mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Merge pull request #2088 from drwetter/starttls_ldap
Add prototype for STARTTLS+ LDAP via sockets
This commit is contained in:
commit
0d97b93131
@ -82,7 +82,7 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able
|
|||||||
.P
|
.P
|
||||||
\fB\-\-reqheader <header>\fR This can be used to add additional HTTP request headers in the correct format \fBHeadername: headercontent\fR\. This parameter can be called multiple times if required\. For example: \fB\-\-reqheader 'Proxy\-Authorization: Basic dGVzdHNzbDpydWxlcw==' \-\-reqheader 'ClientID: 0xDEADBEAF'\fR\. REQHEADER is the corresponding environment variable\.
|
\fB\-\-reqheader <header>\fR This can be used to add additional HTTP request headers in the correct format \fBHeadername: headercontent\fR\. This parameter can be called multiple times if required\. For example: \fB\-\-reqheader 'Proxy\-Authorization: Basic dGVzdHNzbDpydWxlcw==' \-\-reqheader 'ClientID: 0xDEADBEAF'\fR\. REQHEADER is the corresponding environment variable\.
|
||||||
.SS "SPECIAL INVOCATIONS"
|
.SS "SPECIAL INVOCATIONS"
|
||||||
\fB\-t <protocol>, \-\-starttls <protocol>\fR does a default run against a STARTTLS enabled \fBprotocol\fR\. \fBprotocol\fR must be one of \fBftp\fR, \fBsmtp\fR, \fBpop3\fR, \fBimap\fR, \fBxmpp\fR, \fBsieve\fR, \fBxmpp\-server\fR, \fBtelnet\fR, \fBldap\fR, \fBirc\fR, \fBlmtp\fR, \fBnntp\fR, \fBpostgres\fR, \fBmysql\fR\. For the latter four you need e\.g\. the supplied OpenSSL or OpenSSL version 1\.1\.1\. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with \fB\-\-ssl\-native\fR\. \fBtelnet\fR and \fBirc\fR is WIP\.
|
\fB\-t <protocol>, \-\-starttls <protocol>\fR does a default run against a STARTTLS enabled \fBprotocol\fR\. \fBprotocol\fR must be one of \fBftp\fR, \fBsmtp\fR, \fBpop3\fR, \fBimap\fR, \fBxmpp\fR, \fBsieve\fR, \fBxmpp\-server\fR, \fBtelnet\fR, \fBldap\fR, \fBirc\fR, \fBlmtp\fR, \fBnntp\fR, \fBpostgres\fR, \fBmysql\fR\. For the latter four you need e\.g\. the supplied OpenSSL or OpenSSL version 1\.1\.1\. Please note: MongoDB doesn't offer a STARTTLS connection, IRC currently only works with \fB\-\-ssl\-native\fR\. \fBtelnet\fR and \fBirc\fR are WIP\.
|
||||||
.P
|
.P
|
||||||
\fB\-\-xmpphost <jabber_domain>\fR is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter\. This is only needed if the domain is different from the URI supplied\.
|
\fB\-\-xmpphost <jabber_domain>\fR is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter\. This is only needed if the domain is different from the URI supplied\.
