Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Rename add_tls_offered --> add_proto_offered

Browse Source 
... last but not least SSLv2 and SSLv3 are no TLS protocols
This commit is contained in:
Dirk Wetter 2020-04-27 17:12:25 +02:00
parent 8938c21703
commit 1e0ef23c81
1 changed files with 94 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

188
testssl.sh
View File

@ -4077,7 +4077,7 @@ ciphers_by_strength() {
if "$using_sockets"; then if "$using_sockets"; then
sslv2_sockets "${sslv2_ciphers:2}" "true" sslv2_sockets "${sslv2_ciphers:2}" "true"
if [[ $? -eq 3 ]] ; then if [[ $? -eq 3 ]] ; then
add_tls_offered ssl2 yes add_proto_offered ssl2 yes
if [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then if [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")" supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
"$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")" "$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")"
@ -4091,14 +4091,14 @@ ciphers_by_strength() {
outln " protocol supported with no cipher " outln " protocol supported with no cipher "
fi fi
else else
add_tls_offered ssl2 no add_proto_offered ssl2 no
"$wide" && outln " - " "$wide" && outln " - "
fi fi
else else
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? "$TMPFILE" sclient_connect_successful $? "$TMPFILE"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
add_tls_offered ssl2 yes add_proto_offered ssl2 yes
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)" supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
"$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")" "$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
for (( i=0 ; i<nr_ciphers; i++ )); do for (( i=0 ; i<nr_ciphers; i++ )); do
@ -4108,7 +4108,7 @@ ciphers_by_strength() {
fi fi
done done
else else
add_tls_offered ssl2 no add_proto_offered ssl2 no
"$wide" && outln " - " "$wide" && outln " - "
fi fi
fi fi
@ -4270,9 +4270,9 @@ ciphers_by_strength() {
if [[ $proto != -ssl2 ]]; then if [[ $proto != -ssl2 ]]; then
# We handled SSLv2 above already # We handled SSLv2 above already
if [[ -n "$cipher" ]]; then if [[ -n "$cipher" ]]; then
add_tls_offered $proto yes add_proto_offered $proto yes
else else
add_tls_offered $proto no add_proto_offered $proto no
"$wide" && outln " -" "$wide" && outln " -"
fi fi
fi fi
@ -4918,7 +4918,7 @@ run_prototest_openssl() {
# #
# arg1: protocol # arg1: protocol
# arg2: available (yes) or not (no) # arg2: available (yes) or not (no)
add_tls_offered() { add_proto_offered() {
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
# the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2 # the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2
: :
@ -4927,7 +4927,7 @@ add_tls_offered() {
fi fi
} }
# function which checks whether SSLv2 - TLS 1.2 is being offered, see add_tls_offered() # function which checks whether SSLv2 - TLS 1.2 is being offered, see add_proto_offered()
# arg1: protocol string or hex code for TLS protocol # arg1: protocol string or hex code for TLS protocol
# echos: 0 if proto known being offered, 1: known not being offered, 2: we don't know yet whether proto is being offered # echos: 0 if proto known being offered, 1: known not being offered, 2: we don't know yet whether proto is being offered
# return value is always zero # return value is always zero
@ -5014,16 +5014,16 @@ run_protocols() {
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP! 1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
prln_svrty_best "not offered (OK)" prln_svrty_best "not offered (OK)"
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered ssl2 no add_proto_offered ssl2 no
;; ;;
0) # reset 0) # reset
prln_svrty_best "not offered (OK)" prln_svrty_best "not offered (OK)"
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered ssl2 no add_proto_offered ssl2 no
;; ;;
4) out "likely "; pr_svrty_best "not offered (OK), " 4) out "likely "; pr_svrty_best "not offered (OK), "
fileout "$jsonID" "OK" "likely not offered" fileout "$jsonID" "OK" "likely not offered"
add_tls_offered ssl2 no add_proto_offered ssl2 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm" pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}" fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
