xml
@ -2264,7 +2264,7 @@ run_server_defaults() {
if [[ $(count_lines "$crl") -eq 1 ]]; then
outln "$crl"
else # more than one CRL
out_row_aligned "$crl" "$spaces"
out_row_aligned "$crl" "$spaces"
fi
else
pr_litemagentaln "no parsable output \"$url\", pls report"
@ -2293,7 +2293,7 @@ run_server_defaults() {
fi
outln
# if we call tls_time before tmpfile_handle it throws an error because the function tls_sockets removed $TMPFILE
# if we call tls_time before tmpfile_handle it throws an error because the function tls_sockets removed $TMPFILE
# already -- and that was a different one -- means that would get overwritten anyway
tmpfile_handle $FUNCNAME.txt
@ -2429,7 +2429,7 @@ run_spdy() {
else
# now comes a strange thing: "Protocols advertised by server:" is empty but connection succeeded
if echo $tmpstr | egrep -aq "spdy|http" ; then
out "$tmpstr"
out "$tmpstr"
outln " (advertised)"
ret=0
else
@ -2451,7 +2451,7 @@ starttls_line() {
debugme echo -e "\n=== sending \"$1\" ..."
echo -e "$1" >&5
# we don't know how much to read and it's blocking! So we just put a cat into the
# we don't know how much to read and it's blocking! So we just put a cat into the
# background and read until $STARTTLS_SLEEP and: cross our fingers
cat <&5 >$TMPFILE &
wait_kill $! $STARTTLS_SLEEP
@ -2461,7 +2461,7 @@ starttls_line() {
if egrep -q "$2" $TMPFILE; then
debugme echo "---> reply matched \"$2\""
else
# slow down for exim and friends who need a proper handshake:, see
# slow down for exim and friends who need a proper handshake:, see
# https://github.com/drwetter/testssl.sh/issues/218
FAST_STARTTLS=false
debugme echo -e "\n=== sending with automated FAST_STARTTLS=false \"$1\" ..."
@ -2547,7 +2547,7 @@ fd_socket() {
;;
smtp|smtps) # SMTP, see https://tools.ietf.org/html/rfc4217
$FAST_STARTTLS || starttls_just_read
$FAST_STARTTLS || starttls_line "EHLO testssl.sh" "220|250" && starttls_just_send "EHLO testssl.sh"
$FAST_STARTTLS || starttls_line "EHLO testssl.sh" "220|250" && starttls_just_send "EHLO testssl.sh"
starttls_line "STARTTLS" "220"
;;
pop3|pop3s) # POP, see https://tools.ietf.org/html/rfc2595
@ -2575,9 +2575,9 @@ fd_socket() {
[[ -z $XMPP_HOST ]] && XMPP_HOST="$NODE"
jabber=$(cat <<EOF
<?xml version='1.0' ?>
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:client'
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:client'
to='$XMPP_HOST'
xml:lang='en'
version='1.0'>
@ -2715,7 +2715,7 @@ parse_tls_serverhello() {
[[ "$DEBUG" -eq 5 ]] && echo $tls_hello_ascii # one line without any blanks
if [[ -z "$tls_hello_ascii" ]]; then
debugme echo "server hello empty, TCP connection closed"
debugme echo "server hello empty, TCP connection closed"
return 1 # no server hello received
fi
@ -2733,14 +2733,14 @@ parse_tls_serverhello() {
if [[ $tls_content_type == "15" ]]; then # TLS ALERT
tls_err_level=${tls_hello_ascii:10:2} # 1: warning, 2: fatal
tls_err_descr=${tls_hello_ascii:12:2} # 112/0x70: Unrecognized name, 111/0x6F: certificate_unobtainable,
tls_err_descr=${tls_hello_ascii:12:2} # 112/0x70: Unrecognized name, 111/0x6F: certificate_unobtainable,
# 113/0x71: bad_certificate_status_response, #114/0x72: bad_certificate_hash_value
if [[ $DEBUG -ge 2 ]]; then
echo "tls_protocol (reclyr): 0x$tls_protocol"
echo "tls_content_type: 0x$tls_content_type"
echo "tls_len_all: $tls_len_all"
echo "tls_err_descr: 0x${tls_err_descr} / = $(hex2dec ${tls_err_descr})"
echo "tls_err_level: ${tls_err_level} (warning:1, fatal:2)"
echo "tls_err_level: ${tls_err_level} (warning:1, fatal:2)"
fi
# now, here comes a strange thing... -- on the first glance
# IF an apache 2.2/2.4 server e.g. has a default servername configured but we send SNI <myhostname>
@ -2847,7 +2847,7 @@ socksend_tls_clienthello() {
local len_sni_listlen len_sni_ext len_extension_hex