|
||||||
.P
|
.P
|
||||||
@ -478,9 +478,11 @@ Please note that for plain TLS\-encrypted ports you must not specify the protoco
|
|||||||
.IP "\[ci]" 4
|
.IP "\[ci]" 4
|
||||||
RFC 2246: The TLS Protocol Version 1\.0
|
RFC 2246: The TLS Protocol Version 1\.0
|
||||||
.IP "\[ci]" 4
|
.IP "\[ci]" 4
|
||||||
|
RFC 2595: Using TLS with IMAP, POP3 and ACAP
|
||||||
|
.IP "\[ci]" 4
|
||||||
RFC 2818: HTTP Over TLS
|
RFC 2818: HTTP Over TLS
|
||||||
.IP "\[ci]" 4
|
.IP "\[ci]" 4
|
||||||
RFC 2595: Using TLS with IMAP, POP3 and ACAP
|
RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
|
||||||
.IP "\[ci]" 4
|
.IP "\[ci]" 4
|
||||||
RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
|
RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
|
||||||
.IP "\[ci]" 4
|
.IP "\[ci]" 4
|
||||||
@ -502,6 +504,8 @@ RFC 5321: Simple Mail Transfer Protocol
|
|||||||
.IP "\[ci]" 4
|
.IP "\[ci]" 4
|
||||||
RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension
|
RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension
|
||||||
.IP "\[ci]" 4
|
.IP "\[ci]" 4
|
||||||
|
RFC 5804: A Protocol for Remotely Managing Sieve Scripts
|
||||||
|
.IP "\[ci]" 4
|
||||||
RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions
|
RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions
|
||||||
.IP "\[ci]" 4
|
.IP "\[ci]" 4
|
||||||
RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3\.0
|
RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3\.0
|
||||||
|
@ -194,7 +194,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
|
|||||||
|
|
||||||
<h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>
|
<h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>
|
||||||
|
|
||||||
<p><code>-t <protocol>, --starttls <protocol></code> does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>, <code>pop3</code>, <code>imap</code>, <code>xmpp</code>, <code>sieve</code>, <code>xmpp-server</code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> is WIP.</p>
|
<p><code>-t <protocol>, --starttls <protocol></code> does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>, <code>pop3</code>, <code>imap</code>, <code>xmpp</code>, <code>sieve</code>, <code>xmpp-server</code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, IRC currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> are WIP.</p>
|
||||||
|
|
||||||
<p><code>--xmpphost <jabber_domain></code> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.</p>
|
<p><code>--xmpphost <jabber_domain></code> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.</p>
|
||||||
|
|
||||||
@ -580,8 +580,9 @@ This is to prevent giving out a misleading or wrong grade.</p>
|
|||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>RFC 2246: The TLS Protocol Version 1.0</li>
|
<li>RFC 2246: The TLS Protocol Version 1.0</li>
|
||||||
<li>RFC 2818: HTTP Over TLS</li>
|
|
||||||
<li>RFC 2595: Using TLS with IMAP, POP3 and ACAP</li>
|
<li>RFC 2595: Using TLS with IMAP, POP3 and ACAP</li>
|
||||||
|
<li>RFC 2818: HTTP Over TLS</li>
|
||||||
|
<li>RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security</li>
|
||||||
<li>RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security</li>
|
<li>RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security</li>
|
||||||
<li>RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1</li>
|
<li>RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1</li>
|
||||||
<li>RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1</li>
|
<li>RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1</li>
|
||||||
@ -592,6 +593,7 @@ This is to prevent giving out a misleading or wrong grade.</p>
|
|||||||
<li>RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</li>
|
<li>RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</li>
|
||||||
<li>RFC 5321: Simple Mail Transfer Protocol</li>
|
<li>RFC 5321: Simple Mail Transfer Protocol</li>
|
||||||
<li>RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension</li>
|
<li>RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension</li>
|
||||||
|
<li>RFC 5804: A Protocol for Remotely Managing Sieve Scripts</li>
|
||||||
<li>RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions</li>
|
<li>RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions</li>
|
||||||
<li>RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0</li>
|
<li>RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0</li>
|
||||||
<li>RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core</li>
|
<li>RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core</li>
|
||||||
|
@ -115,7 +115,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
|
|||||||
|
|
||||||
### SPECIAL INVOCATIONS
|
### SPECIAL INVOCATIONS
|
||||||
|
|
||||||
`-t <protocol>, --starttls <protocol>` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `sieve`, `xmpp-server`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP.
|
`-t <protocol>, --starttls <protocol>` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `sieve`, `xmpp-server`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, IRC currently only works with `--ssl-native`. `telnet` and `irc` are WIP.
|
||||||
|
|
||||||
`--xmpphost <jabber_domain>` is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.
|
`--xmpphost <jabber_domain>` is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.
