From 93204937c55061bf3a5635495c0679f5696d04b2 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Thu, 23 Jun 2016 19:42:26 +0200
Subject: [PATCH 1/2] FIX #376
---
testssl.sh | 69 ++++++++++++++++++++++++++++++++----------------------
1 file changed, 41 insertions(+), 28 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index ffeb15f..d05af23 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -125,9 +125,9 @@ tty -s && \ readonly INTERACTIVE=false if ! tput cols &>/dev/null || ! $INTERACTIVE; then # Prevent tput errors if running non interactive - TERM_DWITH=${COLUMNS:-80} + TERM_WIDTH=${COLUMNS:-80} else - TERM_DWITH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes + TERM_WIDTH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes fi TERM_CURRPOS=0 # custom line wrapping needs alter the current horizontal cursor pos
@@ -6174,7 +6174,7 @@ MAPPING_FILE_RFC: $MAPPING_FILE_RFC CAPATH: $CAPATH COLOR: $COLOR COLORBLIND: $COLORBLIND -TERM_DWITH: $TERM_DWITH +TERM_WIDTH: $TERM_WIDTH INTERACTIVE: $INTERACTIVE HAS_GNUDATE: $HAS_GNUDATE HAS_FREEBSDDATE: $HAS_FREEBSDDATE
@@ -6331,7 +6331,6 @@ ignore_no_or_lame() { } # arg1: URI -# arg2: protocol parse_hn_port() { local tmp_port 
@@ -6364,13 +6363,27 @@ parse_hn_port() { debugme echo $NODE:$PORT SNI="-servername $NODE" - # now do logging if instructed + URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port + URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> / + [[ -z "$URL_PATH" ]] && URL_PATH="/" + debugme echo $URL_PATH + return 0 # NODE, URL_PATH, PORT is set now +} + + +# now do logging if instructed +# arg1: for testing mx records name we put a name of logfile in here, otherwise we get strange file names +prepare_logging() { + local fname_prefix="$1" + + [[ -z "$fname_prefix" ]] && fname_prefix="$NODE" + if "$do_logging"; then if [[ -z "$LOGFILE" ]]; then - LOGFILE=$NODE-$(date +"%Y%m%d-%H%M".log) + LOGFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".log) elif [[ -d "$LOGFILE" ]]; then # actually we were instructed to place all files in a DIR instead of the current working dir - LOGFILE=$LOGFILE/$NODE-$(date +"%Y%m%d-%H%M".log) + LOGFILE=$LOGFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".log) else : # just for clarity: a log file was specified, no need to do anything else fi 
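Review bot: The URL_PATH derivation that now ends parse_hn_port strips the port with `sed 's/.*'"${PORT}"'//'`, whose greedy `.*` removes everything up to the last occurrence of the port digits, so a path that itself contains those digits (e.g. `/v443/x` on port 443) is truncated; NODE and PORT are also inserted into sed patterns unescaped, so a dot in the hostname matches any character. This is moved rather than new code, but if NODE is taken verbatim from the URI it can be done with anchored parameter expansion instead of sed: `URL_PATH=${1#https://}`, `URL_PATH=${URL_PATH#"$NODE"}`, `URL_PATH=${URL_PATH#:"$PORT"}`, keeping the existing `//` to `/` and empty-path fallback lines. The new prepare_logging silently falls back to `$NODE` when called without a prefix; a one-line comment such as `# needs NODE from parse_hn_port when no prefix is given` would document that ordering dependency. parse_hn_port starts before this hunk and prepare_logging continues past it.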
@@ -6384,32 +6397,26 @@ parse_hn_port() { if "$do_json"; then if [[ -z "$JSONFILE" ]]; then - JSONFILE=$NODE-$(date +"%Y%m%d-%H%M".json) + JSONFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".json) elif [[ -d "$JSONFILE" ]]; then # actually we were instructed to place all files in a DIR instead of the current working dir - JSONFILE=$JSONFILE/$NODE-$(date +"%Y%m%d-%H%M".json) + JSONFILE=$JSONFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".json) fi fi - if "$do_csv"; then if [[ -z "$CSVFILE" ]]; then - CSVFILE=$NODE-$(date +"%Y%m%d-%H%M".csv) + CSVFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".csv) elif [[ -d "$CSVFILE" ]]; then # actually we were instructed to place all files in a DIR instead of the current working dir - CSVFILE=$CSVFILE/$NODE-$(date +"%Y%m%d-%H%M".csv) + CSVFILE=$CSVFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".csv) fi fi - fileout_header # write out any CSV/JSON header line - URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port - URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> / - [[ -z "$URL_PATH" ]] && URL_PATH="/" - debugme echo $URL_PATH - return 0 # NODE, URL_PATH, PORT is set now + return 0 } - + # args: string containing ip addresses filter_ip6_address() { local a
@@ -6845,7 +6852,7 @@ draw_line() { } -mx_all_ips() { +run_mx_all_ips() { local mxs mx local mxport local -i ret=0 
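Review bot: `fileout_header` now runs inside prepare_logging, so every JSON/CSV line of the run depends on prepare_logging being called exactly once, after NODE is known and before the first fileout call; nothing in the function states or checks that, and a second call would presumably write a second header. A header comment on prepare_logging (its signature is in the previous hunk) would make the contract explicit, e.g. `# call exactly once per run, after parse_hn_port (NODE) and before any fileout: sets LOGFILE/JSONFILE/CSVFILE and writes the CSV/JSON header`. The three `-z`/`-d` blocks for LOGFILE, JSONFILE and CSVFILE differ only in variable name and extension and could be folded into one small helper, but that is optional.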
@@ -6855,12 +6862,17 @@ mx_all_ips() { # test first higher priority servers mxs=$(get_mx_record "$1" | sort -n | sed -e 's/^.* //' -e 's/\.$//' | tr '\n' ' ') mxport=${2:-25} + if [[ -n "$LOGFILE" ]]; then + prepare_logging + else + prepare_logging "mx-$1" + fi if [[ -n "$mxs" ]] && [[ "$mxs" != ' ' ]]; then [[ $mxport == "465" ]] && \ STARTTLS_PROTOCOL="" # no starttls for Port 465, on all other ports we speak starttls pr_bold "Testing now all MX records (on port $mxport): "; outln "$mxs" for mx in $mxs; do - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln parse_hn_port "$mx:$mxport" determine_ip_addresses || continue
@@ -6876,7 +6888,7 @@ mx_all_ips() { fi ret=$(($? + ret)) done - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln pr_bold "Done testing now all MX records (on port $mxport): "; outln "$mxs" else
@@ -6902,7 +6914,7 @@ run_mass_testing_parallel() { [[ -z "$cmdline" ]] && continue [[ "$cmdline" == "EOF" ]] && break cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" - draw_line "=" $((TERM_DWITH / 2)); outln; + draw_line "=" $((TERM_WIDTH / 2)); outln; determine_logfile outln "$cmdline" $cmdline >$LOGFILE &
@@ -6927,7 +6939,7 @@ run_mass_testing() { [[ -z "$cmdline" ]] && continue [[ "$cmdline" == "EOF" ]] && break cmdline="$0 $global_cmdline --warnings=batch -q --append $cmdline" - draw_line "=" $((TERM_DWITH / 2)); outln; + draw_line "=" $((TERM_WIDTH / 2)); outln; outln "$cmdline" $cmdline done < "${FNAME}" 
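Review bot: In run_mx_all_ips the `then` branch calls `prepare_logging` with no prefix, which makes prepare_logging fall back to `$NODE`, yet parse_hn_port has not run for any MX at this point (it is called inside the loop below), so when `$LOGFILE` names a directory the generated name is presumably `$LOGFILE/-<timestamp>.log` with an empty host part; the same gap applies when only JSONFILE or CSVFILE is a directory, which the `-n "$LOGFILE"` test does not consider. Since prepare_logging only uses the prefix when it has to generate a name, the whole if/else can be collapsed to the single line `prepare_logging "mx-$1"`. The function's opening lines and the rest of the loop are outside this hunk.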
@@ -7482,10 +7494,11 @@ fi if $do_mx_all_ips; then query_globals # if we have just 1x "do_*" --> we do a standard run -- otherwise just the one specified [[ $? -eq 1 ]] && set_scanning_defaults - mx_all_ips "${URI}" $PORT + run_mx_all_ips "${URI}" $PORT # we should reduce run_mx_all_ips to the stuff neccessary as ~15 lines later we have sililar code ret=$? else parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now + prepare_logging if ! determine_ip_addresses && [[ -z "$CMDLINE_IP" ]]; then fatal "No IP address could be determined" fi
@@ -7499,13 +7512,13 @@ else if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" for ip in $IPADDRs; do - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln NODEIP="$ip" lets_roll "${STARTTLS_PROTOCOL}" ret=$(($? + ret)) done - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs" else # we need just one ip4v to check
@@ -7519,4 +7532,4 @@ fi exit $? -# $Id: testssl.sh,v 1.505 2016/06/23 12:33:25 dirkw Exp $ +# $Id: testssl.sh,v 1.506 2016/06/23 17:42:25 dirkw Exp $
From 5cb4b722b4ac0b1d31738c38023dae5c8fc35591 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Fri, 24 Jun 2016 19:01:00 +0200
Subject: [PATCH 2/2] in client simulation it should be TLSv1.0 instead of TLSv1.0
---
testssl.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index d05af23..cb91233 100755
--- a/testssl.sh
+++ b/testssl.sh
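Review bot: The inline comment added on the `run_mx_all_ips` call has two typos (`neccessary`, `sililar`) and reads as a note-to-self; since the duplicated code it refers to is the per-IP loop a few lines further down, a greppable marker is more useful: `# TODO: reduce run_mx_all_ips to what is necessary, the per-IP loop below duplicates much of it`. The call also leaves `$PORT` unquoted where the URI is quoted; `run_mx_all_ips "${URI}" "$PORT"` keeps the two consistent. In the `else` branch the new `prepare_logging` runs before determine_ip_addresses, so the CSV/JSON header is written via fileout_header even when the run then aborts with "No IP address could be determined"; that matches the old placement inside parse_hn_port, but calling it after the address check would avoid the stray files. The surrounding if/else starts before and ends after this hunk.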
@@ -2178,6 +2178,7 @@ run_client_simulation() { else #FIXME: awk proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') + [[ "$proto" == TLSv1 ]] && proto="TLSv1.0" if [[ "$proto" == TLSv1.2 ]]; then # OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is... for tls in ${tlsvers[i]}; do
@@ -7532,4 +7533,4 @@ fi exit $? -# $Id: testssl.sh,v 1.506 2016/06/23 17:42:25 dirkw Exp $ +# $Id: testssl.sh,v 1.507 2016/06/24 17:00:58 dirkw Exp $
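Review bot: The `TLSv1` to `TLSv1.0` normalisation is applied only in this `else` branch, directly after the grep/sed extraction, so any other path in run_client_simulation that assigns `proto` (the matching `if` branch lies above the hunk) would presumably still carry the bare `TLSv1` label; if a consistent label is the goal, the mapping belongs where `proto` is finally printed, or a comment should say why only this branch needs it. A why-comment on the new line would help the next reader: `# OpenSSL prints "TLSv1" for TLS 1.0; normalise to the "TLSv1.0" label used in the output`. The grep on the previous line expands `$TMPFILE` unquoted, which `"$TMPFILE"` would fix in passing. run_client_simulation starts and ends outside this hunk.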