local cipher_suites len_ciph_suites len_ciph_suites_word
local len_client_hello_word len_all_word
#len_servername=$(echo ${#NODE})
len_servername=${#NODE}
hexdump_format_str="$len_servername/1 \"%02x,\""
@ -2937,10 +2937,10 @@ socksend_tls_clienthello() {
extension_signature_algorithms="
00, 0d, # Type: signature_algorithms , see RFC 5246
00, 20, # len
00,1e, 06,01, 06,02, 06,03, 05,01, 05,02, 05,03,
00,1e, 06,01, 06,02, 06,03, 05,01, 05,02, 05,03,
04,01, 04,02, 04,03, 03,01, 03,02, 03,03, 02,01, 02,02, 02,03"
# Extension: Haertbeat 00 0f
# Extension: Haertbeat 00 0f
# len 00 01
# peer allowed to send requests 01
@ -2968,7 +2968,7 @@ socksend_tls_clienthello() {
return 0
}
# arg1: TLS version low byte
# arg1: TLS version low byte
# (00: SSLv3, 01: TLS 1.0, 02: TLS 1.1, 03: TLS 1.2)
tls_sockets() {
local -i ret=0
@ -3233,7 +3233,7 @@ run_ccs_injection(){
if [[ $DEBUG -ge 3 ]]; then
outln "\n1st reply: "
out "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
# ok: 15 | 0301 | 02 | 02 | 0a
# ok: 15 | 0301 | 02 | 02 | 0a
# ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a)
# or just timed out
outln
@ -3247,7 +3247,7 @@ run_ccs_injection(){
if [[ $DEBUG -ge 3 ]]; then
outln "\n2nd reply: "
printf -- "$SOCKREPLY" | "${HEXDUMPVIEW[@]}"
# not ok: 15 | 0301 | 02 | 02 | 15
# not ok: 15 | 0301 | 02 | 02 | 15
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
# ok: 0a or nothing: ==> RST
outln
@ -3297,7 +3297,7 @@ run_renego() {
*) pr_litemagentaln "FIXME (bug): $sec_renego" ;;
esac
else
pr_litemagentaln "handshake didn't succeed"
pr_litemagentaln "handshake didn't succeed"
fi
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746
@ -3320,7 +3320,7 @@ run_renego() {
else
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
# msg enables us to look deeper into it while debugging
echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE &
echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP
if [[ $? -eq 3 ]]; then
pr_litegreen "likely not vulnerable (OK)"; outln " (timed out)" # it hung
@ -3353,7 +3353,7 @@ run_crime() {
# means anyway "game over", w/wo CRIME
# www.h-online.com/security/news/item/Vulnerability-in-SSL-encryption-is-barely-exploitable-1708604.html
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln
pr_bold " CRIME, TLS " ; out "(CVE-2012-4929) "
# first we need to test whether OpenSSL binary has zlib support
@ -3363,11 +3363,11 @@ run_crime() {
return 7
fi
[[ "$OSSL_VER" == "*0.9.8*" ]] && addcmd="-no_ssl2"
[[ "$OSSL_VER" == "*0.9.8*" ]] && addcmd="-no_ssl2"
$OPENSSL s_client $OPTIMAL_PROTO $BUGS $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI </dev/null &>$TMPFILE
if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
pr_litegreen "not vulnerable (OK)"
if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then
if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then
out " (not using HTTP anyway)"
fi
ret=0
@ -3573,7 +3573,7 @@ run_freak() {
local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5"
local addtl_warning=""
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for FREAK attack " && outln
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for FREAK attack " && outln
pr_bold " FREAK"; out " (CVE-2015-0204) "
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportrsa_cipher_list))
@ -3615,7 +3615,7 @@ run_logjam() {
local -i nr_supported_ciphers=0
local addtl_warning=""
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln
pr_bold " LOGJAM"; out " (CVE-2015-4000), experimental "
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list))
@ -3639,7 +3639,7 @@ run_logjam() {
$HAS_DH_BITS && addtl_warning="$addtl_warning See below for any DH ciphers + bit size"
fi
fi
if [[ $sclient_success -eq 0 ]]; then
pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked."
