mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 17:20:57 +01:00
Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev
This commit is contained in:
commit
16de7fa1b7
112
testssl.sh
112
testssl.sh
@ -720,19 +720,13 @@ fileout_json_finding() {
|
|||||||
if [[ $SERVER_COUNTER -gt 1 ]]; then
|
if [[ $SERVER_COUNTER -gt 1 ]]; then
|
||||||
echo " ," >> "$JSONFILE"
|
echo " ," >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
if "$CHILD_MASS_TESTING" && ! "$JSONHEADER"; then
|
target="$NODE"
|
||||||
target="$NODE"
|
$do_mx_all_ips && target="$URI"
|
||||||
$do_mx_all_ips && target="$URI"
|
echo -e " {
|
||||||
echo -e " {
|
|
||||||
\"target host\" : \"$target\",
|
\"target host\" : \"$target\",
|
||||||
|
\"ip\" : \"$NODEIP\",
|
||||||
\"port\" : \"$PORT\",
|
\"port\" : \"$PORT\",
|
||||||
\"service\" : \"$finding\",
|
\"service\" : \"$finding\"," >> "$JSONFILE"
|
||||||
\"ip\" : \"$NODEIP\"," >> "$JSONFILE"
|
|
||||||
else
|
|
||||||
echo -e " {
|
|
||||||
\"service\" : \"$finding\",
|
|
||||||
\"ip\" : \"$NODEIP\"," >> "$JSONFILE"
|
|
||||||
fi
|
|
||||||
$do_mx_all_ips && echo -e " \"hostname\" : \"$NODE\"," >> "$JSONFILE"
|
$do_mx_all_ips && echo -e " \"hostname\" : \"$NODE\"," >> "$JSONFILE"
|
||||||
else
|
else
|
||||||
("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE"
|
("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE"
|
||||||
@ -753,28 +747,19 @@ fileout_json_finding() {
|
|||||||
fileout_pretty_json_banner() {
|
fileout_pretty_json_banner() {
|
||||||
local target
|
local target
|
||||||
|
|
||||||
if "$do_mass_testing"; then
|
if ! "$do_mass_testing"; then
|
||||||
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
|
|
||||||
\"at\" : \"$HNAME:$OPENSSL_LOCATION\",
|
|
||||||
\"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
|
|
||||||
\"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\",
|
|
||||||
\"startTime\" : \"$START_TIME\",
|
|
||||||
\"scanResult\" : ["
|
|
||||||
else
|
|
||||||
[[ -z "$NODE" ]] && parse_hn_port "${URI}"
|
[[ -z "$NODE" ]] && parse_hn_port "${URI}"
|
||||||
# NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place
|
# NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place
|
||||||
target="$NODE"
|
target="$NODE"
|
||||||
$do_mx_all_ips && target="$URI"
|
$do_mx_all_ips && target="$URI"
|
||||||
|
fi
|
||||||
|
|
||||||
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
|
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
|
||||||
\"at\" : \"$HNAME:$OPENSSL_LOCATION\",
|
\"at\" : \"$HNAME:$OPENSSL_LOCATION\",
|
||||||
\"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
|
\"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
|
||||||
\"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\",
|
\"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\",
|
||||||
\"target host\" : \"$target\",
|
|
||||||
\"port\" : \"$PORT\",
|
|
||||||
\"startTime\" : \"$START_TIME\",
|
\"startTime\" : \"$START_TIME\",
|
||||||
\"scanResult\" : ["
|
\"scanResult\" : ["
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_banner() {
|
fileout_banner() {
|
||||||
@ -5033,7 +5018,7 @@ read_dhbits_from_file() {
|
|||||||
|
|
||||||
|
|
||||||
# arg1: ID or empty. if empty resumption by ticket will be tested
|
# arg1: ID or empty. if empty resumption by ticket will be tested
|
||||||
# return: 0: it has resumption, 1:nope, 2: can't tell
|
# return: 0: it has resumption, 1:nope, 2: nope (OpenSSL 1.1.1), 6: CLIENT_AUTH --> problem for resumption, 7: can't tell
|
||||||
sub_session_resumption() {
|
sub_session_resumption() {
|
||||||
local ret ret1 ret2
|
local ret ret1 ret2
|
||||||
local tmpfile=$(mktemp $TEMPDIR/session_resumption.$NODEIP.XXXXXX)
|
local tmpfile=$(mktemp $TEMPDIR/session_resumption.$NODEIP.XXXXXX)
|
||||||
@ -5047,39 +5032,44 @@ sub_session_resumption() {
|
|||||||
local byID=false
|
local byID=false
|
||||||
local addcmd=""
|
local addcmd=""
|
||||||
fi
|
fi
|
||||||
"$CLIENT_AUTH" && return 2
|
"$CLIENT_AUTH" && return 3
|
||||||
"$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO"
|
"$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO"
|
||||||
|
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
|
||||||
ret1=$?
