diff --git a/CREDITS.md b/CREDITS.md index d5af372..00a613a 100644 --- a/CREDITS.md +++ b/CREDITS.md @@ -12,6 +12,9 @@ - Fix for HSTS + subdomains - LibreSSL patch +* Rechi + - initial MX stuff + * @nvsofts (NV) - LibreSSL patch for GOST diff --git a/Readme.md b/Readme.md index 6d78bd8..746855d 100644 --- a/Readme.md +++ b/Readme.md @@ -18,6 +18,6 @@ New features in this release are / will be * debug file handling (ongoing) * BEAST (works, need some polishing for the output) -Contributions, feedback, also bug reports are welcome. +Contributions, feedback, also bug reports are welcome. For contributions please note: One patch per feature -- bug fix/improvement. diff --git a/testssl.sh b/testssl.sh index 45ac47b..7acc47c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -367,24 +367,6 @@ runs_HTTP() { return $ret } -# Padding Oracle On Downgraded Legacy Encryption -poodle() { - pr_bold " POODLE "; out "(CVE-2014-3566), experimental " -# w/o downgrade check as of now https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 | TLS_FALLBACK_SCSV - $OPENSSL s_client -ssl3 $STARTTLS -connect $NODEIP:$PORT $SNI 2>$TMPFILE >/dev/null /dev/null ("level" c ".crt")} /---END CERTIFICATE-----/{inc=0}' - nrsaved=`ls $TEMPDIR/level?.crt | wc -w` + nrsaved=`ls $TEMPDIR/level?.crt 2>/dev/null | wc -w` outln " # of certificates provided $nrsaved" cd $savedir @@ -1309,6 +1290,7 @@ pfs() { } +# new ietf rfc is very strict: https://tools.ietf.org/html/rfc7465 rc4() { # shopt -s lastpipe # otherwise it's more tricky to access variables in a while loop outln @@ -2176,7 +2158,40 @@ crime() { return $ret } +# for appliance which use padding, no fallack needed +tls_poodle() { + pr_bold " POODLE, SSL"; out " CVE-2014-8730), experimental " + #FIXME + echo "#FIXME" + return 7 +} + +# Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3 +ssl_poodle() { + local ret + local cbc_ciphers + + pr_bold " POODLE, SSL"; out " (CVE-2014-3566), experimental " + cbc_ciphers=`$OPENSSL ciphers -v 'ALL:eNULL' | grep CBC | awk '{ print $1 }' | tr '\n' ':'` + debugme echo $cbc_ciphers + $OPENSSL s_client -ssl3 $STARTTLS -cipher $cbc_ciphers -connect $NODEIP:$PORT $SNI &>$TMPFILE $TMPFILE 2>&1 ret=$? if [ $ret -ne 0 ]; then - pr_bold "Problem: $OPENSSL couldn't estabilish STARTTLS via $protocol"; outln + pr_bold "Problem: $OPENSSL couldn't establish STARTTLS via $protocol"; outln cat $TMPFILE return 3 else @@ -2327,7 +2341,7 @@ starttls() { # ccs_injection ; ret=`expr $? + $ret` renego ; ret=`expr $? + $ret` crime ; ret=`expr $? + $ret` - poodle ; ret=`expr $? + $ret` + ssl_poodle ; ret=`expr $? + $ret` beast ; ret=`expr $? + $ret` rc4 ; ret=`expr $? + $ret` @@ -2374,13 +2388,14 @@ $PRG URI <-R|--renegotiation> tests only for renegotiation vulnerability <-C|--compression|--crime> tests only for CRIME vulnerability <-T|--breach> tests only for BREACH vulnerability - <-0|--poodle> tests only for POODLE vulnerability + <-O|--poodle> tests only for POODLE vulnerability <-A|--beast> tests only for BEAST vulnerability <-s|--pfs|--fs|--nsa> checks (perfect) forward secrecy settings <-4|--rc4|--appelbaum> which RC4 ciphers are being offered? <-H|--header|--headers> check for HSTS, HPKP and server/application banner string <-t|--starttls> protocol does a default run against a STARTTLS enabled service + <--mx> tests MX records from high to low priority (STARTTLS, port 25) partly mandatory parameters: @@ -2489,7 +2504,10 @@ cleanup () { # for now only GOST engine initialize_engine(){ - if uname -s | grep -q BSD || ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then + if ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then + pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln "\n" + return 1 + elif $OPENSSL engine gost -vvvv -t -c 2>&1 | grep -iq "No such" ; then pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln "\n" return 1 elif echo $osslver | grep -q LibreSSL; then @@ -2589,6 +2607,8 @@ parse_hn_port() { datebanner "Testing" [[ -z "$2" ]] && runs_HTTP # for starttls we don't check the protocol as it is supplied on the cmd line initialize_engine + + return 0 } @@ -2675,6 +2695,31 @@ datebanner() { } +mx_allentries() { + if which dig &> /dev/null; then + MXs=$(dig +short -t MX $1) + elif which host &> /dev/null; then + MXs=$(host -t MX $1 | grep 'handled by' | sed -e 's/^.*by //' -e 's/\.$//') + elif which nslookup &> /dev/null; then + MXs=$(nslookup -type=MX $1 2> /dev/null | grep 'mail exchanger = ' | sed 's/^.*mail exchanger = //g') + else + pr_magentaln 'No dig, host or nslookup' + exit 3 + fi + + # test first higher priority servers + MXs=$(echo "$MXs" | sort -n | sed -e 's/^.* //' -e 's/\.$//') + + if [ -n "$MXs" ] ; then + for MX in $MXs; do + parse_hn_port "$MX:25" 'smtp' && starttls 'smtp' + done + else + pr_boldln "$1 has no mail server(s)" + fi +} + + ################# main: ################# @@ -2704,6 +2749,10 @@ case "$1" in -b|--banner|-banner|-v|--version|-version) exit 0 ;; + --mx) + mx_allentries $2 + exit $? + ;; -V|--local) initialize_engine # GOST support prettyprint_local "$2" @@ -2791,11 +2840,11 @@ case "$1" in fi ret=`expr $? + $ret` exit $ret ;; - -0|--poodle) + -O|--ssl_poodle|poodle) maketempf parse_hn_port "$2" - outln; pr_blue "--> Testing for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability"; outln "\n" - poodle + outln; pr_blue "--> Testing for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, SSLv3"; outln "\n" + ssl_poodle exit $? ;; -4|--rc4|--appelbaum) maketempf @@ -2860,7 +2909,7 @@ case "$1" in renego ; ret=`expr $? + $ret` crime ; ret=`expr $? + $ret` [[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=`expr $? + $ret` - poodle ; ret=`expr $? + $ret` + ssl_poodle ; ret=`expr $? + $ret` beast ; ret=`expr $? + $ret` rc4 ; ret=`expr $? + $ret` @@ -2868,6 +2917,6 @@ case "$1" in exit $ret ;; esac -# $Id: testssl.sh,v 1.194 2015/02/22 22:05:39 dirkw Exp $ +# $Id: testssl.sh,v 1.198 2015/03/03 06:21:20 dirkw Exp $ # vim:ts=5:sw=5