From 217f2fb91adc49df73cc93a0e7b8864f44a58dae Mon Sep 17 00:00:00 2001
From: Thomas Alexander Frederiksen
Date: Wed, 19 Oct 2016 10:54:37 +0200
Subject: [PATCH 1/8] Apple ATS9 client test
---
 testssl.sh | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/testssl.sh b/testssl.sh
index 2c5b51e..f4a2692 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -2822,6 +2822,24 @@ run_client_simulation() {
 minEcdsaBits+=(-1)
 requiresSha2+=(false)
+ names+=("Apple ATS 9 iOS 9 ")
+ short+=("safari_9_osx1011")
+ protos+=("-no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1")
+ ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA")
+ tlsvers+=("-tls1_2")
+ sni+=("$SNI")
+ warning+=("")
+ handshakebytes+=("16030100b9010000b50303282275d1356ba8ceec8897786197b80f96d83a06d9205200a677f850c4b822f2000018c02cc02bc024c023c00ac009c030c02fc028c027c01300ff0201000073000b000403000102000a003a0038000e000d0019001c000b000c001b00180009000a001a00160017000800060007001400150004000500120013000100020003000f0010001100230000000d0020001e060106020603050105020503040104020403030103020303020102020203000f000101")
+ lowest_protocol+=("0x0303")
+ highest_protocol+=("0x0303")
+ service+=("HTTP")
+ minDhBits+=(768)
+ maxDhBits+=(-1)
+ minRsaBits+=(-1)
+ maxRsaBits+=(8192)
+ minEcdsaBits+=(-1)
+ requiresSha2+=(false)
+
 outln
 if "$using_sockets"; then
 pr_headlineln " Running browser simulations via sockets (experimental) "
From 63ec369f34f50a7e6adde0ba8047dcc847bd709e Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Sat, 29 Oct 2016 15:37:30 +0200
Subject: [PATCH 2/8] output polish
---
 testssl.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index d6d07f4..459bb56 100755
--- a/testssl.sh
+++ b/testssl.sh
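Review bot: The OpenSSL cipher string in the new `ciphers+=(...)` entry lists `ECDHE-ECDSA-AES128-SHA256` twice (fourth and sixth position), while the recorded ClientHello in `handshakebytes` carries eleven distinct suites plus the renegotiation SCSV (c02c c02b c024 c023 c00a c009 c030 c02f c028 c027 c013 00ff); the second occurrence looks like a paste error and should be dropped so the openssl-based and socket-based simulation advertise the same list. The `short` tag `safari_9_osx1011` does not match the display name `Apple ATS 9 iOS 9`; if this profile is meant to be distinct from a Safari 9 entry it needs its own tag, otherwise JSON/CSV consumers cannot tell the two rows apart. Minor: `minDhBits+=(768)` is meaningless for an ECDHE-only cipher list (unless every such profile sets it by convention), and the trailing spaces inside the `names` string look unintended. run_client_simulation continues on both sides of this hunk.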
@@ -2965,7 +2965,7 @@ run_client_simulation() {
 minEcdsaBits+=(-1)
 requiresSha2+=(false)
- names+=("Apple ATS 9 iOS 9 ")
+ names+=("Apple ATS 9 iOS 9 ")
 short+=("safari_9_osx1011")
 protos+=("-no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1")
 ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA")
@@ -5143,7 +5143,7 @@ run_pfs() {
 local curve_found curve_used
 outln
- pr_headlineln " Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here "
+ pr_headlineln " Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 "
 if ! "$HAS_DH_BITS" && "$WIDE"; then
 pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)"
 fi
@@ -9061,4 +9061,4 @@ fi
 exit $?
-# $Id: testssl.sh,v 1.559 2016/10/15 20:55:22 dirkw Exp $
+# $Id: testssl.sh,v 1.561 2016/10/29 13:37:29 dirkw Exp $
From f18a398ce3abe4ae047f2d0989ed0032bed6857b Mon Sep 17 00:00:00 2001
From: Dirk
Date: Fri, 4 Nov 2016 08:39:14 +0100
Subject: [PATCH 3/8] handle better missing ca_hashes.txt
---
 testssl.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index 459bb56..f3af95e 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1168,7 +1168,7 @@ run_hpkp() {
 # we compare now against a precompiled list of SPKIs against the ROOT CAs we have in $ca_hashes
 if ! "$certificate_found"; then
- hpkp_matches=$(grep -h "$hpkp_spki" $ca_hashes | sort -u)
+ hpkp_matches=$(grep -h "$hpkp_spki" $ca_hashes 2>/dev/null | sort -u)
 if [[ -n $hpkp_matches ]]; then
 certificate_found=true # root CA found
 spki_match=true
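Review bot: In the `hpkp_matches=$(grep -h "$hpkp_spki" $ca_hashes 2>/dev/null | sort -u)` line the pin is still handed to grep as a regular expression and `$ca_hashes` is still unquoted; a base64 SPKI hash is meant to match literally, so `hpkp_matches=$(grep -hF -- "$hpkp_spki" "$ca_hashes" 2>/dev/null | sort -u)` is the safer form. The `2>/dev/null` also hides a permission or read error on a file that does exist, which then becomes indistinguishable from "no root CA matched"; testing `[[ -r "$ca_hashes" ]]` before the grep would keep the two cases apart. run_hpkp continues outside this hunk.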
@@ -1230,6 +1230,11 @@ run_hpkp() {
 outln "$spaces_indented ${backup_spki[i]}"
 fi
 done
+ if [[ ! -f "$ca_hashes" ]] && "$spki_match"; then
+ out "$spaces "
+ pr_warningln "Attribution of further hashes couldn't be done as $ca_hashes could not be found"
+ fileout "hpkp_spkimatch" "WARN" "Attribution of further hashes couldn't be done as $ca_hashes could not be found"
+ fi
 # If all else fails...
 if ! "$spki_match"; then
From 72ac0734d1cda5e26b243d6b956dac238b19bd10 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 5 Nov 2016 14:55:30 +0100
Subject: [PATCH 4/8] tolower
---
 testssl.sh | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index f3af95e..4d97e30 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -566,9 +566,13 @@ trim_trailing_space() {
 echo "${1%%*( )}"
 }
-toupper() {
- echo -n "$1" | tr 'a-z' 'A-Z'
-}
+if [[ $(uname) == "Linux" ]] ; then
+ toupper() { echo -n "${1^^}" ; }
+ tolower() { echo -n "${1,,}" ; }
+else
+ toupper() { echo -n "$1" | tr 'a-z' 'A-Z'; }
+ tolower() { echo -n "$1" | tr 'A-Z' 'a-z' ; }
+fi
 is_number() {
 [[ "$1" =~ ^[1-9][0-9]*$ ]] && \
@@ -1524,7 +1528,7 @@ normalize_ciphercode() {
 HEXC="$part1$part2$part3"
 fi
 #TODO: we should just echo this and avoid the global var HEXC
- HEXC=$(echo $HEXC | tr 'A-Z' 'a-z' | sed 's/0x/x/') #tolower + strip leading 0
+ HEXC=$(tolower "$HEXC"| sed 's/0x/x/') # strip leading 0
 return 0
 }
@@ -9066,4 +9070,4 @@ fi
 exit $?
-# $Id: testssl.sh,v 1.561 2016/10/29 13:37:29 dirkw Exp $
+# $Id: testssl.sh,v 1.562 2016/11/05 13:55:29 dirkw Exp $
From 65c03a99baa6a3b786f3cab0f6bebe22b5a1ca5f Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 5 Nov 2016 15:02:00 +0100
Subject: [PATCH 5/8] update
---
 Readme.md | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/Readme.md b/Readme.md
index 8a308ed..f8d4ed1 100644
--- a/Readme.md
+++ b/Readme.md
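Review bot: The new warning is gated on `&& "$spki_match"`, so the case that actually changes the verdict — `$ca_hashes` missing and no pin matched anywhere — says nothing and falls straight into the `if ! "$spki_match"` branch below (its body is outside the hunk), where the user is presumably told the pins could not be attributed without learning that the root-CA list was never consulted. Dropping the `&& "$spki_match"` condition, or emitting the same warning in both branches, makes the missing-file cause visible exactly where it matters. If `hpkp_spkimatch` is also the `fileout` id used for the match result elsewhere in run_hpkp, a distinct id such as `hpkp_ca_hashes` would keep JSON/CSV consumers from seeing two records under one key.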
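Review bot: `${1^^}` and `${1,,}` require bash 4, which is a property of the shell, not of the kernel, so gating on `[[ $(uname) == "Linux" ]]` picks the builtin on a Linux host running an old bash and forks `tr` on macOS/BSD hosts that have a modern bash installed; the test should be `if [[ ${BASH_VERSINFO[0]} -ge 4 ]]; then`. The two implementations are also not quite equivalent: `${1,,}` follows the current locale while `tr 'A-Z' 'a-z'` only touches ASCII, which is fine for the hex cipher codes normalize_ciphercode feeds in but worth recording, e.g. `# NOTE: the bash-4 form is locale-aware; callers pass ASCII only`. The two definitions are top-level and complete within the hunk.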
@@ -28,11 +28,10 @@ cryptographic flaws.
 #### Status
-_ _Here in the master branch you find the stable version 2.8rc2 of the software, it
-superseds 2.6. Version 2.8 is currently being finalized_ _. The 2.9dev branch is the developement
--- with new features and maybe some bugs. For the stable version and **a
-more thorough description of the command line options** please see
-[testssl.sh](https://testssl.sh/ "Go to the site with the stable version
+_Here in the master branch you find the stable version 2.8rc3 of the software, it
+superseds 2.6. Version 2.8 is currently being finalized_ . 2.9dev is the new
+developement branch For the **a more thorough description of the command line options**
+please see [testssl.sh](https://testssl.sh/ "Go to the site with the stable version
 and more documentation") or https://github.com/drwetter/testssl.sh/wiki/Usage-Documentation.
 #### Compatibility
@@ -46,7 +45,7 @@ cygwin) work too.
 OpenSSL version >= 1 is a must. OpenSSL version >= 1.0.2 is needed for better LOGJAM checks and to display bit strengths for key exchanges.
-#### [Features in 2.8 stable](Readme.md#stable)
+#### Features in [2.8 stable](Readme.md#stable)
 Done so far:
@@ -61,6 +60,7 @@ Done so far:
 * HTTP2/ALPN protocol check
 * Logging to a file / dir
 * Logging to (flat) JSON + CSV
+* HPKP checks now also for Root, intermediate SPKIs
 * Check for multiple server certificates
 * Browser cipher simulation: what client will connect with which cipher + protocol
 * GOST cipher+certificate improvements
@@ -75,9 +75,6 @@ Done so far:
 Update notification here or @ [twitter](https://twitter.com/drwetter).
-#### [Features in 2.9dev](Readme.md#devel)
-* timeout in OpeenSL connect
-* TLS 1.2 protocol check via socket
 #### Contributions
From 4f99d9d6589769a0bcff2bee6724ae0775b3ad01 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Mon, 7 Nov 2016 21:03:45 +0100
Subject: [PATCH 6/8] update
---
 .gitignore | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.gitignore b/.gitignore
index adad0cf..02eb7e2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,8 @@
 .DS_Store
 tmp.json
 *.bak
+*.json
+*.csv
+*.log
+*.xml
+*.iml
From 43b35b8cc29eaa7aa4ea0172726393bf9e9e2b68 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 8 Nov 2016 10:10:14 -0500
Subject: [PATCH 7/8] Curve X25519 fixes
This PR fixes two issues related to curve X25519. First, while OpenSSL 1.1.0 supports curve X25519, it is not included in the output of `$OPENSSL ecparam -list_curves`. I tried several versions of OpenSSL (and one version of LibreSSL), and every version output either "Error with command" or "unknown option" in response to `$OPENSSL s_client -curves $curve` if it either did not support the `-curves` option or did not support `$curve`. (When the `-curve` option was supported with `$curve`, a "connect" error was output.) The second issue is that the "Server Temp Key" line in the output of `s_client` is different for curve X25519. For other elliptic curves, the output is
```
Server Temp Key: ECDH, P-256, 256 bits
```
For X25519 it is:
```
Server Temp Key: X25519, 253 bits
```
So, `read_dhbits_from_file()` needs to allow for `$what_dh` being "X25519" rather than "ECDH" and `run_pfs()` needs to allow for the possibility that the curve name will be the first field rather than the second.
---
 testssl.sh | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 4d97e30..4ae4bd7 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -3503,6 +3503,10 @@ read_dhbits_from_file() {
 grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp)
 bits=$(tr -d ' bits' <<< $bits)
+ if [[ "$what_dh" == "X25519" ]] || [[ "$what_dh" == "X448" ]]; then
+ what_dh="ECDH"
+ fi
+
 debugme echo ">$HAS_DH_BITS|$what_dh|$bits<"
 [[ -n "$what_dh" ]] && HAS_DH_BITS=true # FIX 190
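Review bot: Rewriting `what_dh` to `ECDH` for X25519/X448 loses the only hint that `$bits` is now OpenSSL's 253 rather than a nominal curve size; any later grading threshold written as `bits -ge 256` (the grading code is outside this hunk, so I cannot confirm one exists) would rate X25519 below P-256 although it is at least as strong. Either keep the original label for output, e.g. `local curve_label="$what_dh"` before the assignment, or put `# X25519 is reported as 253 bits (OpenSSL convention); do not compare against 256` next to it so the next person touching the thresholds sees it. The condition can also be one test, `if [[ "$what_dh" == X25519 || "$what_dh" == X448 ]]; then`. read_dhbits_from_file starts and ends outside the hunk.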
@@ -5235,8 +5239,8 @@ run_pfs() {
 # find out what elliptic curves are supported.
 curves_offered=""
 for curve in "${curves_ossl[@]}"; do
- $OPENSSL ecparam -list_curves | grep -q $curve
- [[ $? -eq 0 ]] && nr_curves+=1 && supported_curves+=("$curve")
+ $OPENSSL s_client -curves $curve 2>&1 | egrep -iaq "Error with command|unknown option"
+ [[ $? -ne 0 ]] && nr_curves+=1 && supported_curves+=("$curve")
 done
 # OpenSSL limits the number of curves that can be specified in the
@@ -5262,7 +5266,8 @@ run_pfs() {
 fi
 if [[ "$sclient_success" -eq 0 ]]; then
 temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$tmpfile")
- curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
+ curve_found="$(awk -F',' '{ print $1 }' <<< $temp)"
+ [[ "$curve_found" == "ECDH" ]] && curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
 j=0; curve_used=""
 for curve in "${curves_ossl[@]}"; do
 [[ "${curves_ossl_output[j]}" == "$curve_found" ]] && curve_used="${curves_ossl[j]}" && break
From 64a96c83887f96c0992f94901c41e3fd73a6ffff Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 8 Nov 2016 10:20:48 -0500
Subject: [PATCH 8/8] Curve X25519 fixes for 2.9dev
This PR fixes the same issues as were fixed in PR #513, but also makes two changes to `parse_tls_serverhello()`:
* It changes the number of bits for curve X25519 from 256 to 253 to match OpenSSL.
* It removes the "ECDH, " from the "Server Temp Key: " line in order to match OpenSSL's output.
---
 testssl.sh | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 8e43164..61581bc 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -3683,6 +3683,10 @@ read_dhbits_from_file() {
 grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp)
 bits=$(tr -d ' bits' <<< $bits)
+ if [[ "$what_dh" == "X25519" ]] || [[ "$what_dh" == "X448" ]]; then
+ what_dh="ECDH"
+ fi
+
 debugme echo ">$HAS_DH_BITS|$what_dh|$bits<"
 [[ -n "$what_dh" ]] && HAS_DH_BITS=true # FIX 190
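Review bot: `$OPENSSL s_client -curves $curve 2>&1` is run without `-connect` and without a stdin redirect, so it falls back to s_client's documented default target (localhost:4433); the commit relies on that connect failing, but if anything is listening there the probe completes a handshake and then blocks reading the script's stdin, once per curve in the loop. Add `</dev/null` so s_client exits after the (attempted) handshake, and quote the loop variable while at it: `$OPENSSL s_client -curves "$curve" </dev/null 2>&1 | egrep -iaq "Error with command|unknown option"`. A short comment saying why a network command is used as a capability probe — `# s_client rejects unknown curve names before connecting; ecparam -list_curves omits X25519 on 1.1.0` — would stop the next reader from "fixing" it back. run_pfs continues outside the hunk.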
@@ -5415,8 +5419,8 @@ run_pfs() {
 # find out what elliptic curves are supported.
 curves_offered=""
 for curve in "${curves_ossl[@]}"; do
- $OPENSSL ecparam -list_curves | grep -q $curve
- [[ $? -eq 0 ]] && nr_curves+=1 && supported_curves+=("$curve")
+ $OPENSSL s_client -curves $curve 2>&1 | egrep -iaq "Error with command|unknown option"
+ [[ $? -ne 0 ]] && nr_curves+=1 && supported_curves+=("$curve")
 done
 # OpenSSL limits the number of curves that can be specified in the
@@ -5442,7 +5446,8 @@ run_pfs() {
 fi
 if [[ "$sclient_success" -eq 0 ]]; then
 temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$tmpfile")
- curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
+ curve_found="$(awk -F',' '{ print $1 }' <<< $temp)"
+ [[ "$curve_found" == "ECDH" ]] && curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
 j=0; curve_used=""
 for curve in "${curves_ossl[@]}"; do
 [[ "${curves_ossl_output[j]}" == "$curve_found" ]] && curve_used="${curves_ossl[j]}" && break
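Review bot: The new detection treats every outcome other than the two literal error strings as "curve supported" — including a `$OPENSSL` binary that cannot be executed or a future release that rewords its usage error — so a broken or unexpected openssl silently yields the full curve list instead of none, which is the opposite failure mode of the `ecparam -list_curves` check it replaces. Probing `-curves` support once before the loop, e.g. `$OPENSSL s_client -help 2>&1 | grep -q -- '-curves' || return`, and keeping the per-curve check only for the name itself would bound the damage; `</dev/null` on the s_client call is needed here as well so a listener on the default localhost:4433 cannot stall the loop. run_pfs continues outside the hunk.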
@@ -6534,12 +6539,17 @@ parse_tls_serverhello() {
 26) dh_bits=256 ; named_curve_str="brainpoolP256r1" ;;
 27) dh_bits=384 ; named_curve_str="brainpoolP384r1" ;;
 28) dh_bits=512 ; named_curve_str="brainpoolP512r1" ;;
- 29) dh_bits=256 ; named_curve_str="X25519" ;;
+ 29) dh_bits=253 ; named_curve_str="X25519" ;;
 30) dh_bits=448 ; named_curve_str="X448" ;;
 esac
 fi
- [[ $DEBUG -ge 2 ]] && [[ $dh_bits -ne 0 ]] && echo "dh_bits: ECDH, $named_curve_str, $dh_bits bits"
- [[ $dh_bits -ne 0 ]] && echo "Server Temp Key: ECDH, $named_curve_str, $dh_bits bits" >> $TMPFILE
+ if [[ $dh_bits -ne 0 ]] && [[ $named_curve -ne 29 ]] && [[ $named_curve -ne 30 ]]; then
+ debugme echo "dh_bits: ECDH, $named_curve_str, $dh_bits bits"
+ echo "Server Temp Key: ECDH, $named_curve_str, $dh_bits bits" >> $TMPFILE
+ elif [[ $dh_bits -ne 0 ]]; then
+ debugme echo "dh_bits: $named_curve_str, $dh_bits bits"
+ echo "Server Temp Key: $named_curve_str, $dh_bits bits" >> $TMPFILE
+ fi
 elif [[ $rfc_cipher_suite =~ "TLS_DHE_" ]] || [[ $rfc_cipher_suite =~ "TLS_DH_anon" ]]; then
 # For DH ephemeral keys the first field is p, and the length of
 # p is the same as the length of the public key.
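Review bot: The new `if` repeats the numeric ids `29`/`30` that the `case` arms above already map to `X25519`/`X448`, so adding or renumbering a curve requires two coordinated edits; testing the string instead, `if [[ $dh_bits -ne 0 ]] && [[ "$named_curve_str" != X25519 && "$named_curve_str" != X448 ]]; then`, keeps a single point of truth. The reason the `ECDH, ` prefix is dropped for these two curves is only in the commit message, so a line such as `# mirror OpenSSL s_client: X25519/X448 print "X25519, 253 bits" without an "ECDH, " prefix so read_dhbits_from_file/run_pfs parse both sources alike` belongs next to the branch. `$TMPFILE` should be quoted in the `>>` redirections. parse_tls_serverhello continues outside the hunk.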