Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2

This commit is contained in:
David Cooper 2016-07-11 10:44:37 -04:00
commit 197bee8658
2 changed files with 84 additions and 16 deletions

View File

@ -3349,7 +3349,7 @@ run_server_preference() {
[[ -n "$PROXY" ]] && arg=" SPDY/NPN is"
[[ -n "$STARTTLS" ]] && arg=" "
if spdy_pre " $arg" ; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" </dev/null 2>>$ERRFILE >$TMPFILE
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" $SNI </dev/null 2>>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then
proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g')
if [[ -z "${proto[i]}" ]]; then
@ -3524,16 +3524,16 @@ cipher_pref_check() {
if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS?
outln
else
npn_protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
npn_protos=$($OPENSSL s_client $BUGS -nextprotoneg \"\" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
for p in $npn_protos; do
order=""
$OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
$OPENSSL s_client $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
printf " %-10s %s " "$p:" "$cipher"
tested_cipher="-"$cipher
order="$cipher"
while true; do
$OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
$OPENSSL s_client -cipher "ALL:$tested_cipher" $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE || break
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
out "$cipher "
@ -3836,7 +3836,7 @@ compare_server_name_to_cert()
# Check whether any of the DNS names in the certificate match the servername
dns_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
sed -e 's/,/\n/g' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
tr '.' '\n' grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
for san in $dns_sans; do
[[ "$san" == "$servername" ]] && return 0
# If $san is a wildcard name, then do a wildcard match
@ -3848,7 +3848,7 @@ compare_server_name_to_cert()
# Check whether any of the IP addresses in the certificate match the serername
ip_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
sed -e 's/,/\n/g' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
for san in $ip_sans; do
[[ "$san" == "$servername" ]] && return 0
done
@ -4148,9 +4148,9 @@ certificate_info() {
fileout "${json_prefix}cn" "$cnok" "$cnfinding"
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | \
egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \
sed -e 's/ *DNS://g' -e 's/ *IP Address://g' -e 's/ *email://g' -e 's/ *URI://g' -e 's/ *DirName://g' \
-e 's/ *Registered ID://g' -e 's/,/\n/g' \
-e 's/ *Registered ID://g' \
-e 's/ *othername:<unsupported>//g' -e 's/ *X400Name:<unsupported>//g' -e 's/ *EdiPartyName:<unsupported>//g')
# ^^^ CACert
out "$indent"; pr_bold " subjectAltName (SAN) "
@ -8293,4 +8293,4 @@ fi
exit $?
# $Id: testssl.sh,v 1.522 2016/07/08 09:25:39 dirkw Exp $
# $Id: testssl.sh,v 1.523 2016/07/11 14:20:35 dirkw Exp $

View File

@ -4,23 +4,91 @@
# x448 and x25519 are missing, others are not supported
# License see testssl.sh
readonly RUN_DIR=$(dirname "$0")
test_openssl_suffix() {
local naming_ext="$(uname).$(uname -m)"
local uname_arch="$(uname -m)"
local myarch_suffix=""
[[ $uname_arch =~ 64 ]] && myarch_suffix=64 || myarch_suffix=32
if [[ -f "$1/openssl" ]] && [[ -x "$1/openssl" ]]; then
OPENSSL="$1/openssl"
return 0
elif [[ -f "$1/openssl.$naming_ext" ]] && [[ -x "$1/openssl.$naming_ext" ]]; then
OPENSSL="$1/openssl.$naming_ext"
return 0
fi
return 1
}
find_openssl_binary() {
# 0. check environment variable whether it's executable
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary."
outln " Looking some place else ..."
elif [[ -x "$OPENSSL" ]]; then
: # 1. all ok supplied $OPENSSL was found and has excutable bit set -- testrun comes below
elif test_openssl_suffix $RUN_DIR; then
: # 2. otherwise try openssl in path of testssl.sh
elif test_openssl_suffix ../$RUN_DIR; then
: # 2. otherwise try openssl in path of testssl.sh
elif test_openssl_suffix ../$RUN_DIR/bin; then
: # 3. otherwise here, this is supposed to be the standard --platform independed path in the future!!!
elif test_openssl_suffix "$(dirname "$(which openssl)")"; then
: # 5. we tried hard and failed, so now we use the system binaries
fi
# no ERRFILE initialized yet, thus we use /dev/null for stderr directly
$OPENSSL version -a 2>/dev/null >/dev/null
if [[ $? -ne 0 ]] || [[ ! -x "$OPENSSL" ]]; then
echo "\ncannot exec or find any openssl binary"
exit 1
fi
echo
echo "using $OPENSSL"
echo
}
VERBOSE=false
if [[ $1 == "-v" ]]; then
VERBOSE=true
shift
fi
HN="$1"
[ -z "$HN" ] && HN=testssl.sh
for curve in $(bin/openssl.Linux.x86_64 ecparam -list_curves | awk -F':' '/:/ { print $1 }'); do
printf "$curve: "
find_openssl_binary
ERRFILE=$(mktemp /tmp/curve_tester.R.XXXXXX) || exit -6
TMPFILE=$(mktemp /tmp/curve_tester.T.XXXXXX) || exit -6
for curve in $($OPENSSL ecparam -list_curves | awk -F':' '/:/ { print $1 }'); do
#if bin/openssl.Linux.x86_64 s_client -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep -q "BEGIN CERTIFICATE" ; then
# echo 'YES'
#else
# echo '--'
#fi
if bin/openssl.Linux.x86_64 s_client -cipher ECDH -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep "Server Temp Key:" ; then
:
$OPENSSL s_client -cipher ECDH -curves $curve -connect $HN:443 -servername $HN </dev/null 2>$ERRFILE | grep "Server Temp Key:" >$TMPFILE
if [[ $? -eq 0 ]]; then
printf "$curve: "
cat $TMPFILE | sed 's/^.*Server Temp Key: //'
else
echo '--'
if grep -q 'Error with' $ERRFILE; then
if "$VERBOSE"; then
echo "$curve: no client support"
fi
else
echo "$curve: --"
fi
fi
done
# vim:ts=5:sw=5:expandtab
# $Id: curves.bash,v 1.2 2016/07/08 09:39:27 dirkw Exp $
rm -f $ERRFILE $TMPFILE
# vim:ts=5:sw=5:expandtab
# $Id: curves.bash,v 1.3 2016/07/09 12:22:13 dirkw Exp $