@ -5031,7 +5031,7 @@ run_protocols() {
[[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) " [[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) "
if [[ "$lines" -gt 1 ]]; then if [[ "$lines" -gt 1 ]]; then
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
add_tls_offered ssl2 yes add_proto_offered ssl2 yes
if [[ 0 -eq "$nr_ciphers_detected" ]]; then if [[ 0 -eq "$nr_ciphers_detected" ]]; then
prln_svrty_high "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 "; prln_svrty_high "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310" fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310"
@ -5052,15 +5052,15 @@ run_protocols() {
case $? in case $? in
0) prln_svrty_critical "offered (NOT ok)" 0) prln_svrty_critical "offered (NOT ok)"
fileout "$jsonID" "CRITICAL" "offered" fileout "$jsonID" "CRITICAL" "offered"
add_tls_offered ssl2 yes add_proto_offered ssl2 yes
;; ;;
1) prln_svrty_best "not offered (OK)" 1) prln_svrty_best "not offered (OK)"
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered ssl2 no add_proto_offered ssl2 no
;; ;;
5) prln_svrty_high "CVE-2015-3197: $supported_no_ciph2"; 5) prln_svrty_high "CVE-2015-3197: $supported_no_ciph2";
fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310" fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310"
add_tls_offered ssl2 yes add_proto_offered ssl2 yes
;; ;;
7) prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\"" 7) prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""
fileout "$jsonID" "INFO" "not tested due to lack of local support" fileout "$jsonID" "INFO" "not tested due to lack of local support"
@ -5087,11 +5087,11 @@ run_protocols() {
latest_supported="0300" latest_supported="0300"
latest_supported_string="SSLv3" latest_supported_string="SSLv3"
fi fi
add_tls_offered ssl3 yes add_proto_offered ssl3 yes
;; ;;
1) prln_svrty_best "not offered (OK)" 1) prln_svrty_best "not offered (OK)"
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered ssl3 no add_proto_offered ssl3 no
;; ;;
2) if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then 2) if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
@ -5110,19 +5110,19 @@ run_protocols() {
;; ;;
3) pr_svrty_best "not offered (OK), " 3) pr_svrty_best "not offered (OK), "
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered ssl3 no add_proto_offered ssl3 no
pr_warning "SSL downgraded to STARTTLS plaintext"; outln pr_warning "SSL downgraded to STARTTLS plaintext"; outln
fileout "$jsonID" "WARN" "SSL downgraded to STARTTLS plaintext" fileout "$jsonID" "WARN" "SSL downgraded to STARTTLS plaintext"
;; ;;
4) out "likely "; pr_svrty_best "not offered (OK), " 4) out "likely "; pr_svrty_best "not offered (OK), "
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered ssl3 no add_proto_offered ssl3 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm" pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}" fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) pr_svrty_high "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl 5) pr_svrty_high "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "HIGH" "$supported_no_ciph1" fileout "$jsonID" "HIGH" "$supported_no_ciph1"
add_tls_offered ssl3 yes add_proto_offered ssl3 yes
;; ;;
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
@ -5153,10 +5153,10 @@ run_protocols() {
fileout "$jsonID" "LOW" "offered (deprecated)" fileout "$jsonID" "LOW" "offered (deprecated)"
latest_supported="0301" latest_supported="0301"
latest_supported_string="TLSv1.0" latest_supported_string="TLSv1.0"
add_tls_offered tls1 yes add_proto_offered tls1 yes
;; # nothing wrong with it -- per se ;; # nothing wrong with it -- per se
1) out "not offered" 1) out "not offered"
add_tls_offered tls1 no add_proto_offered tls1 no
if [[ -z $latest_supported ]]; then if [[ -z $latest_supported ]]; then
outln outln
fileout "$jsonID" "INFO" "not offered" # neither good or bad fileout "$jsonID" "INFO" "not offered" # neither good or bad
@ -5166,7 +5166,7 @@ run_protocols() {
fi fi
;; ;;
2) pr_svrty_medium "not offered" 2) pr_svrty_medium "not offered"
add_tls_offered tls1 no add_proto_offered tls1 no
if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
