mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-20 23:49:30 +01:00
Merge branch 'nodns-935' into 2.9dev
This commit is contained in:
commit
2a4de68c59
@ -149,7 +149,7 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
|
|||||||
\fB\-\-assuming\-http\fR testssl\.sh does upfront an application protocol detection\. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option\. It tells testssl\.sh not to skip HTTP specific tests and to run the client simulation with browsers\. Sometimes also the severity depends on the application protocol, e\.g\. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server\.
|
\fB\-\-assuming\-http\fR testssl\.sh does upfront an application protocol detection\. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option\. It tells testssl\.sh not to skip HTTP specific tests and to run the client simulation with browsers\. Sometimes also the severity depends on the application protocol, e\.g\. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server\.
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
\fB\-n, \-\-no\-dns\fR instructs testssl\.sh to not do any DNS lookups\. This is useful if you either can\'t or are not willing to perform DNS lookups\. The latter applies e\.g\. to some pentests, the former could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS=true\fR has the same effect\.
|
\fB\-n, \-\-nodns <min|none>\fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip`` or have the IP address in /etc/hosts\. The use of the switch is only useful if you either can\'t or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentestsi\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\.\fRNODNS` is the enviroment variable for this\.
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
\fB\-\-sneaky\fR as a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
|
\fB\-\-sneaky\fR as a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
|
||||||
|
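Review bot: the new \-\-nodns paragraph carries broken roff markup: `to use \fB\-\-ip``` opens bold with \fB but "closes" it with two backticks, and `\fRNODNS`` ends a bold span that is no longer open and leaves a stray backtick, so the rendered page shows literal backticks and loses the font switch. Write `\fB\-\-ip\fR` and `\fBNODNS\fR`. The same lines contain the typos "pentestsi" (pentests) and "enviroment" (environment); since this man page is generated from the markdown hunk further down in this commit, fix the wording there and regenerate rather than patching the roff by hand.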
@ -197,7 +197,9 @@ host.example.com:631
|
|||||||
<p><code>--assuming-http</code> testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.</p>
|
<p><code>--assuming-http</code> testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.</p>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li><p><code>-n, --no-dns</code> instructs testssl.sh to not do any DNS lookups. This is useful if you either can't or are not willing to perform DNS lookups. The latter applies e.g. to some pentests, the former could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS=true</code> has the same effect.</p></li>
|
<li><p><code>-n, --nodns <min|none></code> tells testssl.sh which DNS lookups should be performed. <code>min</code> uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. <code>none</code> performs no
|
||||||
|
DNS lookups at all. For the latter you either have to supply the IP address as a target, to use <code>--ip`` or have the IP address
|
||||||
|
in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups.</code>NODNS` is the enviroment variable for this.</p></li>
|
||||||
<li><p><code>--sneaky</code> as a friendly feature for the server side testssl.sh uses a HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p></li>
|
<li><p><code>--sneaky</code> as a friendly feature for the server side testssl.sh uses a HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
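Review bot: `<code>-n, --nodns <min|none></code>` leaves the angle brackets unescaped, so a browser parses `<min|none>` as an element and the placeholder vanishes from the rendered page; it needs to be `&lt;min|none&gt;`. In the same list item `<code>--ip``` never closes the code element and `</code>NODNS`` closes one that was never opened, which unbalances the markup for the remainder of the `<li>`. The typos "pentestsi" and "enviroment" are carried over from the markdown source as well.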
@ -120,7 +120,9 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r
|
|||||||
`--assuming-http` testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
|
`--assuming-http` testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
|
||||||
|
|
||||||
|
|
||||||
* `-n, --no-dns` instructs testssl.sh to not do any DNS lookups. This is useful if you either can't or are not willing to perform DNS lookups. The latter applies e.g. to some pentests, the former could e.g. help you to avoid timeouts by DNS lookups. `NODNS=true` has the same effect.
|
* `-n, --nodns <min|none>` tells testssl.sh which DNS lookups should be performed. `min` uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. `none` performs no
|
||||||
|
DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip`` or have the IP address
|
||||||
|
in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the enviroment variable for this.
|
||||||
|
|
||||||
* `--sneaky` as a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
|
* `--sneaky` as a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
|
||||||
|
|
||||||
|
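Review bot: the `-n, --nodns` bullet has a stray backtick in `` `--ip`` `` (should be `` `--ip` ``) plus the typos "pentestsi" and "enviroment"; the roff and HTML hunks in this commit are generated from this text, so the broken markup there originates here. Two wording points: "you either have to supply the IP address as a target, to use `--ip` or have the IP address in /etc/hosts" reads better as "either supply the IP address as the target, use `--ip`, or put the address in /etc/hosts", and the sentence about `NODNS` should state which values it accepts (`NODNS=min` or `NODNS=none`), since the old `NODNS=true` form described in the removed paragraph is no longer valid.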
37
testssl.sh
37
testssl.sh
@ -207,7 +207,7 @@ HTMLFILE="${HTMLFILE:-""}" # HTML if used
|
|||||||
FNAME=${FNAME:-""} # file name to read commands from
|
FNAME=${FNAME:-""} # file name to read commands from
|
||||||
FNAME_PREFIX=${FNAME_PREFIX:-""} # output filename prefix, see --outprefix
|
FNAME_PREFIX=${FNAME_PREFIX:-""} # output filename prefix, see --outprefix
|
||||||
APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it
|
APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it
|
||||||
NODNS=${NODNS:-false} # always do DNS lookups per default. For some pentests it might save time to set this to true
|
# NODNS=${NODNS:-"no"} # if unset it does all DNS lookups per default. "min" only for hosts or "none" at all
|
||||||
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
||||||
ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
|
ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
|
||||||
|
|
||||||
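Review bot: the replacement default `# NODNS=${NODNS:-"no"}` is commented out, so NODNS is simply unset unless the environment provides it, and the value "no" named in the comment would not mean "do all lookups": the other hunks test `[[ -n "$NODNS" ]]` for the minimal mode, so `NODNS=no`, and likewise `NODNS=true` from existing user setups, silently turns into `min` instead of an error. Prefer an explicit `NODNS=${NODNS:-""}` with a comment listing the valid values (empty, min, none) and validate the environment value the same way parse_cmd_line validates the command-line value later in this commit.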
@ -7420,8 +7420,8 @@ certificate_info() {
|
|||||||
all_caa=${all_caa%, } # strip trailing comma
|
all_caa=${all_caa%, } # strip trailing comma
|
||||||
pr_italic "$(out_row_aligned_max_width "$all_caa" "$indent " $TERM_WIDTH)"
|
pr_italic "$(out_row_aligned_max_width "$all_caa" "$indent " $TERM_WIDTH)"
|
||||||
fileout "${jsonID}${json_postfix}" "OK" "$all_caa"
|
fileout "${jsonID}${json_postfix}" "OK" "$all_caa"
|
||||||
elif "$NODNS"; then
|
elif [[ -n "$NODNS" ]]; then
|
||||||
pr_warning "(was instructed to not use DNS)"
|
pr_warning "(instructed to minimize DNS queries)"
|
||||||
fileout "${jsonID}${json_postfix}" "WARN" "check skipped as instructed"
|
fileout "${jsonID}${json_postfix}" "WARN" "check skipped as instructed"
|
||||||
else
|
else
|
||||||
pr_svrty_low "not offered"
|
pr_svrty_low "not offered"
|
||||||
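Review bot: the screen message in the new `elif [[ -n "$NODNS" ]]` branch, "(instructed to minimize DNS queries)", is also printed when `--nodns=none` was given, where no query at all was made. Either word the message so it covers both values, e.g. "(DNS lookups restricted as instructed)", or branch on `"$NODNS" == none` separately; the fileout text "check skipped as instructed" already reads correctly for both modes.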
@ -14945,7 +14945,7 @@ tuning / connect options (most also can be preset via environment variables):
|
|||||||
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
|
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
|
||||||
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
||||||
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
||||||
-n, --nodns do not try any DNS lookup
|
-n, --nodns [min|none] if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
|
||||||
--sneaky leave less traces in target logs: user agent, referer
|
--sneaky leave less traces in target logs: user agent, referer
|
||||||
|
|
||||||
output options (can also be preset via environment variables):
|
output options (can also be preset via environment variables):
|
||||||
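Review bot: the usage line `-n, --nodns [min|none]` uses square brackets, which elsewhere in this help text mark an optional argument (compare `--ip <ip>` a few lines above), but parse_cmd_line in this same commit makes the value mandatory and aborts when it is neither min nor none. Use `-n, --nodns <min|none>` to match the man page and the implementation. It would also help to say what `min` skips (CAA and PTR lookups), since that is the practical difference from the default.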
@ -15450,7 +15450,7 @@ get_a_record() {
|
|||||||
local ip4=""
|
local ip4=""
|
||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
|
|
||||||
"$NODNS" && return 0 # if no DNS lookup was instructed, leave here
|
[[ "$NODNS" == none ]] && return 0 # if no DNS lookup was instructed, leave here
|
||||||
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
check_resolver_bins
|
check_resolver_bins
|
||||||
if [[ "$NODE" == *.local ]]; then
|
if [[ "$NODE" == *.local ]]; then
|
||||||
@ -15490,7 +15490,7 @@ get_aaaa_record() {
|
|||||||
local ip6=""
|
local ip6=""
|
||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
|
|
||||||
"$NODNS" && return 0 # if no DNS lookup was instructed, leave here
|
[[ "$NODNS" == none ]] && return 0 # if no DNS lookup was instructed, leave here
|
||||||
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
check_resolver_bins
|
check_resolver_bins
|
||||||
if [[ -z "$ip6" ]]; then
|
if [[ -z "$ip6" ]]; then
|
||||||
@ -15527,7 +15527,7 @@ get_caa_rr_record() {
|
|||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
local all_caa=""
|
local all_caa=""
|
||||||
|
|
||||||
"$NODNS" && return 0 # if no DNS lookup was instructed, leave here
|
[[ -n "$NODNS" ]] && return 0 # if minimum DNS lookup was instructed, leave here
|
||||||
# if there's a type257 record there are two output formats here, mostly depending on age of distribution
|
# if there's a type257 record there are two output formats here, mostly depending on age of distribution
|
||||||
# roughly that's the difference between text and binary format
|
# roughly that's the difference between text and binary format
|
||||||
# 1) 'google.com has CAA record 0 issue "symantec.com"'
|
# 1) 'google.com has CAA record 0 issue "symantec.com"'
|
||||||
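Review bot: `[[ -n "$NODNS" ]] && return 0` in get_caa_rr_record returns for both `min` and `none`, while the comment says only "if minimum DNS lookup was instructed"; change it to "min or none". This site and determine_rdns use `-n`, whereas get_a_record and get_aaaa_record use `== none`, and that difference is the only thing encoding which lookups `min` keeps, so a one-line comment at each early return naming the mode it handles would make the intent reviewable.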
@ -15689,9 +15689,10 @@ determine_ip_addresses() {
|
|||||||
|
|
||||||
determine_rdns() {
|
determine_rdns() {
|
||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses
|
local nodeip=""
|
||||||
|
|
||||||
"$NODNS" && rDNS="--" && return 0
|
[[ -n "$NODNS" ]] && rDNS="(instructed to minimize DNS queries)" && return 0 # PTR records were not asked for
|
||||||
|
local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses
|
||||||
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
check_resolver_bins
|
check_resolver_bins
|
||||||
if [[ "$NODE" == *.local ]]; then
|
if [[ "$NODE" == *.local ]]; then
|
||||||
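Review bot: determine_rdns now declares `local nodeip=""` and a few lines later `local nodeip="$(tr -d '[]' <<< $NODEIP)"` again; the second `local` is redundant and should be a plain assignment, ideally with `"$NODEIP"` quoted. More importantly, the early return stores the human-readable string "(instructed to minimize DNS queries)" in rDNS, and display_rdns_etc later recognises it by regex-matching the word "instructed". Keeping a status message in the variable that otherwise holds a resolved name is fragile; leave rDNS empty and check NODNS (or a dedicated flag) in display_rdns_etc instead.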
@ -15974,7 +15975,7 @@ display_rdns_etc() {
|
|||||||
outln "$PROXYIP:$PROXYPORT "
|
outln "$PROXYIP:$PROXYPORT "
|
||||||
fi
|
fi
|
||||||
if [[ $(count_words "$IP46ADDRs") -gt 1 ]]; then
|
if [[ $(count_words "$IP46ADDRs") -gt 1 ]]; then
|
||||||
out " further IP addresses: $CORRECT_SPACES"
|
out " Further IP addresses: $CORRECT_SPACES"
|
||||||
for ip in $IP46ADDRs; do
|
for ip in $IP46ADDRs; do
|
||||||
if [[ "$ip" == "$NODEIP" ]] || [[ "[$ip]" == "$NODEIP" ]]; then
|
if [[ "$ip" == "$NODEIP" ]] || [[ "[$ip]" == "$NODEIP" ]]; then
|
||||||
continue
|
continue
|
||||||
@ -15989,7 +15990,10 @@ display_rdns_etc() {
|
|||||||
elif [[ -n "$CMDLINE_IP" ]]; then
|
elif [[ -n "$CMDLINE_IP" ]]; then
|
||||||
outln " A record via $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
|
outln " A record via $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
|
||||||
fi
|
fi
|
||||||
if [[ -n "$rDNS" ]]; then
|
if [[ "$rDNS" =~ instructed ]]; then
|
||||||
|
out "$(printf " %-23s %s" "rDNS ($nodeip):")"
|
||||||
|
pr_warning "$rDNS"
|
||||||
|
elif [[ -n "$rDNS" ]]; then
|
||||||
out "$(printf " %-23s %s" "rDNS ($nodeip):")"
|
out "$(printf " %-23s %s" "rDNS ($nodeip):")"
|
||||||
out "$(out_row_aligned_max_width "$rDNS" " $CORRECT_SPACES" $TERM_WIDTH)"
|
out "$(out_row_aligned_max_width "$rDNS" " $CORRECT_SPACES" $TERM_WIDTH)"
|
||||||
fi
|
fi
|
||||||
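Review bot: `if [[ "$rDNS" =~ instructed ]]` decides on the content of the rDNS value, so a genuine PTR name that happens to contain the substring "instructed" would be printed as a warning rather than as the reverse name. Test `[[ -n "$NODNS" ]]`, the same condition determine_rdns used, instead of pattern-matching the message. The line `out "$(printf " %-23s %s" "rDNS ($nodeip):")"` is now duplicated in both branches and can be hoisted above the if, leaving only the pr_warning versus out_row_aligned_max_width choice inside.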
@ -16662,7 +16666,11 @@ parse_cmd_line() {
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
-n|--nodns)
|
-n|--nodns)
|
||||||
NODNS=true
|
NODNS="$(parse_opt_equal_sign "$1" "$2")"
|
||||||
|
[[ $? -eq 0 ]] && shift
|
||||||
|
if [[ "$NODNS" != none ]] && [[ "$NODNS" != min ]]; then
|
||||||
|
fatal "Value for nodns switch can be either \"min\" or \"none\""
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
-V|-V=*|--local|--local=*) # attention, this could have a value or not!
|
-V|-V=*|--local|--local=*) # attention, this could have a value or not!
|
||||||
do_display_only=true
|
do_display_only=true
|
||||||
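Review bot: `fatal "Value for nodns switch can be either \"min\" or \"none\""` passes no exit code, whereas every other fatal call touched by this commit supplies one (`fatal "\"--ip=one\" and \"--nodns=none\" don't work together" 2`, `fatal "URI missing" "1"`); pass `2` here as well so invalid-argument errors exit consistently. The `[[ $? -eq 0 ]] && shift` after `NODNS="$(parse_opt_equal_sign "$1" "$2")"` relies on the assignment's exit status being that of the command substitution, which bash guarantees, but a short comment would spare the next reader from looking that up.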
@ -17046,7 +17054,7 @@ parse_cmd_line() {
|
|||||||
done
|
done
|
||||||
|
|
||||||
# Show usage if no further options were specified
|
# Show usage if no further options were specified
|
||||||
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! $do_display_only; then
|
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! "$do_display_only"; then
|
||||||
fatal "URI missing" "1"
|
fatal "URI missing" "1"
|
||||||
else
|
else
|
||||||
# left off here is the URI
|
# left off here is the URI
|
||||||
@ -17054,7 +17062,8 @@ parse_cmd_line() {
|
|||||||
# parameter after URI supplied:
|
# parameter after URI supplied:
|
||||||
[[ -n "$2" ]] && fatal "URI comes last" "1"
|
[[ -n "$2" ]] && fatal "URI comes last" "1"
|
||||||
fi
|
fi
|
||||||
[[ $CMDLINE_IP == "one" ]] && "$NODNS" && fatal "\"--ip=one\" and \"--nodns\" doesn't work together"
|
[[ $CMDLINE_IP == one ]] && [[ "$NODNS" == none ]] && fatal "\"--ip=one\" and \"--nodns=none\" don't work together" 2
|
||||||
|
"$do_mx_all_ips" && [[ "$NODNS" == none ]] && fatal "\"--mx\" and \"--nodns=none\" don't work together" 2
|
||||||
ADDITIONAL_CA_FILES="${ADDITIONAL_CA_FILES//,/ }"
|
ADDITIONAL_CA_FILES="${ADDITIONAL_CA_FILES//,/ }"
|
||||||
for fname in $ADDITIONAL_CA_FILES; do
|
for fname in $ADDITIONAL_CA_FILES; do
|
||||||
[[ -s "$fname" ]] || fatal "CA file \"$fname\" does not exist" -2
|
[[ -s "$fname" ]] || fatal "CA file \"$fname\" does not exist" -2
|
||||||
|
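Review bot: in `[[ $CMDLINE_IP == one ]] && [[ "$NODNS" == none ]]` the left operand is unquoted while the right one is quoted; `[[ ]]` does not word-split, so it is harmless, but the surrounding code quotes variables consistently (`"$NODNS"`, `"$do_mx_all_ips"` on the next line), so `"$CMDLINE_IP"` keeps the style uniform. The added `--mx` conflict check is correct as written, since `min` still resolves MX records and only `none` is rejected.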