diff --git a/testssl.sh b/testssl.sh
index 0e9fa3b..b165abb 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -339,8 +339,8 @@ pr_litegrey() { [[ "$COLOR" -eq 2 ]] && out "\033[0;37m$1" || out "$1"; pr_off
 pr_grey() { [[ "$COLOR" -eq 2 ]] && out "\033[1;30m$1" || out "$1"; pr_off; }
 pr_greyln() { pr_grey "$1"; outln; }
-pr_litegreen() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; } # This is good
-pr_litegreenln() { pr_litegreen "$1"; outln; }
+pr_done_good() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; } # This is good
+pr_done_goodln() { pr_done_good "$1"; outln; }
 pr_green() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # This is the best
 pr_greenln() { pr_green "$1"; outln; }
@@ -845,7 +845,7 @@ run_http_date() {
 includeSubDomains() {
 if grep -aiqw includeSubDomains "$1"; then
-pr_litegreen ", includeSubDomains"
+pr_done_good ", includeSubDomains"
 return 1
 else
 pr_litecyan ", just this domain"
@@ -855,7 +855,7 @@ includeSubDomains() {
 preload() {
 if grep -aiqw preload "$1"; then
-pr_litegreen ", preload"
+pr_done_good ", preload"
 return 1
 else
 return 0
@@ -879,7 +879,7 @@ run_hsts() {
 #FIXME: test for number!
 hsts_age_days=$(( hsts_age_sec / 86400))
 if [[ $hsts_age_days -gt $HSTS_MIN ]]; then
-pr_litegreen "$hsts_age_days days" ; out "=$hsts_age_sec s"
+pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
 fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days"
 else
 out "$hsts_age_sec s = "
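Review bot: The old names `pr_litegreen`/`pr_litegreenln` are removed outright in the `@@ -339` hunk with no compatibility shim, and bash only reports a missing function when the branch that calls it actually runs, so any call site this commit missed would surface as a runtime `command not found` inside a rarely-hit branch rather than at load time. A repo-wide search for the old names before merging, or a transitional `pr_litegreen() { pr_done_good "$@"; }` kept until callers are confirmed gone, would make the rename safe to ship. The trailing `# This is good` could also explain the new semantic name, e.g. `# semantic "good" finding: green, or blue when COLORBLIND is set; prefer this over colour-named helpers`.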
@@ -966,7 +966,7 @@ run_hpkp() {
 hpkp_age_sec=$(awk -F= '/max-age/{max_age=$2; print max_age}' $TMPFILE | sed -E 's/[^[:digit:]]//g')
 hpkp_age_days=$((hpkp_age_sec / 86400))
 if [[ $hpkp_age_days -ge $HPKP_MIN ]]; then
-pr_litegreen "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
+pr_done_good "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
 fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)"
 else
 out "$hpkp_age_sec s = "
@@ -995,7 +995,7 @@ run_hpkp() {
 while read hpkp_key; do
 if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
 out "\n$spaces matching host key: "
-pr_litegreen "$hpkp_key"
+pr_done_good "$hpkp_key"
 fileout "hpkp_keymatch" "OK" "Key matches a key pinned in the HPKP header"
 key_found=true
 fi
@@ -1169,7 +1169,7 @@ run_cookie_flags() { # ARG1: Path, ARG2: path
 nr_secure=$(grep -iac secure $TMPFILE)
 case $nr_secure in
 0) pr_brown "$negative_word" ;;
-[123456789]) pr_litegreen "$nr_secure/$nr_cookies";;
+[123456789]) pr_done_good "$nr_secure/$nr_cookies";;
 esac
 out " secure, "
 if [[ $nr_cookies == $nr_secure ]]; then
@@ -1180,7 +1180,7 @@ run_cookie_flags() { # ARG1: Path, ARG2: path
 nr_httponly=$(grep -cai httponly $TMPFILE)
 case $nr_httponly in
 0) pr_brown "$negative_word" ;;
-[123456789]) pr_litegreen "$nr_httponly/$nr_cookies";;
+[123456789]) pr_done_good "$nr_httponly/$nr_cookies";;
 esac
 out " HttpOnly"
 if [[ $nr_cookies == $nr_httponly ]]; then
@@ -1231,8 +1231,8 @@ run_more_flags() {
 first=false
 fi
 # extract and print key(=flag) in green:
-pr_litegreen "${result_str%%:*}:"
-#pr_litegreen "$(sed 's/:.*$/:/' <<< "$result_str")"
+pr_done_good "${result_str%%:*}:"
+#pr_done_good "$(sed 's/:.*$/:/' <<< "$result_str")"
 # print value in plain text:
 outln "${result_str#*:}"
 fileout "${result_str%%:*}" "OK" "${result_str%%:*}: ${result_str#*:}"
@@ -1376,7 +1376,7 @@ std_cipherlists() {
 pr_svrty_highln "offered (NOT ok)"
 fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - bad"
 else
-pr_litegreenln "not offered (OK)"
+pr_done_goodln "not offered (OK)"
 fileout "std_$4" "OK" "$2 not offered (OK)"
 fi
 ;;
@@ -2334,7 +2334,7 @@ read_dhbits_from_file() {
 elif [[ "$bits" -le 1280 ]]; then
 pr_brown "$bits $add"
 elif [[ "$bits" -ge 2048 ]]; then
-pr_litegreen "$bits $add"
+pr_done_good "$bits $add"
 else
 out "$bits $add"
 fi
@@ -2346,7 +2346,7 @@ read_dhbits_from_file() {
 elif [[ "$bits" -le 163 ]]; then
 pr_svrty_high "$bits $add"
 elif [[ "$bits" -ge 224 ]]; then
-pr_litegreen "$bits $add"
+pr_done_good "$bits $add"
 else
 out "$bits $add"
 fi
@@ -2428,7 +2428,7 @@ run_server_preference() {
 fileout "order_proto" "OK" "Default protocol TLS1.2 (OK)"
 ;;
 *TLSv1.1)
-pr_litegreenln $default_proto
+pr_done_goodln $default_proto
 fileout "order_proto" "OK" "Default protocol TLS1.1 (OK)"
 ;;
 *TLSv1)
@@ -2708,7 +2708,7 @@ determine_trust() {
 if [[ ${verify_retcode[i]} -eq 0 ]]; then
 trust[i]=true
 some_ok=true
-debugme pr_litegreen "Ok "
+debugme pr_done_good "Ok "
 debugme outln "${verify_retcode[i]}"
 else
 trust[i]=false
@@ -2722,7 +2722,7 @@ determine_trust() {
 debugme out " "
 if $all_ok; then
 # all stores ok
-pr_litegreen "Ok "; pr_litemagenta "$addtl_warning"
+pr_done_good "Ok "; pr_litemagenta "$addtl_warning"
 fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning"
 else
 # at least one failed
@@ -2752,7 +2752,7 @@ determine_trust() {
 outln # lf + green ones
 [[ "$DEBUG" -eq 0 ]] && out "$spaces"
-pr_litegreen "OK: $ok_was"
+pr_done_good "OK: $ok_was"
 fi
 fileout "${json_prefix}trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
 fi
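Review bot: In the `@@ -2428` hunk the renamed line still passes the variable unquoted, `pr_done_goodln $default_proto`, so a value containing whitespace or glob characters would be word-split before reaching the helper, which prints only `$1`. The value has just matched the `*TLSv1.1)` arm, so the practical risk is low, but since the line is being rewritten anyway it should read `pr_done_goodln "$default_proto"`. The enclosing `case` and the body of run_server_preference begin and end outside the hunk; the remaining hunks on this line are the pure rename and need nothing further.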
@@ -2927,19 +2927,19 @@ certificate_info() {
 fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
 ;;
 sha256WithRSAEncryption)
-pr_litegreenln "SHA256 with RSA"
+pr_done_goodln "SHA256 with RSA"
 fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
 ;;
 sha384WithRSAEncryption)
-pr_litegreenln "SHA384 with RSA"
+pr_done_goodln "SHA384 with RSA"
 fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
 ;;
 sha512WithRSAEncryption)
-pr_litegreenln "SHA512 with RSA"
+pr_done_goodln "SHA512 with RSA"
 fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
 ;;
 ecdsa-with-SHA256)
-pr_litegreenln "ECDSA with SHA256"
+pr_done_goodln "ECDSA with SHA256"
 fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
 ;;
 md5*)
@@ -2978,7 +2978,7 @@ certificate_info() {
 out "$keysize"
 fileout "${json_prefix}key_size" "INFO" "Server keys $keysize EC bits"
 elif [[ "$keysize" -le 533 ]]; then
-pr_litegreen "$keysize"
+pr_done_good "$keysize"
 fileout "${json_prefix}key_size" "OK" "Server keys $keysize EC bits (OK)"
 else
 out "keysize: $keysize (not expected, FIXME)"
@@ -3002,7 +3002,7 @@ certificate_info() {
 outln "$keysize bits"
 fileout "${json_prefix}key_size" "INFO" "Server keys $keysize bits"
 elif [[ "$keysize" -le 4096 ]]; then
-pr_litegreen "$keysize"
+pr_done_good "$keysize"
 fileout "${json_prefix}key_size" "OK" "Server keys $keysize bits (OK)"
 outln " bits"
 else
@@ -3184,7 +3184,7 @@ certificate_info() {
 secs2warn=$((24 * 60 * 60 * DAYS2WARN1))
 expire=$($OPENSSL x509 -in $HOSTCERT -checkend $secs2warn 2>>$ERRFILE)
 if echo "$expire" | grep -qw not; then
-pr_litegreen "$days2expire >= $DAYS2WARN1 days"
+pr_done_good "$days2expire >= $DAYS2WARN1 days"
 expfinding+="$days2expire >= $DAYS2WARN1 days"
 else
 pr_brown "expires < $DAYS2WARN1 days ($days2expire)"
@@ -3242,7 +3242,7 @@ certificate_info() {
 fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered"
 else
 if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
-pr_litegreen "offered"
+pr_done_good "offered"
 fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
 else
 if $GOST_STATUS_PROBLEM; then
@@ -3438,7 +3438,7 @@ run_pfs() {
 else
 pfs_offered=true
 pfs_ciphers=""
-pr_litegreen " PFS is offered (OK)"
+pr_done_good " PFS is offered (OK)"
 fileout "pfs" "OK" "(Perfect) Forward Secrecy : PFS is offered (OK)"
 if $WIDE; then
 outln ", ciphers follow (client/browser support is important here) \n"
@@ -4548,7 +4548,7 @@ run_renego() {
 echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE &
 wait_kill $! $HEADER_MAXSLEEP
 if [[ $? -eq 3 ]]; then
-pr_litegreen "likely not vulnerable (OK)"; outln " (timed out)" # it hung
+pr_done_good "likely not vulnerable (OK)"; outln " (timed out)" # it hung
 fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : likely not vulnerable (OK) (timed out)"
 sec_client_renego=1
 else
@@ -4561,7 +4561,7 @@ run_renego() {
 fileout "sec_client_renego" "NOT OK" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat"
 ;;
 1)
-pr_litegreenln "not vulnerable (OK)"
+pr_done_goodln "not vulnerable (OK)"
 fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : not vulnerable (OK)"
 ;;
 *)
@@ -4602,7 +4602,7 @@ run_crime() {
 [[ "$OSSL_VER" == "0.9.8"* ]] && addcmd="-no_ssl2"
 $OPENSSL s_client $OPTIMAL_PROTO $BUGS $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $TMPFILE
 if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
-pr_litegreen "not vulnerable (OK)"
+pr_done_good "not vulnerable (OK)"
 if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then
 out " (not using HTTP anyway)"
 fileout "crime" "OK" "CRIME, TLS (CVE-2012-4929) : Not vulnerable (OK) (not using HTTP anyway)"
@@ -4782,7 +4782,7 @@ run_tls_fallback_scsv() {
 # first: make sure we have tls1_2:
 $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 >$TMPFILE 2>$ERRFILE $TMPFILE 2>>$ERRFILE