From b1c80512e684140af2608ac9d3e5a4d7cd3d91d4 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 18 Jan 2017 12:44:15 +0100 Subject: [PATCH 1/5] first bunch of common primes, see #589 + #576 + #120. License of nmap is also GPLv2: no conflicts --- etc/common-primes.txt | 112 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 etc/common-primes.txt diff --git a/etc/common-primes.txt b/etc/common-primes.txt new file mode 100644 index 0000000..94727b2 --- /dev/null +++ b/etc/common-primes.txt @@ -0,0 +1,112 @@ + +## taken from https://svn.nmap.org/nmap/scripts/ssl-dh-params.nse + +# "mod_ssl 2.0.x/512-bit MODP group with safe prime modulus" +D4BCD5206F69B3994B88D5DB8968C8157F6D8F3363EE5772F1F05AB2D6B51459F241E5CC31FF00A4BC7148976F7795094E1E790359F5A824B + +# "mod_ssl 2.2.x/512-bit MODP group with safe prime modulus" +E6969D3495BE327CF180CBDD479891B781851BB0552A206494A79A77FA15A25CBD523AA6EF09C3048D5A2F971F320129B4000E6ED061CBC03E371D74E5327D611EBBB1BAC9B56044CF03D76E05EA9BAD91B13A63974E9EF839EB5D125136F262E56A871538DD823C655085E210DD5C86 + +# "mod_ssl 2.2.x/512-bit MODP group with safe prime modulus" +9FDB8B8004544F045F173D0BA2E0274CDF19F58821FB43531A16E37471FD19DD8F37C3BF863FD0E3E30080A30306E4C375D08F70EAA87103 + +# "mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus" +D67DE44CBBBDC136D693D4AFD0AD0C84D23A45F520B88174C98BCE95849F912639C72F13B4B4D177E16D5AC179B420B2A2FE324A47A635E8FF590137BEDDCF33168A41AAD3B7DAE886078045B0A7DBCA774087D110EA9FC9DDD33007DD62D88AEAA77DE0F4DE2BD68BE7393E024218EB3 + +# "nginx/1024-bit MODP group with safe prime modulus" +BBBC2DCD8467497C43FCF80E9CFDD958A3F68B42D408EED4E0FB35046C03027E7108005CCBBAA922614CBEECA56A5FDF1D87A2BC09BE677860E91A9A757E308F68B07F7D36CCF29BA5D81DC2CA25ECE6670CC9A535D8CECEF9EA024A63AB158FAFD488D0F65146757D071DF04CFE16B9B + +# "sun.security.provider/512-bit DSA group with 160-bit prime order subgroup" +FCA682C8E12CAB26EFCCF110E526B078B05DECBCD1B4A208FAE1617A01F35B9A47E6DF3413C5E2ED0899CD132AC50D9915BDC43EE37592E17 + +# "sun.security.provider/768-bit DSA group with 160-bit prime order subgroup" +E9E64259D355F3C97FFD367120B825C9CD4E927B3A670FBECD89014122D2C3BAD2480037998691E846AA49FAB0A26D2CE622219D40BCE7D77D4A21FE9C270B7F60700F3CEF833694CF4EE3688C1A8C56A127A3DAF + +# "sun.security.provider/1024-bit DSA group with 160-bit prime order subgroup" +FD7F5381D7512252DF4A92EECE4EF611B753CEF440C31E3F8B651266455D40251FB5938D58FABC5F5BA3F6CB9B56CD7813801D346F26660B6B9950AA49F9FE047B102C24FBBAD7FEB7C1BF83B5E7C6A8A150F04F83F6D3C1EC302354135A19132F67F3AE2B6D72AEFF2203199D14801C7 + +# "openssl/512-bit MODP group with safe prime modulus" +DA583C1D985228D0E4AF76F4CCA9DD4BE53B804FB0ED94EF98A4403E574650D6999DB2D776276A2D3D41E218F4D1E084CFD8003E74774E833 + +# "openssl/1024-bit MODP group with safe prime modulus" +97F6426CAB505D2828E131D68B6DDBD0F31047F40E56DA58C13B8A1B2B783A46D59D5F2AFC6CF3D693F7B23D4F360A95023EFAF7A5E1AD5A5E55431828DA839FF2D94DEE9568FADAEA036ADDF171FE63520AF47064603C2E059F54650AD8F0CF7012C74799D587132B9B999BBB787E8AB + +# "openssl/2048-bit MODP group with safe prime modulus" +ED92893824555C3BFBA275A69046BF21F3A53D2CD2DAFF7811152F10C1E255B686F68053B92262FE49A31F65CC5328ABDBDB49EDDA71266CFD2104718F07FDF75851172827B2A9341812FCB21C6D92AE4B6A829C27A3CB0C5F2E5F0AA4598A2BDAD4F0B3ADFE08135ED983B3CAEEAEB6E6A9576B9F128A3F2280D0BA6F67939B810F85A90ECCCA6F65F7AC011A1EF0F2DB60806228B0EDB8928E0CA83D69469166533C53613B02BAD48287A1C729E435FCC27E951DE685FC19976600F3F86BB3C520E29C07E8901CCCC001B6ADC3A308B33AAFD88C89D01DBAC4DD7F0BD6F38C3 + +# "openssl/2048-bit MODP group with safe prime modulus" +AED037CBDF33FAEEDC439B70A2087B77017E9B92EB0F8061CD4B5A59723C793FDA9F9F274490F50647285BE05921C4F2C05A4EE75A36613F382DBD44DE8A4A322122EC730A833E4800EBD6F854A518171BA54523C843FAC175FFAF49C440D446D846C1C345149EFA82F5C48A47BAC7F67EE00011AA9ED8101B36A5C39AAFEC54A3FF97C1B7F406DCB2DC092ABAA0625EFEB3FA12B42692E8F3EFB3F7B4C302A24CAA4213D45035CEA8ADD31816616F9E21A5C50805978980AD6814E3585B79E684491527552B72BC78D8D6993A7368486B3088B8F1B7E896688BD3F13DC517D4B + +# "openssl/4096-bit MODP group with safe prime modulus" +FEEAD19BEAF90F1CFCA105D69DB0839A2A26AEF248ABD7531BB3E4627DCECEFCEDCBBBF56549E95153058188C3D72941666AABA0A5CC85559125503180E9034C7F39CA3452F342EE72A7DFFC74528DB6D76D9C64F55D0839CDE74FE7424136947661D2670F2F6D59FFD7C3BDDED41E2B2CCDD9E12F1056AB88C44D7F9BA7651ED1A4D407A2D71895F77AB6C763CC00EF1C30B2E7944697E74BC7B8431B5011AF5A1515E63C1DE83C802ECE7FC71FBD179F8E4D7F1B43BA75D5AC3B11D41B0B5A088A9AACCCC105126DC841E41693E8591E31E2F5AFDAEDE1221277FC20BE4D251137A58E961EACF27D4C7E239190DD6AB27ECE5BD664C79B16C2D208D63A4B7F8DAE63DBE2C886BA10778A8DF5CE214A4B3D03C9175FBA578146CE5EC0177574481AD86F485465F5DA4B67F88260CE0BC0ACD157A377F10091AD0B6889303ECA33CDB61BA8CE32A87AF5D8B7F26734D209679232D70ADEF4A51D888BC57D2A638E014D66936776FFF355FEDF52201FA0CB8DB3FB54949951A70104AD49D71B74D09CAA8C05E833A2291D697F918F255C769BDE4BB72A4A1AFE60BBAD183EACC7B54AF4084F1CCB2B9AE576DAE2D1A8F43D27741DB19EDC3B815E569645F8C3363 + +# "RFC2409/Oakley Group 1" +FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA63A362FFFFFFFFFFFFFFF + +# "RFC2409/Oakley Group 2" +FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE6538FFFFFFFFFFFFFFF + +# "RFC3526/Oakley Group 5" +FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE45B3C2007CBA163BF098DA4831C55D3969163FAFD24CF583655D2DCA3AD91C62F35208552B9ED52907096966670C3544ABC980F1746C0CA23732FFFFFFFFFFFFFFF + +# "RFC3526/Oakley Group 14" +FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE45B3C2007CBA163BF098DA4831C55D3969163FAFD24CF583655D2DCA3AD91C62F35208552B9ED52907096966670C3544ABC980F1746C0CA1821732905E42E36CE3E39E772180E8609B2783AEC07A28B5C55DF6F4C52CDE2BCBF95581713995497EA956AE15D226198FA05115728E58AACAA6FFFFFFFFFFFFFFF + +# "RFC3526/Oakley Group 15" +FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE45B3C2007CBA163BF098DA4831C55D3969163FAFD24CF583655D2DCA3AD91C62F35208552B9ED52907096966670C3544ABC980F1746C0CA1821732905E42E36CE3E39E772180E8609B2783AEC07A28B5C55DF6F4C52CDE2BCBF95581713995497EA956AE15D226198FA05115728E58AAAC42AD3317004507A3A85521ADF1CBA6ECFB85058DBEF08AEA7155D060C7B3970F8A6E1E4CABF5AE8DB0933D1E8C94E4A25619CEE3D221AD2EE6F12FFA0D98A086D8760273EC86A6521F2B1177B200BBE11757A615D6770988CBAD946E08E24FA74E5AB343DB5BFE0FD1084B82D12A93AD2CFFFFFFFFFFFFFFF + +# "RFC3526/Oakley Group 16" +FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE45B3C2007CBA163BF098DA4831C55D3969163FAFD24CF583655D2DCA3AD91C62F35208552B9ED52907096966670C3544ABC980F1746C0CA1821732905E42E36CE3E39E772180E8609B2783AEC07A28B5C55DF6F4C52CDE2BCBF95581713995497EA956AE15D226198FA05115728E58AAAC42AD3317004507A3A85521ADF1CBA6ECFB85058DBEF08AEA7155D060C7B3970F8A6E1E4CABF5AE8DB0933D1E8C94E4A25619CEE3D221AD2EE6F12FFA0D98A086D8760273EC86A6521F2B1177B200BBE11757A615D6770988CBAD946E08E24FA74E5AB343DB5BFE0FD1084B82D12A9210801A723C1A787E6D88719A1BDBA5B299C32716AF4E231A94683B6150BD2583E9C2AD44CEDBBBC2D04DE8EF2E8EFC11FBECAA287C5944E6BC0599B2964A090C3A233BA18515BE7E1F61297CEE2D7AB81BDD72170481D006912D5B05AA93B4EA98D8FDDC86FFB7D90A6C084DF435C3406319FFFFFFFFFFFFFFF + +# "RFC5114/1024-bit DSA group with 160-bit prime order subgroup" +B10B8F9A080E01DE92DE5AE5D54E52C99FBFB06A3C9A6A9DC52D23B66073E2875A23D19838EF12EE652C13ECB4AA90611224975C3D49B83BACCBDD790C4BD798488E9219A7374EFFD6FE564473FAA31A4F55BCCCA151AF50DC8B4B45BF37D365C1A6E68CFDA6D4DA70DF1FB2B2E4A4371 + +# "RFC5114/2048-bit DSA group with 224-bit prime order subgroup" +AD107E19123A9DD660FAA9559C51A20D64E683B9FDB54B159B61D0A7E6FA141F95A56DAF9A3C47BA1DF1EB3D688309C1801DE6B851274A0A6D3F815AD6AC219037C9EEFDA4DFD91E8FE55B73947AD5B7DB6C1220C9F98D1ED34DBFC6BA0B28BBC27B6A00E0AB9C4970B3BF8A370918838128613BC8985D1602E71415D933278273CDE31EFD7310F711FD5A0715987D9DC0A486CDF93AC4432838315D75E98C641A80CD86AB9E587EBE60E69C928B2BC52172E13042E923F10B016E7976C9B53DC4BA80A2E3FB73C6B8E75B7EF363EFFA31F7CF9DE534E71B810AC4DFF0C10E64F + +# "RFC5114/2048-bit DSA group with 256-bit prime order subgroup" +87A8E61B4B6663FFBBD1965195998CEEF60660DD0F5D2CEED435E3B0E00DF8FD61957DFAF7DF461B2AA316C3D9134096FA3BF4296830E9A7209E0C697517AB5A8A9D36BCF67E91F9E675B4758C22E0B1E4275BF76C5BFC1D45F908B941F54B1E59BBBC39A0B12307F54FDB70C81B23F7B63ACAECAA6B792D5252635488A0F13C6D951BFA4A3AD834796524D8F6A167BA41825D67E144E14056421CCACB8E6B486FB3CA3F77150602C0B857F8996285DED4010BD0BE62C3A396054E710C75F2637D701410A4B5433C198AF16116D226E11715693877FD7EF09CDB094AE1E1A1597 + +# "weakdh.org/1024-bit MODP group with non-safe prime modulus" +D6C094A57F537468D58C7096872D45CEE1F2664E054421E1DE3C8E98C3F0A6A8F92F193FEF933B99B9C9A055D5596E42574005A68D47040FF00A5596EBA4B9F64CBA1004E451611C9B27438A70A2060C238D0CFAFFBBA48B9DAC4B450DC58B0320A017E2A3144A0278C657FB00CBEC11D + +# "weakdh.org/1024-bit MODP group with safe prime modulus" +C9BBF5F74A82970F97CDD3A3468C117B6BF99A13D91F5DAC47B2241F95EFB132855DFDF898B3F9188E24DF326DD8C76CC853728352D46F193129C69364D8C7202EABBEBC85C1F53907FD0B7EB40AD0BC928968680C46AB0BF7CDD9D425E6F25592EB258A065D75E93B671746A349E721B + +"weakdh.org/1024-bit MODP group with safe prime modulus" +829FEBFE3EE043862D336A62BDE765F0C743A53B55291414FAE5E86D34B16DBCC952B15EB443B154B3B4662E811E1D8BC7334018A5A7B5B6A720D84B28B7482C5AF24C04E5BB5DABF8FFA5ED7B46688D6CB82F8AF188A4563ED62D2EACF6BDFD47337884DFA0F0A3D6975E3580E3AE9593 + +# "weakdh.org/1024-bit MODP group with safe prime modulus" +9240243C3A12E4D3730D878CADFA8E2F5B5A956BFFDB8E5653E9695E3E32506FEB912FA77D22E1BB54C880893B8AD1BCF37F7F779D3FB96881D9BA17034ABF1F97B314CF3203663E8190B7E0906C4C5EEA0E57EC74D3E84D9E72E6C7DA6AE12DF297131854FF21AC4E79C23BB60B4F753 + +# "weakdh.org/1024-bit MODP group with safe prime modulus" +A9A3481446C7B6A29FF997C2181EFAAAD13CCDE245755D42F2E700AF86779D58A7C07C5DE423361117D05773F249C331AFA1B08EF360A14D4046F2762DA36A47D9FDE92B8815598C3A9546E7ED95D22EC9119F5B22CC41B0AF220F47BDE1B8334AD281DDC5E923F11CDDD3B22949DC41B + +# "weakdh.org/1024-bit MODP group with safe prime modulus" +CA6B8566DC21767605DACE801FAD59845384AF126CCC765E081014F293546ABDDE5C67C32D5B005B1BBF4C5DBFA253ADB3205B7D867DF98CBCE81C713F9FC215F1C33F953AB3CE8B7FEE3951FB31314074D5489BB17C6879A2EAF8195A8DE0A165E4B752077B167A00A5629FD5A9A25F3 + +# "weakdh.org/1024-bit MODP group with safe prime modulus" +EB373E9AB618DF20D233E93E3EBC319BDAC0994C1D003986A9FAFFF754151CCE06413192698B4496F5FDFAF1289679D8BC1580D7D1CD83F8529C7953D58EC62E0E87FD008C13E3E5861B2D3A024D372CE4F220FE2C9039A997664AEBB75446AA69EBE0EF3C6F91C2632B54EC3A970A7BB + +# "weakdh.org/1024-bit MODP group with safe prime modulus" +80A68AD5327E05AAD07C464B8ADE908432A9651B23F47A7A8F84D568DFDAFAB6621C0C28450F155F7D4AECE383F7D6055ADF60C4B37DCC1EB8374E3995179239FDC3BB428511C8B4A9FFCE4DD5AA23F992647C39CE4D8BB2E773F4EB786CE4CD0C3D4C31D75D1CF9E970C45EE8ECDABAB + +# "weakdh.org/1024-bit MODP group with safe prime modulus" +C0EB5F34CB30A9FE3786E4C0381469B52035AD49F5EFD8CAA31A69B273CC9F5B4B8F802C5FB683913B612042D2EBD533815E59769C9E97BD488DB335581320DD4AF9CE4A4EBE9118C6828E5B3989C26720B4FDC210C288B174D77E0AAD9C117EA5ED7CF971BB19A8718E52982591CA14B + +# "weakdh.org/1024-bit MODP group with safe prime modulus" +8FC0E1E0574D6A3C76DDE64524C276446B698E5B6B2614F969A5061D99034DB819780E8EE28A466B5C4EA634E47F9C981AEC4908E1B83A41813165A0AB6BDCD325718AC49399541C16F960F9D6B9C51EC85AD0BBFE3890118F0CD665D4B1B1C72395B83217FB3EBF878160E827911754B + +# "haproxy 1.5 builtin" +EC86F87A03316E051A735CD1F8BF29E4D2C52DDC228DB5389FB5CA4EB2DACE65074A684D4B1D3B82BF31E9A72D071E781D8B595235F430B6F1DB07B086B1B2EE4DCC90E43A01DF438CEBEBE90B5154B927B647645DD42EAC29EAE54359C779C503C0ED73045F14C762D8F8CFF3440D1B4261846423904F68B262D55ED1B77591E0C69C1315DB7B442CE845801E660CC449EFD408675DFA7768F01187E99F97DC4B745520D4A412F4421AC1F9717492376B2F87E1CA0A899227D565A71C56377E39D05E7E5D8F821BCE9C293082F9FC9AE49DD054B4D754DFA0B8D6384B71F77F + +# "postfix builtin" +B0FEB4CD45507ECC885901726C50A54A9228178DA8AA4C130BF5D2F9BC96B85009D0C075ADFD3B17E7143F9154144B83021CEBDF79C4CF180D683F98EA4FB78918B291690019668C5384E273D9E75A7AAD5ECE27FAED011C278255065C39FCD4954AC1B1EA4F953D0D6DAFD49E7BAAE9B + +# "IronPort SMTPbuiltin" +F8D5CCE7A3961BF5CBC8340C5185E0E6FA65AB283178C86761CA46CA7D7FA3BAF75B833C69937D36920FE39A653E8F0725A6E2D297537558E27E7844B549BEB558927A30C8BD1DACDCA93027B5CE1BC1770AF7DEE81149AD7D632DB80A639CEBCC7A619CCF3288EA3D2328774B04E6FB3 + + +## taken from https://github.com/cryptosense/diffie-hellman-groups/blob/master/gen/common.json +# to be continueed + From 4433345b16c754d46ea04ae1421dd332603c269b Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 18 Jan 2017 15:53:01 +0100 Subject: [PATCH 2/5] - first implementation (draft) of LOGJAM common primes, see #589, #120 - output polishing of run_drown() - polishing of run_logjam() - decrease severity to high for LOGJAM, see CVE rating --- testssl.sh | 58 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 41 insertions(+), 17 deletions(-) diff --git a/testssl.sh b/testssl.sh index f7aa549..49a1508 100755 --- a/testssl.sh +++ b/testssl.sh @@ -9526,6 +9526,7 @@ run_logjam() { local -i sclient_success=0 local exportdhe_cipher_list="EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA" local exportdhe_cipher_list_hex="00,63, 00,65, 00,14, 00,11" + local all_dhe_ciphers="cc,15, 00,b3, 00,91, c0,97, 00,a3, 00,9f, cc,aa, c0,a3, c0,9f, 00,6b, 00,6a, 00,39, 00,38, 00,c4, 00,c3, 00,88, 00,87, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, 00,ab, cc,ad, c0,a7, c0,43, c0,45, c0,47, c0,53, c0,57, c0,5b, c0,67, c0,6d, c0,7d, c0,81, c0,85, c0,91, 00,a2, 00,9e, c0,a2, c0,9e, 00,aa, c0,a6, 00,67, 00,40, 00,33, 00,32, 00,be, 00,bd, 00,9a, 00,99, 00,45, 00,44, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, 00,b2, 00,90, c0,96, c0,42, c0,44, c0,46, c0,52, c0,56, c0,5a, c0,66, c0,6c, c0,7c, c0,80, c0,84, c0,90, 00,66, 00,18, 00,8e, 00,16, 00,13, 00,1b, 00,8f, 00,63, 00,15, 00,12, 00,1a, 00,65, 00,14, 00,11, 00,19, 00,17, 00,b5, 00,b4, 00,2d" local -i i nr_supported_ciphers=0 server_key_exchange_len=0 ephemeral_pub_len=0 local addtl_warning="" hexc local cve="CVE-2015-4000" @@ -9533,6 +9534,7 @@ run_logjam() { local hint="" local server_key_exchange ephemeral_pub key_bitstring="" dh_p local using_sockets=true + local spaces=" " "$SSL_NATIVE" && using_sockets=false @@ -9546,8 +9548,7 @@ run_logjam() { fi case $nr_supported_ciphers in - 0) - local_problem_ln "$OPENSSL doesn't have any DHE EXPORT ciphers configured" + 0) local_problem_ln "$OPENSSL doesn't have any DHE EXPORT ciphers configured" fileout "logjam" "WARN" "LOGJAM: Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured" "$cve" "$cwe" return 3 ;; @@ -9565,23 +9566,14 @@ run_logjam() { sclient_success=$? debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" fi - addtl_warning="$addtl_warning, common primes not checked." - if "$HAS_DH_BITS" || ( ! "$SSL_NATIVE" && ! "$FAST" && [[ $TLS_NR_CIPHERS -ne 0 ]] ); then - if ! "$do_allciphers" && ! "$do_cipher_per_proto"; then - addtl_warning="$addtl_warning \"$PROG_NAME -E/-e\" spots candidates" - else - addtl_warning="$addtl_warning See below for any DH ciphers + bit size" - fi - fi if [[ $sclient_success -eq 0 ]]; then - pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked." - fileout "logjam" "CRITICAL" "LOGJAM: VULNERABLE, uses DHE EXPORT ciphers, common primes not checked." "$cve" "$cwe" "$hint" + pr_svrty_high "VULNERABLE (NOT ok):"; out " uses DHE EXPORT ciphers," + fileout "logjam" "HIGH" "LOGJAM: VULNERABLE, uses DHE EXPORT ciphers" "$cve" "$cwe" "$hint" else - pr_done_best "not vulnerable (OK)"; out "$addtl_warning" - fileout "logjam" "OK" "LOGJAM: not vulnerable $addtl_warning" "$cve" "$cwe" + pr_done_good "not vulnerable (OK):"; out " no DHE EXPORT ciphers,"; out "$addtl_warning" + fileout "logjam" "OK" "LOGJAM: not vulnerable (no DHE EXPORT ciphers) $addtl_warning" "$cve" "$cwe" fi - outln if [[ $DEBUG -ge 2 ]]; then if "$using_sockets"; then @@ -9601,7 +9593,7 @@ run_logjam() { # Try all ciphers that use an ephemeral DH key. If successful, check whether the key uses a weak prime. if "$using_sockets"; then - tls_sockets "03" "cc,15, 00,b3, 00,91, c0,97, 00,a3, 00,9f, cc,aa, c0,a3, c0,9f, 00,6b, 00,6a, 00,39, 00,38, 00,c4, 00,c3, 00,88, 00,87, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, 00,ab, cc,ad, c0,a7, c0,43, c0,45, c0,47, c0,53, c0,57, c0,5b, c0,67, c0,6d, c0,7d, c0,81, c0,85, c0,91, 00,a2, 00,9e, c0,a2, c0,9e, 00,aa, c0,a6, 00,67, 00,40, 00,33, 00,32, 00,be, 00,bd, 00,9a, 00,99, 00,45, 00,44, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, 00,b2, 00,90, c0,96, c0,42, c0,44, c0,46, c0,52, c0,56, c0,5a, c0,66, c0,6c, c0,7c, c0,80, c0,84, c0,90, 00,66, 00,18, 00,8e, 00,16, 00,13, 00,1b, 00,8f, 00,63, 00,15, 00,12, 00,1a, 00,65, 00,14, 00,11, 00,19, 00,17, 00,b5, 00,b4, 00,2d" "ephemeralkey" + tls_sockets "03" "$all_dhe_ciphers" "ephemeralkey" sclient_success=$? if [[ $sclient_success -eq 0 ]] || [[ $sclient_success -eq 