Merge branch '2.9dev' into rename_ephemeral_DH_ciphers
This commit is contained in:
commit
1079a05d42
104
testssl.sh
104
testssl.sh
|
@ -595,8 +595,8 @@ pr_done_goodln() { pr_done_good "$1"; outln; }
|
||||||
pr_done_best() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # green (blue), This is the best
|
pr_done_best() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # green (blue), This is the best
|
||||||
pr_done_bestln() { pr_done_best "$1"; outln; }
|
pr_done_bestln() { pr_done_best "$1"; outln; }
|
||||||
|
|
||||||
pr_svrty_minor() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # yellow brown | academic or minor problem
|
pr_svrty_low() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # yellow brown | academic or minor problem
|
||||||
pr_svrty_minorln() { pr_svrty_minor "$1"; outln; }
|
pr_svrty_lowln() { pr_svrty_low "$1"; outln; }
|
||||||
pr_svrty_medium() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # brown | it is not a bad problem but you shouldn't do this
|
pr_svrty_medium() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # brown | it is not a bad problem but you shouldn't do this
|
||||||
pr_svrty_mediumln() { pr_svrty_medium "$1"; outln; }
|
pr_svrty_mediumln() { pr_svrty_medium "$1"; outln; }
|
||||||
|
|
||||||
|
@ -892,6 +892,14 @@ fileout() { # ID, SEVERITY, FINDING, CVE, CWE, HINT
|
||||||
|
|
||||||
###### helper function definitions ######
|
###### helper function definitions ######
|
||||||
|
|
||||||
|
if [[ $(uname) == "Linux" ]] ; then
|
||||||
|
toupper() { echo -n "${1^^}" ; }
|
||||||
|
tolower() { echo -n "${1,,}" ; }
|
||||||
|
else
|
||||||
|
toupper() { echo -n "$1" | tr 'a-z' 'A-Z'; }
|
||||||
|
tolower() { echo -n "$1" | tr 'A-Z' 'a-z' ; }
|
||||||
|
fi
|
||||||
|
|
||||||
debugme() {
|
debugme() {
|
||||||
[[ "$DEBUG" -ge 2 ]] && "$@"
|
[[ "$DEBUG" -ge 2 ]] && "$@"
|
||||||
return 0
|
return 0
|
||||||
|
@ -950,13 +958,17 @@ trim_trailing_space() {
|
||||||
echo "${1%%*( )}"
|
echo "${1%%*( )}"
|
||||||
}
|
}
|
||||||
|
|
||||||
if [[ $(uname) == "Linux" ]] ; then
|
# prints out multiple lines in $1, left aligned by spaces in $2
|
||||||
toupper() { echo -n "${1^^}" ; }
|
out_row_aligned() {
|
||||||
tolower() { echo -n "${1,,}" ; }
|
local first=true
|
||||||
else
|
|
||||||
toupper() { echo -n "$1" | tr 'a-z' 'A-Z'; }
|
echo "$1" | while read line; do
|
||||||
tolower() { echo -n "$1" | tr 'A-Z' 'a-z' ; }
|
"$first" && \
|
||||||
fi
|
first=false || \
|
||||||
|
out "$2"
|
||||||
|
outln "$line"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
is_number() {
|
is_number() {
|
||||||
[[ "$1" =~ ^[1-9][0-9]*$ ]] && \
|
[[ "$1" =~ ^[1-9][0-9]*$ ]] && \
|
||||||
|
@ -990,22 +1002,6 @@ is_ipv6addr() {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# prints out multiple lines in $1, left aligned by spaces in $2
|
|
||||||
out_row_aligned() {
|
|
||||||
local first=true
|
|
||||||
|
|
||||||
echo "$1" | while read line; do
|
|
||||||
if $first; then
|
|
||||||
first=false
|
|
||||||
else
|
|
||||||
out "$2"
|
|
||||||
fi
|
|
||||||
outln "$line"
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
tmpfile_handle() {
|
tmpfile_handle() {
|
||||||
mv $TMPFILE "$TEMPDIR/$NODEIP.$1" 2>/dev/null
|
mv $TMPFILE "$TEMPDIR/$NODEIP.$1" 2>/dev/null
|
||||||
[[ $ERRFILE =~ dev.null ]] && return 0 || \
|
[[ $ERRFILE =~ dev.null ]] && return 0 || \
|
||||||
|
@ -4589,7 +4585,7 @@ read_dhbits_from_file() {
