mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Merge pull request #560 from sdann/2.9dev
Add support for testing postgres protocol over TLS/SSL
This commit is contained in:
commit
156af69dc2
45
testssl.sh
45
testssl.sh
@ -226,6 +226,7 @@ HAS_SPDY=false
|
||||
HAS_FALLBACK_SCSV=false
|
||||
HAS_PROXY=false
|
||||
HAS_XMPP=false
|
||||
HAS_POSTGRES=false
|
||||
ADD_RFC_STR="rfc" # display RFC ciphernames
|
||||
PORT=443 # unless otherwise auto-determined, see below
|
||||
NODE=""
|
||||
@ -6227,6 +6228,16 @@ starttls_nntp_dialog() {
|
||||
return $ret
|
||||
}
|
||||
|
||||
starttls_postgres_dialog() {
|
||||
debugme echo "=== starting postgres STARTTLS dialog ==="
|
||||
local reINITTLS="\x00\x00\x00\x08\x04\xD2\x16\x2F"
|
||||
starttls_just_send "${reINITTLS}" && debugme echo "initiated STARTTLS" &&
|
||||
starttls_full_read '' '' 'S' && debugme echo "received ack for STARTTLS"
|
||||
local ret=$?
|
||||
debugme echo "=== finished postgres STARTTLS dialog with ${ret} ==="
|
||||
return $ret
|
||||
}
|
||||
|
||||
# arg for a fd doesn't work here
|
||||
fd_socket() {
|
||||
local jabber=""
|
||||
@ -6301,6 +6312,9 @@ EOF
|
||||
starttls_line "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" "proceed"
|
||||
# BTW: https://xmpp.net !
|
||||
;;
|
||||
postgres|postgress) # Postgres SQL, see http://www.postgresql.org/docs/devel/static/protocol-message-formats.html
|
||||
starttls_postgres_dialog
|
||||
;;
|
||||
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
|
||||
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not yet supported" -4
|
||||
esac
|
||||
@ -9315,6 +9329,7 @@ test_openssl_suffix() {
|
||||
|
||||
find_openssl_binary() {
|
||||
local s_client_has=$TEMPDIR/s_client_has.txt
|
||||
local s_client_starttls_has=$TEMPDIR/s_client_starttls_has.txt
|
||||
|
||||
# 0. check environment variable whether it's executable
|
||||
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
|
||||
@ -9371,6 +9386,8 @@ find_openssl_binary() {
|
||||
|
||||
$OPENSSL s_client -help 2>$s_client_has
|
||||
|
||||
$OPENSSL s_client -starttls foo 2>$s_client_starttls_has
|
||||
|
||||
grep -qw '\-alpn' $s_client_has && \
|
||||
HAS_ALPN=true
|
||||
|
||||
@ -9386,6 +9403,9 @@ find_openssl_binary() {
|
||||
grep -q '\-xmpp' $s_client_has && \
|
||||
HAS_XMPP=true
|
||||
|
||||
grep -q 'postgres' $s_client_starttls_has && \
|
||||
HAS_POSTGRES=true
|
||||
|
||||
if [[ "$OPENSSL_TIMEOUT" != "" ]]; then
|
||||
if which timeout >&2 2>/dev/null ; then
|
||||
# there are different "timeout". Check whether --preserve-status is supported
|
||||
@ -9467,7 +9487,7 @@ help() {
|
||||
"$PROG_NAME <options> URI", where <options> is:
|
||||
|
||||
-t, --starttls <protocol> does a default run against a STARTTLS enabled <protocol,
|
||||
protocol is <ftp|smtp|pop3|imap|xmpp|telnet|ldap> (latter two require supplied openssl)
|
||||
protocol is <ftp|smtp|pop3|imap|xmpp|telnet|ldap|postgres> (latter three require supplied openssl)
|
||||
--xmpphost <to_domain> for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
|
||||
--mx <domain/host> tests MX records from high to low priority (STARTTLS, port 25)
|
||||
--file <fname> mass testing option: Reads command lines from <fname>, one line per instance.
|
||||
@ -9600,6 +9620,7 @@ HAS_ALPN: $HAS_ALPN
|
||||
HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
|
||||
HAS_PROXY: $HAS_PROXY
|
||||
HAS_XMPP: $HAS_XMPP
|
||||
HAS_POSTGRES: $HAS_POSTGRES
|
||||
|
||||
PATH: $PATH
|
||||
PROG_NAME: $PROG_NAME
|
||||
@ -10230,7 +10251,7 @@ determine_optimal_proto() {
|
||||
}
|
||||
|
||||
|
||||
# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap (maybe with trailing s)
|
||||
# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap, postgres (maybe with trailing s)
|
||||
determine_service() {
|
||||
local ua
|
||||
local protocol
|
||||
@ -10257,9 +10278,13 @@ determine_service() {
|
||||
service_detection $OPTIMAL_PROTO
|
||||
else
|
||||
# STARTTLS
|
||||
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
|
||||
if [[ "$1" == postgres ]]; then
|
||||
protocol="postgres"
|
||||
else
|
||||
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
|
||||
fi
|
||||
case "$protocol" in
|
||||
ftp|smtp|pop3|imap|xmpp|telnet|ldap)
|
||||
ftp|smtp|pop3|imap|xmpp|telnet|ldap|postgres)
|
||||
STARTTLS="-starttls $protocol"
|
||||
SNI=""
|
||||
if [[ "$protocol" == xmpp ]]; then
|
||||
@ -10273,6 +10298,12 @@ determine_service() {
|
||||
# see http://xmpp.org/rfcs/rfc3920.html
|
||||
fi
|
||||
fi
|
||||
if [[ "$protocol" == postgres ]]; then
|
||||
# Check if openssl version supports postgres.
|
||||
if ! "$HAS_POSTGRES"; then
|
||||
fatal "Your $OPENSSL does not support the \"-starttls postgres\" option" -5
|
||||
fi
|
||||
fi
|
||||
$OPENSSL s_client -connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS 2>$ERRFILE >$TMPFILE </dev/null
|
||||
if [[ $? -ne 0 ]]; then
|
||||
debugme cat $TMPFILE
|
||||
@ -10286,7 +10317,7 @@ determine_service() {
|
||||
outln
|
||||
;;
|
||||
*) outln
|
||||
fatal "momentarily only ftp, smtp, pop3, imap, xmpp, telnet and ldap allowed" -4
|
||||
fatal "momentarily only ftp, smtp, pop3, imap, xmpp, telnet, ldap and postgres allowed" -4
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@ -10598,8 +10629,8 @@ parse_cmd_line() {
|
||||
STARTTLS_PROTOCOL=$(parse_opt_equal_sign "$1" "$2")
|
||||
[[ $? -eq 0 ]] && shift
|
||||
case $STARTTLS_PROTOCOL in
|
||||
ftp|smtp|pop3|imap|xmpp|telnet|ldap|nntp) ;;
|
||||
ftps|smtps|pop3s|imaps|xmpps|telnets|ldaps|nntps) ;;
|
||||
ftp|smtp|pop3|imap|xmpp|telnet|ldap|nntp|postgres) ;;
|
||||
ftps|smtps|pop3s|imaps|xmpps|telnets|ldaps|nntps|postgress) ;;
|
||||
*) pr_magentaln "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2
|
||||
help 1 ;;
|
||||
esac
|
||||
|
Loading…
Reference in New Issue
Block a user