From 32325d0643c169ce2dc785f231313af1b02db878 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 14 Jul 2015 17:13:58 +0200 Subject: [PATCH] * fix for scanning an IP address only * server_preference: cipher adjusted * some [[ and ]] in loops, hoping to speed up processing a bit * cosmetic stuff --- testssl.sh | 78 +++++++++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/testssl.sh b/testssl.sh index 22d4e43..71010de 100755 --- a/testssl.sh +++ b/testssl.sh @@ -60,7 +60,7 @@ # a better picture. # debugging help: -readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' +readonly PS4='${LINENO}> ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' # make sure that temporary files are cleaned up after use in ANY case trap "cleanup" QUIT EXIT @@ -946,13 +946,13 @@ normalize_ciphercode() { prettyprint_local() { pr_blue "--> Displaying all local ciphers "; - if [ ! -z "$1" ]; then + if [[ -n "$1" ]]; then pr_blue "matching word pattern "\"$1\"" (ignore case)"; fi outln "\n" neat_header - if [ -z "$1" ]; then + if [[ -z "$1" ]]; then $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 normalize_ciphercode $hexcode neat_list $HEXC $ciph $kx $enc @@ -1085,7 +1085,7 @@ neat_list(){ [[ "${#kx}" -eq 19 ]] && kx="$kx " # 19 means DH, colored >=1000. Add another space #echo ${#kx} # should be always 20 fi - if [ -r "$MAP_RFC_FNAME" ]; then + if [[ -r "$MAP_RFC_FNAME" ]]; then printf -- " %-7s %-30s %-10s %-11s%-11s${MAP_RFC_FNAME:+ %-48s}${SHOW_EACH_C:+ }" "$1" "$2" "$kx" "$enc" "$strength" "$(show_rfc_style $HEXC)" else printf -- " %-7s %-30s %-10s %-11s%-11s${SHOW_EACH_C:+ }" "$1" "$2" "$kx" "$enc" "$strength" @@ -1107,10 +1107,10 @@ test_just_one(){ # FIXME: e.g. OpenSSL < 1.0 doesn't understand "-V" --> we can't do anything about it! normalize_ciphercode $hexcode neat_list $HEXC $ciph $kx $enc | grep -qwai "$arg" - if [ $? -eq 0 ]; then # string matches, so we can ssl to it: + if [[ $? -eq 0 ]]; then # string matches, so we can ssl to it: $OPENSSL s_client -cipher $ciph $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE we can't do anything about it! $OPENSSL s_client -cipher $ciph $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE $TMPFILE &1 | grep -aq "unknown option" - if [ $? -eq 0 ]; then + if [[ $? -eq 0 ]]; then pr_magentaln "Local problem: $OPENSSL doesn't support \"s_client $1\"" ret=7 else @@ -1384,7 +1384,7 @@ read_dhbits_from_file() { local old_fart=" (openssl is too old to show DH bits)" if ! $HAS_DH_BITS; then - if [ -z "$2" ]; then + if [[ -z "$2" ]]; then pr_litemagenta "$old_fart" fi return 0 @@ -1394,11 +1394,11 @@ read_dhbits_from_file() { what_dh=$(echo $bits | tr -d '[0-9]') bits=$(echo $bits | tr -d '[DHEC]') - debugme ">$what_dh|$bits<" + debugme echo ">$what_dh|$bits<" - [ -n "$bits" ] && [ -z "$2" ] && out ", " + [[ -n "$bits" ]] && [[ -z "$2" ]] && out ", " if [[ $what_dh == "DH" ]] || [[ $what_dh == "EDH" ]] ; then - [ -z "$2" ] && add="bit DH" + [[ -z "$2" ]] && add="bit DH" if [[ "$bits" -le 600 ]]; then pr_red "$bits $add" elif [[ "$bits" -le 800 ]]; then @@ -1412,7 +1412,7 @@ read_dhbits_from_file() { fi # https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography, http://www.keylength.com/en/compare/ elif [[ $what_dh == "ECDH" ]]; then - [ -z "$2" ] && add="bit ECDH" + [[ -z "$2" ]] && add="bit ECDH" if [[ "$bits" -le 128 ]]; then # has that ever existed? pr_red "$bits $add" elif [[ "$bits" -le 163 ]]; then @@ -1429,8 +1429,8 @@ read_dhbits_from_file() { server_preference() { - local list_fwd="DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:AES256-SHA256" - local list_reverse="AES256-SHA256:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA" # offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 + local list_fwd="DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:AES256-SHA256" + local list_reverse="AES256-SHA256:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA" # offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 outln; pr_blue "--> Testing server preferences"; outln "\n" @@ -1490,7 +1490,7 @@ server_preference() { for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do locally_supported -"$p" || continue $OPENSSL s_client $STARTTLS -"$p" -connect $NODEIP:$PORT $PROXY $SNI /dev/null >$TMPFILE - if [ $? -eq 0 ]; then + if [[ $? -eq 0 ]]; then proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') [[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack! @@ -1506,9 +1506,9 @@ server_preference() { [ -n "$STARTTLS" ] && arg=" " if spdy_pre " $arg"; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg "$NPN_PROTOs" /dev/null >$TMPFILE - if [ $? -eq 0 ]; then + if [[ $? -eq 0 ]]; then proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g') - if [ -z "${proto[i]}" ]; then + if [[ -z "${proto[i]}" ]]; then cipher[i]="" else cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') @@ -1553,7 +1553,7 @@ cipher_pref_check() { for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do $OPENSSL s_client $STARTTLS -"$p" -connect $NODEIP:$PORT $PROXY $SNI /dev/null >$TMPFILE - if [ $? -eq 0 ]; then + if [[ $? -eq 0 ]]; then tested_cipher="" proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') @@ -1563,7 +1563,7 @@ cipher_pref_check() { tested_cipher="-"$cipher while true; do $OPENSSL s_client $STARTTLS -"$p" -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI /dev/null >$TMPFILE - [ $? -ne 0 ] && break + [[ $? -ne 0 ]] && break cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') out "$cipher " tested_cipher="$tested_cipher:-$cipher" @@ -1583,7 +1583,7 @@ cipher_pref_check() { tested_cipher="-"$cipher while true; do $OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT -nextprotoneg "$p" $PROXY /dev/null >$TMPFILE - [ $? -ne 0 ] && break + [[ $? -ne 0 ]] && break cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') out "$cipher " tested_cipher="$tested_cipher:-$cipher" @@ -1904,7 +1904,7 @@ pfs() { fi if $WIDE; then normalize_ciphercode $hexcode - if [ $kx == "Kx=ECDH" ] || [ $kx == "Kx=DH" ] || [ $kx == "Kx=EDH" ]; then + if [[ $kx == "Kx=ECDH" ]] || [[ $kx == "Kx=DH" ]] || [[ $kx == "Kx=EDH" ]]; then dhlen=$(read_dhbits_from_file "$tmpfile" quiet) kx="$kx $dhlen" fi @@ -1925,7 +1925,7 @@ pfs() { # ^^^^^ posix redirect as shopt will either segfault or doesn't work with old bash versions debugme echo $pfs_offered - if [ "$pfs_offered" -eq 1 ] ; then + if [ "$pfs_offered" -eq 1 ]; then pr_brown "no PFS ciphers found" fi fi @@ -3179,7 +3179,7 @@ beast(){ # 2) test handfull of common CBC ciphers for proto in ssl3 tls1; do $OPENSSL s_client -"$proto" $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>/dev/null /dev/null >$TMPFILE