mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-09 18:20:59 +01:00
first prototype BEAST | FIX: maketempf in initialize_engine | FIX: exit statements in main w/ more meaning/shorter
This commit is contained in:
parent
d129531371
commit
10ea361b9c
79
testssl.sh
79
testssl.sh
@ -913,7 +913,7 @@ server_preference() {
|
|||||||
|
|
||||||
out " Has server cipher order? "
|
out " Has server cipher order? "
|
||||||
if [[ "$cipher1" != "$cipher2" ]]; then
|
if [[ "$cipher1" != "$cipher2" ]]; then
|
||||||
red "nope (NOT ok)"
|
litered "nope (NOT ok)"
|
||||||
remark4default_cipher=" (limited sense as client will pick)"
|
remark4default_cipher=" (limited sense as client will pick)"
|
||||||
else
|
else
|
||||||
green "yes (OK)"
|
green "yes (OK)"
|
||||||
@ -1683,11 +1683,40 @@ crime() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Browser Exploit Against SSL/TLS
|
||||||
beast(){
|
beast(){
|
||||||
#FIXME: to do
|
local cbc_ciphers
|
||||||
#in a nutshell: don't use CBC Ciphers in TLSv1.0
|
local detected_proto
|
||||||
# need to provide a list with bad ciphers. Not sure though whether
|
local detected_cbc
|
||||||
# it can be fixed in the OpenSSL/NSS/whatsover stack
|
local higher_proto_supported=""
|
||||||
|
#in a nutshell: don't use CBC Ciphers in SSLv3 TLSv1.0
|
||||||
|
#
|
||||||
|
bold " BEAST"; out " (CVE-2011-3389) "
|
||||||
|
|
||||||
|
# 1) support for TLS 1.1+1.2?
|
||||||
|
for proto in tls1_1 tls1_2; do
|
||||||
|
$OPENSSL s_client -state -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null >$TMPFILE </dev/null
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
higher_proto_supported="$higher_proto_supported ""$(grep -w "Protocol" $TMPFILE | sed -e 's/^.*Protocol .*://' -e 's/ //g')"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
[ ! -z "$higher_proto_supported" ] && outln "supports also higher protocols: $higher_proto_supported"
|
||||||
|
|
||||||
|
# 2) test handfull of common CBC ciphers
|
||||||
|
cbc_ciphers=`$OPENSSL ciphers 'ALL:eNULL' | grep CBC`
|
||||||
|
for proto in ssl3 tls1; do
|
||||||
|
$OPENSSL s_client -cipher "$cbc_ciphers" -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI >$TMPFILE 2>/dev/null </dev/null
|
||||||
|
ret=$?
|
||||||
|
if [ $ret -ne 0 ] && [ "$SHOW_EACH_C" -eq 0 ]; then
|
||||||
|
continue # no successful connect AND not verbose displaying each cipher
|
||||||
|
else
|
||||||
|
detected_cbc_cipher=`grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g'`
|
||||||
|
echo "$proto: $detected_cbc_cipher"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
printf "For a full individual test of each CBC cipher suites support by your $OPENSSL run \"$0 -x CBC $NODE\"\n"
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1910,6 +1939,7 @@ initialize_engine(){
|
|||||||
if [ ! -z "$OPENSSL_CONF" ]; then
|
if [ ! -z "$OPENSSL_CONF" ]; then
|
||||||
litemagenta "For now I am providing the config file in to have GOST support"; outln
|
litemagenta "For now I am providing the config file in to have GOST support"; outln
|
||||||
else
|
else
|
||||||
|
[ -z "$TEMPDIR" ] && maketempf
|
||||||
OPENSSL_CONF=$TEMPDIR/gost.conf || exit 6
|
OPENSSL_CONF=$TEMPDIR/gost.conf || exit 6
|
||||||
# see https://www.mail-archive.com/openssl-users@openssl.org/msg65395.html
|
# see https://www.mail-archive.com/openssl-users@openssl.org/msg65395.html
|
||||||
cat >$OPENSSL_CONF << EOF
|
cat >$OPENSSL_CONF << EOF
|
||||||
@ -2118,26 +2148,22 @@ case "$1" in
|
|||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$3"
|
parse_hn_port "$3"
|
||||||
test_just_one $2
|
test_just_one $2
|
||||||
ret=$?