|
||||||
|
|
||||||
@ -473,8 +473,9 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
|
|||||||
## RFCs and other standards
|
## RFCs and other standards
|
||||||
|
|
||||||
* RFC 2246: The TLS Protocol Version 1.0
|
* RFC 2246: The TLS Protocol Version 1.0
|
||||||
* RFC 2818: HTTP Over TLS
|
|
||||||
* RFC 2595: Using TLS with IMAP, POP3 and ACAP
|
* RFC 2595: Using TLS with IMAP, POP3 and ACAP
|
||||||
|
* RFC 2818: HTTP Over TLS
|
||||||
|
* RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
|
||||||
* RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
|
* RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
|
||||||
* RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
|
* RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
|
||||||
* RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
|
* RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
|
||||||
@ -485,6 +486,7 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
|
|||||||
* RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
|
* RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
|
||||||
* RFC 5321: Simple Mail Transfer Protocol
|
* RFC 5321: Simple Mail Transfer Protocol
|
||||||
* RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension
|
* RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension
|
||||||
|
* RFC 5804: A Protocol for Remotely Managing Sieve Scripts
|
||||||
* RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions
|
* RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions
|
||||||
* RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
|
* RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
|
||||||
* RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core
|
* RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core
|
||||||
|
@ -60,14 +60,11 @@ $socket_out = `./testssl.sh $check2run -t pop3 $uri 2>&1`;
|
|||||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||||
$tests++;
|
$tests++;
|
||||||
|
|
||||||
# commented out, bc of travis' limits
|
printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ...";
|
||||||
#
|
$openssl_out = `./testssl.sh --ssl-native $check2run -t pop3 $uri 2>&1`;
|
||||||
#printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ...";
|
|
||||||
# unlink "tmp.json";
|
|
||||||
#$openssl_out = `./testssl.sh --ssl-native $check2run -t pop3 $uri 2>&1`;
|
|
||||||
# $openssl_json = json('tmp.json');
|
# $openssl_json = json('tmp.json');
|
||||||
#unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||||
#$tests++;
|
$tests++;
|
||||||
|
|
||||||
|
|
||||||
$uri="imap.gmx.net:143";
|
$uri="imap.gmx.net:143";
|
||||||
@ -146,6 +143,12 @@ $tests++;
|
|||||||
# https://ldapwiki.com/wiki/Public%20LDAP%20Servers
|
# https://ldapwiki.com/wiki/Public%20LDAP%20Servers
|
||||||
$uri="db.debian.org:389";
|
$uri="db.debian.org:389";
|
||||||
|
|
||||||
|
printf "\n%s\n", "STARTTLS LDAP unit tests via sockets --> $uri ...";
|
||||||
|
$socket_out = `./testssl.sh $check2run -t ldap $uri 2>&1`;
|
||||||
|
# $socket_json = json('tmp.json');
|
||||||
|
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||||
|
$tests++;
|
||||||
|
|
||||||
printf "\n%s\n", "STARTTLS LDAP unit tests via OpenSSL --> $uri ...";
|
printf "\n%s\n", "STARTTLS LDAP unit tests via OpenSSL --> $uri ...";
|
||||||
$openssl_out = `./testssl.sh --ssl-native $check2run -t ldap $uri 2>&1`;
|
$openssl_out = `./testssl.sh --ssl-native $check2run -t ldap $uri 2>&1`;
|
||||||
# $openssl_json = json('tmp.json');
|
# $openssl_json = json('tmp.json');
|
||||||
@ -153,6 +156,7 @@ unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