else
@ -3725,7 +3725,7 @@ run_beast(){
if [[ $sclient_success -eq 0 ]]; then
[[ -n "$higher_proto_supported" ]] && \
pr_yellowln "available" || \
pr_brownln "available"
pr_brownln "available"
else
outln "not a/v"
@ -3882,10 +3882,10 @@ get_install_dir() {
#INSTALL_DIR=$(cd "$(dirname "$0")" && pwd)/$(basename "$0")
INSTALL_DIR=$(dirname ${BASH_SOURCE[0]})
[[ -r "$RUN_DIR/etc/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/etc/mapping-rfc.txt"
[[ -r "$RUN_DIR/etc/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/etc/mapping-rfc.txt"
[[ -r "$INSTALL_DIR/etc/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$INSTALL_DIR/etc/mapping-rfc.txt"
# those will disapper:
[[ -r "$RUN_DIR/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/mapping-rfc.txt"
[[ -r "$RUN_DIR/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/mapping-rfc.txt"
[[ -r "$INSTALL_DIR/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$INSTALL_DIR/mapping-rfc.txt"
# we haven't found the mapping file yet...
@ -3934,7 +3934,7 @@ test_openssl_suffix() {
fi
return 1
}
find_openssl_binary() {
# 0. check environment variable whether it's executable
@ -4065,7 +4065,7 @@ $PROG_NAME <options> URI ("$PROG_NAME URI" does everything except -E)
-t, --starttls <protocol> does a default run against a STARTTLS enabled <protocol>
--xmpphost <to_domain> for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
--mx <domain/host> tests MX records from high to low priority (STARTTLS, port 25)
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
--file <fname> mass testing option: Reads command lines from <fname>, one line per instance.
Comments via # allowed, EOF signals end of <fname>. Implicitly turns on "--warnings batch"
@ -4108,7 +4108,7 @@ maketempf() {
TEMPDIR=$(mktemp -d /tmp/ssltester.XXXXXX) || exit -6
TMPFILE=$TEMPDIR/tempfile.txt || exit -6
if [[ "$DEBUG" -eq 0 ]]; then
ERRFILE="/dev/null"
ERRFILE="/dev/null"
else
ERRFILE=$TEMPDIR/errorfile.txt || exit -6
fi
@ -4205,8 +4205,8 @@ mybanner() {
$PROG_NAME $VERSION from $SWURL
($idtag)
This program is free software. Distribution and
modification under GPLv2 permitted.