|
||||||
elif [[ "$bits" -le 163 ]]; then
|
elif [[ "$bits" -le 163 ]]; then
|
||||||
pr_svrty_medium "$bits $add"
|
pr_svrty_medium "$bits $add"
|
||||||
elif [[ "$bits" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok
|
elif [[ "$bits" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok
|
||||||
pr_svrty_minor "$bits $add" # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416
|
pr_svrty_low "$bits $add" # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416
|
||||||
elif [[ "$bits" -le 224 ]]; then
|
elif [[ "$bits" -le 224 ]]; then
|
||||||
out "$bits $add"
|
out "$bits $add"
|
||||||
elif [[ "$bits" -gt 224 ]]; then
|
elif [[ "$bits" -gt 224 ]]; then
|
||||||
|
@ -4750,7 +4746,7 @@ run_server_preference() {
|
||||||
fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
||||||
;; # best ones
|
;; # best ones
|
||||||
ECDHE*AES*)
|
ECDHE*AES*)
|
||||||
pr_svrty_minor "$default_cipher"
|
pr_svrty_low "$default_cipher"
|
||||||
fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher"
|
fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher"
|
||||||
;; # it's CBC. --> lucky13
|
;; # it's CBC. --> lucky13
|
||||||
"")
|
"")
|
||||||
|
@ -5453,7 +5449,7 @@ get_server_certificate() {
|
||||||
local savedir
|
local savedir
|
||||||
local nrsaved
|
local nrsaved
|
||||||
|
|
||||||
$HAS_SPDY && [[ -z $STARTTLS ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\""
|
"$HAS_SPDY" && [[ -z $STARTTLS ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\""
|
||||||
|
|
||||||
if [[ -n "$2" ]]; then
|
if [[ -n "$2" ]]; then
|
||||||
protocols_to_try="$2"
|
protocols_to_try="$2"
|
||||||
|
@ -5525,6 +5521,7 @@ get_server_certificate() {
|
||||||
# check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS
|
# check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS
|
||||||
while read -d "\"" -r line; do
|
while read -d "\"" -r line; do
|
||||||
if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then
|
if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then
|
||||||
|
#FIXME: This is a string of quoted strings, so this seems to deterime the output format already. Better e.g. would be an array
|
||||||
TLS_EXTENSIONS+=" \"${line}\""
|
TLS_EXTENSIONS+=" \"${line}\""
|
||||||
fi
|
fi
|
||||||
done <<<$tls_extensions
|
done <<<$tls_extensions
|
||||||
|
@ -6224,7 +6221,7 @@ certificate_info() {
|
||||||
|
|
||||||
out "$indent"; pr_bold " OCSP stapling "
|
out "$indent"; pr_bold " OCSP stapling "
|
||||||
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
||||||
pr_svrty_minor "--"
|
pr_svrty_low "--"
|
||||||
fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered"
|
fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered"
|
||||||
else
|
else
|
||||||
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
||||||
|
@ -6251,7 +6248,7 @@ certificate_info() {
|
||||||
pr_done_good "OK"; out " (" ; pr_italic "$caa"; out ")"
|
pr_done_good "OK"; out " (" ; pr_italic "$caa"; out ")"
|
||||||
fileout "${json_prefix}CAA_record" "OK" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : offered"
|
fileout "${json_prefix}CAA_record" "OK" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : offered"
|
||||||
else
|
else
|
||||||
pr_svrty_minor "--"
|
pr_svrty_low "--"
|
||||||
fileout "${json_prefix}CAA_record" "LOW" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : not offered"
|