|||||||
$tests++;
|
$tests++;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
$uri="140.238.219.117:119";
|
$uri="140.238.219.117:119";
|
||||||
|
|
||||||
# unlink "tmp.json";
|
# unlink "tmp.json";
|
||||||
|
91
testssl.sh
91
testssl.sh
@ -4728,7 +4728,7 @@ client_simulation_sockets() {
|
|||||||
socksend_clienthello "${data}"
|
socksend_clienthello "${data}"
|
||||||
sleep $USLEEP_SND
|
sleep $USLEEP_SND
|
||||||
|
|
||||||
sockread_serverhello 32768
|
sockread 32768
|
||||||
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}"
|
tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}"
|
||||||
|
|
||||||
@ -4758,7 +4758,7 @@ client_simulation_sockets() {
|
|||||||
|
|
||||||
debugme echo -n "requesting more server hello data... "
|
debugme echo -n "requesting more server hello data... "
|
||||||
socksend "" $USLEEP_SND
|
socksend "" $USLEEP_SND
|
||||||
sockread_serverhello 32768
|
sockread 32768
|
||||||
|
|
||||||
next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
next_packet="${next_packet%%[!0-9A-F]*}"
|
next_packet="${next_packet%%[!0-9A-F]*}"
|
||||||
@ -7512,7 +7512,7 @@ tls_time() {
|
|||||||
|
|
||||||
pr_bold " TLS clock skew" ; out "$spaces"
|
pr_bold " TLS clock skew" ; out "$spaces"
|
||||||
|
|
||||||
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -7872,7 +7872,7 @@ get_server_certificate() {
|
|||||||
success=$?
|
success=$?
|
||||||
else
|
else
|
||||||
# For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
# For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
||||||
if [[ "$STARTTLS" =~ ldap ]] || [[ "$STARTTLS" =~ irc ]]; then
|
if [[ "$STARTTLS" =~ irc ]]; then
|
||||||
return 1
|
return 1
|
||||||
elif [[ "$1" =~ tls1_3_RSA ]]; then
|
elif [[ "$1" =~ tls1_3_RSA ]]; then
|
||||||
tls_sockets "04" "$TLS13_CIPHER" "all+" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
|
tls_sockets "04" "$TLS13_CIPHER" "all+" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
|
||||||
@ -11094,6 +11094,36 @@ starttls_postgres_dialog() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# RFC 2830
|
||||||
|
starttls_ldap_dialog() {
|
||||||
|
local debugpad=" > "
|
||||||
|
local -i ret=0
|
||||||
|
local result=""
|
||||||
|
local starttls_init=",
|
||||||
|
x30, x1d, x02, x01, # LDAP extendedReq
|
||||||
|
x01, # messageID: 1
|
||||||
|
x77, x18, x80, x16, x31, x2e, x33, x2e, x36, x2e, # ProtocolOP: extendedReq
|
||||||
|
x31, x2e, x34, x2e, x31, x2e, x31, x34, x36, x36, x2e, x32, x30, x30, x33, x37" # OID for STATRTTLS = "1.3.6.1.4.1.1466.20037"
|
||||||
|
|
||||||
|
debugme echo "=== starting LDAP STARTTLS dialog ==="
|
||||||
|
socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" &&
|
||||||
|
result=$(sockread_fast 256)
|
||||||
|
[[ $DEBUG -ge 6 ]] && safe_echo "$debugpad $result\n"
|
||||||
|
|
||||||
|
# response is typically 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
|
||||||
|
# ^^ == success! [9] is checked below
|
||||||
|
if [[ ${result:18:2} == 00 ]]; then
|
||||||
|
ret=0
|
||||||
|
elif [[ ${result:18:2} == 01 ]]; then
|
||||||
|
ret=1
|
||||||
|
else
|
||||||
|
ret=127
|
||||||
|
fi
|
||||||
|
debugme echo "=== finished LDAP STARTTLS dialog with ${ret} ==="
|
||||||
|
return $ret
|
||||||
|
}
|
||||||
|
|
||||||
starttls_mysql_dialog() {
|
starttls_mysql_dialog() {
|
||||||
local debugpad=" > "
|
local debugpad=" > "
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
@ -11214,8 +11244,10 @@ fd_socket() {
|
|||||||
irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html
|
irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html
|
||||||
