Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #920 from dcooper16/client_auth_and_assume_http

Browse Source 
HTTP-related checks and certificate based client authentication
This commit is contained in:
Dirk Wetter 2017-12-01 21:19:23 +01:00 committed by GitHub
commit 137f2fa3c3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
testssl.sh
View File

@ -3945,14 +3945,14 @@ run_client_simulation() {
if [[ $SERVICE != "" ]]; then if [[ $SERVICE != "" ]]; then
client_service="$SERVICE" client_service="$SERVICE"
else elif [[ -n "$STARTTLS_PROTOCOL" ]]; then
# Can we take the service from STARTTLS? # Can we take the service from STARTTLS?
if [[ -n "$STARTTLS_PROTOCOL" ]]; then client_service=$(toupper "${STARTTLS_PROTOCOL%s}") # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
client_service=$(toupper "${STARTTLS_PROTOCOL%s}") # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc elif "$ASSUME_HTTP"; then
else client_service="HTTP"
outln "Could not determine the protocol, only simulating generic clients." else
client_service="undetermined" outln "Could not determine the protocol, only simulating generic clients."
fi client_service="undetermined"
fi fi
outln outln
@ -6237,7 +6237,7 @@ certificate_transparency() {
fi fi
fi fi
if [[ $SERVICE != "HTTP" ]]; then if [[ $SERVICE != "HTTP" ]] && ! "$CLIENT_AUTH"; then
# At the moment Certificate Transparency only applies to HTTPS. # At the moment Certificate Transparency only applies to HTTPS.
tm_out "N/A" tm_out "N/A"
else else
@ -6299,7 +6299,7 @@ certificate_info() {
case $cert_sig_algo in case $cert_sig_algo in
sha1WithRSAEncryption) sha1WithRSAEncryption)
pr_svrty_medium "SHA1 with RSA" pr_svrty_medium "SHA1 with RSA"
if [[ "$SERVICE" == HTTP ]]; then if [[ "$SERVICE" == HTTP ]] || "$ASSUME_HTTP"; then
out " -- besides: users will receive a "; pr_svrty_high "strong browser WARNING" out " -- besides: users will receive a "; pr_svrty_high "strong browser WARNING"
fi fi
outln outln
@ -6547,7 +6547,7 @@ certificate_info() {
prln_italic "$(out_row_aligned_max_width "$all_san" "$indent " $TERM_WIDTH)" prln_italic "$(out_row_aligned_max_width "$all_san" "$indent " $TERM_WIDTH)"
fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $all_san" fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $all_san"
else else
if [[ $SERVICE == "HTTP" ]]; then if [[ $SERVICE == "HTTP" ]] || "$ASSUME_HTTP"; then
pr_svrty_high "missing (NOT ok)"; outln " -- Browsers are complaining" pr_svrty_high "missing (NOT ok)"; outln " -- Browsers are complaining"
fileout "${json_prefix}san" "HIGH" "subjectAltName (SAN) : -- Browsers are complaining" fileout "${json_prefix}san" "HIGH" "subjectAltName (SAN) : -- Browsers are complaining"
else else
@ -6639,7 +6639,7 @@ certificate_info() {
pr_svrty_high "$trustfinding" pr_svrty_high "$trustfinding"
trust_sni_finding="HIGH" trust_sni_finding="HIGH"
elif ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then elif ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then
if [[ $SERVICE == "HTTP" ]]; then if [[ $SERVICE == "HTTP" ]] || "$ASSUME_HTTP"; then
# https://bugs.chromium.org/p/chromium/issues/detail?id=308330 # https://bugs.chromium.org/p/chromium/issues/detail?id=308330
# https://bugzilla.mozilla.org/show_bug.cgi?id=1245280 # https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
# https://www.chromestatus.com/feature/4981025180483584 # https://www.chromestatus.com/feature/4981025180483584
@ -6704,7 +6704,7 @@ certificate_info() {
fi fi
if [[ -n "$sni_used" ]] || [[ $trust_nosni -eq 0 ]] || ( [[ $trust_nosni -ne 4 ]] && [[ $trust_nosni -ne 8 ]] ); then if [[ -n "$sni_used" ]] || [[ $trust_nosni -eq 0 ]] || ( [[ $trust_nosni -ne 4 ]] && [[ $trust_nosni -ne 8 ]] ); then
outln "$trustfinding_nosni" outln "$trustfinding_nosni"
elif [[ $SERVICE == "HTTP" ]]; then elif [[ $SERVICE == "HTTP" ]] || "$ASSUME_HTTP"; then
prln_svrty_high "$trustfinding_nosni" prln_svrty_high "$trustfinding_nosni"
else else
prln_svrty_medium "$trustfinding_nosni" prln_svrty_medium "$trustfinding_nosni"
@ -11096,7 +11096,7 @@ run_crime() {
fi fi
ret=0 ret=0
else else
if [[ $SERVICE == "HTTP" ]]; then if [[ $SERVICE == "HTTP" ]] || "$CLIENT_AUTH"; then
pr_svrty_high "VULNERABLE (NOT ok)" pr_svrty_high "VULNERABLE (NOT ok)"
fileout "crime" "HIGH" "CRIME, TLS: VULNERABLE" "$cve" "$cwe" "$hint" fileout "crime" "HIGH" "CRIME, TLS: VULNERABLE" "$cve" "$cwe" "$hint"
else else