fileout "${json_prefix}CAA_record" "LOW" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : not offered"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -6411,6 +6408,7 @@ run_server_defaults() {
|
||||||
outln "(none)"
|
outln "(none)"
|
||||||
fileout "tls_extensions" "INFO" "TLS server extensions (std): (none)"
|
fileout "tls_extensions" "INFO" "TLS server extensions (std): (none)"
|
||||||
else
|
else
|
||||||
|
#FIXME: we rather want to have the chance to print each ext in italcs or another format. Atm is a string of quoted strings -- that needs to be fixed at the root
|
||||||
outln "$TLS_EXTENSIONS"
|
outln "$TLS_EXTENSIONS"
|
||||||
fileout "tls_extensions" "INFO" "TLS server extensions (std): $TLS_EXTENSIONS"
|
fileout "tls_extensions" "INFO" "TLS server extensions (std): $TLS_EXTENSIONS"
|
||||||
fi
|
fi
|
||||||
|
@ -6423,7 +6421,7 @@ run_server_defaults() {
|
||||||
lifetime=$(echo $sessticket_str | grep -a lifetime | sed 's/[A-Za-z:() ]//g')
|
lifetime=$(echo $sessticket_str | grep -a lifetime | sed 's/[A-Za-z:() ]//g')
|
||||||
unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g')
|
unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g')
|
||||||
out "$lifetime $unit "
|
out "$lifetime $unit "
|
||||||
pr_svrty_minorln "(PFS requires session ticket keys to be rotated <= daily)"
|
pr_svrty_lowln "(PFS requires session ticket keys to be rotated <= daily)"
|
||||||
fileout "session_ticket" "LOW" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)"
|
fileout "session_ticket" "LOW" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -6725,7 +6723,7 @@ run_pfs() {
|
||||||
if [[ "${bits[i]}" -le 163 ]]; then
|
if [[ "${bits[i]}" -le 163 ]]; then
|
||||||
curves_offered_text+="$(pr_svrty_medium "${curves_ossl[i]}") "
|
curves_offered_text+="$(pr_svrty_medium "${curves_ossl[i]}") "
|
||||||
elif [[ "${bits[i]}" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok
|
elif [[ "${bits[i]}" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok
|
||||||
curves_offered_text+="$(pr_svrty_minor "${curves_ossl[i]}") " # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416
|
curves_offered_text+="$(pr_svrty_low "${curves_ossl[i]}") " # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416
|
||||||
elif [[ "${bits[i]}" -le 224 ]]; then
|
elif [[ "${bits[i]}" -le 224 ]]; then
|
||||||
curves_offered_text+="${curves_ossl[i]} "
|
curves_offered_text+="${curves_ossl[i]} "
|
||||||
else
|
else
|
||||||
|
@ -9526,7 +9524,7 @@ run_sweet32() {
|
||||||
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
fi
|
fi
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_svrty_minor "VULNERABLE"; out ", uses 64 bit block ciphers"
|
pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers"
|
||||||
fileout "sweet32" "LOW" "SWEET32, uses 64 bit block ciphers" "$cve" "$cwe" "$hint"
|
fileout "sweet32" "LOW" "SWEET32, uses 64 bit block ciphers" "$cve" "$cwe" "$hint"
|
||||||
else
|
else
|
||||||
pr_done_best "not vulnerable (OK)";
|
pr_done_best "not vulnerable (OK)";
|
||||||
|
@ -9619,7 +9617,7 @@ run_tls_fallback_scsv() {
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
|
|
||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for TLS_FALLBACK_SCSV Protection " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for TLS_FALLBACK_SCSV Protection " && outln
|
||||||
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507), "
|
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507) "
