- partly FIX for #87 (removed SNI helps. Doesn't make sense anyway)

- changed order of Secure Renegotiation/Secure Client-Initiated Renegotiation
- readability improvements in renego
This commit is contained in:
Dirk Wetter 2015-05-01 12:18:43 +02:00
parent d766a0b459
commit 2aa82e5164
1 changed files with 29 additions and 26 deletions

View File

@ -2213,46 +2213,49 @@ ccs_injection(){
}
renego() {
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for Renegotiation vulnerability" && outln "\n"
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
local legacycmd=""
local insecure_renogo_str
local sec_renego sec_client_renego
ADDCMD=""
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for Renegotiation vulnerability" && outln "\n"
pr_bold " Secure Renegotiation "; out "(CVE 2009-3555) " # and RFC5746, OSVDB 59968-59974
insecure_renogo_str="Secure Renegotiation IS NOT"
echo "HEAD / HTTP/1.0" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT 2>&1 | grep -iaq "$insecure_renogo_str"
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
case $sec_renego in
0) pr_redln "VULNERABLE (NOT ok)" ;;
1) pr_greenln "not vulnerable (OK)" ;;
*) outln "FIXME: $sec_renego" ;;
esac
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
case "$OSSL_VER" in
0.9.8*) # we need this for Mac OSX unfortunately
case "$OSSL_VER_APPENDIX" in
[a-l])
pr_magenta "Your $OPENSSL $OSSL_VER cannot test the secure renegotiation vulnerability"
return 3 ;;
[m-z]) # all ok
;;
[a-l]) pr_magenta "Your $OPENSSL $OSSL_VER cannot test the secure renegotiation vulnerability"
return 3 ;;
[m-z]) # all ok ;;
esac ;;
1.0.1*|1.0.2*)
ADDCMD="-legacy_renegotiation" ;;
0.9.9*|1.0*)
# all ok
1.0.1*|1.0.2*) legacycmd="-legacy_renegotiation" ;;
0.9.9*|1.0*) # all ok
;;
esac
echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE
reneg_ok=$? # 0=client is renegotiating and does not get an error: vuln to DoS via client initiated renegotiation
case $reneg_ok in
# http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html, head/get doesn't seem to be needed though
echo R | $OPENSSL s_client $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT &>$TMPFILE # msg enables us to look deeper into it while debugging
sec_client_renego=$? # 0=client is renegotiating and does not get an error: vuln to DoS via client initiated renegotiation
case $sec_client_renego in
0) pr_litered "VULNERABLE (NOT ok)"; outln ", DoS threat" ;;
1) pr_litegreenln "not vulnerable (OK)" ;;
*) outln "FIXME: $reneg_ok" ;;
*) outln "FIXME: $sec_client_renego" ;;
esac
pr_bold " Renegotiation "; out "(CVE 2009-3555) " # and RFC5746, OSVDB 59968-59974
NEG_STR="Secure Renegotiation IS NOT"
echo "R" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 | grep -iaq "$NEG_STR"
secreg=$? # 0= Secure Renegotiation IS NOT supported
case $secreg in
0) pr_redln "VULNERABLE (NOT ok)" ;;
1) pr_greenln "not vulnerable (OK)" ;;
*) outln "FIXME: $secreg" ;;
esac
#FIXME Insecure Client-Initiated Renegotiation is missing
tmpfile_handle $FUNCNAME.txt
return $secreg
return $(($sec_renego + $sec_client_renego))
# https://community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
}