[[ $DEBUG -ge 1 ]] && tm_out " -- downgraded" [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
outln outln
@ -5187,19 +5187,19 @@ run_protocols() {
;; ;;
3) out "not offered, " 3) out "not offered, "
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered tls1 no add_proto_offered tls1 no
pr_warning "TLS downgraded to STARTTLS plaintext"; outln pr_warning "TLS downgraded to STARTTLS plaintext"; outln
fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext" fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
;; ;;
4) out "likely not offered, " 4) out "likely not offered, "
fileout "$jsonID" "INFO" "likely not offered" fileout "$jsonID" "INFO" "likely not offered"
add_tls_offered tls1 no add_proto_offered tls1 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm" pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}" fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl 5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "INFO" "$supported_no_ciph1" fileout "$jsonID" "INFO" "$supported_no_ciph1"
add_tls_offered tls1 yes add_proto_offered tls1 yes
;; ;;
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
@ -5231,10 +5231,10 @@ run_protocols() {
fileout "$jsonID" "LOW" "offered (deprecated)" fileout "$jsonID" "LOW" "offered (deprecated)"
latest_supported="0302" latest_supported="0302"
latest_supported_string="TLSv1.1" latest_supported_string="TLSv1.1"
add_tls_offered tls1_1 yes add_proto_offered tls1_1 yes
;; # nothing wrong with it ;; # nothing wrong with it
1) out "not offered" 1) out "not offered"
add_tls_offered tls1_1 no add_proto_offered tls1_1 no
if [[ -z $latest_supported ]]; then if [[ -z $latest_supported ]]; then
outln outln
fileout "$jsonID" "INFO" "is not offered" # neither good or bad fileout "$jsonID" "INFO" "is not offered" # neither good or bad
@ -5244,7 +5244,7 @@ run_protocols() {
fi fi
;; ;;
2) out "not offered" 2) out "not offered"
add_tls_offered tls1_1 no add_proto_offered tls1_1 no
if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
[[ $DEBUG -ge 1 ]] && tm_out " -- downgraded" [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
outln outln
@ -5268,19 +5268,19 @@ run_protocols() {
;; ;;
3) out "not offered, " 3) out "not offered, "
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered tls1_1 no add_proto_offered tls1_1 no
pr_warning "TLS downgraded to STARTTLS plaintext"; outln pr_warning "TLS downgraded to STARTTLS plaintext"; outln
fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext" fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
;; ;;
4) out "likely not offered, " 4) out "likely not offered, "
fileout "$jsonID" "INFO" "is not offered" fileout "$jsonID" "INFO" "is not offered"
add_tls_offered tls1_1 no add_proto_offered tls1_1 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm" pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}" fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl 5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "INFO" "$supported_no_ciph1" fileout "$jsonID" "INFO" "$supported_no_ciph1"
add_tls_offered tls1_1 yes add_proto_offered tls1_1 yes
;; ;;
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
@ -5342,9 +5342,9 @@ run_protocols() {
fileout "$jsonID" "OK" "offered" fileout "$jsonID" "OK" "offered"
latest_supported="0303" latest_supported="0303"
latest_supported_string="TLSv1.2" latest_supported_string="TLSv1.2"
add_tls_offered tls1_2 yes add_proto_offered tls1_2 yes
;; # GCM cipher in TLS 1.2: very good! ;; # GCM cipher in TLS 1.2: very good!
1) add_tls_offered tls1_2 no 1) add_proto_offered tls1_2 no
if "$offers_tls13"; then if "$offers_tls13"; then
out "not offered" out "not offered"
else else
@ -5362,7 +5362,7 @@ run_protocols() {
fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string" fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string"
fi fi
;; ;;
2) add_tls_offered tls1_2 no 2) add_proto_offered tls1_2 no
pr_svrty_medium "not offered and downgraded to a weaker protocol" pr_svrty_medium "not offered and downgraded to a weaker protocol"
if [[ "$tls12_detected_version" == 0300 ]]; then if [[ "$tls12_detected_version" == 0300 ]]; then
detected_version_string="SSLv3" detected_version_string="SSLv3"
