Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-10 02:30:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Server side cipher preference

Browse Source
This commit is contained in:
Frank Breedijk 2015-12-11 14:05:35 +01:00
parent 73c80b7484
commit 08aeb650e4
1 changed files with 85 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
testssl.sh
View File

@ -1899,6 +1899,7 @@ run_server_preference() {
# now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 : # now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 :
local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA" local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA"
local has_cipher_order=true local has_cipher_order=true
local isok
outln outln
pr_headlineln " Testing server preferences " pr_headlineln " Testing server preferences "
@ -1911,6 +1912,7 @@ run_server_preference() {
outln "$list_fwd . " outln "$list_fwd . "
has_cipher_order=false has_cipher_order=false
ret=6 ret=6
output_finding "order_bug" "$NODEIP" "$PORT" "WARN" "Could not determine server cipher order, no matching cipher in this list found (pls report this): $list_fwd"
elif [[ -n "$STARTTLS_PROTOCOL" ]]; then elif [[ -n "$STARTTLS_PROTOCOL" ]]; then
# now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188 # now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188
# workaround is to connect with a protocol # workaround is to connect with a protocol
@ -1922,6 +1924,7 @@ run_server_preference() {
outln "$list_fwd . " outln "$list_fwd . "
has_cipher_order=false has_cipher_order=false
ret=6 ret=6
output_finding "order_bug" "$NODEIP" "$PORT" "WARN" "Could not determine server cipher order, no matching cipher in this list found (pls report this): $list_fwd"
fi fi
fi fi
@ -1934,9 +1937,11 @@ run_server_preference() {
if [[ "$cipher1" != "$cipher2" ]]; then if [[ "$cipher1" != "$cipher2" ]]; then
pr_litered "nope (NOT ok)" pr_litered "nope (NOT ok)"
remark4default_cipher=" (limited sense as client will pick)" remark4default_cipher=" (limited sense as client will pick)"
output_finding "order" "$NODEIP" "$PORT" "NOT OK" "Server does NOT set a cipher order (NOT ok)"
else else
pr_green "yes (OK)" pr_green "yes (OK)"
remark4default_cipher="" remark4default_cipher=""
output_finding "order" "$NODEIP" "$PORT" "OK" "Server sets a cipher order (ok)"
fi fi
[[ $DEBUG -ge 2 ]] && out " $cipher1 | $cipher2" [[ $DEBUG -ge 2 ]] && out " $cipher1 | $cipher2"
outln outln
@ -1950,26 +1955,78 @@ run_server_preference() {
fi fi
default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
case "$default_proto" in case "$default_proto" in
*TLSv1.2) pr_greenln $default_proto ;; *TLSv1.2)
*TLSv1.1) pr_litegreenln $default_proto ;; pr_greenln $default_proto
*TLSv1) outln $default_proto ;; output_finding "order_proto" "$NODEIP" "$PORT" "OK" "Default protocol TLS1.2 (OK)"
*SSLv2) pr_redln $default_proto ;; ;;
*SSLv3) pr_redln $default_proto ;; *TLSv1.1)
"") pr_litemagenta "default proto empty"; [[ $OSSL_VER == 1.0.2* ]] && outln " (Hint: if IIS6 give OpenSSL 1.01 a try)" ;; pr_litegreenln $default_proto
*) pr_litemagenta "FIXME line $LINENO: $default_proto" ;; output_finding "order_proto" "$NODEIP" "$PORT" "OK" "Default protocol TLS1.1 (OK)"
;;
*TLSv1)
outln $default_proto
output_finding "order_proto" "$NODEIP" "$PORT" "INFO" "Default protocol TLS1.0"
;;
*SSLv2)
pr_redln $default_proto
output_finding "order_proto" "$NODEIP" "$PORT" "NOT OK" "Default protocol SSLv2"
;;
*SSLv3)
pr_redln $default_proto
output_finding "order_proto" "$NODEIP" "$PORT" "NOT OK" "Default protocol SSLv3"
;;
"")
pr_litemagenta "default proto empty"
if [[ $OSSL_VER == 1.0.2* ]]; then
outln " (Hint: if IIS6 give OpenSSL 1.01 a try)"
output_finding "order_proto" "$NODEIP" "$PORT" "WARN" "Default protocol empty (Hint: if IIS6 give OpenSSL 1.01 a try)"
else
output_finding "order_proto" "$NODEIP" "$PORT" "WARN" "Default protocol empty"
fi
;;
*)
pr_litemagenta "FIXME line $LINENO: $default_proto"
output_finding "order_proto" "$NODEIP" "$PORT" "WARN" "FIXME line $LINENO: $default_proto"
;;
esac esac
pr_bold " Negotiated cipher " pr_bold " Negotiated cipher "
default_cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') default_cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
case "$default_cipher" in case "$default_cipher" in
*NULL*|*EXP*) pr_red "$default_cipher" ;; *NULL*|*EXP*)
*RC4*) pr_litered "$default_cipher" ;; pr_red "$default_cipher"
*CBC*) pr_brown "$default_cipher" ;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