|
||||||
# This isn't a vulnerability check per se, but checks for the existence of
|
# This isn't a vulnerability check per se, but checks for the existence of
|
||||||
# the countermeasure to protect against protocol downgrade attacks.
|
# the countermeasure to protect against protocol downgrade attacks.
|
||||||
|
|
||||||
|
@ -9656,9 +9654,12 @@ run_tls_fallback_scsv() {
|
||||||
fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported"
|
fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported"
|
||||||
ret=0
|
ret=0
|
||||||
elif grep -qa "alert handshake failure" "$TMPFILE"; then
|
elif grep -qa "alert handshake failure" "$TMPFILE"; then
|
||||||
|
pr_done_good "Probably OK. "
|
||||||
|
fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Probably oK"
|
||||||
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
|
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
|
||||||
pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\""
|
# other case reported by Nicolas was F5 and at costumer of mine: the same
|
||||||
fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely: warning)"
|
pr_svrty_medium "But received non-RFC-compliant \"handshake failure\" instead of \"inappropriate fallback\""
|
||||||
|
fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : But received non-RFC-compliant \"handshake failure\" instead of \"inappropriate fallback\""
|
||||||
ret=2
|
ret=2
|
||||||
elif grep -qa "ssl handshake failure" "$TMPFILE"; then
|
elif grep -qa "ssl handshake failure" "$TMPFILE"; then
|
||||||
pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\""
|
pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\""
|
||||||
|
@ -9921,19 +9922,19 @@ run_logjam() {
|
||||||
out "\n${spaces}"
|
out "\n${spaces}"
|
||||||
# now size matters -- i.e. the bit size ;-)
|
# now size matters -- i.e. the bit size ;-)
|
||||||
if [[ $len_dh_p -le 512 ]]; then
|
if [[ $len_dh_p -le 512 ]]; then
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok):"; out " common prime \"$comment\" detected ($len_dh_p bits)"
|
pr_svrty_critical "VULNERABLE (NOT ok):"; out " common prime "; pr_italic "$comment"; out " detected ($len_dh_p bits)"
|
||||||
fileout "LOGJAM_common primes" "CRITICAL" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "CRITICAL" "common prime \"$comment\" detected"
|
||||||
elif [[ $len_dh_p -le 1024 ]]; then
|
elif [[ $len_dh_p -le 1024 ]]; then
|
||||||
pr_svrty_high "VULNERABLE (NOT ok):"; out " common prime \"$comment\" detected ($len_dh_p bits)"
|
pr_svrty_high "VULNERABLE (NOT ok):"; out " common prime "; pr_italic "$comment"; out " detected ($len_dh_p bits)"
|
||||||
fileout "LOGJAM_common primes" "HIGH" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "HIGH" "common prime \"$comment\" detected"
|
||||||
elif [[ $len_dh_p -le 1536 ]]; then
|
elif [[ $len_dh_p -le 1536 ]]; then
|
||||||
pr_svrty_medium "common prime with $len_dh_p bits detected: \"$comment\""
|
pr_svrty_medium "common prime with $len_dh_p bits detected: "; pr_italic "$comment"
|
||||||
fileout "LOGJAM_common primes" "MEDIUM" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "MEDIUM" "common prime \"$comment\" detected"
|
||||||
elif [[ $len_dh_p -le 2048 ]]; then
|
elif [[ $len_dh_p -le 2048 ]]; then
|
||||||
pr_svrty_minor "common prime with $len_dh_p bits detected: \"$comment\""
|
pr_svrty_low "common prime with $len_dh_p bits detected: "; pr_italic "$comment"
|
||||||
fileout "LOGJAM_common primes" "LOW" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "LOW" "common prime \"$comment\" detected"
|
||||||
else
|
else
|
||||||
out "common prime with $len_dh_p bits detected: \"$comment\""
|
out "common prime with $len_dh_p bits detected: "; pr_italic "$comment"
|
||||||
fileout "LOGJAM_common primes" "INFO" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "INFO" "common prime \"$comment\" detected"
|
||||||
fi
|
fi
|
||||||
elif [[ $ret -eq 0 ]]; then
|
elif [[ $ret -eq 0 ]]; then
|
||||||
|
@ -9946,22 +9947,23 @@ run_logjam() {
|
||||||
if [[ $ret -eq 1 ]]; then
|
if [[ $ret -eq 1 ]]; then
|
||||||
# now size matters -- i.e. the bit size ;-)
|
# now size matters -- i.e. the bit size ;-)
|
||||||
if [[ $len_dh_p -le 512 ]]; then
|
if [[ $len_dh_p -le 512 ]]; then
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok):" ; out " uses common prime \"$comment\" ($len_dh_p bits)"