@ -5390,19 +5390,19 @@ run_protocols() {
;; ;;
3) out "not offered, " 3) out "not offered, "
fileout "$jsonID" "INFO" "not offered" fileout "$jsonID" "INFO" "not offered"
add_tls_offered tls1_2 no add_proto_offered tls1_2 no
pr_warning "TLS downgraded to STARTTLS plaintext"; outln pr_warning "TLS downgraded to STARTTLS plaintext"; outln
fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext" fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
;; ;;
4) out "likely "; pr_svrty_medium "not offered, " 4) out "likely "; pr_svrty_medium "not offered, "
fileout "$jsonID" "MEDIUM" "not offered" fileout "$jsonID" "MEDIUM" "not offered"
add_tls_offered tls1_2 no add_proto_offered tls1_2 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm" pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}" fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) outln "$supported_no_ciph1" # protocol detected, but no cipher --> comes from run_prototest_openssl 5) outln "$supported_no_ciph1" # protocol detected, but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "INFO" "$supported_no_ciph1" fileout "$jsonID" "INFO" "$supported_no_ciph1"
add_tls_offered tls1_2 yes add_proto_offered tls1_2 yes
;; ;;
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
@ -5496,7 +5496,7 @@ run_protocols() {
fi fi
latest_supported="0304" latest_supported="0304"
latest_supported_string="TLSv1.3" latest_supported_string="TLSv1.3"
add_tls_offered tls1_3 yes add_proto_offered tls1_3 yes
;; ;;
1) pr_svrty_low "not offered" 1) pr_svrty_low "not offered"
if [[ -z $latest_supported ]]; then if [[ -z $latest_supported ]]; then
@ -5506,7 +5506,7 @@ run_protocols() {
prln_svrty_critical " -- connection failed rather than downgrading to $latest_supported_string" prln_svrty_critical " -- connection failed rather than downgrading to $latest_supported_string"
fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string" fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string"
fi fi
add_tls_offered tls1_3 no add_proto_offered tls1_3 no
;; ;;
2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then 2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
detected_version_string="SSLv3" detected_version_string="SSLv3"
@ -5529,23 +5529,23 @@ run_protocols() {
prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fi fi
add_tls_offered tls1_3 no add_proto_offered tls1_3 no
;; ;;
3) out "not offered " 3) out "not offered "
fileout "$jsonID" "INFO" "not offered" fileout "$jsonID" "INFO" "not offered"
add_tls_offered tls1_3 no add_proto_offered tls1_3 no
pr_warning "TLS downgraded to STARTTLS plaintext"; outln pr_warning "TLS downgraded to STARTTLS plaintext"; outln
fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext" fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
;; ;;
4) out "likely not offered, " 4) out "likely not offered, "
fileout "$jsonID" "INFO" "not offered" fileout "$jsonID" "INFO" "not offered"
add_tls_offered tls1_3 no add_proto_offered tls1_3 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm" pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}" fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl 5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "INFO" "$supported_no_ciph1" fileout "$jsonID" "INFO" "$supported_no_ciph1"
add_tls_offered tls1_3 yes add_proto_offered tls1_3 yes
;; ;;
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
@ -6330,14 +6330,14 @@ run_server_preference() {
"ephemeralkey" "ephemeralkey"
sclient_success=$? sclient_success=$?
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
add_tls_offered tls1_3 yes add_proto_offered tls1_3 yes
elif [[ $sclient_success -eq 2 ]]; then elif [[ $sclient_success -eq 2 ]]; then
sclient_success=0 # 2: downgraded sclient_success=0 # 2: downgraded
case $DETECTED_TLS_VERSION in case $DETECTED_TLS_VERSION in
0303) add_tls_offered tls1_2 yes ;; 0303) add_proto_offered tls1_2 yes ;;
0302) add_tls_offered tls1_1 yes ;; 0302) add_proto_offered tls1_1 yes ;;
0301) add_tls_offered tls1 yes ;; 0301) add_proto_offered tls1 yes ;;
0300) add_tls_offered ssl3 yes ;; 0300) add_proto_offered ssl3 yes ;;
esac esac
fi fi
if [[ $sclient_success -eq 0 ]] ; then if [[ $sclient_success -eq 0 ]] ; then