2 ]]; then cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE @@ -9625,13 +9617,45 @@ run_logjam() { dh_p="$($OPENSSL pkey -pubin -text -noout <<< "$key_bitstring" | awk '/prime:/,/generator:/' | tail -n +2 | head -n -1)" dh_p="$(strip_spaces "$(colon_to_spaces "$(newline_to_spaces "$dh_p")")")" [[ "${dh_p:0:2}" == "00" ]] && dh_p="${dh_p:2}" - # At this point the DH key's prime has been extracted into $dh_p. Compare is against known weak primes. + debugme outln "dh_p: $dh_p" + echo "$dh_p" > $TEMPDIR/dh_p.txt + common_primes_test $dh_p + else + outln " no DH key detected" + fileout "LOGJAM_common primes" "OK" "no DH key detected" fi + outln tmpfile_handle $FUNCNAME.txt return $sclient_success } +# takes one arg and compares against a predefined set in $TESTSSL_INSTALL_DIR +common_primes_test() { + local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt" + local -i lineno_matched=0 + local comment="" + + if [[ ! -s "$common_primes_file" ]]; then + pr_warningln "couldn't read common primes file $common_primes_file" + fileout "LOGJAM_common primes" "WARN" "couldn't read common primes file $common_primes_file" + return 1 + else + lineno_matched=$(grep -n "$dh_p" "$common_primes_file" 2>/dev/null) + if [[ "$lineno_matched" -ne 0 ]]; then + # get comment + comment="$(awk "NR == $lineno_matched-1" "$common_primes_file" | awk -F'"' '{ print $2 }')" +#FiXME: probably the high groups/bit sizes whould get a different rating, see paper + pr_svrty_high "common prime $comment detected" + fileout "LOGJAM_common primes" "HIGH" "common prime $comment detected" + else + pr_done_good " no common primes detected" + fileout "LOGJAM_common primes" "OK" "no common primes detected" + fi + fi + return 0 +} + run_drown() { local nr_ciphers_detected ret From 8bf7b6b31b1140d001af3649c8ba28d5f4e48c4f Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 18 Jan 2017 16:23:18 +0100 Subject: [PATCH 3/5] forgot to save work, followup to 4433345b16c754d46ea04ae1421dd332603c269b , #120, #589 --- testssl.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index 49a1508..38f39f4 100755 --- a/testssl.sh +++ b/testssl.sh @@ -9619,9 +9619,9 @@ run_logjam() { [[ "${dh_p:0:2}" == "00" ]] && dh_p="${dh_p:2}" debugme outln "dh_p: $dh_p" echo "$dh_p" > $TEMPDIR/dh_p.txt - common_primes_test $dh_p + common_primes_test $dh_p "$spaces" else - outln " no DH key detected" + out " no DH key detected" fileout "LOGJAM_common primes" "OK" "no DH key detected" fi outln @@ -9631,13 +9631,15 @@ run_logjam() { } # takes one arg and compares against a predefined set in $TESTSSL_INSTALL_DIR +# spaces to indent common_primes_test() { local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt" local -i lineno_matched=0 local comment="" if [[ ! -s "$common_primes_file" ]]; then - pr_warningln "couldn't read common primes file $common_primes_file" + outln + pr_warning "${2}couldn't read common primes file $common_primes_file" fileout "LOGJAM_common primes" "WARN" "couldn't read common primes file $common_primes_file" return 1 else @@ -9671,7 +9673,7 @@ run_drown() { outln fi # if we want to use OPENSSL: check for < openssl 1.0.2g, openssl 1.0.1s if native openssl - pr_bold " DROWN"; out " ($cve) " + pr_bold " DROWN"; out " ($cve) " sslv2_sockets case $? in @@ -9715,7 +9717,11 @@ run_drown() { # not advertising it as it after 5 tries and account is needed cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /} outln "$spaces https://censys.io/ipv4?q=$cert_fingerprint_sha2 could help you to find out" + fileout "drown" "INFO" "make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://censys.io/ipv4?q=$cert_fingerprint_sha2" fi + else + outln "$spaces no RSA certificate, thus certificate can't be used with SSLv2 elsewhere" + fileout "drown" "INFO" "no RSA certificate, thus certificate can't be used with SSLv2 elsewhere" fi ret=0 ;; From 61b16a078abd151296bfe1379a7e0f4198358fc3 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 18 Jan 2017 16:38:09 +0100 Subject: [PATCH 4/5] - file etc/common-primes was not edited correctly! --- testssl.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 38f39f4..64a3513 100755 --- a/testssl.sh +++ b/testssl.sh @@ -9619,7 +9619,8 @@ run_logjam() { [[ "${dh_p:0:2}" == "00" ]] && dh_p="${dh_p:2}" debugme outln "dh_p: $dh_p" echo "$dh_p" > $TEMPDIR/dh_p.txt - common_primes_test $dh_p "$spaces" +# attention: file etc/common-primes.txt is not correct! + # common_primes_test $dh_p "$spaces" else out " no DH key detected" fileout "LOGJAM_common primes" "OK" "no DH key detected" @@ -9643,7 +9644,7 @@ common_primes_test() { fileout "LOGJAM_common primes" "WARN" "couldn't read common primes file $common_primes_file" return 1 else - lineno_matched=$(grep -n "$dh_p" "$common_primes_file" 2>/dev/null) + lineno_matched=$(grep -ni "$dh_p" "$common_primes_file" 2>/dev/null) if [[ "$lineno_matched" -ne 0 ]]; then # get comment comment="$(awk "NR == $lineno_matched-1" "$common_primes_file" | awk -F'"' '{ print $2 }')" From 05d27ff1be056122471b01fa3c643c430dcb88f3 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 18 Jan 2017 18:09:39 +0100 Subject: [PATCH 5/5] - FIX for the last mess submitted ;-) --- etc/common-primes.txt | 74 +++++++++++++++++++++---------------------- testssl.sh | 20 ++++++++---- 2 files changed, 50 insertions(+), 44 deletions(-) diff --git a/etc/common-primes.txt b/etc/common-primes.txt index 94727b2..e5fb6c5 100644 --- a/etc/common-primes.txt +++ b/etc/common-primes.txt @@ -2,111 +2,111 @@ ## taken from https://svn.nmap.org/nmap/scripts/ssl-dh-params.nse # "mod_ssl 2.0.x/512-bit MODP group with safe prime