mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Fix calls to $OPENSSL ciphers
This commit fixes testssl.sh's calls to the "$OPENSSL ciphers" command. The main issue it fixes is when actually_supported_osslciphers() is called to get a list of non-SSLv2 ciphers supported by $OPENSSL. With OpenSSL 1.0.2, the "-tls1" option needs to be used to exclude SSLv2 ciphers. With LibreSSL, the "-tls1" option may be provided, but it has no effect. With OpenSSL 1.1.1 and newer, the "-tls1" option causes TLSv1.2-only ciphers (e.g., AES256-SHA256) to be excluded (when the "-s" option is also used). This commit fixes the problem by allowing "-no_ssl2" to be provided as an option to actually_supported_osslciphers(). For versions of $OPENSSL that support SSLv2, "-no_ssl2" is replaced by "-tls1". For versions of $OPENSSL that do not support SSLv2, "-no_ssl2" is simply removed. This commit also changes openssl2hexcode() to include the "-tls1" option when $OPENSSL supports SSLv2, since openssl2hexcode() should only return a non-SSLv2 cipher.
This commit is contained in:
parent
54e5469411
commit
1e0c1a8134
30
testssl.sh
30
testssl.sh
@ -924,15 +924,23 @@ join_by() {
|
|||||||
actually_supported_osslciphers() {
|
actually_supported_osslciphers() {
|
||||||
local ciphers="$1"
|
local ciphers="$1"
|
||||||
local tls13_ciphers="$TLS13_OSSL_CIPHERS"
|
local tls13_ciphers="$TLS13_OSSL_CIPHERS"
|
||||||
|
local options="$3 "
|
||||||
|
|
||||||
[[ "$2" != ALL ]] && tls13_ciphers="$2"
|
[[ "$2" != ALL ]] && tls13_ciphers="$2"
|
||||||
"$HAS_SECLEVEL" && [[ -n "$ciphers" ]] && ciphers="@SECLEVEL=0:$1"
|
"$HAS_SECLEVEL" && [[ -n "$ciphers" ]] && ciphers="@SECLEVEL=0:$1"
|
||||||
if "$HAS_CIPHERSUITES"; then
|
# With OpenSSL 1.0.2 the only way to exclude SSLv2 ciphers is to use the -tls1 option.
|
||||||
$OPENSSL ciphers $3 $OSSL_CIPHERS_S -ciphersuites "$tls13_ciphers" "$ciphers" 2>/dev/null || echo ""
|
# However, with newer versions of OpenSSL, the -tls1 option excludes TLSv1.2 ciphers.
|
||||||
elif [[ -n "$tls13_ciphers" ]]; then
|
if "$HAS_SSL2"; then
|
||||||
$OPENSSL ciphers $3 $OSSL_CIPHERS_S "$tls13_ciphers:$ciphers" 2>/dev/null || echo ""
|
options="${options//-no_ssl2 /-tls1 }"
|
||||||
else
|
else
|
||||||
$OPENSSL ciphers $OSSL_CIPHERS_S $3 "$ciphers" 2>/dev/null || echo ""
|
options="${options//-no_ssl2 /}"
|
||||||
|
fi
|
||||||
|
if "$HAS_CIPHERSUITES"; then
|
||||||
|
$OPENSSL ciphers $options $OSSL_CIPHERS_S -ciphersuites "$tls13_ciphers" "$ciphers" 2>/dev/null || echo ""
|
||||||
|
elif [[ -n "$tls13_ciphers" ]]; then
|
||||||
|
$OPENSSL ciphers $options $OSSL_CIPHERS_S "$tls13_ciphers:$ciphers" 2>/dev/null || echo ""
|
||||||
|
else
|
||||||
|
$OPENSSL ciphers $OSSL_CIPHERS_S $options "$ciphers" 2>/dev/null || echo ""
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3473,6 +3481,8 @@ openssl2hexcode() {
|
|||||||
if [[ $TLS_NR_CIPHERS -eq 0 ]]; then
|
if [[ $TLS_NR_CIPHERS -eq 0 ]]; then
|
||||||
if "$HAS_CIPHERSUITES"; then
|
if "$HAS_CIPHERSUITES"; then
|
||||||
hexc="$($OPENSSL ciphers -V -ciphersuites "$TLS13_OSSL_CIPHERS" 'ALL:COMPLEMENTOFALL:@STRENGTH' | awk '/ '"$1"' / { print $1 }')"