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
|
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
|
||||||
;;
|
;;
|
||||||
ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
|
ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830#section-2.1, https://tools.ietf.org/html/rfc4511
|
||||||
fatal "FIXME: LDAP+STARTTLS over sockets not supported yet (try \"--ssl-native\")" $ERR_NOSUPPORT
|
# https://ldap.com/ldapv3-wire-protocol-reference-extended/
|
||||||
|
#fatal "FIXME: LDAP+STARTTLS over sockets not supported yet (try \"--ssl-native\")" $ERR_NOSUPPORT
|
||||||
|
starttls_ldap_dialog
|
||||||
;;
|
;;
|
||||||
acap|acaps) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595
|
acap|acaps) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595
|
||||||
fatal "ACAP Easteregg: not implemented -- probably never will" $ERR_NOSUPPORT
|
fatal "ACAP Easteregg: not implemented -- probably never will" $ERR_NOSUPPORT
|
||||||
@ -11231,7 +11263,7 @@ fd_socket() {
|
|||||||
starttls_mysql_dialog
|
starttls_mysql_dialog
|
||||||
;;
|
;;
|
||||||
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
|
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
|
||||||
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not yet supported" $ERR_NOSUPPORT
|
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not supported yet" $ERR_NOSUPPORT
|
||||||
esac
|
esac
|
||||||
ret=$?
|
ret=$?
|
||||||
case $ret in
|
case $ret in
|
||||||
@ -11321,9 +11353,11 @@ socksend() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# for SSLv2 to TLS 1.2:
|
# Reads from socket. Uses SOCK_REPLY_FILE global to save socket reply
|
||||||
|
# Not blocking, polling
|
||||||
# ARG1: blocksize for reading
|
# ARG1: blocksize for reading
|
||||||
sockread_serverhello() {
|
#
|
||||||
|
sockread() {
|
||||||
[[ -z "$2" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
|
[[ -z "$2" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
|
||||||
SOCK_REPLY_FILE=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
|
SOCK_REPLY_FILE=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
|
||||||
dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null &
|
dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null &
|
||||||
@ -11331,8 +11365,10 @@ sockread_serverhello() {
|
|||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
#trying a faster version
|
# Reads from socket. Utilises a pipe. Output is ASCII.
|
||||||
|
# Faster as previous, blocks however when socket stream is empty
|
||||||
# ARG1: blocksize for reading
|
# ARG1: blocksize for reading
|
||||||
|
#
|
||||||
sockread_fast() {
|
sockread_fast() {
|
||||||
dd bs=$1 count=1 <&5 2>/dev/null | hexdump -v -e '16/1 "%02X"'
|
dd bs=$1 count=1 <&5 2>/dev/null | hexdump -v -e '16/1 "%02X"'
|
||||||
}
|
}
|
||||||
@ -14718,7 +14754,7 @@ sslv2_sockets() {
|
|||||||
debugme echo -n "sending client hello... "
|
debugme echo -n "sending client hello... "
|
||||||
socksend_clienthello "$client_hello"
|
socksend_clienthello "$client_hello"
|
||||||
|
|
||||||
sockread_serverhello 32768
|
sockread 32768
|
||||||
if "$parse_complete"; then
|
if "$parse_complete"; then
|
||||||
if [[ -s "$SOCK_REPLY_FILE" ]]; then
|
if [[ -s "$SOCK_REPLY_FILE" ]]; then
|
||||||
server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
@ -14731,7 +14767,7 @@ sslv2_sockets() {
|
|||||||
|
|
||||||
debugme echo -n "requesting more server hello data... "
|
debugme echo -n "requesting more server hello data... "
|
||||||
socksend "" $USLEEP_SND
|
socksend "" $USLEEP_SND
|
||||||
sockread_serverhello 32768
|
sockread 32768
|
||||||
|
|
||||||