|
pr_svrty_critical "VULNERABLE (NOT ok):" ; out " uses common prime "; pr_italic "$comment"; out " ($len_dh_p bits)"
|
||||||
fileout "LOGJAM_common primes" "CRITICAL" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "CRITICAL" "common prime \"$comment\" detected"
|
||||||
elif [[ $len_dh_p -le 1024 ]]; then
|
elif [[ $len_dh_p -le 1024 ]]; then
|
||||||
pr_svrty_high "VULNERABLE (NOT ok):"; out " common prime \"$comment\" detected ($len_dh_p bits)"
|
pr_svrty_high "VULNERABLE (NOT ok):"; out " common prime "; pr_italic "$comment"; out " detected ($len_dh_p bits)"
|
||||||
fileout "LOGJAM_common primes" "HIGH" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "HIGH" "common prime \"$comment\" detected"
|
||||||
elif [[ $len_dh_p -le 1536 ]]; then
|
elif [[ $len_dh_p -le 1536 ]]; then
|
||||||
pr_svrty_medium "Common prime with $len_dh_p bits detected: \"$comment\""
|
pr_svrty_medium "Common prime with $len_dh_p bits detected: "; pr_italic "$comment"
|
||||||
fileout "LOGJAM_common primes" "MEDIUM" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "MEDIUM" "common prime \"$comment\" detected"
|
||||||
elif [[ $len_dh_p -le 2048 ]]; then
|
elif [[ $len_dh_p -le 2048 ]]; then
|
||||||
pr_svrty_minor "Common prime with $len_dh_p bits detected: \"$comment\""
|
pr_svrty_low "Common prime with $len_dh_p bits detected: "; pr_italic "$comment"
|
||||||
fileout "LOGJAM_common primes" "LOW" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "LOW" "common prime \"$comment\" detected"
|
||||||
else
|
else
|
||||||
out "Common prime with $len_dh_p bits detected: \"$comment\""
|
out "Common prime with $len_dh_p bits detected: "; pr_italic "$comment"
|
||||||
fileout "LOGJAM_common primes" "INFO" "common prime \"$comment\" detected"
|
fileout "LOGJAM_common primes" "INFO" "common prime \"$comment\" detected"
|
||||||
fi
|
fi
|
||||||
out ", but no DH EXPORT ciphers${addtl_warning}"
|
outln ","
|
||||||
|
out "${spaces}but no DH EXPORT ciphers${addtl_warning}"
|
||||||
fileout "logjam" "OK" "LOGJAM: not vulnerable, no DH EXPORT ciphers, $addtl_warning" "$cve" "$cwe"
|
fileout "logjam" "OK" "LOGJAM: not vulnerable, no DH EXPORT ciphers, $addtl_warning" "$cve" "$cwe"
|
||||||
elif [[ $ret -eq 3 ]]; then
|
elif [[ $ret -eq 3 ]]; then
|
||||||
pr_done_good "not vulnerable (OK):"; out " no DH EXPORT ciphers${addtl_warning}"
|
pr_done_good "not vulnerable (OK):"; out " no DH EXPORT ciphers${addtl_warning}"
|
||||||
|
@ -10253,7 +10255,7 @@ run_beast(){
|
||||||
if "$SHOW_EACH_C"; then
|
if "$SHOW_EACH_C"; then
|
||||||
if "${ciphers_found[i]}"; then
|
if "${ciphers_found[i]}"; then
|
||||||
if [[ -n "$higher_proto_supported" ]]; then
|
if [[ -n "$higher_proto_supported" ]]; then
|
||||||
pr_svrty_minor "available"
|
pr_svrty_low "available"
|
||||||
else
|
else
|
||||||
pr_svrty_medium "available"
|
pr_svrty_medium "available"
|
||||||
fi
|
fi
|
||||||
|
@ -10277,7 +10279,7 @@ run_beast(){
|
||||||
! "$first" && out "$spaces"
|
! "$first" && out "$spaces"
|
||||||
out "$(toupper $proto):"
|
out "$(toupper $proto):"
|
||||||
[[ -n "$higher_proto_supported" ]] && \
|
[[ -n "$higher_proto_supported" ]] && \
|
||||||
pr_svrty_minorln "$detected_cbc_ciphers" || \
|
pr_svrty_lowln "$detected_cbc_ciphers" || \
|
||||||
pr_svrty_mediumln "$detected_cbc_ciphers"
|
pr_svrty_mediumln "$detected_cbc_ciphers"
|
||||||
detected_cbc_ciphers="" # empty for next round
|
detected_cbc_ciphers="" # empty for next round
|
||||||
first=false
|
first=false
|
||||||
|
@ -10299,11 +10301,11 @@ run_beast(){
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln
|
outln
|
||||||
# NOT ok seems too harsh for me if we have TLS >1.0
|
# NOT ok seems too harsh for me if we have TLS >1.0
|
||||||
pr_svrty_minor "VULNERABLE"
|
pr_svrty_low "VULNERABLE"
|
||||||
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
else
|
else
|
||||||
out "$spaces"
|
out "$spaces"
|
||||||
pr_svrty_minor "VULNERABLE"
|
pr_svrty_low "VULNERABLE"
|
||||||
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
fi
|
fi
|
||||||
fileout "beast" "LOW" "BEAST: VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported" "$cve" "$cwe" "$hint"
|
fileout "beast" "LOW" "BEAST: VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported" "$cve" "$cwe" "$hint"
|
||||||
|
|
Loading…
Reference in New Issue