modulus" -D4BCD5206F69B3994B88D5DB8968C8157F6D8F3363EE5772F1F05AB2D6B51459F241E5CC31FF00A4BC7148976F7795094E1E790359F5A824B +D4BCD52406F69B35994B88DE5DB89682C8157F62D8F33633EE5772F11F05AB22D6B5145B9F241E5ACC31FF090A4BC71148976F76795094E71E7903529F5A824B # "mod_ssl 2.2.x/512-bit MODP group with safe prime modulus" -E6969D3495BE327CF180CBDD479891B781851BB0552A206494A79A77FA15A25CBD523AA6EF09C3048D5A2F971F320129B4000E6ED061CBC03E371D74E5327D611EBBB1BAC9B56044CF03D76E05EA9BAD91B13A63974E9EF839EB5D125136F262E56A871538DD823C655085E210DD5C86 +E6969D3D495BE32C7CF180C3BDD4798E91B7818251BB055E2A2064904A79A770FA15A259CBD523A6A6EF09C43048D5A22F971F3C20129B48000E6EDD061CBC053E371D794E5327DF611EBBBE1BAC9B5C6044CF023D76E05EEA9BAD991B13A63C974E9EF1839EB5DB125136F7262E56A8871538DFD823C6505085E21F0DD5C86B # "mod_ssl 2.2.x/512-bit MODP group with safe prime modulus" -9FDB8B8004544F045F173D0BA2E0274CDF19F58821FB43531A16E37471FD19DD8F37C3BF863FD0E3E30080A30306E4C375D08F70EAA87103 +9FDB8B8A004544F0045F1737D0BA2E0B274CDF1A9F588218FB435316A16E374171FD19D8D8F37C39BF863FD60E3E300680A3030C6E4C3757D08F70E6AA871033 # "mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus" -D67DE44CBBBDC136D693D4AFD0AD0C84D23A45F520B88174C98BCE95849F912639C72F13B4B4D177E16D5AC179B420B2A2FE324A47A635E8FF590137BEDDCF33168A41AAD3B7DAE886078045B0A7DBCA774087D110EA9FC9DDD33007DD62D88AEAA77DE0F4DE2BD68BE7393E024218EB3 +D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68B0E7393E0F24218EB3 # "nginx/1024-bit MODP group with safe prime modulus" -BBBC2DCD8467497C43FCF80E9CFDD958A3F68B42D408EED4E0FB35046C03027E7108005CCBBAA922614CBEECA56A5FDF1D87A2BC09BE677860E91A9A757E308F68B07F7D36CCF29BA5D81DC2CA25ECE6670CC9A535D8CECEF9EA024A63AB158FAFD488D0F65146757D071DF04CFE16B9B +BBBC2DCAD84674907C43FCF580E9CFDBD958A3F568B42D4B08EED4EB0FB3504C6C030276E710800C5CCBBAA8922614C5BEECA565A5FDF1D287A2BC049BE6778060E91A92A757E3048F68B076F7D36CC8F29BA5DF81DC2CA725ECE66270CC9A5035D8CECEEF9EA0274A63AB1E58FAFD4988D0F65D146757DA071DF045CFE16B9B # "sun.security.provider/512-bit DSA group with 160-bit prime order subgroup" -FCA682C8E12CAB26EFCCF110E526B078B05DECBCD1B4A208FAE1617A01F35B9A47E6DF3413C5E2ED0899CD132AC50D9915BDC43EE37592E17 +FCA682CE8E12CABA26EFCCF7110E526DB078B05EDECBCD1EB4A208F3AE1617AE01F35B91A47E6DF63413C5E12ED0899BCD132ACD50D99151BDC43EE737592E17 # "sun.security.provider/768-bit DSA group with 160-bit prime order subgroup" -E9E64259D355F3C97FFD367120B825C9CD4E927B3A670FBECD89014122D2C3BAD2480037998691E846AA49FAB0A26D2CE622219D40BCE7D77D4A21FE9C270B7F60700F3CEF833694CF4EE3688C1A8C56A127A3DAF +E9E642599D355F37C97FFD3567120B8E25C9CD43E927B3A9670FBEC5D890141922D2C3B3AD2480093799869D1E846AAB49FAB0AD26D2CE6A22219D470BCE7D777D4A21FBE9C270B57F607002F3CEF8393694CF45EE3688C11A8C56AB127A3DAF # "sun.security.provider/1024-bit DSA group with 160-bit prime order subgroup" -FD7F5381D7512252DF4A92EECE4EF611B753CEF440C31E3F8B651266455D40251FB5938D58FABC5F5BA3F6CB9B56CD7813801D346F26660B6B9950AA49F9FE047B102C24FBBAD7FEB7C1BF83B5E7C6A8A150F04F83F6D3C1EC302354135A19132F67F3AE2B6D72AEFF2203199D14801C7 +FD7F53811D75122952DF4A9C2EECE4E7F611B7523CEF4400C31E3F80B6512669455D402251FB593D8D58FABFC5F5BA30F6CB9B556CD7813B801D346FF26660B76B9950A5A49F9FE8047B1022C24FBBA9D7FEB7C61BF83B57E7C6A8A6150F04FB83F6D3C51EC3023554135A169132F675F3AE2B61D72AEFF22203199DD14801C7 # "openssl/512-bit MODP group with safe prime modulus" -DA583C1D985228D0E4AF76F4CCA9DD4BE53B804FB0ED94EF98A4403E574650D6999DB2D776276A2D3D41E218F4D1E084CFD8003E74774E833 +DA583C16D9852289D0E4AF756F4CCA92DD4BE533B804FB0FED94EF9C8A4403ED574650D36999DB29D776276BA2D3D412E218F4DD1E084CF6D8003E7C4774E833 # "openssl/1024-bit MODP group with safe prime modulus" -97F6426CAB505D2828E131D68B6DDBD0F31047F40E56DA58C13B8A1B2B783A46D59D5F2AFC6CF3D693F7B23D4F360A95023EFAF7A5E1AD5A5E55431828DA839FF2D94DEE9568FADAEA036ADDF171FE63520AF47064603C2E059F54650AD8F0CF7012C74799D587132B9B999BBB787E8AB +97F64261CAB505DD2828E13F1D68B6D3DBD0F313047F40E856DA58CB13B8A1BF2B783A4C6D59D5F92AFC6CFF3D693F78B23D4F3160A9502E3EFAF7AB5E1AD5A65E554313828DA83B9FF2D941DEE95689FADAEA0936ADDF1971FE635B20AF470364603C2DE059F54B650AD8FA0CF70121C74799D7587132BE9B999BB9B787E8AB # "openssl/2048-bit MODP group with safe prime modulus" -ED92893824555C3BFBA275A69046BF21F3A53D2CD2DAFF7811152F10C1E255B686F68053B92262FE49A31F65CC5328ABDBDB49EDDA71266CFD2104718F07FDF75851172827B2A9341812FCB21C6D92AE4B6A829C27A3CB0C5F2E5F0AA4598A2BDAD4F0B3ADFE08135ED983B3CAEEAEB6E6A9576B9F128A3F2280D0BA6F67939B810F85A90ECCCA6F65F7AC011A1EF0F2DB60806228B0EDB8928E0CA83D69469166533C53613B02BAD48287A1C729E435FCC27E951DE685FC19976600F3F86BB3C520E29C07E8901CCCC001B6ADC3A308B33AAFD88C89D01DBAC4DD7F0BD6F38C3 +ED928935824555CB3BFBA2765A690461BF21F3AB53D2CD21DAFF78191152F10EC1E255BD686F680053B9226A2FE49A341F65CC59328ABDB1DB49EDDFA71266C3FD21047018F07FD6F758511972827B22A934181D2FCB21CF6D92AE43B6A829C727A3CB00C5F2E5FB0AA45985A2BDAD45F0B3ADF9E08135EED983B3CCAEEAEB66E6A95766B9F128A53F2280D70BA6F671939B810EF85A90E6CCCA6F665F7AC0101A1EF0FC2DB6080C6228B0ECDB8928EE0CA83D6594691669533C536013B02BA7D48287AD1C729E4135FCC27CE951DE6185FC199B76600F33F86BB3CA520E29C307E89016CCCC0019B6ADC3A4308B33A1AFD88C8D9D01DBA4C4DD7F0BBD6F38C3 # "openssl/2048-bit MODP group with safe prime modulus" -AED037CBDF33FAEEDC439B70A2087B77017E9B92EB0F8061CD4B5A59723C793FDA9F9F274490F50647285BE05921C4F2C05A4EE75A36613F382DBD44DE8A4A322122EC730A833E4800EBD6F854A518171BA54523C843FAC175FFAF49C440D446D846C1C345149EFA82F5C48A47BAC7F67EE00011AA9ED8101B36A5C39AAFEC54A3FF97C1B7F406DCB2DC092ABAA0625EFEB3FA12B42692E8F3EFB3F7B4C302A24CAA4213D45035CEA8ADD31816616F9E21A5C50805978980AD6814E3585B79E684491527552B72BC78D8D6993A7368486B3088B8F1B7E896688BD3F13DC517D4B +AED037C3BDF33FA2EEDC4390B70A20897B770175E9B92EB20F8061CCD4B5A591723C7934FDA9F9F3274490F8506472835BE059271C4F2C035A4EE756A36613F1382DBD474DE8A4A0322122E8C730A83C3E4800EEBD6F8548A5181711BA545231C843FAC4175FFAF849C440DB446D8462C1C3451B49EFA829F5C48A4C7BAC7F647EE000151AA9ED81101B36AB5C39AAFFEC54A3F8F97C1B7BF406DCB42DC092A5BAA06259EFEB3FAB12B426982E8F3EF4B3F7B4C3302A24C8AA4213D845035CE4A8ADD31F816616F19E21A5C95080597F8980AD6B814E35855B79E6844491527D552B72B7C78D8D6B993A736F8486B30588B8F1B87E89668A8BD3F13DDC517D4B # "openssl/4096-bit MODP group with safe prime modulus" -FEEAD19BEAF90F1CFCA105D69DB0839A2A26AEF248ABD7531BB3E4627DCECEFCEDCBBBF56549E95153058188C3D72941666AABA0A5CC85559125503180E9034C7F39CA3452F342EE72A7DFFC74528DB6D76D9C64F55D0839CDE74FE7424136947661D2670F2F6D59FFD7C3BDDED41E2B2CCDD9E12F1056AB88C44D7F9BA7651ED1A4D407A2D71895F77AB6C763CC00EF1C30B2E7944697E74BC7B8431B5011AF5A1515E63C1DE83C802ECE7FC71FBD179F8E4D7F1B43BA75D5AC3B11D41B0B5A088A9AACCCC105126DC841E41693E8591E31E2F5AFDAEDE1221277FC20BE4D251137A58E961EACF27D4C7E239190DD6AB27ECE5BD664C79B16C2D208D63A4B7F8DAE63DBE2C886BA10778A8DF5CE214A4B3D03C9175FBA578146CE5EC0177574481AD86F485465F5DA4B67F88260CE0BC0ACD157A377F10091AD0B6889303ECA33CDB61BA8CE32A87AF5D8B7F26734D209679232D70ADEF4A51D888BC57D2A638E014D66936776FFF355FEDF52201FA0CB8DB3FB54949951A70104AD49D71B74D09CAA8C05E833A2291D697F918F255C769BDE4BB72A4A1AFE60BBAD183EACC7B54AF4084F1CCB2B9AE576DAE2D1A8F43D27741DB19EDC3B815E569645F8C3363 +FEEAD19DBEAF90F61CFCA1065D69DB08839A2A2B6AEF2488ABD7531FBB3E462E7DCECEFBCEDCBBBDF56549EE951530568188C3D97294166B6AABA0AA5CC8555F9125503A180E90324C7F39C6A3452F3142EE72AB7DFFC74C528DB6DA76D9C644F55D083E9CDE74F7E742413B69476617D2670F2BF6D59FFCD7C3BDDEED41E2BD2CCDD9E612F1056CAB88C441D7F9BA74651ED1A84D407A27D71895F777AB6C7763CC00E6F1C30B2FE79446927E74BC73B8431B53011AF5AD1515E63DC1DE83CC802ECE7DFC71FBDF179F8E41D7F1B43EBA75D5A9C3B11D4F1B0B5A0988A9AACBCCC1051226DC8410E41693EC8591E31EE2F5AFDFAEDE122D1277FC270BE4D25C1137A58BE961EAC9F27D4C71E2391904DD6AB27BECE5BD6C64C79B146C2D208CD63A4B74F8DAE638DBE2C8806BA107738A8DF5CFE214A4B73D03C91275FBA5728146CE5FEC01775B74481ADF86F4854D65F5DA4BB67F882A60CE0BCA0ACD157AA377F10B091AD0B568893039ECA33CDCB61BA8C9E32A87A2F5D8B7FD26734D2F096792352D70ADE9F4A51D8488BC57D32A638E0B14D6693F6776FFFB355FEDF652201FA70CB8DB34FB549490951A701E04AD49D671B74D089CAA8C0E5E833A21291D6978F918F25D5C769BDBE4BB72A84A1AFE6A0BBAD18D3EACC7B454AF408D4F1CCB23B9AE576FDAE2D1A68F43D275741DB19EEDC3B81B5E56964F5F8C3363 # "RFC2409/Oakley Group 1" -FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA63A362FFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF # "RFC2409/Oakley Group 2" -FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE6538FFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF # "RFC3526/Oakley Group 5" -FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE45B3C2007CBA163BF098DA4831C55D3969163FAFD24CF583655D2DCA3AD91C62F35208552B9ED52907096966670C3544ABC980F1746C0CA23732FFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF # "RFC3526/Oakley Group 14" -FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE45B3C2007CBA163BF098DA4831C55D3969163FAFD24CF583655D2DCA3AD91C62F35208552B9ED52907096966670C3544ABC980F1746C0CA1821732905E42E36CE3E39E772180E8609B2783AEC07A28B5C55DF6F4C52CDE2BCBF95581713995497EA956AE15D226198FA05115728E58AACAA6FFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF # "RFC3526/Oakley Group 15" -FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE45B3C2007CBA163BF098DA4831C55D3969163FAFD24CF583655D2DCA3AD91C62F35208552B9ED52907096966670C3544ABC980F1746C0CA1821732905E42E36CE3E39E772180E8609B2783AEC07A28B5C55DF6F4C52CDE2BCBF95581713995497EA956AE15D226198FA05115728E58AAAC42AD3317004507A3A85521ADF1CBA6ECFB85058DBEF08AEA7155D060C7B3970F8A6E1E4CABF5AE8DB0933D1E8C94E4A25619CEE3D221AD2EE6F12FFA0D98A086D8760273EC86A6521F2B1177B200BBE11757A615D6770988CBAD946E08E24FA74E5AB343DB5BFE0FD1084B82D12A93AD2CFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF # "RFC3526/Oakley Group 16" -FFFFFFFFFFFFFFC90FDAA2168C23C4C662880DC1CD29024E08A67CC7020BBEA3B139B2514A0878E3404DEF9519BCD3A431302B0A6F25F1434FE13566D51C24E485B57625E7ECF44C42EA637ED60BFF5CBF406B7EEE386BF5A899FAAE9F2417C4B1FE4928665ECE45B3C2007CBA163BF098DA4831C55D3969163FAFD24CF583655D2DCA3AD91C62F35208552B9ED52907096966670C3544ABC980F1746C0CA1821732905E42E36CE3E39E772180E8609B2783AEC07A28B5C55DF6F4C52CDE2BCBF95581713995497EA956AE15D226198FA05115728E58AAAC42AD3317004507A3A85521ADF1CBA6ECFB85058DBEF08AEA7155D060C7B3970F8A6E1E4CABF5AE8DB0933D1E8C94E4A25619CEE3D221AD2EE6F12FFA0D98A086D8760273EC86A6521F2B1177B200BBE11757A615D6770988CBAD946E08E24FA74E5AB343DB5BFE0FD1084B82D12A9210801A723C1A787E6D88719A1BDBA5B299C32716AF4E231A94683B6150BD2583E9C2AD44CEDBBBC2D04DE8EF2E8EFC11FBECAA287C5944E6BC0599B2964A090C3A233BA18515BE7E1F61297CEE2D7AB81BDD72170481D006912D5B05AA93B4EA98D8FDDC86FFB7D90A6C084DF435C3406319FFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF # "RFC5114/1024-bit DSA group with 160-bit prime order subgroup" -B10B8F9A080E01DE92DE5AE5D54E52C99FBFB06A3C9A6A9DC52D23B66073E2875A23D19838EF12EE652C13ECB4AA90611224975C3D49B83BACCBDD790C4BD798488E9219A7374EFFD6FE564473FAA31A4F55BCCCA151AF50DC8B4B45BF37D365C1A6E68CFDA6D4DA70DF1FB2B2E4A4371 +B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371 # "RFC5114/2048-bit DSA group with 224-bit prime order