@ -6895,7 +6895,7 @@ cipher_pref_check() {
fi fi
if [[ -n "$order" ]]; then if [[ -n "$order" ]]; then
add_tls_offered "$proto" yes add_proto_offered "$proto" yes
if "$wide"; then if "$wide"; then
for (( i=0 ; i<nr_ciphers_found; i++ )); do for (( i=0 ; i<nr_ciphers_found; i++ )); do
neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${export2[i]}" "true" neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${export2[i]}" "true"
@ -6915,7 +6915,7 @@ cipher_pref_check() {
fileout "cipherorder_${proto_text//./_}" "INFO" "$order" fileout "cipherorder_${proto_text//./_}" "INFO" "$order"
else else
# Order doesn't contain any ciphers, so we can safely unset the protocol and put a dash out # Order doesn't contain any ciphers, so we can safely unset the protocol and put a dash out
add_tls_offered "$proto" no add_proto_offered "$proto" no
outln " -" outln " -"
fi fi
@ -7425,7 +7425,7 @@ get_server_certificate() {
[[ $success -eq 0 ]] || return 1 [[ $success -eq 0 ]] || return 1
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
fi fi
[[ $success -eq 0 ]] && add_tls_offered tls1_3 yes [[ $success -eq 0 ]] && add_proto_offered tls1_3 yes
extract_new_tls_extensions $TMPFILE extract_new_tls_extensions $TMPFILE
tmpfile_handle ${FUNCNAME[0]}.txt tmpfile_handle ${FUNCNAME[0]}.txt
return $success return $success
@ -14881,10 +14881,10 @@ run_heartbleed(){
else # no protocol for some reason defined, determine TLS versions offered with a new handshake else # no protocol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;; *1.2) tls_hexcode="x03, x03" ; add_proto_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;; *1.1) tls_hexcode="x03, x02" ; add_proto_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;; TLSv1) tls_hexcode="x03, x01" ; add_proto_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;; SSLv3) tls_hexcode="x03, x00" ; add_proto_offered ssl3 yes ;;
esac esac
fi fi
debugme echo "using protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
@ -14982,10 +14982,10 @@ run_ccs_injection(){
else # no protocol for some reason defined, determine TLS versions offered with a new handshake else # no protocol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;; *1.2) tls_hexcode="x03, x03" ; add_proto_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;; *1.1) tls_hexcode="x03, x02" ; add_proto_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;; TLSv1) tls_hexcode="x03, x01" ; add_proto_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;; SSLv3) tls_hexcode="x03, x00" ; add_proto_offered ssl3 yes ;;
esac esac
fi fi
debugme echo "using protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
@ -15196,10 +15196,10 @@ run_ticketbleed() {
else # no protocol for some reason defined, determine TLS versions offered with a new handshake else # no protocol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;; *1.2) tls_hexcode="x03, x03" ; add_proto_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;; *1.1) tls_hexcode="x03, x02" ; add_proto_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;; TLSv1) tls_hexcode="x03, x01" ; add_proto_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;; SSLv3) tls_hexcode="x03, x00" ; add_proto_offered ssl3 yes ;;
esac esac
fi fi
debugme echo "using protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
@ -15787,7 +15787,7 @@ run_sweet32() {
sslv2_sockets "$ssl2_sweet32_ciphers_hex" sslv2_sockets "$ssl2_sweet32_ciphers_hex"
case $? in case $? in
3) ssl2_sweet=true 3) ssl2_sweet=true
add_tls_offered ssl2 yes ;; add_proto_offered ssl2 yes ;;
0) ;; # ssl2_sweet=false 0) ;; # ssl2_sweet=false
1|4|6|7) debugme "${FUNCNAME[0]}: test problem we don't handle here" 1|4|6|7) debugme "${FUNCNAME[0]}: test problem we don't handle here"
;; ;;
@ -15827,7 +15827,7 @@ run_sweet32() {
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
ssl2_sweet=true ssl2_sweet=true
add_tls_offered ssl2 yes add_proto_offered ssl2 yes
fi fi
fi fi
else else
@ -16555,7 +16555,7 @@ run_drown() {
3) # vulnerable, [[ -n "$cert_fingerprint_sha2" ]] test is not needed as we should have RSA certificate here 3) # vulnerable, [[ -n "$cert_fingerprint_sha2" ]] test is not needed as we should have RSA certificate here
