mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
save also 1x connect for heartbleed() by reusing a previoulsy identified protocol
This commit is contained in:
parent
de79bd6b0e
commit
2469603a7f
39
testssl.sh
39
testssl.sh
@ -161,6 +161,7 @@ TERM_CURRPOS=0 # custom line wrappi
|
|||||||
# 0 means (normally) true here. Some of the variables are also accessible with a command line switch, see --help
|
# 0 means (normally) true here. Some of the variables are also accessible with a command line switch, see --help
|
||||||
|
|
||||||
declare -x OPENSSL OPENSSL_TIMEOUT
|
declare -x OPENSSL OPENSSL_TIMEOUT
|
||||||
|
FAST_SOCKET=${FAST_SOCKET:-false} # EXPERIMENTAL feature to accelerate sockets -- DO NOT USE it for production
|
||||||
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
||||||
COLORBLIND=${COLORBLIND:-false} # if true, swap blue and green in the output
|
COLORBLIND=${COLORBLIND:-false} # if true, swap blue and green in the output
|
||||||
SHOW_EACH_C=${SHOW_EACH_C:-false} # where individual ciphers are tested show just the positively ones tested
|
SHOW_EACH_C=${SHOW_EACH_C:-false} # where individual ciphers are tested show just the positively ones tested
|
||||||
@ -3422,7 +3423,6 @@ client_simulation_sockets() {
|
|||||||
sleep $USLEEP_SND
|
sleep $USLEEP_SND
|
||||||
|
|
||||||
sockread_serverhello 32768
|
sockread_serverhello 32768
|
||||||
|
|
||||||
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}"
|
tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}"
|
||||||
|
|
||||||
@ -8653,16 +8653,25 @@ run_heartbleed(){
|
|||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# determine TLS versions offered <-- needs to come from another place
|
if $(has_server_protocol "tls1"); then
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -tlsextdebug >$TMPFILE 2>$ERRFILE </dev/null
|
tls_hexcode="x03, x01"
|
||||||
|
elif $(has_server_protocol "tls1_1"); then
|
||||||
tls_proto_offered=$(get_protocol $TMPFILE)
|
tls_hexcode="x03, x02"
|
||||||
#FIXME: for SSLv3 only we need to set tls_hexcode and the record layer TLS version correctly
|
elif $(has_server_protocol "tls1_2"); then
|
||||||
case $tls_proto_offered in
|
tls_hexcode="x03, x03"
|
||||||
12) tls_hexcode="x03, x03" ;;
|
elif $(has_server_protocol "ssl3"); then
|
||||||
11) tls_hexcode="x03, x02" ;;
|
tls_hexcode="x03, x00"
|
||||||
*) tls_hexcode="x03, x01" ;;
|
else # no protcol for some reason defined, determine TLS versions offered with a new handshake
|
||||||
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
|
case "$(get_protocol $TMPFILE)" in
|
||||||
|
*1.2) tls_hexcode="x03, x03" ;;
|
||||||
|
*1.1) tls_hexcode="x03, x02" ;;
|
||||||
|
TLSv1) tls_hexcode="x03, x01" ;;
|
||||||
|
SSLv3) tls_hexcode="x03, x00" ;;
|
||||||
esac
|
esac
|
||||||
|
fi
|
||||||
|
debugme echo "using protocol $tls_hexcode"
|
||||||
|
|
||||||
heartbleed_payload=", x18, $tls_hexcode, x00, x03, x01, x40, x00"
|
heartbleed_payload=", x18, $tls_hexcode, x00, x03, x01, x40, x00"
|
||||||
|
|
||||||
client_hello="
|
client_hello="
|
||||||
@ -8813,11 +8822,11 @@ run_ccs_injection(){
|
|||||||
tls_hexcode="x03, x03"
|
tls_hexcode="x03, x03"
|
||||||
elif $(has_server_protocol "ssl3"); then
|
elif $(has_server_protocol "ssl3"); then
|
||||||
tls_hexcode="x03, x00"
|
tls_hexcode="x03, x00"
|
||||||
else # no protcol for some reason defined, determine TLS versions offered with another handshake
|
else # no protcol for some reason defined, determine TLS versions offered with a new handshake
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
case "$(get_protocol $TMPFILE)" in
|
case "$(get_protocol $TMPFILE)" in
|
||||||
1.2) tls_hexcode="x03, x03" ;;
|
*1.2) tls_hexcode="x03, x03" ;;
|
||||||
1.1) tls_hexcode="x03, x02" ;;
|
*1.1) tls_hexcode="x03, x02" ;;
|
||||||
TLSv1) tls_hexcode="x03, x01" ;;
|
TLSv1) tls_hexcode="x03, x01" ;;
|
||||||
SSLv3) tls_hexcode="x03, x00" ;;
|
SSLv3) tls_hexcode="x03, x00" ;;
|
||||||
esac
|
esac
|
||||||
@ -8987,7 +8996,7 @@ run_ticketbleed() {
|
|||||||
tls_hexcode="x03, x03"
|
tls_hexcode="x03, x03"
|
||||||
elif $(has_server_protocol "ssl3"); then
|
elif $(has_server_protocol "ssl3"); then
|
||||||
tls_hexcode="x03, x00"
|
tls_hexcode="x03, x00"
|
||||||
else # no protocol for some reason defined, determine TLS versions offered with another handshake
|
else # no protocol for some reason defined, determine TLS versions offered with a new handshake
|
||||||
$OPENSSL s_client $BUGS $OPTIMAL_PROTO -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $BUGS $OPTIMAL_PROTO -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
case "$(get_protocol $TMPFILE)" in
|
case "$(get_protocol $TMPFILE)" in
|
||||||
*1.2) tls_hexcode="x03, x03" ;;
|
*1.2) tls_hexcode="x03, x03" ;;
|
||||||
@ -9085,7 +9094,7 @@ run_ticketbleed() {
|
|||||||
socksend "$client_hello" 0
|
socksend "$client_hello" 0
|
||||||
|
|
||||||
debugme tmln_out "\nreading server hello (ticketbleed reply)"
|
debugme tmln_out "\nreading server hello (ticketbleed reply)"
|
||||||
if [[ "$FAST_SOCKET" ]]; then
|
if "$FAST_SOCKET"; then
|
||||||
tls_hello_ascii=$(sockread_fast 32768)
|
tls_hello_ascii=$(sockread_fast 32768)
|
||||||
else
|
else
|
||||||
sockread_serverhello 32768 $CCS_MAX_WAITSOCK
|
sockread_serverhello 32768 $CCS_MAX_WAITSOCK
|
||||||
|
Loading…
Reference in New Issue
Block a user