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
@ -4223,9 +4223,9 @@ EOF
cwd=$(/bin/pwd) || \
cwd=$RUN_DIR
if [[ "$openssl_location" =~ $(/bin/pwd)/bin ]]; then
echo "\$PWD/bin/$(basename "$openssl_location")"
echo "\$PWD/bin/$(basename "$openssl_location")"
elif [[ "$openssl_location" =~ $cwd ]] && [[ "$cwd" != '.' ]]; then
echo "${openssl_location%%$cwd}"
echo "${openssl_location%%$cwd}"
else
echo "$openssl_location"
fi
@ -4235,7 +4235,7 @@ EOF
cleanup () {
if [[ "$DEBUG" -ge 1 ]]; then
outln
outln
pr_underline "DEBUG (level $DEBUG): see files in $TEMPDIR"
outln
else
@ -4393,7 +4393,7 @@ filter_ip4_address() {
get_local_aaaa() {
local ip6=""
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
ip6=$(grep -wh "$NODE" $etchosts 2>/dev/null | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
if is_ipv6addr "$ip6"; then
@ -4406,7 +4406,7 @@ get_local_aaaa() {
get_local_a() {
local ip4=""
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
ip4=$(grep -wh "$1" $etchosts 2>/dev/null | egrep -v ':|^#' | egrep "[[:space:]]$1" | awk '{ print $1 }')
if is_ipv4addr "$ip4"; then
@ -4417,8 +4417,8 @@ get_local_a() {
}
check_resolver_bins() {
if ! which dig &> /dev/null && ! which host &> /dev/null && ! which nslookup &>/dev/null; then
fatal "Neither \"dig\", \"host\" or \"nslookup\" is present" "-3"
if ! which dig &> /dev/null && ! which drill &> /dev/null && ! which host &> /dev/null && ! which nslookup &>/dev/null; then
fatal "Neither \"dig\", \"drill\", \"host\" or \"nslookup\" is present" "-3"
fi
return 0
}
@ -4446,6 +4446,10 @@ get_a_record() {
which host &> /dev/null && \
ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | grep -v alias | sed 's/^.*address //'))
fi
if [[ -z "$ip4" ]]; then
which drill &> /dev/null && \
ip4=$(filter_ip4_address $(drill a "$1" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d'))
fi
if [[ -z "$ip4" ]]; then
if which nslookup &>/dev/null; then
# filtering from Name to EOF, remove iline with 'Name', the filter out non-numbers and ".'", and empty lines
@ -4475,8 +4479,9 @@ get_aaaa_record() {
ip6=$(filter_ip6_address $(host -t aaaa "$NODE" | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //'))
elif which dig &> /dev/null; then
ip6=$(filter_ip6_address $(dig +short -t aaaa "$NODE" 2>/dev/null))
elif which drill &> /dev/null; then
ip6=$(filter_ip6_address $(drill aaaa "$NODE" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/^\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d'))
elif which nslookup &>/dev/null; then
# same as above. Only we're using grep -A instead of awk
ip6=$(filter_ip6_address $(nslookup -type=aaaa "$NODE" 2>/dev/null | grep -A10 Name | grep -v Name))
fi
fi
@ -4485,7 +4490,7 @@ get_aaaa_record() {
}
# now get all IP addresses
# now get all IP addresses
determine_ip_addresses() {
local ip4=""
local ip6=""
@ -4501,7 +4506,7 @@ determine_ip_addresses() {
else
LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl
fi
# same now for ipv6
# same now for ipv6
ip6=$(get_local_aaaa $NODE)
if [[ -z $ip6 ]]; then
check_resolver_bins
@ -4544,6 +4549,8 @@ determine_rdns() {
rDNS=$(dig -x $NODEIP +noall +answer | awk '/PTR/ { print $NF }') # +short returns also CNAME, e.g. openssl.org
elif which host &> /dev/null; then
rDNS=$(host -t PTR $NODEIP 2>/dev/null | awk '/pointer/ { print $NF }')
elif which drill &> /dev/null; then
rDNS=$(drill -x ptr $NODEIP 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
elif which nslookup &> /dev/null; then
rDNS=$(nslookup -type=PTR $NODEIP 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
fi
@ -4563,10 +4570,12 @@ get_mx_record() {
mxs=$(host -t MX "$1" 2>/dev/null | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//')
elif which dig &> /dev/null; then
mxs=$(dig +short -t MX "$1" 2>/dev/null)
elif which drill &> /dev/null; then
mxs=$(drill mx "$1" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
elif which nslookup &> /dev/null; then
mxs=$(nslookup -type=MX "$1" 2>/dev/null | grep 'mail exchanger = ' | sed 's/^.*mail exchanger = //g')
else
fatal "No dig, host or nslookup" -3
fatal "No dig, drill, host or nslookup" -3
fi
OPENSSL_CONF="$saved_openssl_conf"
echo "$mxs"
@ -4605,10 +4614,10 @@ sclient_auth() {
[[ $1 -eq 0 ]] && return 0 # no client auth (CLIENT_AUTH=false is preset globally)
if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then # connect succeeded
if grep -q '^<<< .*CertificateRequest' "$2"; then # CertificateRequest message in -msg
CLIENT_AUTH=true
CLIENT_AUTH=true
return 0
fi
if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session
if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session
if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then # do another sanity check to be sure
CLIENT_AUTH=false
NO_SSL_SESSIONID=true # NO_SSL_SESSIONI is preset globally to false for all other cases