[[ ! -s "$SOCK_REPLY_FILE" ]] && break
|
[[ ! -s "$SOCK_REPLY_FILE" ]] && break
|
||||||
cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2"
|
cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2"
|
||||||
@ -15451,7 +15487,7 @@ resend_if_hello_retry_request() {
|
|||||||
done
|
done
|
||||||
debugme echo -n "sending client hello... "
|
debugme echo -n "sending client hello... "
|
||||||
socksend_clienthello "$data" $USLEEP_SND
|
socksend_clienthello "$data" $USLEEP_SND
|
||||||
sockread_serverhello 32768
|
sockread 32768
|
||||||
return 2
|
return 2
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -15506,7 +15542,7 @@ tls_sockets() {
|
|||||||
# if sending didn't succeed we don't bother
|
# if sending didn't succeed we don't bother
|
||||||
if [[ $ret -eq 0 ]]; then
|
if [[ $ret -eq 0 ]]; then
|
||||||
clienthello1="$TLS_CLIENT_HELLO"
|
clienthello1="$TLS_CLIENT_HELLO"
|
||||||
sockread_serverhello 32768
|
sockread 32768
|
||||||
"$TLS_DIFFTIME_SET" && TLS_NOW=$(LC_ALL=C date "+%s")
|
"$TLS_DIFFTIME_SET" && TLS_NOW=$(LC_ALL=C date "+%s")
|
||||||
|
|
||||||
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
@ -15546,7 +15582,7 @@ tls_sockets() {
|
|||||||
|
|
||||||
debugme echo -n "requesting more server hello data... "
|
debugme echo -n "requesting more server hello data... "
|
||||||
socksend "" $USLEEP_SND
|
socksend "" $USLEEP_SND
|
||||||
sockread_serverhello 32768
|
sockread 32768
|
||||||
|
|
||||||
next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
next_packet="${next_packet%%[!0-9A-F]*}"
|
next_packet="${next_packet%%[!0-9A-F]*}"
|
||||||
@ -15760,7 +15796,7 @@ receive_app_data() {
|
|||||||
if "$FAST_SOCKET"; then
|
if "$FAST_SOCKET"; then
|
||||||
res="$(sockread_fast 32768)"
|
res="$(sockread_fast 32768)"
|
||||||
else
|
else
|
||||||
sockread_serverhello 32768
|
sockread 32768
|
||||||
res="$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")"
|
res="$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")"
|
||||||
fi
|
fi
|
||||||
res="${res%%[!0-9A-F]*}"
|
res="${res%%[!0-9A-F]*}"
|
||||||
@ -15816,7 +15852,7 @@ run_heartbleed(){
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
||||||
pr_bold " Heartbleed"; out " ($cve) "
|
pr_bold " Heartbleed"; out " ($cve) "
|
||||||
|
|
||||||
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -15853,7 +15889,7 @@ run_heartbleed(){
|
|||||||
|
|
||||||
[[ $DEBUG -ge 4 ]] && tmln_out "\nsending payload with TLS version $tls_hexcode:"
|
[[ $DEBUG -ge 4 ]] && tmln_out "\nsending payload with TLS version $tls_hexcode:"
|
||||||
socksend "$heartbleed_payload" 1
|
socksend "$heartbleed_payload" 1
|
||||||
sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK
|
sockread 16384 $HEARTBLEED_MAX_WAITSOCK
|
||||||
if [[ $? -eq 3 ]]; then
|
if [[ $? -eq 3 ]]; then
|
||||||
append=", timed out"
|
append=", timed out"
|
||||||
pr_svrty_best "not vulnerable (OK)"; out "$append"
|
pr_svrty_best "not vulnerable (OK)"; out "$append"
|
||||||
@ -15926,7 +15962,7 @@ run_ccs_injection(){
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
|
||||||
pr_bold " CCS"; out " ($cve) "
|
pr_bold " CCS"; out " ($cve) "
|
||||||
|
|
||||||
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -15990,7 +16026,7 @@ run_ccs_injection(){
|
|||||||
socksend "$client_hello" 1
|
socksend "$client_hello" 1
|
||||||
|
|
||||||
debugme echo "reading server hello... "
|
debugme echo "reading server hello... "
|
||||||
sockread_serverhello 32768
|
sockread 32768
|
||||||
if [[ $DEBUG -ge 4 ]]; then
|
if [[ $DEBUG -ge 4 ]]; then
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
||||||
tmln_out "[...]"