|
ret1=$?
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
|
if "$byID" && [[ $OSSL_VER_MINOR == "1.1" ]] && [[ $OSSL_VER_MAJOR == "1" ]] && [[ ! -s "$sess_data" ]]; then
|
||||||
ret2=$?
|
# it seems OpenSSL indicates no Session ID resumption by just not generating ouput
|
||||||
debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]"
|
debugme echo -n "No session resumption byID (empty file)"
|
||||||
# now get the line and compare the numbers read" and "writen" as a second criteria.
|
ret=2
|
||||||
rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )"
|
|
||||||
rw_line=($rw_line)
|
|
||||||
if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then
|
|
||||||
new_sid2=true
|
|
||||||
else
|
else
|
||||||
new_sid2=false
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
|
||||||
|
ret2=$?
|
||||||
|
debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]"
|
||||||
|
# now get the line and compare the numbers read" and "written" as a second criteria.
|
||||||
|
rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )"
|
||||||
|
rw_line=($rw_line)
|
||||||
|
if [[ "${rw_line[0]}" -gt "${rw_line[1]}" ]]; then
|
||||||
|
new_sid2=true
|
||||||
|
else
|
||||||
|
new_sid2=false
|
||||||
|
fi
|
||||||
|
debugme echo "${rw_line[0]}, ${rw_line[1]}"
|
||||||
|
# grep -aq "^New" "$tmpfile" && new_sid=true || new_sid=false
|
||||||
|
grep -aq "^Reused" "$tmpfile" && new_sid=false || new_sid=true
|
||||||
|
if "$new_sid2" && "$new_sid"; then
|
||||||
|
debugme echo -n "No session resumption "
|
||||||
|
ret=1
|
||||||
|
elif ! "$new_sid2" && ! "$new_sid"; then
|
||||||
|
debugme echo -n "Session resumption "
|
||||||
|
ret=0
|
||||||
|
else
|
||||||
|
debugme echo -n "unclear status: $ret1, $ret2, $new_sid, $new_sid2 -- "
|
||||||
|
ret=7
|
||||||
|
fi
|
||||||
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
|
"$byID" && echo "byID" || echo "by ticket"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
debugme echo "${rw_line[0]}, ${rw_line[1]}"
|
|
||||||
# grep -aq "^New" "$tmpfile" && new_sid=true || new_sid=false
|
|
||||||
grep -aq "^Reused" "$tmpfile" && new_sid=false || new_sid=true
|
|
||||||
if "$new_sid2" && "$new_sid"; then
|
|
||||||
debugme echo -n "No session resumption "
|
|
||||||
ret=1
|
|
||||||
elif ! "$new_sid2" && ! "$new_sid"; then
|
|
||||||
debugme echo -n "Session resumption "
|
|
||||||
ret=0
|
|
||||||
else
|
|
||||||
debugme echo -n "unclear status: $ret1, $ret2, $new_sid, $new_sid2 -- "
|
|
||||||
ret=7
|
|
||||||
fi
|
|
||||||
if [[ $DEBUG -ge 2 ]]; then
|
|
||||||
"$byID" && echo "byID" || echo "by ticket"
|
|
||||||
fi
|
|
||||||
|
|
||||||
"$byID" && \
|
"$byID" && \
|
||||||
tmpfile_handle $FUNCNAME.byID.log $tmpfile || \
|
tmpfile_handle $FUNCNAME.byID.log $tmpfile || \
|
||||||
tmpfile_handle $FUNCNAME.byticket.log $tmpfile
|
tmpfile_handle $FUNCNAME.byticket.log $tmpfile
|
||||||
@ -7200,7 +7190,7 @@ run_server_defaults() {
|
|||||||
out "Tickets no, "
|
out "Tickets no, "
|
||||||
fileout "session_resumption_ticket" "INFO" "Session resumption via Session Tickets is not supported"