@ -4621,7 +4630,7 @@ sclient_auth() {
}
# this function determines OPTIMAL_PROTO. It is a workaround function as under certain circumstances
# this function determines OPTIMAL_PROTO. It is a workaround function as under certain circumstances
# (e.g. IIS6.0 and openssl 1.0.2 as opposed to 1.0.1) needs a protocol otherwise s_client -connect will fail!
# Circumstances observed so far: 1.) IIS 6 2.) starttls + dovecot imap
# The first try in the loop is empty as we prefer not to specify always a protocol if it works w/o.
@ -4678,7 +4687,7 @@ determine_optimal_proto() {
# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap (maybe with trailing s)
determine_service() {
local ua
local ua
local protocol
if ! fd_socket; then # check if we can connect to $NODEIP:$PORT
@ -4690,8 +4699,8 @@ determine_service() {
datebanner " Start"
outln
if [[ -z "$1" ]]; then
# no STARTTLS.
if [[ -z "$1" ]]; then
# no STARTTLS.
determine_optimal_proto "$1"
$SNEAKY && \
ua="$UA_SNEAKY" || \
@ -4701,7 +4710,7 @@ determine_service() {
GET_REQ10="GET $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n"
HEAD_REQ10="HEAD $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n"
runs_HTTP $OPTIMAL_PROTO
else
else
# STARTTLS
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
case "$protocol" in
@ -4787,7 +4796,7 @@ draw_line() {
mx_all_ips() {
local mxs mx
local mxport
local mxport
local -i ret=0
STARTTLS_PROTOCOL="smtp"
@ -4802,7 +4811,7 @@ mx_all_ips() {
for mx in $mxs; do
draw_line "-" $((TERM_DWITH * 2 / 3))
outln
parse_hn_port "$mx:$mxport"
parse_hn_port "$mx:$mxport"
determine_ip_addresses || continue
if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
@ -4845,7 +4854,7 @@ run_mass_testing() {
# This initializes boolean global do_* variables. They keep track of what to do
# This initializes boolean global do_* variables. They keep track of what to do
# -- as the name insinuates
initialize_globals() {
do_allciphers=false
@ -4932,7 +4941,7 @@ debug_globals() {
# arg1+2 are just the options
parse_opt_equal_sign() {
if [[ "$1" == *=* ]]; then
echo "$1" | awk -F'=' '{ print $2 }'
echo "$1" | awk -F'=' '{ print $2 }'
return 1 # = means we don't need to shift args!
else
echo $2
@ -4948,7 +4957,7 @@ parse_cmd_line() {
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
help 0
help 0
;;
-b|--banner|-v|--version)
find_openssl_binary
@ -4962,11 +4971,11 @@ parse_cmd_line() {
;;
--mx465) # doesn't work with major ISPs
do_mx_all_ips=true
PORT=465
PORT=465
;;
--mx587) # doesn't work with major ISPs
do_mx_all_ips=true
PORT=587
PORT=587
;;
--ip|--ip=*)
CMDLINE_IP=$(parse_opt_equal_sign "$1" "$2")
@ -4978,7 +4987,7 @@ parse_cmd_line() {
mybanner
openssl_age
prettyprint_local $(parse_opt_equal_sign "$1" "$2")
exit $?
exit $?
