From 8aa8254c2d63f224d4c3a3c4080afb4fe4a38791 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 23 Feb 2015 10:40:10 +0100 Subject: [PATCH 01/10] - FIX #62 (CentOS 7/RHEL: engine failure), was not usable b4 --- testssl.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 45ac47b..a45e99f 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2489,7 +2489,10 @@ cleanup () { # for now only GOST engine initialize_engine(){ - if uname -s | grep -q BSD || ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then + if ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then + pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln "\n" + return 1 + elif $OPENSSL engine gost -vvvv -t -c 2>&1 | grep -iq "No such" ; then pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln "\n" return 1 elif echo $osslver | grep -q LibreSSL; then @@ -2868,6 +2871,6 @@ case "$1" in exit $ret ;; esac -# $Id: testssl.sh,v 1.194 2015/02/22 22:05:39 dirkw Exp $ +# $Id: testssl.sh,v 1.195 2015/02/23 09:40:09 dirkw Exp $ # vim:ts=5:sw=5 From 5440b24b925f5bb5a19e62186c25974c41250d3c Mon Sep 17 00:00:00 2001 From: Peter Mosmans Date: Tue, 24 Feb 2015 14:57:43 +1000 Subject: [PATCH 02/10] FIX: minor spelling issue --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 45ac47b..fe795ad 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2308,7 +2308,7 @@ starttls() { $OPENSSL s_client -connect $NODEIP:$PORT $SNI -starttls $protocol $TMPFILE 2>&1 ret=$? if [ $ret -ne 0 ]; then - pr_bold "Problem: $OPENSSL couldn't estabilish STARTTLS via $protocol"; outln + pr_bold "Problem: $OPENSSL couldn't establish STARTTLS via $protocol"; outln cat $TMPFILE return 3 else From 274ee394e899a89e1807dd4d2d1ffc3217c73eec Mon Sep 17 00:00:00 2001 
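Review bot: The new `elif` branch re-runs the very same `$OPENSSL engine gost -vvvv -t -c` probe and has a body identical to the `if` branch, so the two can be folded into one condition: `if ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1 || $OPENSSL engine gost -vvvv -t -c 2>&1 | grep -iq "No such"; then`. The removed `uname -s | grep -q BSD ||` short-circuit is not explained in the commit message; if BSD builds are now expected to pass the engine probe on their own, a one-line comment saying so would stop the next reader from re-adding it. `$OPENSSL` and `$osslver` are expanded unquoted throughout the hunk; `"$OPENSSL"` is the safer form if the binary path can contain spaces. initialize_engine continues past the end of the hunk.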
From: =?UTF-8?q?Marc=20Sch=C3=BCtz?= Date: Tue, 24 Feb 2015 18:10:28 +0100 Subject: [PATCH 03/10] Don't let error message slip through when no certs have been downloaded --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index dc57005..2ea445d 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1192,7 +1192,7 @@ server_defaults() { savedir=`pwd`; cd $TEMPDIR $OPENSSL s_client -showcerts $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null ("level" c ".crt")} /---END CERTIFICATE-----/{inc=0}' - nrsaved=`ls $TEMPDIR/level?.crt | wc -w` + nrsaved=`ls $TEMPDIR/level?.crt 2>/dev/null | wc -w` outln " # of certificates provided $nrsaved" cd $savedir From 29214c7a1fa2d8a968746b031a51e3e8d5346e93 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 27 Feb 2015 21:21:39 +0100 Subject: [PATCH 04/10] - better detection for ssl poodle - change of shorticut from zero to letter o --- testssl.sh | 67 ++++++++++++++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 27 deletions(-) diff --git a/testssl.sh b/testssl.sh index 2ea445d..43ffaca 100755 --- a/testssl.sh +++ b/testssl.sh @@ -367,24 +367,6 @@ runs_HTTP() { return $ret } -# Padding Oracle On Downgraded Legacy Encryption -poodle() { - pr_bold " POODLE "; out "(CVE-2014-3566), experimental " -# w/o downgrade check as of now https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 | TLS_FALLBACK_SCSV - $OPENSSL s_client -ssl3 $STARTTLS -connect $NODEIP:$PORT $SNI 2>$TMPFILE >/dev/null $TMPFILE URI <-R|--renegotiation> tests only for renegotiation vulnerability <-C|--compression|--crime> tests only for CRIME vulnerability <-T|--breach> tests only for BREACH vulnerability - <-0|--poodle> tests only for POODLE vulnerability + <-O|--poodle> tests only for POODLE vulnerability <-A|--beast> tests only for BEAST vulnerability <-s|--pfs|--fs|--nsa> checks (perfect) forward secrecy settings <-4|--rc4|--appelbaum> which RC4 ciphers are being offered? 
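Review bot: The `ls ... | wc -w` count still tallies whitespace-separated words of the `ls` output, so a `$TEMPDIR` containing a space inflates "# of certificates provided"; since piped `ls` prints one entry per line, `wc -l` gives the file count: `nrsaved=$(ls "$TEMPDIR"/level?.crt 2>/dev/null | wc -l)`. The added `2>/dev/null` also hides an unset or unreadable `$TEMPDIR`, which would then be reported as zero certificates instead of as an error; a preceding `[ -d "$TEMPDIR" ] || return 1` keeps that case visible. The `s_client`/`awk` pipeline above the changed line appears truncated in this rendering, so only the counting line is reviewed here. server_defaults continues outside the hunk.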
@@ -2794,11 +2807,11 @@ case "$1" in fi ret=`expr $? + $ret` exit $ret ;; - -0|--poodle) + -O|--ssl_poodle|poodle) maketempf parse_hn_port "$2" - outln; pr_blue "--> Testing for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability"; outln "\n" - poodle + outln; pr_blue "--> Testing for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, SSLv3"; outln "\n" + ssl_poodle exit $? ;; -4|--rc4|--appelbaum) maketempf @@ -2863,7 +2876,7 @@ case "$1" in renego ; ret=`expr $? + $ret` crime ; ret=`expr $? + $ret` [[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=`expr $? + $ret` - poodle ; ret=`expr $? + $ret` + ssl_poodle ; ret=`expr $? + $ret` beast ; ret=`expr $? + $ret` rc4 ; ret=`expr $? + $ret` @@ -2871,6 +2884,6 @@ case "$1" in exit $ret ;; esac -# $Id: testssl.sh,v 1.195 2015/02/23 09:40:09 dirkw Exp $ +# $Id: testssl.sh,v 1.196 2015/02/27 20:21:37 dirkw Exp $ # vim:ts=5:sw=5 From 81afa4375533d7ce6413d0af67052ec3c88b2625 Mon Sep 17 00:00:00 2001 From: Rechi Date: Tue, 24 Feb 2015 21:22:59 +0100 Subject: [PATCH 05/10] Check MX Records (#41) --- testssl.sh | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 43ffaca..8cb7936 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2588,7 +2588,7 @@ parse_hn_port() { # check if we can connect to port if ! fd_socket; then ignore_no_or_lame "Ignore? " - [ $? -ne 0 ] && exit 3 + [ $? -ne 0 ] && return 3 fi close_socket @@ -2609,6 +2609,7 @@ parse_hn_port() { get_dns_entries() { + IP4=''; IP6='' test4iponly=`printf $NODE | sed -e 's/[0-9]//g' -e 's/\.//g'` if [ "x$test4iponly" == "x" ]; then # only an IPv4 address was supplied IP4=$NODE 
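Review bot: The new pattern `-O|--ssl_poodle|poodle)` accepts a bare `poodle` with no leading dash, which matches no other option in this `case` and disagrees with the help text in the earlier hunk, which advertises `<-O|--poodle>`; the two should agree, e.g. `-O|--poodle|--ssl_poodle)`. As written, the `--poodle` spelling that the usage text documents is not accepted at all after this change. The old `-0` (zero) form is dropped without an alias; if existing invocations used it, `-0|-O|--poodle|--ssl_poodle)` keeps them working at no cost. The new `ssl_poodle` function body is not visible in this rendering, so only the dispatch is reviewed.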
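Review bot: Turning `exit 3` into `return 3` makes the "Ignore?" refusal a status code that callers must check, but the `case` arms in this file invoke `parse_hn_port "$2"` as a bare statement (see the `-O|--ssl_poodle|poodle)` arm above) and then run the test regardless, so refusing the prompt no longer stops the run in any mode except the new `--mx` loop. Either check the status at each call site, `parse_hn_port "$2" || exit $?`, or keep `exit 3` here and handle the per-MX case inside `mx_allentries`. parse_hn_port continues outside the hunk.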
@@ -2691,6 +2692,32 @@ datebanner() { } +mx_allentries() { + + HOST=$1 + if which dig &> /dev/null; then + MXs=$(dig +short -t MX $HOST | grep '\d ') + elif which host &> /dev/null; then + MXs=$(host -t MX $HOST | grep 'handled by' | sed -e 's/^.*by //' -e 's/\.$//') + elif which nslookup &> /dev/null; then + MXs=$(nslookup -type=MX $HOST 2> /dev/null | grep 'mail exchanger = ' | awk '$5 ~ /[0-9]+/ {print $5 " " $NF}') + else + pr_redln 'No dig, host or nslookup' + exit -1 + fi + + MXs=$(echo "$MXs" | sort -n | sed -e 's/^.* //' -e 's/\.$//') + + if [ -n "$MXs" ] ; then + for MX in $MXs; do + parse_hn_port "$MX:25" 'smtp' && starttls 'smtp' + done + else + pr_magentaln "$HOST has no Mail Server(s)" + fi +} + + ################# main: ################# @@ -2720,6 +2747,10 @@ case "$1" in -b|--banner|-banner|-v|--version|-version) exit 0 ;; + --mx) + mx_allentries $2 + exit $? + ;; -V|--local) initialize_engine # GOST support prettyprint_local "$2" From 3f55de14836051e4e9244b4410cc11fcdb85acb9 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 2 Mar 2015 13:59:45 +0100 Subject: [PATCH 06/10] Update Readme.md --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 6d78bd8..746855d 100644 --- a/Readme.md +++ b/Readme.md @@ -18,6 +18,6 @@ New features in this release are / will be * debug file handling (ongoing) * BEAST (works, need some polishing for the output) -Contributions, feedback, also bug reports are welcome. +Contributions, feedback, also bug reports are welcome. For contributions please note: One patch per feature -- bug fix/improvement. From 37fa44cecf203b3adbbb92029dabe08109f26475 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 2 Mar 2015 14:09:34 +0100 Subject: [PATCH 07/10] - remark about rc4 rfc --- testssl.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/testssl.sh b/testssl.sh index 43ffaca..6c3c351 100755 --- a/testssl.sh +++ b/testssl.sh 
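Review bot: In `MXs=$(dig +short -t MX $HOST | grep '\d ')`, `\d` is not a POSIX BRE class and GNU grep treats it as a literal `d`, so the filter keeps only lines containing `d ` and in practice discards every MX record; match the priority field instead: `MXs=$(dig +short -t MX "$HOST" | grep '^[0-9]')`. `exit -1` is outside the 0–255 range bash accepts and is reported as 255; a small positive code such as `exit 3`, like the script's other error paths, is clearer. `HOST`, `MXs` and `MX` are assigned without `local`, so they leak into the global scope and `HOST` can clobber an environment variable of that name; `local HOST=$1` and `local MXs MX` at the top of the function fix that. `$HOST` is also unquoted in all three resolver calls, so word splitting and globbing apply to the user-supplied name.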
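Review bot: `mx_allentries $2` passes the domain unquoted and with no check that an argument was given; with `--mx` alone, `$2` is empty and the resolver is invoked without a name, so the result is whatever the tool does by default rather than an error. Quote it and fail early: `[ -n "$2" ] || exit 1` (ideally after printing the usage text) followed by `mx_allentries "$2"`. The usage block in this commit does not yet list `--mx`, so a user has no way to discover the option from `--help`.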
@@ -1290,6 +1290,7 @@ pfs() { } +# new ietf rfc is very strict: https://tools.ietf.org/html/rfc7465 rc4() { # shopt -s lastpipe # otherwise it's more tricky to access variables in a while loop outln From 55e89082349d4a10db25682c134e77a26902f563 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 2 Mar 2015 14:42:28 +0100 Subject: [PATCH 08/10] - finalize mx records, FIX: #41 --- testssl.sh | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/testssl.sh b/testssl.sh index f00c30a..6484a07 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2395,6 +2395,7 @@ $PRG URI <-H|--header|--headers> check for HSTS, HPKP and server/application banner string <-t|--starttls> protocol does a default run against a STARTTLS enabled service + <--mx> tests MX records from high to low priority (STARTTLS, port 25) partly mandatory parameters: @@ -2589,7 +2590,7 @@ parse_hn_port() { # check if we can connect to port if ! fd_socket; then ignore_no_or_lame "Ignore? " - [ $? -ne 0 ] && return 3 + [ $? -ne 0 ] && exit 3 fi close_socket @@ -2606,11 +2607,12 @@ parse_hn_port() { datebanner "Testing" [[ -z "$2" ]] && runs_HTTP # for starttls we don't check the protocol as it is supplied on the cmd line initialize_engine + + return 0 } get_dns_entries() { - IP4=''; IP6='' test4iponly=`printf $NODE | sed -e 's/[0-9]//g' -e 's/\.//g'` if [ "x$test4iponly" == "x" ]; then # only an IPv4 address was supplied IP4=$NODE 
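Review bot: Dropping `IP4=''; IP6=''` from get_dns_entries lets a stale address from the previous MX host survive into the next iteration of the `mx_allentries` loop, which is the only path that calls parse_hn_port repeatedly in one process; if the rest of get_dns_entries (outside the hunk) only assigns `IP4`/`IP6` when a lookup succeeds, a failed lookup for the second host silently reuses the first host's address. Keeping the reset, or clearing both variables in `mx_allentries` before each `parse_hn_port "$MX:25"` call, avoids that. The `return 0` added at the end of parse_hn_port is what makes the `parse_hn_port ... && starttls` chain work, because `initialize_engine` returns 1 when GOST is unavailable; a short comment, `# explicit success: initialize_engine's status must not become ours`, would keep it from being removed as redundant later. The `exit 3` restored in the hunk above aborts the whole MX loop when the user declines the prompt, which is defensible but worth a comment at that line.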
@@ -2694,27 +2696,26 @@ datebanner() { mx_allentries() { - - HOST=$1 if which dig &> /dev/null; then - MXs=$(dig +short -t MX $HOST | grep '\d ') + MXs=$(dig +short -t MX $1) elif which host &> /dev/null; then - MXs=$(host -t MX $HOST | grep 'handled by' | sed -e 's/^.*by //' -e 's/\.$//') + MXs=$(host -t MX $1 | grep 'handled by' | sed -e 's/^.*by //' -e 's/\.$//') elif which nslookup &> /dev/null; then - MXs=$(nslookup -type=MX $HOST 2> /dev/null | grep 'mail exchanger = ' | awk '$5 ~ /[0-9]+/ {print $5 " " $NF}') + MXs=$(nslookup -type=MX $1 2> /dev/null | grep 'mail exchanger = ' | sed 's/^.*mail exchanger = //g') else - pr_redln 'No dig, host or nslookup' - exit -1 + pr_magentaln 'No dig, host or nslookup' + exit 3 fi - MXs=$(echo "$MXs" | sort -n | sed -e 's/^.* //' -e 's/\.$//') + # test first higher priority servers + MXs=$(echo "$MXs" | sort -nr | sed -e 's/^.* //' -e 's/\.$//') if [ -n "$MXs" ] ; then for MX in $MXs; do parse_hn_port "$MX:25" 'smtp' && starttls 'smtp' done else - pr_magentaln "$HOST has no Mail Server(s)" + pr_boldln "$1 has no mail server(s)" fi } @@ -2748,7 +2749,7 @@ case "$1" in -b|--banner|-banner|-v|--version|-version) exit 0 ;; - --mx) + --mx) mx_allentries $2 exit $? ;; @@ -2916,6 +2917,6 @@ case "$1" in exit $ret ;; esac -# $Id: testssl.sh,v 1.196 2015/02/27 20:21:37 dirkw Exp $ +# $Id: testssl.sh,v 1.197 2015/03/02 13:42:18 dirkw Exp $ # vim:ts=5:sw=5 From 77ed44207c0bd990b754d09bae41d596b8fcf9d6 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 2 Mar 2015 14:44:02 +0100 Subject: [PATCH 09/10] - see #41 --- CREDITS.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CREDITS.md b/CREDITS.md index d5af372..00a613a 100644 --- a/CREDITS.md +++ b/CREDITS.md @@ -12,6 +12,9 @@ - Fix for HSTS + subdomains - LibreSSL patch +* Rechi + - initial MX stuff + * @nvsofts (NV) - LibreSSL patch for GOST From f23904b35fd81323b2695f64c655feebf0f97d3d Mon Sep 17 00:00:00 2001 
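Review bot: `MXs=$(dig +short -t MX $1)` now takes the resolver output unfiltered, and `dig +short` typically writes its own diagnostics (for example `;; connection timed out; no servers could be reached`) to stdout, so a resolver failure would flow through `sort -n | sed 's/^.* //'` and yield a bogus host such as `reached.` that is then handed to `parse_hn_port "...:25"`; keep a priority-field filter, `MXs=$(dig +short -t MX "$1" | grep '^[0-9]')`, and quote `"$1"` in all three resolver calls since the name is user input. `MXs` and `MX` remain global; `local MXs MX` at the top of the function avoids clobbering the caller's variables. `which` is not present or not status-reliable on every platform; `command -v dig >/dev/null 2>&1` is the portable existence test. The function's closing brace and the surrounding definitions lie outside the hunk.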
From: Dirk Date: Tue, 3 Mar 2015 07:21:30 +0100 Subject: [PATCH 10/10] - MX record: the lower the # the higher the priority (thx, rechi) --- testssl.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 6484a07..7acc47c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2708,7 +2708,7 @@ mx_allentries() { fi # test first higher priority servers - MXs=$(echo "$MXs" | sort -nr | sed -e 's/^.* //' -e 's/\.$//') + MXs=$(echo "$MXs" | sort -n | sed -e 's/^.* //' -e 's/\.$//') if [ -n "$MXs" ] ; then for MX in $MXs; do @@ -2917,6 +2917,6 @@ case "$1" in exit $ret ;; esac -# $Id: testssl.sh,v 1.197 2015/03/02 13:42:18 dirkw Exp $ +# $Id: testssl.sh,v 1.198 2015/03/03 06:21:20 dirkw Exp $ # vim:ts=5:sw=5
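Review bot: The comment `# test first higher priority servers` above the changed line does not say which direction "higher" means, which is how the sort order came to flip between the previous patch and this one; spell it out: `# MX preference: lower value = higher priority (RFC 5321), so ascending sort tries the preferred hosts first`. Since `sort -n` compares whole lines, hosts with equal preference are ordered by name (GNU sort's last-resort comparison) rather than left in resolver order, which is acceptable but worth noting in the same comment. mx_allentries continues outside the hunk.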