Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Deprecate TLS 1.0 and TLS 1.1

Browse Source 
This commit addresses #1251 and gives a slight warning when still
using those protocols as government standards are or are at least
to expect also to deprecate those protocols. PCI DSS requires not
to use TLS 1.0 anymore and browser vendors supposedly will deprecate
TLS 1.0/1.1 next year.

This is a WIP for testing. It was committed already in May
(22ad490ea7b2868a4fd45862ca0bf8a3d8f24ea6) but somehow it was
lost.

Comments would be appeciated.

Open:
- how to treat non-HTTP protocols
- TLS 1.3 only hosts will mark the absence of TLS 1.2 as
  a medium finding
This commit is contained in:
Dirk Wetter 2019-09-14 10:41:54 +02:00
parent 3e4cd58f7b
commit 231a29cdfd
1 changed files with 15 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
testssl.sh
View File

@ -1702,9 +1702,9 @@ check_revocation_crl() {
[[ -n "$GOOD_CA_BUNDLE" ]] || return 0 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
scheme="$(tolower "${crl%%://*}")" scheme="$(tolower "${crl%%://*}")"
# The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs. # The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs.
[[ "$scheme" == "http" ]] || [[ "$scheme" == "https" ]] || [[ "$scheme" == "ldap" ]] || return 0 [[ "$scheme" == http ]] || [[ "$scheme" == https ]] || [[ "$scheme" == ldap ]] || return 0
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${crl##*\/} || exit $ERR_FCREATE tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${crl##*\/} || exit $ERR_FCREATE
if [[ "$scheme" == "ldap" ]]; then if [[ "$scheme" == ldap ]]; then
ldap_get "$crl" "$tmpfile" "$jsonID" ldap_get "$crl" "$tmpfile" "$jsonID"
success=$? success=$?
else else
@ -1737,7 +1737,7 @@ check_revocation_crl() {
fileout "$jsonID" "OK" "not revoked" fileout "$jsonID" "OK" "not revoked"
else else
retcode=$(awk '/error [1-9][0-9]? at [0-9]+ depth lookup:/ { if (!found) {print $2; found=1} }' "${tmpfile%%.crl}.err") retcode=$(awk '/error [1-9][0-9]? at [0-9]+ depth lookup:/ { if (!found) {print $2; found=1} }' "${tmpfile%%.crl}.err")
if [[ "$retcode" == "23" ]]; then # see verify_retcode_helper() if [[ "$retcode" == 23 ]]; then # see verify_retcode_helper()
out ", " out ", "
pr_svrty_critical "revoked" pr_svrty_critical "revoked"
fileout "$jsonID" "CRITICAL" "revoked" fileout "$jsonID" "CRITICAL" "revoked"
@ -5027,8 +5027,8 @@ run_protocols() {
run_prototest_openssl "-tls1" run_prototest_openssl "-tls1"
fi fi
case $? in case $? in
0) outln "offered" 0) pr_svrty_low "offered" ; outln " (deprecated)"
fileout "$jsonID" "INFO" "offered" fileout "$jsonID" "LOW" "offered (deprecated)"
latest_supported="0301" latest_supported="0301"
latest_supported_string="TLSv1.0" latest_supported_string="TLSv1.0"
add_tls_offered tls1 yes add_tls_offered tls1 yes
@ -5101,8 +5101,8 @@ run_protocols() {
run_prototest_openssl "-tls1_1" run_prototest_openssl "-tls1_1"
fi fi
case $? in case $? in
0) outln "offered" 0) pr_svrty_low "offered" ; outln " (deprecated)"
fileout "$jsonID" "INFO" "offered" fileout "$jsonID" "LOW" "offered (deprecated)"
latest_supported="0302" latest_supported="0302"
latest_supported_string="TLSv1.1" latest_supported_string="TLSv1.1"
add_tls_offered tls1_1 yes add_tls_offered tls1_1 yes
@ -5375,33 +5375,35 @@ run_protocols() {
latest_supported_string="TLSv1.3" latest_supported_string="TLSv1.3"
add_tls_offered tls1_3 yes add_tls_offered tls1_3 yes
;; ;;
1) out "not offered" 1) pr_svrty_low "not offered"
if ! "$using_sockets" || [[ -z $latest_supported ]]; then if ! "$using_sockets" || [[ -z $latest_supported ]]; then
outln outln
fileout "$jsonID" "INFO" "not offered" fileout "$jsonID" "LOW" "not offered"
else else
prln_svrty_critical " -- connection failed rather than downgrading to $latest_supported_string" prln_svrty_critical " -- connection failed rather than downgrading to $latest_supported_string"
fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string" fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string"
fi fi
add_tls_offered tls1_3 no add_tls_offered tls1_3 no
;; ;;
2) out "not offered" 2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
detected_version_string="SSLv3" detected_version_string="SSLv3"
elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
fi fi
if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
[[ $DEBUG -ge 1 ]] && tm_out " -- downgraded" [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
outln outln "not offered and downgraded to a weaker protocol"
fileout "$jsonID" "INFO" "not offered and downgraded to a weaker protocol" fileout "$jsonID" "INFO" "not offered + downgraded to weaker protocol"
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then
out "not offered"
prln_svrty_critical " -- server supports $latest_supported_string, but downgraded to $detected_version_string" prln_svrty_critical " -- server supports $latest_supported_string, but downgraded to $detected_version_string"
fileout "$jsonID" "CRITICAL" "not offered, and downgraded to $detected_version_string rather than $latest_supported_string" fileout "$jsonID" "CRITICAL" "not offered, and downgraded to $detected_version_string rather than $latest_supported_string"
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0304 ]]; then elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0304 ]]; then
out "not offered"
prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client" prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client"
fileout "$jsonID" "CRITICAL" "not offered, server responded with higher version number ($detected_version_string) than requested by client" fileout "$jsonID" "CRITICAL" "not offered, server responded with higher version number ($detected_version_string) than requested by client"
else else
out "not offered"
prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fi fi