Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev

This commit is contained in:
Dirk 2018-01-03 21:43:38 +01:00
commit 16de7fa1b7


@ -720,19 +720,13 @@ fileout_json_finding() {
if [[ $SERVER_COUNTER -gt 1 ]]; then if [[ $SERVER_COUNTER -gt 1 ]]; then
echo " ," >> "$JSONFILE" echo " ," >> "$JSONFILE"
fi fi
if "$CHILD_MASS_TESTING" && ! "$JSONHEADER"; then
target="$NODE" target="$NODE"
$do_mx_all_ips && target="$URI" $do_mx_all_ips && target="$URI"
echo -e " { echo -e " {
\"target host\" : \"$target\", \"target host\" : \"$target\",
\"ip\" : \"$NODEIP\",
\"port\" : \"$PORT\", \"port\" : \"$PORT\",
\"service\" : \"$finding\", \"service\" : \"$finding\"," >> "$JSONFILE"
\"ip\" : \"$NODEIP\"," >> "$JSONFILE"
else
echo -e " {
\"service\" : \"$finding\",
\"ip\" : \"$NODEIP\"," >> "$JSONFILE"
fi
$do_mx_all_ips && echo -e " \"hostname\" : \"$NODE\"," >> "$JSONFILE" $do_mx_all_ips && echo -e " \"hostname\" : \"$NODE\"," >> "$JSONFILE"
else else
("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE" ("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE"
@ -753,28 +747,19 @@ fileout_json_finding() {
fileout_pretty_json_banner() { fileout_pretty_json_banner() {
local target local target
if "$do_mass_testing"; then if ! "$do_mass_testing"; then
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
\"at\" : \"$HNAME:$OPENSSL_LOCATION\",
\"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
\"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\",
\"startTime\" : \"$START_TIME\",
\"scanResult\" : ["
else
[[ -z "$NODE" ]] && parse_hn_port "${URI}" [[ -z "$NODE" ]] && parse_hn_port "${URI}"
# NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place
target="$NODE" target="$NODE"
$do_mx_all_ips && target="$URI" $do_mx_all_ips && target="$URI"
fi
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\", echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
\"at\" : \"$HNAME:$OPENSSL_LOCATION\", \"at\" : \"$HNAME:$OPENSSL_LOCATION\",
\"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\", \"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
\"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\", \"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\",
\"target host\" : \"$target\",
\"port\" : \"$PORT\",
\"startTime\" : \"$START_TIME\", \"startTime\" : \"$START_TIME\",
\"scanResult\" : [" \"scanResult\" : ["
fi
} }
fileout_banner() { fileout_banner() {
@ -5033,7 +5018,7 @@ read_dhbits_from_file() {
# arg1: ID or empty. if empty resumption by ticket will be tested # arg1: ID or empty. if empty resumption by ticket will be tested
# return: 0: it has resumption, 1:nope, 2: can't tell # return: 0: it has resumption, 1:nope, 2: nope (OpenSSL 1.1.1), 6: CLIENT_AUTH --> problem for resumption, 7: can't tell
sub_session_resumption() { sub_session_resumption() {
local ret ret1 ret2 local ret ret1 ret2
local tmpfile=$(mktemp $TEMPDIR/session_resumption.$NODEIP.XXXXXX) local tmpfile=$(mktemp $TEMPDIR/session_resumption.$NODEIP.XXXXXX)
@ -5047,15 +5032,20 @@ sub_session_resumption() {
local byID=false local byID=false
local addcmd="" local addcmd=""
fi fi
"$CLIENT_AUTH" && return 2 "$CLIENT_AUTH" && return 3
"$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO" "$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO"
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
ret1=$? ret1=$?
if "$byID" && [[ $OSSL_VER_MINOR == "1.1" ]] && [[ $OSSL_VER_MAJOR == "1" ]] && [[ ! -s "$sess_data" ]]; then
# it seems OpenSSL indicates no Session ID resumption by just not generating ouput
debugme echo -n "No session resumption byID (empty file)"
ret=2
else
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
ret2=$? ret2=$?
debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]" debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]"
# now get the line and compare the numbers read" and "writen" as a second criteria. # now get the line and compare the numbers read" and "written" as a second criteria.
rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )" rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )"
rw_line=($rw_line) rw_line=($rw_line)
if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then
@ -5079,7 +5069,7 @@ sub_session_resumption() {
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
"$byID" && echo "byID" || echo "by ticket" "$byID" && echo "byID" || echo "by ticket"
fi fi
fi
"$byID" && \ "$byID" && \
tmpfile_handle $FUNCNAME.byID.log $tmpfile || \ tmpfile_handle $FUNCNAME.byID.log $tmpfile || \
tmpfile_handle $FUNCNAME.byticket.log $tmpfile tmpfile_handle $FUNCNAME.byticket.log $tmpfile
@ -7200,7 +7190,7 @@ run_server_defaults() {
out "Tickets no, " out "Tickets no, "
fileout "session_resumption_ticket" "INFO" "Session resumption via Session Tickets is not supported" fileout "session_resumption_ticket" "INFO" "Session resumption via Session Tickets is not supported"
;; ;;
2) SESS_RESUMPTION[2]="ticket=clientauth" 6) SESS_RESUMPTION[2]="ticket=clientauth"
pr_warning "Client Auth: Ticket resumption test not supported / " pr_warning "Client Auth: Ticket resumption test not supported / "
fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets couldn't be performed because client authentication is missing" fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets couldn't be performed because client authentication is missing"
;; ;;
@ -7221,18 +7211,18 @@ run_server_defaults() {
outln "ID: yes" outln "ID: yes"
fileout "session_resumption_id" "INFO" "Session resumption via Session ID supported" fileout "session_resumption_id" "INFO" "Session resumption via Session ID supported"
;; ;;
1) SESS_RESUMPTION[1]="ID=no" 1|2) SESS_RESUMPTION[1]="ID=no"
outln "ID: no" outln "ID: no"
fileout "session_resumption_id" "INFO" "Session resumption via Session ID is not supported" fileout "session_resumption_id" "INFO" "Session resumption via Session ID is not supported"
;; ;;
2) SESS_RESUMPTION[1]="ID=clientauth" 6) SESS_RESUMPTION[1]="ID=clientauth"
[[ ${SESS_RESUMPTION[2]} =~ clientauth ]] || pr_warning "Client Auth: " [[ ${SESS_RESUMPTION[2]} =~ clientauth ]] || pr_warning "Client Auth: "
prln_warning "ID resumption resumption test not supported" prln_warning "ID resumption resumption test not supported"
fileout "session_resumption_ID" "WARN" "resumption test via Session ID couldn't be performed because client authentication is missing" fileout "session_resumption_id" "WARN" "resumption test via Session ID couldn't be performed because client authentication is missing"
;; ;;
7) SESS_RESUMPTION[1]="ID=noclue" 7) SESS_RESUMPTION[1]="ID=noclue"
prln_warning "ID resumption test failed, pls report" prln_warning "ID resumption test failed, pls report"
fileout "session_resumption_ID" "WARN" "resumption test via Session ID failed, pls report" fileout "session_resumption_id" "WARN" "resumption test via Session ID failed, pls report"
;; ;;
esac esac
fi fi
@ -14606,7 +14596,15 @@ ignore_no_or_lame() {
[[ "$WARNINGS" == batch ]] && return 1 [[ "$WARNINGS" == batch ]] && return 1
tm_warning "$1 --> " tm_warning "$1 --> "
read a read a
if [[ "$a" == "$(tolower "$2")" ]]; then if [[ "$2" == "$(toupper "$2")" ]]; then
# all uppercase requested
if [[ "$a" == "$2" ]]; then
return 0
else
return 1
fi
elif [[ "$2" == "$(tolower "$a")" ]]; then
# we normalize the word to continue
return 0 return 0
else else
return 1 return 1
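Review bot: In the `@ -5047,15 +5032,20 @@ sub_session_resumption()` hunk the client-auth early exit is changed to `"$CLIENT_AUTH" && return 3`, but the updated header comment in the preceding hunk documents `6: CLIENT_AUTH --> problem for resumption`, and both `run_server_defaults()` hunks now match that case with `6)` (`SESS_RESUMPTION[2]="ticket=clientauth"` and `SESS_RESUMPTION[1]="ID=clientauth"`). As written, a client-auth target returns 3, which none of the visible arms handle, so the "Client Auth: … not supported" warning and its `fileout` record would not be produced; the line should read `"$CLIENT_AUTH" && return 6`. The new empty-session-file check `[[ $OSSL_VER_MINOR == "1.1" ]] && [[ $OSSL_VER_MAJOR == "1" ]]` is commented as an OpenSSL 1.1.1 quirk; if the intent is to limit it to 1.1.1 rather than all 1.1.x builds, a comment stating that explicitly would help, since the variable names alone do not show whether the patch level is compared. sub_session_resumption() starts and ends outside this hunk.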