subgroup" -AD107E19123A9DD660FAA9559C51A20D64E683B9FDB54B159B61D0A7E6FA141F95A56DAF9A3C47BA1DF1EB3D688309C1801DE6B851274A0A6D3F815AD6AC219037C9EEFDA4DFD91E8FE55B73947AD5B7DB6C1220C9F98D1ED34DBFC6BA0B28BBC27B6A00E0AB9C4970B3BF8A370918838128613BC8985D1602E71415D933278273CDE31EFD7310F711FD5A0715987D9DC0A486CDF93AC4432838315D75E98C641A80CD86AB9E587EBE60E69C928B2BC52172E13042E923F10B016E7976C9B53DC4BA80A2E3FB73C6B8E75B7EF363EFFA31F7CF9DE534E71B810AC4DFF0C10E64F +AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC2129037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708B3BF8A317091883681286130BC8985DB1602E714415D9330278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486DCDF93ACC44328387315D75E198C641A480CD86A1B9E587E8BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71CF9DE5384E71B81C0AC4DFFE0C10E64F # "RFC5114/2048-bit DSA group with 256-bit prime order subgroup" -87A8E61B4B6663FFBBD1965195998CEEF60660DD0F5D2CEED435E3B0E00DF8FD61957DFAF7DF461B2AA316C3D9134096FA3BF4296830E9A7209E0C697517AB5A8A9D36BCF67E91F9E675B4758C22E0B1E4275BF76C5BFC1D45F908B941F54B1E59BBBC39A0B12307F54FDB70C81B23F7B63ACAECAA6B792D5252635488A0F13C6D951BFA4A3AD834796524D8F6A167BA41825D67E144E14056421CCACB8E6B486FB3CA3F77150602C0B857F8996285DED4010BD0BE62C3A396054E710C75F2637D701410A4B5433C198AF16116D226E11715693877FD7EF09CDB094AE1E1A1597 +87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597 # "weakdh.org/1024-bit MODP group with non-safe prime modulus" -D6C094A57F537468D58C7096872D45CEE1F2664E054421E1DE3C8E98C3F0A6A8F92F193FEF933B99B9C9A055D5596E42574005A68D47040FF00A5596EBA4B9F64CBA1004E451611C9B27438A70A2060C238D0CFAFFBBA48B9DAC4B450DC58B0320A017E2A3144A0278C657FB00CBEC11D +D6C094AD57F5374F68D58C7B096872D945CEE1F82664E0594421E1D5E3C8E98BC3F0A6AF8F92F19E3FEF9337B99B9C93A055D55A96E425734005A68ED47040FDF00A55936EBA4B93F64CBA1A004E4513611C9B217438A703A2060C2038D0CFAAFFBBA48FB9DAC4B2450DC58CB0320A0317E2A31B44A02787C657FB0C0CBEC11D # "weakdh.org/1024-bit MODP group with safe prime modulus" -C9BBF5F74A82970F97CDD3A3468C117B6BF99A13D91F5DAC47B2241F95EFB132855DFDF898B3F9188E24DF326DD8C76CC853728352D46F193129C69364D8C7202EABBEBC85C1F53907FD0B7EB40AD0BC928968680C46AB0BF7CDD9D425E6F25592EB258A065D75E93B671746A349E721B +C9BBF5F774A8297B0F97CDDA3A3468C7117B6BF799A13D9F1F5DAC487B2241FE95EFB13C2855DFD2F898B3F99188E24EDF326DD68C76CC85537283512D46F1953129C693364D8C71202EABB3EBC85C1DF53907FBD0B7EB490AD0BC99289686800C46AB04BF7CDD9AD425E6FB25592EB6258A0655D75E93B2671746AE349E721B "weakdh.org/1024-bit MODP group with safe prime modulus" -829FEBFE3EE043862D336A62BDE765F0C743A53B55291414FAE5E86D34B16DBCC952B15EB443B154B3B4662E811E1D8BC7334018A5A7B5B6A720D84B28B7482C5AF24C04E5BB5DABF8FFA5ED7B46688D6CB82F8AF188A4563ED62D2EACF6BDFD47337884DFA0F0A3D6975E3580E3AE9593 +829FEBFCE3EE0434862D3364A62BDE7B65F0C74A3A53B555291414FCAE5E86D734B16DBDCC952B1C5EB443B154B3B46662E811E11D8BC73134018A5EA7B5B6A9720D84BC28B74822C5AF24C904E5BB5ADABF8FF2A5ED7B456688D6CAB82F8AF0188A456C3ED62D2FEACF6BD3FD47337D884DFA09F0A3D69675E35806E3AE9593 # "weakdh.org/1024-bit MODP group with safe prime modulus" -9240243C3A12E4D3730D878CADFA8E2F5B5A956BFFDB8E5653E9695E3E32506FEB912FA77D22E1BB54C880893B8AD1BCF37F7F779D3FB96881D9BA17034ABF1F97B314CF3203663E8190B7E0906C4C5EEA0E57EC74D3E84D9E72E6C7DA6AE12DF297131854FF21AC4E79C23BB60B4F753 +92402435C3A12E44D3730D8E78CADFA78E2F5B51A956BFF4DB8E56523E9695E63E32506CFEB912F2A77D22E71BB54C8680893B82AD1BCF337F7F7796D3FB968181D9BA1F7034ABFB1F97B3104CF3203F663E81990B7E090F6C4C5EE1A0E57EC174D3E84AD9E72E6AC7DA6AEA12DF297C131854FBF21AC4E879C23BBC60B4F753 # "weakdh.org/1024-bit MODP group with safe prime modulus" -A9A3481446C7B6A29FF997C2181EFAAAD13CCDE245755D42F2E700AF86779D58A7C07C5DE423361117D05773F249C331AFA1B08EF360A14D4046F2762DA36A47D9FDE92B8815598C3A9546E7ED95D22EC9119F5B22CC41B0AF220F47BDE1B8334AD281DDC5E923F11CDDD3B22949DC41B +A9A34811446C7B69A29FF9997C2181ECFAAAD139CCDE2455755D42F42E700AFD86779D548A7C07CA5DE4233261117D0A5773F2459C331AF1A1B08EF8360A14DE4046F27462DA36AA47D9FDE292B8815D598C3A9C546E7ED395D22EC39119F5B922CC41B30AF220FF47BDE1B88334AD2981DDC5ED923F11C3DDD3B22C949DC41B # "weakdh.org/1024-bit MODP group with safe prime modulus" -CA6B8566DC21767605DACE801FAD59845384AF126CCC765E081014F293546ABDDE5C67C32D5B005B1BBF4C5DBFA253ADB3205B7D867DF98CBCE81C713F9FC215F1C33F953AB3CE8B7FEE3951FB31314074D5489BB17C6879A2EAF8195A8DE0A165E4B752077B167A00A5629FD5A9A25F3 +CA6B85646DC217657605DACFE801FAD7598453834AF126C8CC765E0F81014F2493546AB7DDE5C677C32D5B0605B1BBFA4C5DBFA3253ADB33205B7D8C67DF98C4BCE81C7813F9FC2615F1C332F953AB39CE8B7FE7E3951FB73131407F4D5489B6B17C68759A2EAF8B195A8DE80A165E4EB7520774B167A00FA5629FDC5A9A25F3 # "weakdh.org/1024-bit MODP group with safe prime modulus" -EB373E9AB618DF20D233E93E3EBC319BDAC0994C1D003986A9FAFFF754151CCE06413192698B4496F5FDFAF1289679D8BC1580D7D1CD83F8529C7953D58EC62E0E87FD008C13E3E5861B2D3A024D372CE4F220FE2C9039A997664AEBB75446AA69EBE0EF3C6F91C2632B54EC3A970A7BB +EB373E94AB618DF820D233ED93E3EBCB319BDAC20994C1DF003986A79FAFFF7654151CC9E064131492698B47496F5FDCFAF12892679D8BC31580D7D41CD83F81529C79513D58EC672E0E87FCD008C137E3E5861AB2D3A02F4D372CEE4F220FEB2C9039AC997664A7EBB754446AA69EB3E0EF3C60F91C26392B54EC35A970A7BB # "weakdh.org/1024-bit MODP group with safe prime modulus" -80A68AD5327E05AAD07C464B8ADE908432A9651B23F47A7A8F84D568DFDAFAB6621C0C28450F155F7D4AECE383F7D6055ADF60C4B37DCC1EB8374E3995179239FDC3BB428511C8B4A9FFCE4DD5AA23F992647C39CE4D8BB2E773F4EB786CE4CD0C3D4C31D75D1CF9E970C45EE8ECDABAB +80A68ADC5327E05CAAD07C4464B8ADEA908432AF9651B237F47A7A8BF84D568FDFDAFAB06621C0C428450F1C55F7D4A8ECE383F27D6055ADDF60C4B837DCC1E3B8374E379951792939FDC3BBB4285112C8B4A9F6FCE4DD53AA23F99E2647C394CE4D8BB82E773F41EB786CE84CD0C3DD4C31D755D1CF9E9B70C45EE28ECDABAB # "weakdh.org/1024-bit MODP group with safe