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)") lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
debugme tm_out " ($lines lines) " debugme tm_out " ($lines lines) "
add_tls_offered ssl2 yes add_proto_offered ssl2 yes
if [[ "$lines" -gt 1 ]]; then if [[ "$lines" -gt 1 ]]; then
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
if [[ 0 -eq "$nr_ciphers_detected" ]]; then if [[ 0 -eq "$nr_ciphers_detected" ]]; then
@ -16684,7 +16684,7 @@ run_beast(){
$OPENSSL s_client $(s_client_options "-state -"${proto}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") 2>>$ERRFILE >$TMPFILE </dev/null $OPENSSL s_client $(s_client_options "-state -"${proto}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") 2>>$ERRFILE >$TMPFILE </dev/null
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
higher_proto_supported+=" $(get_protocol $TMPFILE)" higher_proto_supported+=" $(get_protocol $TMPFILE)"
add_tls_offered "$proto" yes add_proto_offered "$proto" yes
fi fi
fi fi
done done
@ -16723,7 +16723,7 @@ run_beast(){
continue # protocol not supported, so we do not need to check each cipher with that protocol continue # protocol not supported, so we do not need to check each cipher with that protocol
fi fi
fi # protocol succeeded fi # protocol succeeded
add_tls_offered "$proto" yes add_proto_offered "$proto" yes
# now we test in one shot with the precompiled ciphers # now we test in one shot with the precompiled ciphers
if "$using_sockets"; then if "$using_sockets"; then
@ -19313,16 +19313,16 @@ determine_optimal_sockets_params() {
KEY_SHARE_EXTN_NR="33" KEY_SHARE_EXTN_NR="33"
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0f, 0e, 03,04, 7f,1c, 7f,1b, 7f,1a, 7f,19, 7f,18, 7f,17" tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0f, 0e, 03,04, 7f,1c, 7f,1b, 7f,1a, 7f,19, 7f,18, 7f,17"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
add_tls_offered tls1_3 yes add_proto_offered tls1_3 yes
all_failed=false all_failed=false
else else
KEY_SHARE_EXTN_NR="28" KEY_SHARE_EXTN_NR="28"
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0b, 0a, 7f,16, 7f,15, 7f,14, 7f,13, 7f,12" tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0b, 0a, 7f,16, 7f,15, 7f,14, 7f,13, 7f,12"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
add_tls_offered tls1_3 yes add_proto_offered tls1_3 yes
all_failed=false all_failed=false
else else
add_tls_offered tls1_3 no add_proto_offered tls1_3 no
KEY_SHARE_EXTN_NR="33" KEY_SHARE_EXTN_NR="33"
fi fi
fi fi
@ -19332,11 +19332,11 @@ determine_optimal_sockets_params() {
# drafts 22-28 and the final TLS 1.3 the ProtocolVersion field contains # drafts 22-28 and the final TLS 1.3 the ProtocolVersion field contains
# 0303 and the actual version appears in the supported_versions extension. # 0303 and the actual version appears in the supported_versions extension.
if [[ "${TLS_SERVER_HELLO:8:3}" == 7F1 ]]; then if [[ "${TLS_SERVER_HELLO:8:3}" == 7F1 ]]; then
add_tls_offered tls1_3_draft$(hex2dec "${TLS_SERVER_HELLO:10:2}") yes add_proto_offered tls1_3_draft$(hex2dec "${TLS_SERVER_HELLO:10:2}") yes
elif [[ "$TLS_SERVER_HELLO" =~ 002B00020304 ]]; then elif [[ "$TLS_SERVER_HELLO" =~ 002B00020304 ]]; then
add_tls_offered tls1_3_rfc8446 yes add_proto_offered tls1_3_rfc8446 yes
elif [[ "$TLS_SERVER_HELLO" =~ 002B00027F1[2-9A-C] ]]; then elif [[ "$TLS_SERVER_HELLO" =~ 002B00027F1[2-9A-C] ]]; then
add_tls_offered tls1_3_draft$(hex2dec "${BASH_REMATCH:10:2}") yes add_proto_offered tls1_3_draft$(hex2dec "${BASH_REMATCH:10:2}") yes
fi fi
fi fi
@ -19347,10 +19347,10 @@ determine_optimal_sockets_params() {
ret1=$? ret1=$?
if [[ $ret1 -eq 0 ]] || [[ $ret1 -eq 2 ]]; then if [[ $ret1 -eq 0 ]] || [[ $ret1 -eq 2 ]]; then
case $DETECTED_TLS_VERSION in case $DETECTED_TLS_VERSION in
0303) add_tls_offered tls1_2 yes ;; 0303) add_proto_offered tls1_2 yes ;;
0302) add_tls_offered tls1_1 yes ;; 0302) add_proto_offered tls1_1 yes ;;
0301) add_tls_offered tls1 yes ;; 0301) add_proto_offered tls1 yes ;;
0300) add_tls_offered ssl3 yes ;; 0300) add_proto_offered ssl3 yes ;;
esac esac
all_failed=false all_failed=false
fi fi
@ -19364,17 +19364,17 @@ determine_optimal_sockets_params() {
tls_sockets "03" "$TLS12_CIPHER_2ND_TRY" tls_sockets "03" "$TLS12_CIPHER_2ND_TRY"
ret2=$? ret2=$?
