From 9981d768799342585d336a0c37f0eec659a3ff6c Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 25 Dec 2017 17:42:27 +0100 Subject: [PATCH 1/5] Move target host + port to different JSON (pretty) object For JSON pretty the host specific parameters target host + port could be better placed in the scanResult object. It is still under discussion as logically the parent object is deduced the command line. --- testssl.sh | 31 ++++++++----------------------- 1 file changed, 8 insertions(+), 23 deletions(-) diff --git a/testssl.sh b/testssl.sh index 10b91e6..01e2261 100755 --- a/testssl.sh +++ b/testssl.sh @@ -720,19 +720,13 @@ fileout_json_finding() { if [[ $SERVER_COUNTER -gt 1 ]]; then echo " ," >> "$JSONFILE" fi - if "$CHILD_MASS_TESTING" && ! "$JSONHEADER"; then - target="$NODE" - $do_mx_all_ips && target="$URI" - echo -e " { + target="$NODE" + $do_mx_all_ips && target="$URI" + echo -e " { \"target host\" : \"$target\", + \"ip\" : \"$NODEIP\", \"port\" : \"$PORT\", - \"service\" : \"$finding\", - \"ip\" : \"$NODEIP\"," >> "$JSONFILE" - else - echo -e " { - \"service\" : \"$finding\", - \"ip\" : \"$NODEIP\"," >> "$JSONFILE" - fi + \"service\" : \"$finding\"," >> "$JSONFILE" $do_mx_all_ips && echo -e " \"hostname\" : \"$NODE\"," >> "$JSONFILE" else ("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE" @@ -753,28 +747,19 @@ fileout_json_finding() { fileout_pretty_json_banner() { local target - if "$do_mass_testing"; then - echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\", - \"at\" : \"$HNAME:$OPENSSL_LOCATION\", - \"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\", - \"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\", - \"startTime\" : \"$START_TIME\", - \"scanResult\" : [" - else + if ! "$do_mass_testing"; then [[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place target="$NODE" $do_mx_all_ips && target="$URI" + fi - echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\", + echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\", \"at\" : \"$HNAME:$OPENSSL_LOCATION\", \"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\", \"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\", - \"target host\" : \"$target\", - \"port\" : \"$PORT\", \"startTime\" : \"$START_TIME\", \"scanResult\" : [" - fi } fileout_banner() { From c4c8ff443476926452c4981df3cf817ce4f04b5b Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 29 Dec 2017 23:14:14 +0100 Subject: [PATCH 2/5] fix needed answer "YES" in protocol section --- testssl.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index ef6e697..be44b43 100755 --- a/testssl.sh +++ b/testssl.sh @@ -14591,7 +14591,15 @@ ignore_no_or_lame() { [[ "$WARNINGS" == batch ]] && return 1 tm_warning "$1 --> " read a - if [[ "$a" == "$(tolower "$2")" ]]; then + if [[ "$2" == "$(toupper "$2")" ]]; then + # all uppercase requested + if [[ "$a" == "$2" ]]; then + return 0 + else + return 1 + fi + elif [[ "$2" == "$(tolower "$a")" ]]; then + # we normalize the word to continue return 0 else return 1 From 75e9add0f1a090480b9857154c024a06c30c90cb Mon Sep 17 00:00:00 2001 From: Dirk Date: Sun, 31 Dec 2017 09:12:16 +0100 Subject: [PATCH 3/5] make ID for session_resumption_id common (allo lowercase) --- testssl.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index be44b43..f5b2cb9 100755 --- a/testssl.sh +++ b/testssl.sh @@ -7213,11 +7213,11 @@ run_server_defaults() { 2) SESS_RESUMPTION[1]="ID=clientauth" [[ ${SESS_RESUMPTION[2]} =~ clientauth ]] || pr_warning "Client Auth: " prln_warning "ID resumption resumption test not supported" - fileout "session_resumption_ID" "WARN" "resumption test via Session ID couldn't be performed because client authentication is missing" + fileout "session_resumption_id" "WARN" "resumption test via Session ID couldn't be performed because client authentication is missing" ;; 7) SESS_RESUMPTION[1]="ID=noclue" prln_warning "ID resumption test failed, pls report" - fileout "session_resumption_ID" "WARN" "resumption test via Session ID failed, pls report" + fileout "session_resumption_id" "WARN" "resumption test via Session ID failed, pls report" ;; esac fi From 0964cbc5d35bcb98591cf982249d6c22037c94d6 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sun, 31 Dec 2017 11:49:25 +0100 Subject: [PATCH 4/5] OpenSSL 1.1.1 seems to have changed the behaviour regarding Session ID support. If the server doesn't supply an session identifier the file is just empty. This commit fixes that by adding a separate case for OpenSSL 1.1.1 and an empty file. It is deliberately only changing this as this was tested to work. It is prelimary and a save-the-work-patch as it might be better to catch this earlier. --- testssl.sh | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/testssl.sh b/testssl.sh index f5b2cb9..8da140c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5018,7 +5018,7 @@ read_dhbits_from_file() { # arg1: ID or empty. if empty resumption by ticket will be tested -# return: 0: it has resumption, 1:nope, 2: can't tell +# return: 0: it has resumption, 1:nope, 2: nope (OpenSSL 1.1.1), 6: CLIENT_AUTH --> problem for resumption, 7: can't tell sub_session_resumption() { local ret ret1 ret2 local tmpfile=$(mktemp $TEMPDIR/session_resumption.