- partial FIX for #87 (removing SNI helps; it doesn't make sense anyway)
- changed order of Secure Renegotiation / Secure Client-Initiated Renegotiation; readability improvements in renego
parent
254cb24a64
commit
31e781d229
55
testssl.sh
55
testssl.sh
@ -2213,46 +2213,49 @@ ccs_injection(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
renego() {
|
renego() {
|
||||||
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for Renegotiation vulnerability" && outln "\n"
|
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
|
||||||
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
|
local legacycmd=""
|
||||||
|
local insecure_renogo_str
|
||||||
|
local sec_renego sec_client_renego
|
||||||
|
|
||||||
ADDCMD=""
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for Renegotiation vulnerability" && outln "\n"
|
||||||
|
|
||||||
|
pr_bold " Secure Renegotiation "; out "(CVE 2009-3555) " # and RFC5746, OSVDB 59968-59974
|
||||||
|
insecure_renogo_str="Secure Renegotiation IS NOT"
|
||||||
|
echo "HEAD / HTTP/1.0" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT 2>&1 | grep -iaq "$insecure_renogo_str"
|
||||||
|
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
|
||||||
|
case $sec_renego in
|
||||||
|
0) pr_redln "VULNERABLE (NOT ok)" ;;
|
||||||
|
1) pr_greenln "not vulnerable (OK)" ;;
|
||||||
|
*) outln "FIXME: $sec_renego" ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
|
||||||
case "$OSSL_VER" in
|
case "$OSSL_VER" in
|
||||||
0.9.8*) # we need this for Mac OSX unfortunately
|
0.9.8*) # we need this for Mac OSX unfortunately
|
||||||
case "$OSSL_VER_APPENDIX" in
|
case "$OSSL_VER_APPENDIX" in
|
||||||
[a-l])
|
[a-l]) pr_magenta "Your $OPENSSL $OSSL_VER cannot test the secure renegotiation vulnerability"
|
||||||
pr_magenta "Your $OPENSSL $OSSL_VER cannot test the secure renegotiation vulnerability"
|
return 3 ;;
|
||||||
return 3 ;;
|
[m-z]) # all ok ;;
|
||||||
[m-z]) # all ok
|
|
||||||
;;
|
|
||||||
esac ;;
|
esac ;;
|
||||||
1.0.1*|1.0.2*)
|
1.0.1*|1.0.2*) legacycmd="-legacy_renegotiation" ;;
|
||||||
ADDCMD="-legacy_renegotiation" ;;
|
0.9.9*|1.0*) # all ok
|
||||||
0.9.9*|1.0*)
|
|
||||||
# all ok
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE
|
# http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html, head/get doesn't seem to be needed though
|
||||||
reneg_ok=$? # 0=client is renegotiating and does not get an error: vuln to DoS via client initiated renegotiation
|
echo R | $OPENSSL s_client $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT &>$TMPFILE # msg enables us to look deeper into it while debugging
|
||||||
case $reneg_ok in
|
sec_client_renego=$? # 0=client is renegotiating and does not get an error: vuln to DoS via client initiated renegotiation
|
||||||
|
case $sec_client_renego in
|
||||||
0) pr_litered "VULNERABLE (NOT ok)"; outln ", DoS threat" ;;
|
0) pr_litered "VULNERABLE (NOT ok)"; outln ", DoS threat" ;;
|
||||||
1) pr_litegreenln "not vulnerable (OK)" ;;
|
1) pr_litegreenln "not vulnerable (OK)" ;;
|
||||||
*) outln "FIXME: $reneg_ok" ;;
|
*) outln "FIXME: $sec_client_renego" ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
pr_bold " Renegotiation "; out "(CVE 2009-3555) " # and RFC5746, OSVDB 59968-59974
|
#FIXME Insecure Client-Initiated Renegotiation is missing
|
||||||
NEG_STR="Secure Renegotiation IS NOT"
|
|
||||||
echo "R" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 | grep -iaq "$NEG_STR"
|
|
||||||
secreg=$? # 0= Secure Renegotiation IS NOT supported
|
|
||||||
case $secreg in
|
|
||||||
0) pr_redln "VULNERABLE (NOT ok)" ;;
|
|
||||||
1) pr_greenln "not vulnerable (OK)" ;;
|
|
||||||
*) outln "FIXME: $secreg" ;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $secreg
|
return $(($sec_renego + $sec_client_renego))
|
||||||
# https://community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
|
# https://community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
|
||||||
}
|
}
|
||||||
|
|
||||||
|
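Review bot: `sec_renego` is the exit status of `grep -iaq` on the s_client output, so a failed handshake or empty output also yields 1 and is printed as `not vulnerable (OK)` by the case that follows — a false negative for the Secure Renegotiation check. Capture the s_client output first and only classify when the handshake actually carried a "Secure Renegotiation IS" line, routing everything else to the existing `*)` arm; `renego_out` would need adding to the `local` declarations. The client-initiated test has the same shape, since `$?` after `s_client ... &>$TMPFILE` is also non-zero on a plain connection failure, which its `1)` arm then reports green. Separately, in `[m-z]) # all ok ;;` the `;;` belongs to the comment, so the arm is only closed by the `;;` on the next line; `[m-z]) ;;  # all ok` says what is meant.
```shell
# … unchanged: header output, local declarations (add renego_out there) …
insecure_renogo_str="Secure Renegotiation IS NOT"
renego_out=$(echo "HEAD / HTTP/1.0" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT 2>&1)
if grep -iaq "Secure Renegotiation IS" <<<"$renego_out"; then
     grep -iaq "$insecure_renogo_str" <<<"$renego_out"
     sec_renego=$?          # 0= Secure Renegotiation IS NOT supported
else
     sec_renego=2           # no handshake / no renegotiation line: cannot classify, falls to *) below
fi
# … unchanged: case $sec_renego ... esac, client-initiated renegotiation test …
```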