|
exit $? ;;
|
||||||
exit $ret ;;
|
|
||||||
-t|--starttls)
|
-t|--starttls)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$3" "$2" # here comes protocol to signal starttls and hostname:port
|
parse_hn_port "$3" "$2" # here comes protocol to signal starttls and hostname:port
|
||||||
starttls "$2" # protocol
|
starttls "$2" # protocol
|
||||||
ret=$?
|
exit $? ;;
|
||||||
exit $ret ;;
|
|
||||||
-e|--each-cipher)
|
-e|--each-cipher)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
allciphers
|
allciphers
|
||||||
ret=$?
|
exit $? ;;
|
||||||
exit $ret ;;
|
|
||||||
-E|-ee|--cipher-per-proto)
|
-E|-ee|--cipher-per-proto)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
cipher_per_proto
|
cipher_per_proto
|
||||||
ret=$?
|
exit $? ;;
|
||||||
exit $ret ;;
|
|
||||||
-p|--protocols)
|
-p|--protocols)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
@ -2148,53 +2174,45 @@ case "$1" in
|
|||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
run_std_cipherlists
|
run_std_cipherlists
|
||||||
ret=$?
|
exit $? ;;
|
||||||
exit $ret ;;
|
|
||||||
-S|--server_defaults)
|
-S|--server_defaults)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
server_defaults
|
server_defaults
|
||||||
ret=$?
|
exit $? ;;
|
||||||
exit $ret ;;
|
|
||||||
-P|--server_preference)
|
-P|--server_preference)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
server_preference
|
server_preference
|
||||||
ret=$?
|
exit $? ;;
|
||||||
exit $ret ;;
|
|
||||||
-y|--spdy|--google)
|
-y|--spdy|--google)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
spdy
|
spdy
|
||||||
ret=$?
|
|
||||||
exit $? ;;
|
exit $? ;;
|
||||||
-B|--heartbleet)
|
-B|--heartbleet)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
outln; blue "--> Testing for heartbleed vulnerability"; outln "\n"
|
outln; blue "--> Testing for heartbleed vulnerability"; outln "\n"
|
||||||
heartbleed
|
heartbleed
|
||||||
ret=$?
|
|
||||||
exit $? ;;
|
exit $? ;;
|
||||||
-I|--ccs|--ccs_injection)
|
-I|--ccs|--ccs_injection)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
outln; blue "--> Testing for CCS injection vulnerability"; outln "\n"
|
outln; blue "--> Testing for CCS injection vulnerability"; outln "\n"
|
||||||
ccs_injection
|
ccs_injection
|
||||||
ret=$?
|
|
||||||
exit $? ;;
|
exit $? ;;
|
||||||
-R|--renegotiation)
|
-R|--renegotiation)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
outln; blue "--> Testing for Renegotiation vulnerability"; outln "\n"
|
outln; blue "--> Testing for Renegotiation vulnerability"; outln "\n"
|
||||||
renego
|
renego
|
||||||
ret=$?
|
|
||||||
exit $? ;;
|
exit $? ;;
|
||||||
-C|--compression|--crime)
|
-C|--compression|--crime)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
outln; blue "--> Testing for CRIME vulnerability"; outln "\n"
|
outln; blue "--> Testing for CRIME vulnerability"; outln "\n"
|
||||||
crime
|
crime
|
||||||
ret=$?
|
|
||||||
exit $? ;;
|
exit $? ;;
|
||||||
-T|--breach)
|
-T|--breach)
|
||||||
maketempf
|
maketempf
|
||||||
@ -2214,21 +2232,22 @@ case "$1" in
|
|||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
outln; blue "--> Testing for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability"; outln "\n"
|
outln; blue "--> Testing for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability"; outln "\n"
|
||||||
poodle
|
poodle
|
||||||
ret=$?
|
exit $? ;;
|
||||||
ret=`expr $? + $ret`
|
|
||||||
exit $ret ;;
|
|
||||||
-4|--rc4|--appelbaum)
|
-4|--rc4|--appelbaum)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
rc4
|
rc4
|
||||||
ret=$?
|
|
||||||
exit $? ;;
|
exit $? ;;
|
||||||
-s|--pfs|--fs|--nsa)
|
-s|--pfs|--fs|--nsa)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
pfs
|
pfs
|
||||||
ret=$?
|
exit $? ;;
|
||||||
exit $ret ;;
|
-q|--beast)
|
||||||
|
maketempf
|
||||||
|
parse_hn_port "$2"
|
||||||
|
beast
|
||||||
|
exit $? ;;
|
||||||
-H|--header|--headers)
|
-H|--header|--headers)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
|
Loading…
Reference in New Issue
Block a user