;;
-x|-x=*|--single[-_]cipher|--single[-_]cipher=*)
do_test_just_one=true
@ -5038,15 +5047,15 @@ parse_cmd_line() {
do_logjam=true
do_beast=true
do_rc4=true
VULN_COUNT=10
VULN_COUNT=10
;;
-B|--heartbleed)
do_heartbleed=true
let "VULN_COUNT++"
let "VULN_COUNT++"
;;
-I|--ccs|--ccs[-_]injection)
do_ccs_injection=true
let "VULN_COUNT++"
let "VULN_COUNT++"
;;
-R|--renegotiation)
do_renego=true
@ -5094,16 +5103,16 @@ parse_cmd_line() {
# DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0
# DEBUG=3 ./testssl.sh --devel 00 <host which supports SSLv3>
# DEBUG=3 ./testssl.sh --devel 22 <host which still supports SSLv2>
TLS_LOW_BYTE="$2";
TLS_LOW_BYTE="$2";
if [[ $# -eq 4 ]]; then # protocol AND ciphers specified
HEX_CIPHER="$3"
shift
fi
shift
do_tls_sockets=true
outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}"
outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}"
;;
--wide)
--wide)
WIDE=true
;;
--assuming[_-]http|--assume[-_]http)
@ -5124,27 +5133,27 @@ parse_cmd_line() {
do_mass_testing=true
;;
--warnings|--warnings=*)
WARNINGS=$(parse_opt_equal_sign "$1" "$2")
WARNINGS=$(parse_opt_equal_sign "$1" "$2")
[[ $? -eq 0 ]] && shift
case "$WARNINGS" in
batch|off|false) ;;
*) pr_magentaln "\nwarnings can be either \"batch\", \"off\" or \"false\""
*) pr_magentaln "\nwarnings can be either \"batch\", \"off\" or \"false\""
help 1
esac
;;
--show[-_]each)
SHOW_EACH_C=1 #FIXME: sense is vice versa
;;
;;
--bugs)
BUGS="-bugs"
;;
;;
--debug|--debug=*)
DEBUG=$(parse_opt_equal_sign "$1" "$2")
[[ $? -eq 0 ]] && shift
case $DEBUG in
[0-6]) ;;
*) pr_magentaln "\nunrecognized debug value \"$1\", must be between 0..6" 1>&2
help 1
help 1
esac
;;
--color|--color=*)
@ -5158,14 +5167,14 @@ parse_cmd_line() {
esac
;;
--log|--logging)
do_logging=true
do_logging=true
;; # DEFINITION of LOGFILE if no arg specified via ENV or automagically in parse_hn_ports()
# following does the same but we can specify a log location additionally
--logfile=*)
LOGFILE=$(parse_opt_equal_sign "$1" "$2")
[[ $? -eq 0 ]] && shift
do_logging=true
;;
do_logging=true
;;
--openssl|--openssl=*)
OPENSSL=$(parse_opt_equal_sign "$1" "$2")
[[ $? -eq 0 ]] && shift
@ -5184,12 +5193,12 @@ parse_cmd_line() {
SSL_NATIVE=true
;;
(--) shift
break
break
;;
(-*) pr_magentaln "\n$0: unrecognized option \"$1\"" 1>&2;
help 1
help 1
;;
(*) break
(*) break
;;
esac
shift
@ -5286,7 +5295,7 @@ lets_roll() {
$do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); }
outln
datebanner " Done"
datebanner " Done"
return $ret
}
@ -5318,14 +5327,14 @@ if $do_mx_all_ips; then
[[ $? -eq 1 ]] && set_scanning_defaults
mx_all_ips "${URI}" $PORT
ret=$?
else
else
parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now
if ! determine_ip_addresses && [[ -z "$CMDLINE_IP" ]]; then
fatal "No IP address could be determined"
fi
if [[ -n "$CMDLINE_IP" ]]; then
if [[ -n "$CMDLINE_IP" ]]; then
[[ "$CMDLINE_IP" == "one" ]] && \
CMDLINE_IP=$(echo -n "$IPADDRs" | awk '{ print $1 }')
CMDLINE_IP=$(echo -n "$IPADDRs" | awk '{ print $1 }')
NODEIP="$CMDLINE_IP" # specific ip address for NODE was supplied
lets_roll "${STARTTLS_PROTOCOL}"
ret=$?