	renamed pr_litegreen to pr_done_good
										74
									
								
								testssl.sh
									
									
									
									
									
								
							
							
						
						
									
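--- a/testssl.sh
+++ b/testssl.sh
@@ -339,8 +339,8 @@ pr_litegrey()   { [[ "$COLOR" -eq 2 ]] && out "\033[0;37m$1" || out "$1"; pr_off
 pr_grey()       { [[ "$COLOR" -eq 2 ]] && out "\033[1;30m$1" || out "$1"; pr_off; }
 pr_greyln()     { pr_grey "$1"; outln; }
 
-pr_litegreen()   { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; }   # This is good
-pr_litegreenln() { pr_litegreen "$1"; outln; }
+pr_done_good()   { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; }   # This is good
+pr_done_goodln() { pr_done_good "$1"; outln; }
 pr_green()       { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) ||  out "$1"; pr_off; }  # This is the best 
 pr_greenln()     { pr_green "$1"; outln; }
 
@@ -845,7 +845,7 @@ run_http_date() {
 
 includeSubDomains() {
      if grep -aiqw includeSubDomains "$1"; then
-          pr_litegreen ", includeSubDomains"
+          pr_done_good ", includeSubDomains"
           return 1
      else
           pr_litecyan ", just this domain"
@@ -855,7 +855,7 @@ includeSubDomains() {
 
 preload() {
      if grep -aiqw preload "$1"; then
-          pr_litegreen ", preload"
+          pr_done_good ", preload"
           return 1
      else
           return 0
@@ -879,7 +879,7 @@ run_hsts() {
 #FIXME: test for number!
           hsts_age_days=$(( hsts_age_sec / 86400))
           if [[ $hsts_age_days -gt $HSTS_MIN ]]; then
-               pr_litegreen "$hsts_age_days days" ; out "=$hsts_age_sec s"
+               pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
                fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days"
           else
                out "$hsts_age_sec s = "
@@ -966,7 +966,7 @@ run_hpkp() {
           hpkp_age_sec=$(awk -F= '/max-age/{max_age=$2; print max_age}' $TMPFILE | sed -E 's/[^[:digit:]]//g')
           hpkp_age_days=$((hpkp_age_sec / 86400))
           if [[ $hpkp_age_days -ge $HPKP_MIN ]]; then
-               pr_litegreen "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
+               pr_done_good "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
                fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)"
           else
                out "$hpkp_age_sec s = "
@@ -995,7 +995,7 @@ run_hpkp() {
           while read hpkp_key; do
                if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
                     out "\n$spaces matching host key: "
-                    pr_litegreen "$hpkp_key"
+                    pr_done_good "$hpkp_key"
                     fileout "hpkp_keymatch" "OK" "Key matches a key pinned in the HPKP header"
                     key_found=true
                fi
@@ -1169,7 +1169,7 @@ run_cookie_flags() {     # ARG1: Path, ARG2: path
           nr_secure=$(grep -iac secure $TMPFILE)
           case $nr_secure in
                0) pr_brown "$negative_word" ;;
-               [123456789]) pr_litegreen "$nr_secure/$nr_cookies";;
+               [123456789]) pr_done_good "$nr_secure/$nr_cookies";;
           esac
           out " secure, "
           if [[ $nr_cookies == $nr_secure ]]; then
@@ -1180,7 +1180,7 @@ run_cookie_flags() {     # ARG1: Path, ARG2: path
           nr_httponly=$(grep -cai httponly $TMPFILE)
           case $nr_httponly in
                0) pr_brown "$negative_word" ;;
-               [123456789]) pr_litegreen "$nr_httponly/$nr_cookies";;
+               [123456789]) pr_done_good "$nr_httponly/$nr_cookies";;
           esac
           out " HttpOnly"
           if [[ $nr_cookies == $nr_httponly ]]; then
@@ -1231,8 +1231,8 @@ run_more_flags() {
                     first=false
                fi
                # extract and print key(=flag) in green:
-               pr_litegreen "${result_str%%:*}:"
-               #pr_litegreen "$(sed 's/:.*$/:/' <<< "$result_str")"
+               pr_done_good "${result_str%%:*}:"
+               #pr_done_good "$(sed 's/:.*$/:/' <<< "$result_str")"
                # print value in plain text:
                outln "${result_str#*:}"
                fileout "${result_str%%:*}" "OK" "${result_str%%:*}: ${result_str#*:}"
@@ -1376,7 +1376,7 @@ std_cipherlists() {
                          pr_svrty_highln "offered (NOT ok)"
                          fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - bad"
                     else
-                         pr_litegreenln "not offered (OK)"
+                         pr_done_goodln "not offered (OK)"
                          fileout "std_$4" "OK" "$2 not offered (OK)"
                     fi
                     ;;
@@ -2334,7 +2334,7 @@ read_dhbits_from_file() {
           elif [[ "$bits" -le 1280 ]]; then
                pr_brown "$bits $add"
           elif [[ "$bits" -ge 2048 ]]; then
-               pr_litegreen "$bits $add"
+               pr_done_good "$bits $add"
           else
                out "$bits $add"
           fi
@@ -2346,7 +2346,7 @@ read_dhbits_from_file() {
           elif [[ "$bits" -le 163 ]]; then
                pr_svrty_high "$bits $add"
           elif [[ "$bits" -ge 224 ]]; then
-               pr_litegreen "$bits $add"
+               pr_done_good "$bits $add"
           else
                out "$bits $add"
           fi
@@ -2428,7 +2428,7 @@ run_server_preference() {
                     fileout "order_proto" "OK" "Default protocol TLS1.2 (OK)"
                     ;;
                *TLSv1.1)
-                    pr_litegreenln $default_proto
+                    pr_done_goodln $default_proto
                     fileout "order_proto" "OK" "Default protocol TLS1.1 (OK)"
                     ;;
                *TLSv1)
@@ -2708,7 +2708,7 @@ determine_trust() {
 		if [[ ${verify_retcode[i]} -eq 0 ]]; then
 			trust[i]=true
 			some_ok=true
-			debugme pr_litegreen "Ok   "
+			debugme pr_done_good "Ok   "
 			debugme outln "${verify_retcode[i]}"
 		else
 			trust[i]=false
@@ -2722,7 +2722,7 @@ determine_trust() {
      debugme out " "
 	if $all_ok; then
 	     # all stores ok
-		pr_litegreen "Ok   "; pr_litemagenta "$addtl_warning"
+		pr_done_good "Ok   "; pr_litemagenta "$addtl_warning"
           fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning"
 	else
 	     # at least one failed
@@ -2752,7 +2752,7 @@ determine_trust() {
                     outln
 				# lf + green ones
                     [[ "$DEBUG" -eq 0 ]] && out "$spaces"
-				pr_litegreen "OK: $ok_was"
+				pr_done_good "OK: $ok_was"
                fi
                fileout "${json_prefix}trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was  NOT ok: $notok_was $addtl_warning"
           fi
@@ -2927,19 +2927,19 @@ certificate_info() {
                fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
                ;;
           sha256WithRSAEncryption)
-               pr_litegreenln "SHA256 with RSA"
+               pr_done_goodln "SHA256 with RSA"
                fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
                ;;
           sha384WithRSAEncryption)
-               pr_litegreenln "SHA384 with RSA"
+               pr_done_goodln "SHA384 with RSA"
                fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
                ;;
           sha512WithRSAEncryption)
-               pr_litegreenln "SHA512 with RSA"
+               pr_done_goodln "SHA512 with RSA"
                fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
                ;;
           ecdsa-with-SHA256)
-               pr_litegreenln "ECDSA with SHA256"
+               pr_done_goodln "ECDSA with SHA256"
                fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
                ;;
           md5*)
@@ -2978,7 +2978,7 @@ certificate_info() {
                     out "$keysize"
                     fileout "${json_prefix}key_size" "INFO" "Server keys $keysize EC bits"
                elif [[ "$keysize" -le 533 ]]; then
-                    pr_litegreen "$keysize"
+                    pr_done_good "$keysize"
                     fileout "${json_prefix}key_size" "OK" "Server keys $keysize EC bits (OK)"
                else
                     out "keysize: $keysize (not expected, FIXME)"
@@ -3002,7 +3002,7 @@ certificate_info() {
                     outln "$keysize bits"
                     fileout "${json_prefix}key_size" "INFO" "Server keys $keysize bits"
                elif [[ "$keysize" -le 4096 ]]; then
-                    pr_litegreen "$keysize"
+                    pr_done_good "$keysize"
                     fileout "${json_prefix}key_size" "OK" "Server keys $keysize bits (OK)"
                     outln " bits"
                else
@@ -3184,7 +3184,7 @@ certificate_info() {
                secs2warn=$((24 * 60 * 60 * DAYS2WARN1))
                expire=$($OPENSSL x509 -in $HOSTCERT -checkend $secs2warn 2>>$ERRFILE)
                if echo "$expire" | grep -qw not; then
-                    pr_litegreen "$days2expire >= $DAYS2WARN1 days"
+                    pr_done_good "$days2expire >= $DAYS2WARN1 days"
                     expfinding+="$days2expire >= $DAYS2WARN1 days"
                else
                     pr_brown "expires < $DAYS2WARN1 days ($days2expire)"
@@ -3242,7 +3242,7 @@ certificate_info() {
           fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered"
      else
           if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
-               pr_litegreen "offered"
+               pr_done_good "offered"
                fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
           else
                if $GOST_STATUS_PROBLEM; then
@@ -3438,7 +3438,7 @@ run_pfs() {
      else
           pfs_offered=true
           pfs_ciphers=""
-          pr_litegreen " PFS is offered (OK)"
+          pr_done_good " PFS is offered (OK)"
           fileout "pfs" "OK" "(Perfect) Forward Secrecy : PFS is offered (OK)"
           if $WIDE; then
                outln ", ciphers follow (client/browser support is important here) \n"
@@ -4548,7 +4548,7 @@ run_renego() {
           echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE &
           wait_kill $! $HEADER_MAXSLEEP
           if [[ $? -eq 3 ]]; then
-               pr_litegreen "likely not vulnerable (OK)"; outln " (timed out)"       # it hung
+               pr_done_good "likely not vulnerable (OK)"; outln " (timed out)"       # it hung
                fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : likely not vulnerable (OK) (timed out)"
                sec_client_renego=1
           else
@@ -4561,7 +4561,7 @@ run_renego() {
                          fileout "sec_client_renego" "NOT OK" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat"
                          ;;
                     1)
-                         pr_litegreenln "not vulnerable (OK)"
+                         pr_done_goodln "not vulnerable (OK)"
                          fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : not vulnerable (OK)"
                          ;;
                     *)
@@ -4602,7 +4602,7 @@ run_crime() {
      [[ "$OSSL_VER" == "0.9.8"* ]] && addcmd="-no_ssl2"
      $OPENSSL s_client $OPTIMAL_PROTO $BUGS $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI </dev/null &>$TMPFILE
      if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
-          pr_litegreen "not vulnerable (OK)"
+          pr_done_good "not vulnerable (OK)"
           if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH;  then
                out " (not using HTTP anyway)"
                fileout "crime" "OK" "CRIME, TLS (CVE-2012-4929) : Not vulnerable (OK) (not using HTTP anyway)"
@@ -4782,7 +4782,7 @@ run_tls_fallback_scsv() {
      # first: make sure we have tls1_2:
      $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 >$TMPFILE 2>$ERRFILE </dev/null
      if ! sclient_connect_successful $? $TMPFILE; then
-          pr_litegreen "No fallback possible, TLS 1.2 is the only protocol (OK)"
+          pr_done_good "No fallback possible, TLS 1.2 is the only protocol (OK)"
           ret=7
      else
           # ...and do the test (we need to parse the error here!)
@@ -4793,7 +4793,7 @@ run_tls_fallback_scsv() {
                     fileout "fallback_scsv" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
                     ret=1
                elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
-                    pr_litegreen "Downgrade attack prevention supported (OK)"
+                    pr_done_good "Downgrade attack prevention supported (OK)"
                     fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported (OK)"
                     ret=0
                elif grep -qa "alert handshake failure" "$TMPFILE"; then
@@ -4963,7 +4963,7 @@ run_beast(){
           $OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
           if ! sclient_connect_successful $? $TMPFILE; then      # protocol supported?
                if "$continued"; then                             # second round: we hit TLS1
-                    pr_litegreenln "no SSL3 or TLS1 (OK)"
+                    pr_done_goodln "no SSL3 or TLS1 (OK)"
                     fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
                     return 0
                else                # protocol not succeeded but it's the first time
@@ -5031,12 +5031,12 @@ run_beast(){
                     first=false
                else
                     [[ $proto == "tls1" ]] && ! $first && echo -n "$spaces "
-                    pr_litegreenln "no CBC ciphers for $(toupper $proto) (OK)"
+                    pr_done_goodln "no CBC ciphers for $(toupper $proto) (OK)"
                     first=false
                fi
           else
                if ! "$vuln_beast" ; then
-                    pr_litegreenln " no CBC ciphers for $(toupper $proto) (OK)"
+                    pr_done_goodln " no CBC ciphers for $(toupper $proto) (OK)"
                     fileout "cbc_$proto" "OK" "BEAST (CVE-2011-3389) : No CBC ciphers for $(toupper $proto) (OK)"
                fi
           fi
@@ -5066,7 +5066,7 @@ run_beast(){
                fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
           fi
      fi
-     "$first" && ! "$vuln_beast" && pr_litegreenln "no CBC ciphers found for any protocol (OK)"
+     "$first" && ! "$vuln_beast" && pr_done_goodln "no CBC ciphers found for any protocol (OK)"
 
      tmpfile_handle $FUNCNAME.txt
      return 0
@@ -5140,7 +5140,7 @@ run_rc4() {
           "$WIDE" && pr_svrty_high "VULNERABLE (NOT ok)"
           fileout "rc4" "NOT OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected"
      else
-          pr_litegreenln "no RC4 ciphers detected (OK)"
+          pr_done_goodln "no RC4 ciphers detected (OK)"
           fileout "rc4" "OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : not vulnerable (OK)"
           rc4_offered=0
      fi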
	 Thomas Martens
					Thomas Martens