|
hexc="$($OPENSSL ciphers -V -ciphersuites "$TLS13_OSSL_CIPHERS" 'ALL:COMPLEMENTOFALL:@STRENGTH' | awk '/ '"$1"' / { print $1 }')"
|
||||||
|
elif "$HAS_SSL2"; then
|
||||||
|
hexc="$($OPENSSL ciphers -V -tls1 'ALL:COMPLEMENTOFALL:@STRENGTH' | awk '/ '"$1"' / { print $1 }')"
|
||||||
else
|
else
|
||||||
hexc="$($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | awk '/ '"$1"' / { print $1 }')"
|
hexc="$($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | awk '/ '"$1"' / { print $1 }')"
|
||||||
fi
|
fi
|
||||||
@ -6706,7 +6716,7 @@ run_server_preference() {
|
|||||||
[[ $DEBUG -ge 4 ]] && echo -e "\n Forward: ${list_fwd}"
|
[[ $DEBUG -ge 4 ]] && echo -e "\n Forward: ${list_fwd}"
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2") </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2") </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
list_fwd="$(actually_supported_osslciphers $list_fwd '' '-tls1')"
|
list_fwd="$(actually_supported_osslciphers $list_fwd '' '-no_ssl2')"
|
||||||
pr_warning "no matching cipher in this list found (pls report this): "
|
pr_warning "no matching cipher in this list found (pls report this): "
|
||||||
outln "$list_fwd . "
|
outln "$list_fwd . "
|
||||||
fileout "$jsonID" "WARN" "Could not determine server cipher order, no matching cipher in list found (pls report this): $list_fwd"
|
fileout "$jsonID" "WARN" "Could not determine server cipher order, no matching cipher in list found (pls report this): $list_fwd"
|
||||||
@ -18492,7 +18502,7 @@ run_rc4() {
|
|||||||
ossl_supported[nr_ciphers]=true
|
ossl_supported[nr_ciphers]=true
|
||||||
nr_ciphers+=1
|
nr_ciphers+=1
|
||||||
fi
|
fi
|
||||||
done < <($OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
|
done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' '' '-V')
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then
|
if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then
|
||||||
@ -20128,11 +20138,7 @@ prepare_arrays() {
|
|||||||
|
|
||||||
if [[ -e "$CIPHERS_BY_STRENGTH_FILE" ]]; then
|
if [[ -e "$CIPHERS_BY_STRENGTH_FILE" ]]; then
|
||||||
"$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
|
"$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
|
||||||
if "$HAS_SSL2"; then
|
ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-no_ssl2 -V")"
|
||||||
ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-tls1 -V")"
|
|
||||||
else
|
|
||||||
ossl_supported_tls="$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "-V")"
|
|
||||||
fi
|
|
||||||
TLS13_OSSL_CIPHERS=""
|
TLS13_OSSL_CIPHERS=""
|
||||||
while read hexc n TLS_CIPHER_OSSL_NAME[i] TLS_CIPHER_RFC_NAME[i] TLS_CIPHER_SSLVERS[i] TLS_CIPHER_KX[i] TLS_CIPHER_AUTH[i] TLS_CIPHER_ENC[i] mac TLS_CIPHER_EXPORT[i]; do
|
while read hexc n TLS_CIPHER_OSSL_NAME[i] TLS_CIPHER_RFC_NAME[i] TLS_CIPHER_SSLVERS[i] TLS_CIPHER_KX[i] TLS_CIPHER_AUTH[i] TLS_CIPHER_ENC[i] mac TLS_CIPHER_EXPORT[i]; do
|
||||||
TLS_CIPHER_HEXCODE[i]="$hexc"
|
TLS_CIPHER_HEXCODE[i]="$hexc"
|
||||||
|
Loading…
Reference in New Issue
Block a user