Merge branch '2.9dev' into run_pfs_sockets
commit
276731082f
80
testssl.sh
80
testssl.sh
|
@ -226,6 +226,7 @@ HAS_SPDY=false
|
||||||
HAS_FALLBACK_SCSV=false
|
HAS_FALLBACK_SCSV=false
|
||||||
HAS_PROXY=false
|
HAS_PROXY=false
|
||||||
HAS_XMPP=false
|
HAS_XMPP=false
|
||||||
|
HAS_POSTGRES=false
|
||||||
ADD_RFC_STR="rfc" # display RFC ciphernames
|
ADD_RFC_STR="rfc" # display RFC ciphernames
|
||||||
PORT=443 # unless otherwise auto-determined, see below
|
PORT=443 # unless otherwise auto-determined, see below
|
||||||
NODE=""
|
NODE=""
|
||||||
|
@ -6410,6 +6411,16 @@ starttls_nntp_dialog() {
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
starttls_postgres_dialog() {
|
||||||
|
debugme echo "=== starting postgres STARTTLS dialog ==="
|
||||||
|
local reINITTLS="\x00\x00\x00\x08\x04\xD2\x16\x2F"
|
||||||
|
starttls_just_send "${reINITTLS}" && debugme echo "initiated STARTTLS" &&
|
||||||
|
starttls_full_read '' '' 'S' && debugme echo "received ack for STARTTLS"
|
||||||
|
local ret=$?
|
||||||
|
debugme echo "=== finished postgres STARTTLS dialog with ${ret} ==="
|
||||||
|
return $ret
|
||||||
|
}
|
||||||
|
|
||||||
# arg for a fd doesn't work here
|
# arg for a fd doesn't work here
|
||||||
fd_socket() {
|
fd_socket() {
|
||||||
local jabber=""
|
local jabber=""
|
||||||
|
@ -6484,6 +6495,9 @@ EOF
|
||||||
starttls_line "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" "proceed"
|
starttls_line "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" "proceed"
|
||||||
# BTW: https://xmpp.net !
|
# BTW: https://xmpp.net !
|
||||||
;;
|
;;
|
||||||
|
postgres|postgress) # Postgres SQL, see http://www.postgresql.org/docs/devel/static/protocol-message-formats.html
|
||||||
|
starttls_postgres_dialog
|
||||||
|
;;
|
||||||
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
|
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
|
||||||
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not yet supported" -4
|
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not yet supported" -4
|
||||||
esac
|
esac
|
||||||
|
@ -6659,14 +6673,17 @@ parse_sslv2_serverhello() {
|
||||||
# [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY!
|
# [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY!
|
||||||
|
|
||||||
local ret=3
|
local ret=3
|
||||||
|
local parse_complete="false"
|
||||||
|
|
||||||
if [[ "$2" == "true" ]]; then
|
if [[ "$2" == "true" ]]; then
|
||||||
echo "======================================" > $TMPFILE
|
parse_complete=true
|
||||||
fi
|
fi
|
||||||
|
"$parse_complete" && echo "======================================" > $TMPFILE
|
||||||
|
|
||||||
v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
|
v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
|
||||||
[[ "$DEBUG" -ge 5 ]] && echo "$v2_hello_ascii"
|
[[ "$DEBUG" -ge 5 ]] && echo "$v2_hello_ascii"
|
||||||
if [[ -z "$v2_hello_ascii" ]]; then
|
if [[ -z "$v2_hello_ascii" ]]; then
|
||||||
ret=0 # 1 line without any blanks: no server hello received
|
ret=0 # 1 line without any blanks: no server hello received
|
||||||
debugme echo "server hello empty"
|
debugme echo "server hello empty"
|
||||||
else
|
else
|
||||||
# now scrape two bytes out of the reply per byte
|
# now scrape two bytes out of the reply per byte
|
||||||
|
@ -6697,20 +6714,22 @@ parse_sslv2_serverhello() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
certificate_len=2*$(hex2dec "$v2_hello_cert_length")
|
"$parse_complete" || return $ret
|
||||||
[[ -e $HOSTCERT ]] && rm $HOSTCERT
|
|
||||||
[[ -e $TEMPDIR/intermediatecerts.pem ]] && rm $TEMPDIR/intermediatecerts.pem
|
|
||||||
if [[ "$2" == "true" ]] && [[ "$v2_cert_type" == "01" ]] && [[ "$v2_hello_cert_length" != "00" ]]; then
|
|
||||||
tmp_der_certfile=$(mktemp $TEMPDIR/der_cert.XXXXXX) || return $ret
|
|
||||||
asciihex_to_binary_file "${v2_hello_ascii:26:certificate_len}" "$tmp_der_certfile"
|
|
||||||
$OPENSSL x509 -inform DER -in $tmp_der_certfile -outform PEM -out $HOSTCERT
|
|
||||||
rm $tmp_der_certfile
|
|
||||||
get_pub_key_size
|
|
||||||
echo "======================================" >> $TMPFILE
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Output list of supported ciphers
|
rm -f $HOSTCERT $TEMPDIR/intermediatecerts.pem
|
||||||
if [[ "$2" == "true" ]]; then
|
if [[ $ret -eq 3 ]]; then
|
||||||
|
certificate_len=2*$(hex2dec "$v2_hello_cert_length")
|
||||||
|
|
||||||
|
if [[ "$v2_cert_type" == "01" ]] && [[ "$v2_hello_cert_length" != "00" ]]; then
|
||||||
|
tmp_der_certfile=$(mktemp $TEMPDIR/der_cert.XXXXXX) || return $ret
|
||||||
|
asciihex_to_binary_file "${v2_hello_ascii:26:certificate_len}" "$tmp_der_certfile"
|
||||||
|
$OPENSSL x509 -inform DER -in $tmp_der_certfile -outform PEM -out $HOSTCERT
|
||||||
|
rm $tmp_der_certfile
|
||||||
|
get_pub_key_size
|
||||||
|
echo "======================================" >> $TMPFILE
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Output list of supported ciphers
|
||||||
let offset=26+$certificate_len
|
let offset=26+$certificate_len
|
||||||
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
||||||
for (( i=0 ; i<nr_ciphers_detected; i++ )); do
|
for (( i=0 ; i<nr_ciphers_detected; i++ )); do
|
||||||
|
@ -9498,6 +9517,7 @@ test_openssl_suffix() {
|
||||||
|
|
||||||
find_openssl_binary() {
|
find_openssl_binary() {
|
||||||
local s_client_has=$TEMPDIR/s_client_has.txt
|
local s_client_has=$TEMPDIR/s_client_has.txt
|
||||||
|
local s_client_starttls_has=$TEMPDIR/s_client_starttls_has.txt
|
||||||
|
|
||||||
# 0. check environment variable whether it's executable
|
# 0. check environment variable whether it's executable
|
||||||
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
|
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
|
||||||
|
@ -9554,6 +9574,8 @@ find_openssl_binary() {
|
||||||
|
|
||||||
$OPENSSL s_client -help 2>$s_client_has
|
$OPENSSL s_client -help 2>$s_client_has
|
||||||
|
|
||||||
|
$OPENSSL s_client -starttls foo 2>$s_client_starttls_has
|
||||||
|
|
||||||
grep -qw '\-alpn' $s_client_has && \
|
grep -qw '\-alpn' $s_client_has && \
|
||||||
HAS_ALPN=true
|
HAS_ALPN=true
|
||||||
|
|
||||||
|
@ -9569,6 +9591,9 @@ find_openssl_binary() {
|
||||||
grep -q '\-xmpp' $s_client_has && \
|
grep -q '\-xmpp' $s_client_has && \
|
||||||
HAS_XMPP=true
|
HAS_XMPP=true
|
||||||
|
|
||||||
|
grep -q 'postgres' $s_client_starttls_has && \
|
||||||
|
HAS_POSTGRES=true
|
||||||
|
|
||||||
if [[ "$OPENSSL_TIMEOUT" != "" ]]; then
|
if [[ "$OPENSSL_TIMEOUT" != "" ]]; then
|
||||||
if which timeout >&2 2>/dev/null ; then
|
if which timeout >&2 2>/dev/null ; then
|
||||||
# there are different "timeout". Check whether --preserve-status is supported
|
# there are different "timeout". Check whether --preserve-status is supported
|
||||||
|
@ -9650,7 +9675,7 @@ help() {
|
||||||
"$PROG_NAME <options> URI", where <options> is:
|
"$PROG_NAME <options> URI", where <options> is:
|
||||||
|
|
||||||
-t, --starttls <protocol> does a default run against a STARTTLS enabled <protocol,
|
-t, --starttls <protocol> does a default run against a STARTTLS enabled <protocol,
|
||||||
protocol is <ftp|smtp|pop3|imap|xmpp|telnet|ldap> (latter two require supplied openssl)
|
protocol is <ftp|smtp|pop3|imap|xmpp|telnet|ldap|postgres> (latter three require supplied openssl)
|
||||||
--xmpphost <to_domain> for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
|
--xmpphost <to_domain> for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
|
||||||
--mx <domain/host> tests MX records from high to low priority (STARTTLS, port 25)
|
--mx <domain/host> tests MX records from high to low priority (STARTTLS, port 25)
|
||||||
--file <fname> mass testing option: Reads command lines from <fname>, one line per instance.
|
--file <fname> mass testing option: Reads command lines from <fname>, one line per instance.
|
||||||
|
@ -9783,6 +9808,7 @@ HAS_ALPN: $HAS_ALPN
|
||||||
HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
|
HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
|
||||||
HAS_PROXY: $HAS_PROXY
|
HAS_PROXY: $HAS_PROXY
|
||||||
HAS_XMPP: $HAS_XMPP
|
HAS_XMPP: $HAS_XMPP
|
||||||
|
HAS_POSTGRES: $HAS_POSTGRES
|
||||||
|
|
||||||
PATH: $PATH
|
PATH: $PATH
|
||||||
PROG_NAME: $PROG_NAME
|
PROG_NAME: $PROG_NAME
|
||||||
|
@ -10413,7 +10439,7 @@ determine_optimal_proto() {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap (maybe with trailing s)
|
# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap, postgres (maybe with trailing s)
|
||||||
determine_service() {
|
determine_service() {
|
||||||
local ua
|
local ua
|
||||||
local protocol
|
local protocol
|
||||||
|
@ -10440,9 +10466,13 @@ determine_service() {
|
||||||
service_detection $OPTIMAL_PROTO
|
service_detection $OPTIMAL_PROTO
|
||||||
else
|
else
|
||||||
# STARTTLS
|
# STARTTLS
|
||||||
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
|
if [[ "$1" == postgres ]]; then
|
||||||
|
protocol="postgres"
|
||||||
|
else
|
||||||
|
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
|
||||||
|
fi
|
||||||
case "$protocol" in
|
case "$protocol" in
|
||||||
ftp|smtp|pop3|imap|xmpp|telnet|ldap)
|
ftp|smtp|pop3|imap|xmpp|telnet|ldap|postgres)
|
||||||
STARTTLS="-starttls $protocol"
|
STARTTLS="-starttls $protocol"
|
||||||
SNI=""
|
SNI=""
|
||||||
if [[ "$protocol" == xmpp ]]; then
|
if [[ "$protocol" == xmpp ]]; then
|
||||||
|
@ -10456,6 +10486,12 @@ determine_service() {
|
||||||
# see http://xmpp.org/rfcs/rfc3920.html
|
# see http://xmpp.org/rfcs/rfc3920.html
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if [[ "$protocol" == postgres ]]; then
|
||||||
|
# Check if openssl version supports postgres.
|
||||||
|
if ! "$HAS_POSTGRES"; then
|
||||||
|
fatal "Your $OPENSSL does not support the \"-starttls postgres\" option" -5
|
||||||
|
fi
|
||||||
|
fi
|
||||||
$OPENSSL s_client -connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS 2>$ERRFILE >$TMPFILE </dev/null
|
$OPENSSL s_client -connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS 2>$ERRFILE >$TMPFILE </dev/null
|
||||||
if [[ $? -ne 0 ]]; then
|
if [[ $? -ne 0 ]]; then
|
||||||
debugme cat $TMPFILE
|
debugme cat $TMPFILE
|
||||||
|
@ -10469,7 +10505,7 @@ determine_service() {
|
||||||
outln
|
outln
|
||||||
;;
|
;;
|
||||||
*) outln
|
*) outln
|
||||||
fatal "momentarily only ftp, smtp, pop3, imap, xmpp, telnet and ldap allowed" -4
|
fatal "momentarily only ftp, smtp, pop3, imap, xmpp, telnet, ldap and postgres allowed" -4
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
@ -10781,8 +10817,8 @@ parse_cmd_line() {
|
||||||
STARTTLS_PROTOCOL=$(parse_opt_equal_sign "$1" "$2")
|
STARTTLS_PROTOCOL=$(parse_opt_equal_sign "$1" "$2")
|
||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
case $STARTTLS_PROTOCOL in
|
case $STARTTLS_PROTOCOL in
|
||||||
ftp|smtp|pop3|imap|xmpp|telnet|ldap|nntp) ;;
|
ftp|smtp|pop3|imap|xmpp|telnet|ldap|nntp|postgres) ;;
|
||||||
ftps|smtps|pop3s|imaps|xmpps|telnets|ldaps|nntps) ;;
|
ftps|smtps|pop3s|imaps|xmpps|telnets|ldaps|nntps|postgress) ;;
|
||||||
*) pr_magentaln "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2
|
*) pr_magentaln "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2
|
||||||
help 1 ;;
|
help 1 ;;
|
||||||
esac
|
esac
|
||||||
|
|
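Review bot: The DER-to-PEM conversion `$OPENSSL x509 -inform DER -in $tmp_der_certfile -outform PEM -out $HOSTCERT` in the parse_sslv2_serverhello hunk is never status-checked, although its input is whatever certificate bytes the scanned server put in its SSLv2 hello; if openssl rejects the DER, `$HOSTCERT` is left absent (the new `rm -f $HOSTCERT $TEMPDIR/intermediatecerts.pem` line earlier in the hunk has already removed the previous one), `get_pub_key_size` runs against a missing file, and openssl's stderr goes to the terminal rather than `$ERRFILE` as the s_client call in determine_service does. Capturing the exit status, calling get_pub_key_size only on success and logging the failure via debugme keeps the cipher-list output below intact while making a malformed server certificate visible. In the same hunk, `"$parse_complete" && echo …` and `"$parse_complete" || return $ret` execute the variable's value as a command; `[[ "$parse_complete" == true ]]` states the intent without depending on the value being exactly `true` or `false`. parse_sslv2_serverhello starts before this hunk and continues past the `for` loop that ends it.
```shell
$OPENSSL x509 -inform DER -in "$tmp_der_certfile" -outform PEM -out "$HOSTCERT" 2>>$ERRFILE
local x509_rv=$?
rm "$tmp_der_certfile"
if [[ $x509_rv -eq 0 ]]; then
    get_pub_key_size
else
    debugme echo "could not convert SSLv2 server certificate to PEM"
fi
# … unchanged: echo "======…" >> $TMPFILE, fi, cipher list output …
```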