if [[ $ret2 -eq 0 ]]; then if [[ $ret2 -eq 0 ]]; then
add_tls_offered tls1_2 yes add_proto_offered tls1_2 yes
TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY" TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY"
all_failed=false all_failed=false
else else
add_tls_offered tls1_2 no add_proto_offered tls1_2 no
fi fi
if [[ $ret2 -eq 2 ]]; then if [[ $ret2 -eq 2 ]]; then
case $DETECTED_TLS_VERSION in case $DETECTED_TLS_VERSION in
0302) add_tls_offered tls1_1 yes ;; 0302) add_proto_offered tls1_1 yes ;;
0301) add_tls_offered tls1 yes ;; 0301) add_proto_offered tls1 yes ;;
0300) add_tls_offered ssl3 yes ;; 0300) add_proto_offered ssl3 yes ;;
esac esac
[[ $ret1 -ne 2 ]] && TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY" [[ $ret1 -ne 2 ]] && TLS12_CIPHER="$TLS12_CIPHER_2ND_TRY"
all_failed=false all_failed=false
@ -19400,16 +19400,16 @@ determine_optimal_sockets_params() {
ret1=$? ret1=$?
if [[ $ret1 -ne 0 ]]; then if [[ $ret1 -ne 0 ]]; then
case $proto in case $proto in
02) add_tls_offered tls1_1 no ;; 02) add_proto_offered tls1_1 no ;;
01) add_tls_offered tls1 no ;; 01) add_proto_offered tls1 no ;;
00) add_tls_offered ssl3 no ;; 00) add_proto_offered ssl3 no ;;
esac esac
fi fi
if [[ $ret1 -eq 0 ]] || [[ $ret1 -eq 2 ]]; then if [[ $ret1 -eq 0 ]] || [[ $ret1 -eq 2 ]]; then
case $DETECTED_TLS_VERSION in case $DETECTED_TLS_VERSION in
0302) add_tls_offered tls1_1 yes ;; 0302) add_proto_offered tls1_1 yes ;;
0301) add_tls_offered tls1 yes ;; 0301) add_proto_offered tls1 yes ;;
0300) add_tls_offered ssl3 yes ;; 0300) add_proto_offered ssl3 yes ;;
esac esac
OPTIMAL_SOCKETS_PROTO="$proto" OPTIMAL_SOCKETS_PROTO="$proto"
all_failed=false all_failed=false
@ -19419,7 +19419,7 @@ determine_optimal_sockets_params() {
fi fi
if "$all_failed"; then if "$all_failed"; then
sslv2_sockets sslv2_sockets
[[ $? -eq 3 ]] && all_failed=false && add_tls_offered ssl2 yes [[ $? -eq 3 ]] && all_failed=false && add_proto_offered ssl2 yes
fi fi
ALL_FAILED_SOCKETS="$all_failed" ALL_FAILED_SOCKETS="$all_failed"
return 0 return 0
@ -19454,7 +19454,7 @@ determine_optimal_proto() {
$OPENSSL s_client $(s_client_options "$STARTTLS_OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" $PROXY -msg $STARTTLS $SNI") </dev/null >$TMPFILE 2>>$ERRFILE $OPENSSL s_client $(s_client_options "$STARTTLS_OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" $PROXY -msg $STARTTLS $SNI") </dev/null >$TMPFILE 2>>$ERRFILE
if sclient_auth $? $TMPFILE; then if sclient_auth $? $TMPFILE; then
all_failed=false all_failed=false
add_tls_offered "${proto/-/}" yes add_proto_offered "${proto/-/}" yes
break break
fi fi
done done
@ -19479,11 +19479,11 @@ determine_optimal_proto() {
tmp=${tmp/\./_} tmp=${tmp/\./_}
tmp=${tmp/v/} tmp=${tmp/v/}
tmp="$(tolower $tmp)" tmp="$(tolower $tmp)"
add_tls_offered "${tmp}" yes add_proto_offered "${tmp}" yes
debugme echo "one proto determined: $tmp" debugme echo "one proto determined: $tmp"
OPTIMAL_PROTO="" OPTIMAL_PROTO=""
else else
add_tls_offered "${proto/-/}" yes add_proto_offered "${proto/-/}" yes
OPTIMAL_PROTO="$proto" OPTIMAL_PROTO="$proto"
fi fi
all_failed=false all_failed=false