$NODEIP.XXXXXX) @@ -5032,7 +5032,7 @@ sub_session_resumption() { local byID=false local addcmd="" fi - "$CLIENT_AUTH" && return 2 + "$CLIENT_AUTH" && return 3 "$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO" $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") /dev/null @@ -5040,7 +5040,7 @@ sub_session_resumption() { $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") $tmpfile 2>$ERRFILE ret2=$? debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]" - # now get the line and compare the numbers read" and "writen" as a second criteria. + # now get the line and compare the numbers read" and "written" as a second criteria. rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )" rw_line=($rw_line) if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then @@ -5057,6 +5057,10 @@ sub_session_resumption() { elif ! "$new_sid2" && ! "$new_sid"; then debugme echo -n "Session resumption " ret=0 + elif "$byID" && [[ $OSSL_VER_MINOR == "1.1" ]] && [[ $OSSL_VER_MAJOR == "1" ]] && [[ ! -s "$sess_data" ]]; then + # it seems OpenSSL indicates no Session ID resumption by just not generating ouput + debugme echo -n "No session resumption (empty file) " + ret=2 else debugme echo -n "unclear status: $ret1, $ret2, $new_sid, $new_sid2 -- " ret=7 @@ -7185,7 +7189,7 @@ run_server_defaults() { out "Tickets no, " fileout "session_resumption_ticket" "INFO" "Session resumption via Session Tickets is not supported" ;; - 2) SESS_RESUMPTION[2]="ticket=clientauth" + 6) SESS_RESUMPTION[2]="ticket=clientauth" pr_warning "Client Auth: Ticket resumption test not supported / " fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets couldn't be performed because client authentication is missing" ;; @@ -7206,11 +7210,11 @@ run_server_defaults() { outln "ID: yes" fileout "session_resumption_id" "INFO" "Session resumption via Session ID supported" ;; - 1) SESS_RESUMPTION[1]="ID=no" + 1|2) SESS_RESUMPTION[1]="ID=no" outln "ID: no" fileout "session_resumption_id" "INFO" "Session resumption via Session ID is not supported" ;; - 2) SESS_RESUMPTION[1]="ID=clientauth" + 6) SESS_RESUMPTION[1]="ID=clientauth" [[ ${SESS_RESUMPTION[2]} =~ clientauth ]] || pr_warning "Client Auth: " prln_warning "ID resumption resumption test not supported" fileout "session_resumption_id" "WARN" "resumption test via Session ID couldn't be performed because client authentication is missing" From a3b4609d24b3ccc910d27bbe15e84aea4735ed32 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sun, 31 Dec 2017 21:10:41 +0100 Subject: [PATCH 5/5] make 0964cbc5d35bcb98591cf982249d6c22037c94d6 easier in execution (session resumption) --- testssl.sh | 57 +++++++++++++++++++++++++++--------------------------- 1 file changed, 29 insertions(+), 28 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8da140c..dfb1e56 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5037,38 +5037,39 @@ sub_session_resumption() { $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") /dev/null ret1=$? - $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") $tmpfile 2>$ERRFILE - ret2=$? - debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]" - # now get the line and compare the numbers read" and "written" as a second criteria. - rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )" - rw_line=($rw_line) - if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then - new_sid2=true - else - new_sid2=false - fi - debugme echo "${rw_line[0]}, ${rw_line[1]}" - # grep -aq "^New" "$tmpfile" && new_sid=true || new_sid=false - grep -aq "^Reused" "$tmpfile" && new_sid=false || new_sid=true - if "$new_sid2" && "$new_sid"; then - debugme echo -n "No session resumption " - ret=1 - elif ! "$new_sid2" && ! "$new_sid"; then - debugme echo -n "Session resumption " - ret=0 - elif "$byID" && [[ $OSSL_VER_MINOR == "1.1" ]] && [[ $OSSL_VER_MAJOR == "1" ]] && [[ ! -s "$sess_data" ]]; then + if "$byID" && [[ $OSSL_VER_MINOR == "1.1" ]] && [[ $OSSL_VER_MAJOR == "1" ]] && [[ ! -s "$sess_data" ]]; then # it seems OpenSSL indicates no Session ID resumption by just not generating ouput - debugme echo -n "No session resumption (empty file) " + debugme echo -n "No session resumption byID (empty file)" ret=2 else - debugme echo -n "unclear status: $ret1, $ret2, $new_sid, $new_sid2 -- " - ret=7 + $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") $tmpfile 2>$ERRFILE + ret2=$? + debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]" + # now get the line and compare the numbers read" and "written" as a second criteria. + rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )" + rw_line=($rw_line) + if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then + new_sid2=true + else + new_sid2=false + fi + debugme echo "${rw_line[0]}, ${rw_line[1]}" + # grep -aq "^New" "$tmpfile" && new_sid=true || new_sid=false + grep -aq "^Reused" "$tmpfile" && new_sid=false || new_sid=true + if "$new_sid2" && "$new_sid"; then + debugme echo -n "No session resumption " + ret=1 + elif ! "$new_sid2" && ! "$new_sid"; then + debugme echo -n "Session resumption " + ret=0 + else + debugme echo -n "unclear status: $ret1, $ret2, $new_sid, $new_sid2 -- " + ret=7 + fi + if [[ $DEBUG -ge 2 ]]; then + "$byID" && echo "byID" || echo "by ticket" + fi fi - if [[ $DEBUG -ge 2 ]]; then - "$byID" && echo "byID" || echo "by ticket" - fi - "$byID" && \ tmpfile_handle $FUNCNAME.byID.log $tmpfile || \ tmpfile_handle $FUNCNAME.byticket.log $tmpfile