|
fileout "session_resumption_ticket" "INFO" "Session resumption via Session Tickets is not supported"
|
||||||
;;
|
;;
|
||||||
2) SESS_RESUMPTION[2]="ticket=clientauth"
|
6) SESS_RESUMPTION[2]="ticket=clientauth"
|
||||||
pr_warning "Client Auth: Ticket resumption test not supported / "
|
pr_warning "Client Auth: Ticket resumption test not supported / "
|
||||||
fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets couldn't be performed because client authentication is missing"
|
fileout "session_resumption_ticket" "WARN" "resumption test for TLS Session Tickets couldn't be performed because client authentication is missing"
|
||||||
;;
|
;;
|
||||||
@ -7221,18 +7211,18 @@ run_server_defaults() {
|
|||||||
outln "ID: yes"
|
outln "ID: yes"
|
||||||
fileout "session_resumption_id" "INFO" "Session resumption via Session ID supported"
|
fileout "session_resumption_id" "INFO" "Session resumption via Session ID supported"
|
||||||
;;
|
;;
|
||||||
1) SESS_RESUMPTION[1]="ID=no"
|
1|2) SESS_RESUMPTION[1]="ID=no"
|
||||||
outln "ID: no"
|
outln "ID: no"
|
||||||
fileout "session_resumption_id" "INFO" "Session resumption via Session ID is not supported"
|
fileout "session_resumption_id" "INFO" "Session resumption via Session ID is not supported"
|
||||||
;;
|
;;
|
||||||
2) SESS_RESUMPTION[1]="ID=clientauth"
|
6) SESS_RESUMPTION[1]="ID=clientauth"
|
||||||
[[ ${SESS_RESUMPTION[2]} =~ clientauth ]] || pr_warning "Client Auth: "
|
[[ ${SESS_RESUMPTION[2]} =~ clientauth ]] || pr_warning "Client Auth: "
|
||||||
prln_warning "ID resumption resumption test not supported"
|
prln_warning "ID resumption resumption test not supported"
|
||||||
fileout "session_resumption_ID" "WARN" "resumption test via Session ID couldn't be performed because client authentication is missing"
|
fileout "session_resumption_id" "WARN" "resumption test via Session ID couldn't be performed because client authentication is missing"
|
||||||
;;
|
;;
|
||||||
7) SESS_RESUMPTION[1]="ID=noclue"
|
7) SESS_RESUMPTION[1]="ID=noclue"
|
||||||
prln_warning "ID resumption test failed, pls report"
|
prln_warning "ID resumption test failed, pls report"
|
||||||
fileout "session_resumption_ID" "WARN" "resumption test via Session ID failed, pls report"
|
fileout "session_resumption_id" "WARN" "resumption test via Session ID failed, pls report"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
@ -14606,7 +14596,15 @@ ignore_no_or_lame() {
|
|||||||
[[ "$WARNINGS" == batch ]] && return 1
|
[[ "$WARNINGS" == batch ]] && return 1
|
||||||
tm_warning "$1 --> "
|
tm_warning "$1 --> "
|
||||||
read a
|
read a
|
||||||
if [[ "$a" == "$(tolower "$2")" ]]; then
|
if [[ "$2" == "$(toupper "$2")" ]]; then
|
||||||
|
# all uppercase requested
|
||||||
|
if [[ "$a" == "$2" ]]; then
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
elif [[ "$2" == "$(tolower "$a")" ]]; then
|
||||||
|
# we normalize the word to continue
|
||||||
return 0
|
return 0
|
||||||
else
|
else
|
||||||
return 1
|
return 1
|
||||||
|
Loading…
Reference in New Issue
Block a user