prime modulus" -C0EB5F34CB30A9FE3786E4C0381469B52035AD49F5EFD8CAA31A69B273CC9F5B4B8F802C5FB683913B612042D2EBD533815E59769C9E97BD488DB335581320DD4AF9CE4A4EBE9118C6828E5B3989C26720B4FDC210C288B174D77E0AAD9C117EA5ED7CF971BB19A8718E52982591CA14B +C0EB5F3A4CB30A9FFE3786E84C03814169B520305AD49F54EFD8CAAC31A69B2973CC9F57B4B8F80D2C5FB68B3913B6172042D2E5BD53381A5E597696C9E97BD6488DB3395581320DDD4AF9CDE4A4EBE29118C68828E5B39289C267280B4FDC2510C288B2174D77EE0AAD9C1E17EA5ED37CF971B6B19A87118E529826591CA14B # "weakdh.org/1024-bit MODP group with safe prime modulus" -8FC0E1E0574D6A3C76DDE64524C276446B698E5B6B2614F969A5061D99034DB819780E8EE28A466B5C4EA634E47F9C981AEC4908E1B83A41813165A0AB6BDCD325718AC49399541C16F960F9D6B9C51EC85AD0BBFE3890118F0CD665D4B1B1C72395B83217FB3EBF878160E827911754B +8FC0E1E20574D6AB3C76DDEA64524C2076446B6798E5B6BD2614F9669A5061D699034DB4819780EC8EE28A4E66B5C4E0A634E47BF9C981A5EC4908EE1B83A410813165AC0AB6BDCFD3257188AC49399D541C16F2960F9D64B9C51EC085AD0BB4FE38901318F0CD6165D4B1B31C723953B83217F8B3EBF8708160E82D7911754B # "haproxy 1.5 builtin" -EC86F87A03316E051A735CD1F8BF29E4D2C52DDC228DB5389FB5CA4EB2DACE65074A684D4B1D3B82BF31E9A72D071E781D8B595235F430B6F1DB07B086B1B2EE4DCC90E43A01DF438CEBEBE90B5154B927B647645DD42EAC29EAE54359C779C503C0ED73045F14C762D8F8CFF3440D1B4261846423904F68B262D55ED1B77591E0C69C1315DB7B442CE845801E660CC449EFD408675DFA7768F01187E99F97DC4B745520D4A412F4421AC1F9717492376B2F87E1CA0A899227D565A71C56377E39D05E7E5D8F821BCE9C293082F9FC9AE49DD054B4D754DFA0B8D6384B71F77F +EC86F870A03316EC051A7359CD1F8BF829E4D2CF52DDC2248DB5389AFB5CA4E4B2DACE665074A6854D4B1D30B82BF310E9A72D0571E781DF8B59523B5F430B68F1DB07BE086B1B23EE4DCC9E0E43A01EDF438CECBEBE90B45154B92F7B64764E5DD42EAEC29EAE514359C7779C503C0EED73045FF14C762AD8F8CFFC3440D1B442618466423904F868B262D755ED1B747591E0C569C1315CDB7B442ECE84580D1E660CC8449EFD4008675DFBA7768F001187E993F97DC4BC745520D44A412F43421AC1F297174927376B2F887E1CA0A1899227D9565A71C156377E3A9D05E7EE5D8F8217BCE9C2933082F9F4C9AE49DBD054B4D9754DFA06B8D63841B71F77F3 # "postfix builtin" -B0FEB4CD45507ECC885901726C50A54A9228178DA8AA4C130BF5D2F9BC96B85009D0C075ADFD3B17E7143F9154144B83021CEBDF79C4CF180D683F98EA4FB78918B291690019668C5384E273D9E75A7AAD5ECE27FAED011C278255065C39FCD4954AC1B1EA4F953D0D6DAFD49E7BAAE9B +B0FEB4CFD45507E7CC88590D1726C50CA54A92238178DA88AA4C1306BF5D2F9EBC96B851009D0C0D75ADFD3BB17E714F3F91541444B830251CEBDF729C4CF1890D683F948EA4FB768918B29116900199668C53814E273D99E75A7AAFD5ECE27EFAED0118C2782559065C39F6CD4954AFC1B1EA4AF953D0DF6DAFD493E7BAAE9B -# "IronPort SMTPbuiltin" -F8D5CCE7A3961BF5CBC8340C5185E0E6FA65AB283178C86761CA46CA7D7FA3BAF75B833C69937D36920FE39A653E8F0725A6E2D297537558E27E7844B549BEB558927A30C8BD1DACDCA93027B5CE1BC1770AF7DEE81149AD7D632DB80A639CEBCC7A619CCF3288EA3D2328774B04E6FB3 +# "IronPort SMTPD builtin" +F8D5CCE87A3961B5F5CBC83440C51856E0E6FA6D5AB2831078C867621CA46CA87D7FA3B1AF75B8343C699374D36920F2E39A653DE8F0725AA6E2D2977537558CE27E784F4B549BEFB558927BA30C8BD81DACDCAE93027B5DCE1BC17670AF7DECE81149ABD7D632D9B80A6397CEBCC7A9619CCF38288EA3D523287743B04E6FB3 ## taken from https://github.com/cryptosense/diffie-hellman-groups/blob/master/gen/common.json -# to be continueed +# to be continued diff --git a/testssl.sh b/testssl.sh index 64a3513..14a7e61 100755 --- a/testssl.sh +++ b/testssl.sh @@ -9568,10 +9568,10 @@ run_logjam() { fi if [[ $sclient_success -eq 0 ]]; then - pr_svrty_high "VULNERABLE (NOT ok):"; out " uses DHE EXPORT ciphers," + pr_svrty_high "VULNERABLE (NOT ok):"; out " uses DHE EXPORT ciphers" fileout "logjam" "HIGH" "LOGJAM: VULNERABLE, uses DHE EXPORT ciphers" "$cve" "$cwe" "$hint" else - pr_done_good "not vulnerable (OK):"; out " no DHE EXPORT ciphers,"; out "$addtl_warning" + pr_done_good "not vulnerable (OK):"; out " no DHE EXPORT ciphers"; out "$addtl_warning" fileout "logjam" "OK" "LOGJAM: not vulnerable (no DHE EXPORT ciphers) $addtl_warning" "$cve" "$cwe" fi @@ -9620,9 +9620,9 @@ run_logjam() { debugme outln "dh_p: $dh_p" echo "$dh_p" > $TEMPDIR/dh_p.txt # attention: file etc/common-primes.txt is not correct! - # common_primes_test $dh_p "$spaces" + common_primes_test $dh_p "$spaces" else - out " no DH key detected" + out ", no DH key detected" fileout "LOGJAM_common primes" "OK" "no DH key detected" fi outln @@ -9637,6 +9637,7 @@ common_primes_test() { local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt" local -i lineno_matched=0 local comment="" + local dhp="$1" if [[ ! -s "$common_primes_file" ]]; then outln @@ -9644,14 +9645,19 @@ common_primes_test() { fileout "LOGJAM_common primes" "WARN" "couldn't read common primes file $common_primes_file" return 1 else - lineno_matched=$(grep -ni "$dh_p" "$common_primes_file" 2>/dev/null) + dh_p="$(toupper "$dh_p")" + # the most elegant thing to get the previous line " awk '/regex/ { print x }; { x=$0 }' " doesn't work with GNU grep + # this is bascially the hint we want to echo + lineno_matched=$(grep -n "$dh_p" "$common_primes_file" 2>/dev/null | awk -F':' '{ print $1 }') if [[ "$lineno_matched" -ne 0 ]]; then # get comment comment="$(awk "NR == $lineno_matched-1" "$common_primes_file" | awk -F'"' '{ print $2 }')" #FiXME: probably the high groups/bit sizes whould get a different rating, see paper - pr_svrty_high "common prime $comment detected" - fileout "LOGJAM_common primes" "HIGH" "common prime $comment detected" + out "\n${2}" + pr_svrty_high "common prime \"$comment\" detected" + fileout "LOGJAM_common primes" "HIGH" "common prime \"$comment\" detected" else + out ", " pr_done_good " no common primes detected" fileout "LOGJAM_common primes" "OK" "no common primes detected" fi