*GCM*) pr_green "$default_cipher" ;; # best ones output_finding "order_cipher" "$NODEIP" "$PORT" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok)\n$remark4default_cipher"
*CHACHA20*) pr_green "$default_cipher" ;; # best ones ;;
ECDHE*AES*) pr_yellow "$default_cipher" ;; # it's CBC. --> lucky13 *RC4*)
"") pr_litemagenta "default cipher empty" ; [[ $OSSL_VER == 1.0.2* ]] && out " (Hint: if IIS6 give OpenSSL 1.01 a try)" ;; pr_litered "$default_cipher"
*) out "$default_cipher" ;; output_finding "order_cipher" "$NODEIP" "$PORT" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok)\n$remark4default_cipher"
;;
*CBC*)
pr_brown "$default_cipher"
output_finding "order_cipher" "$NODEIP" "$PORT" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok)\n$remark4default_cipher"
;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
*GCM*|*CHACHA20*)
pr_green "$default_cipher"
output_finding "order_cipher" "$NODEIP" "$PORT" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (OK)\n$remark4default_cipher"
;; # best ones
ECDHE*AES*)
pr_yellow "$default_cipher"
output_finding "order_cipher" "$NODEIP" "$PORT" "WARN" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc)\n$remark4default_cipher"
;; # it's CBC. --> lucky13
"")
pr_litemagenta "default cipher empty" ;
if [[ $OSSL_VER == 1.0.2* ]]; then
out " (Hint: if IIS6 give OpenSSL 1.01 a try)"
output_finding "order_cipher" "$NODEIP" "$PORT" "WARN" "Default cipher empty (Hint: if IIS6 give OpenSSL 1.01 a try)\n$remark4default_cipher"
else
output_finding "order_cipher" "$NODEIP" "$PORT" "WARN" "Default cipher empty\n$remark4default_cipher"
fi
;;
*)
out "$default_cipher"
output_finding "order_cipher" "$NODEIP" "$PORT" "INFO" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE")\n$remark4default_cipher"
;;
esac esac
read_dhbits_from_file "$TMPFILE" read_dhbits_from_file "$TMPFILE"
outln "$remark4default_cipher" outln "$remark4default_cipher"
@ -1978,8 +2035,8 @@ run_server_preference() {
pr_bold " Negotiated cipher per proto"; outln " $remark4default_cipher" pr_bold " Negotiated cipher per proto"; outln " $remark4default_cipher"
i=1 i=1
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
#locally_supported -"$p" " " || continue #locally_supported -"$p" " " || continue
locally_supported -"$p" || continue locally_supported -"$p" || continue
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
@ -2024,6 +2081,7 @@ run_server_preference() {
fi fi
fi fi
fi fi
output_finding "order_${proto[i]}_cipher" "$NODEIP" "$PORT" "INFO" "Default cipher on ${proto[i]}: ${cipher[i]}\n$remark4default_cipher"
done done
fi fi
fi fi
@ -2040,11 +2098,12 @@ run_server_preference() {
cipher_pref_check() { cipher_pref_check() {
local p proto protos local p proto protos
local tested_cipher cipher local tested_cipher cipher order
pr_bold " Cipher order" pr_bold " Cipher order"
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
order=""
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
tested_cipher="" tested_cipher=""
@ -2054,14 +2113,17 @@ cipher_pref_check() {
outln outln
printf " %-10s %s " "$proto:" "$cipher" printf " %-10s %s " "$proto:" "$cipher"
tested_cipher="-"$cipher tested_cipher="-"$cipher
order="$cipher"
while true; do while true; do
$OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE || break sclient_connect_successful $? $TMPFILE || break
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
out "$cipher " out "$cipher "
order+=" $cipher"
tested_cipher="$tested_cipher:-$cipher" tested_cipher="$tested_cipher:-$cipher"
done done
fi fi
[[ -z $order ]] || output_finding "order_$p" "$NODEIP" "$PORT" "INFO" "Default cipher order for protocol $p:\n$order"
done done
outln outln
@ -2070,18 +2132,22 @@ cipher_pref_check() {
else else
protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g') protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
for p in $protos; do for p in $protos; do
order=""
$OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
printf " %-10s %s " "$p:" "$cipher" printf " %-10s %s " "$p:" "$cipher"
tested_cipher="-"$cipher tested_cipher="-"$cipher
order="$cipher"
while true; do while true; do
$OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE || break sclient_connect_successful $? $TMPFILE || break
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
out "$cipher " out "$cipher "
tested_cipher="$tested_cipher:-$cipher" tested_cipher="$tested_cipher:-$cipher"
order+=" $cipher"
done done
outln outln
[[ -z $order ]] || output_finding "order_spdy_$p" "$NODEIP" "$PORT" "INFO" "Default cipher order for SPDY protocol $p:\n$order"
done done
fi fi