|
tmln_out "[...]"
|
||||||
@ -15999,7 +16035,7 @@ run_ccs_injection(){
|
|||||||
rm "$SOCK_REPLY_FILE"
|
rm "$SOCK_REPLY_FILE"
|
||||||
# ... and then send the change cipher spec message
|
# ... and then send the change cipher spec message
|
||||||
socksend "$ccs_message" 1 || ok_ids
|
socksend "$ccs_message" 1 || ok_ids
|
||||||
sockread_serverhello 4096 $CCS_MAX_WAITSOCK
|
sockread 4096 $CCS_MAX_WAITSOCK
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
tmln_out "\n1st reply: "
|
tmln_out "\n1st reply: "
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
||||||
@ -16009,7 +16045,7 @@ run_ccs_injection(){
|
|||||||
rm "$SOCK_REPLY_FILE"
|
rm "$SOCK_REPLY_FILE"
|
||||||
|
|
||||||
socksend "$ccs_message" 2 || ok_ids
|
socksend "$ccs_message" 2 || ok_ids
|
||||||
sockread_serverhello 4096 $CCS_MAX_WAITSOCK
|
sockread 4096 $CCS_MAX_WAITSOCK
|
||||||
retval=$?
|
retval=$?
|
||||||
|
|
||||||
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
@ -16282,7 +16318,7 @@ run_ticketbleed() {
|
|||||||
if "$FAST_SOCKET"; then
|
if "$FAST_SOCKET"; then
|
||||||
tls_hello_ascii=$(sockread_fast 32768)
|
tls_hello_ascii=$(sockread_fast 32768)
|
||||||
else
|
else
|
||||||
sockread_serverhello 32768 $CCS_MAX_WAITSOCK
|
sockread 32768 $CCS_MAX_WAITSOCK
|
||||||
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
fi
|
fi
|
||||||
[[ "$DEBUG" -ge 5 ]] && echo "$tls_hello_ascii"
|
[[ "$DEBUG" -ge 5 ]] && echo "$tls_hello_ascii"
|
||||||
@ -17617,7 +17653,7 @@ run_drown() {
|
|||||||
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
|
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -18022,7 +18058,7 @@ run_winshock() {
|
|||||||
outln
|
outln
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -19003,7 +19039,7 @@ run_robot() {
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln
|
||||||
pr_bold " ROBOT "
|
pr_bold " ROBOT "
|
||||||
|
|
||||||
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -19160,7 +19196,7 @@ run_robot() {
|
|||||||
fi
|
fi
|
||||||
debugme echo "reading server error response..."
|
debugme echo "reading server error response..."
|
||||||
start_time=$(LC_ALL=C date "+%s")
|
start_time=$(LC_ALL=C date "+%s")
|
||||||
sockread_serverhello 32768 $robottimeout
|
sockread 32768 $robottimeout
|
||||||
subret=$?
|
subret=$?
|
||||||
if [[ $subret -eq 0 ]]; then
|
if [[ $subret -eq 0 ]]; then
|
||||||
end_time=$(LC_ALL=C date "+%s")
|
end_time=$(LC_ALL=C date "+%s")
|
||||||
@ -21364,7 +21400,6 @@ determine_sizelimitbug() {
|
|||||||
|
|
||||||
# For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
# For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
||||||
# Fixme: find out whether we can't skip this in general for STARTTLS
|
# Fixme: find out whether we can't skip this in general for STARTTLS
|
||||||
[[ "$STARTTLS" =~ ldap ]] && return 0
|
|
||||||
[[ "$STARTTLS" =~ irc ]] && return 0
|
[[ "$STARTTLS" =~ irc ]] && return 0
|
||||||
|
|
||||||
# Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practice. Thus
|
# Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practice. Thus
|
||||||
|
Loading…
Reference in New Issue
Block a user