Merge pull request #1390 from dcooper16/fix_indentation
Fix indentation
This commit is contained in:
commit
32da607acb
408
testssl.sh
408
testssl.sh
|
@ -444,35 +444,35 @@ CRITICAL=4
|
||||||
SEVERITY_LEVEL=0
|
SEVERITY_LEVEL=0
|
||||||
|
|
||||||
set_severity_level() {
|
set_severity_level() {
|
||||||
local severity=$1
|
local severity=$1
|
||||||
|
|
||||||
if [[ "$severity" == LOW ]]; then
|
if [[ "$severity" == LOW ]]; then
|
||||||
SEVERITY_LEVEL=$LOW
|
SEVERITY_LEVEL=$LOW
|
||||||
elif [[ "$severity" == MEDIUM ]]; then
|
elif [[ "$severity" == MEDIUM ]]; then
|
||||||
SEVERITY_LEVEL=$MEDIUM
|
SEVERITY_LEVEL=$MEDIUM
|
||||||
elif [[ "$severity" == HIGH ]]; then
|
elif [[ "$severity" == HIGH ]]; then
|
||||||
SEVERITY_LEVEL=$HIGH
|
SEVERITY_LEVEL=$HIGH
|
||||||
elif [[ "$severity" == CRITICAL ]]; then
|
elif [[ "$severity" == CRITICAL ]]; then
|
||||||
SEVERITY_LEVEL=$CRITICAL
|
SEVERITY_LEVEL=$CRITICAL
|
||||||
else
|
else
|
||||||
# WARN and FATAL will always be logged as the represent scanning problems
|
# WARN and FATAL will always be logged as the represent scanning problems
|
||||||
echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL!"
|
echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL!"
|
||||||
help 1
|
help 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
show_finding() {
|
show_finding() {
|
||||||
local severity=$1
|
local severity=$1
|
||||||
|
|
||||||
( [[ "$severity" == DEBUG ]] ) ||
|
( [[ "$severity" == DEBUG ]] ) ||
|
||||||
( [[ "$severity" == INFO ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
|
( [[ "$severity" == INFO ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
|
||||||
( [[ "$severity" == OK ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
|
( [[ "$severity" == OK ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
|
||||||
( [[ "$severity" == LOW ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
|
( [[ "$severity" == LOW ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
|
||||||
( [[ "$severity" == MEDIUM ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
|
( [[ "$severity" == MEDIUM ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
|
||||||
( [[ "$severity" == HIGH ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
|
( [[ "$severity" == HIGH ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
|
||||||
( [[ "$severity" == CRITICAL ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] ) ||
|
( [[ "$severity" == CRITICAL ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] ) ||
|
||||||
( [[ "$severity" == WARN ]] ) ||
|
( [[ "$severity" == WARN ]] ) ||
|
||||||
( [[ "$severity" == FATAL ]] )
|
( [[ "$severity" == FATAL ]] )
|
||||||
}
|
}
|
||||||
|
|
||||||
########### Output functions
|
########### Output functions
|
||||||
|
@ -771,10 +771,10 @@ fileout_json_section() {
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_section_header() {
|
fileout_section_header() {
|
||||||
local str=""
|
local str=""
|
||||||
"$2" && str="$(fileout_section_footer false)"
|
"$2" && str="$(fileout_section_footer false)"
|
||||||
"$do_pretty_json" && FIRST_FINDING=true && (printf "%s%s\n" "$str" "$(fileout_json_section "$1")") >> "$JSONFILE"
|
"$do_pretty_json" && FIRST_FINDING=true && (printf "%s%s\n" "$str" "$(fileout_json_section "$1")") >> "$JSONFILE"
|
||||||
SECTION_FOOTER_NEEDED=true
|
SECTION_FOOTER_NEEDED=true
|
||||||
}
|
}
|
||||||
|
|
||||||
# arg1: whether to end object too
|
# arg1: whether to end object too
|
||||||
|
@ -792,8 +792,8 @@ fileout_json_print_parameter() {
|
||||||
local spaces=""
|
local spaces=""
|
||||||
|
|
||||||
"$do_json" && \
|
"$do_json" && \
|
||||||
spaces=" " || \
|
spaces=" " || \
|
||||||
spaces=" "
|
spaces=" "
|
||||||
if [[ -n "$value" ]] || [[ "$parameter" == finding ]]; then
|
if [[ -n "$value" ]] || [[ "$parameter" == finding ]]; then
|
||||||
printf "%s%s%s%s" "$spaces" "\"$parameter\"" "$filler" ": \"$value\"" >> "$JSONFILE"
|
printf "%s%s%s%s" "$spaces" "\"$parameter\"" "$filler" ": \"$value\"" >> "$JSONFILE"
|
||||||
"$not_last" && printf ",\n" >> "$JSONFILE"
|
"$not_last" && printf ",\n" >> "$JSONFILE"
|
||||||
|
@ -819,33 +819,33 @@ fileout_json_finding() {
|
||||||
"$GIVE_HINTS" && fileout_json_print_parameter "hint" " " "$hint" true
|
"$GIVE_HINTS" && fileout_json_print_parameter "hint" " " "$hint" true
|
||||||
fileout_json_print_parameter "finding" " " "$finding" false
|
fileout_json_print_parameter "finding" " " "$finding" false
|
||||||
echo -e "\n }" >> "$JSONFILE"
|
echo -e "\n }" >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
if "$do_pretty_json"; then
|
if "$do_pretty_json"; then
|
||||||
if [[ "$1" == service ]]; then
|
if [[ "$1" == service ]]; then
|
||||||
if [[ $SERVER_COUNTER -gt 1 ]]; then
|
if [[ $SERVER_COUNTER -gt 1 ]]; then
|
||||||
echo " ," >> "$JSONFILE"
|
echo " ," >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
target="$NODE"
|
target="$NODE"
|
||||||
$do_mx_all_ips && target="$URI"
|
$do_mx_all_ips && target="$URI"
|
||||||
echo -e " {
|
echo -e " {
|
||||||
\"targetHost\" : \"$target\",
|
\"targetHost\" : \"$target\",
|
||||||
\"ip\" : \"$NODEIP\",
|
\"ip\" : \"$NODEIP\",
|
||||||
\"port\" : \"$PORT\",
|
\"port\" : \"$PORT\",
|
||||||
\"rDNS\" : \"$rDNS\",
|
\"rDNS\" : \"$rDNS\",
|
||||||
\"service\" : \"$finding\"," >> "$JSONFILE"
|
\"service\" : \"$finding\"," >> "$JSONFILE"
|
||||||
$do_mx_all_ips && echo -e " \"hostname\" : \"$NODE\"," >> "$JSONFILE"
|
$do_mx_all_ips && echo -e " \"hostname\" : \"$NODE\"," >> "$JSONFILE"
|
||||||
else
|
else
|
||||||
("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE"
|
("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE"
|
||||||
echo -e -n "\n" >> "$JSONFILE"
|
echo -e -n "\n" >> "$JSONFILE"
|
||||||
fileout_json_print_parameter "id" " " "$1" true
|
fileout_json_print_parameter "id" " " "$1" true
|
||||||
fileout_json_print_parameter "severity" " " "$2" true
|
fileout_json_print_parameter "severity" " " "$2" true
|
||||||
fileout_json_print_parameter "cve" " " "$cve" true
|
fileout_json_print_parameter "cve" " " "$cve" true
|
||||||
fileout_json_print_parameter "cwe" " " "$cwe" true
|
fileout_json_print_parameter "cwe" " " "$cwe" true
|
||||||
"$GIVE_HINTS" && fileout_json_print_parameter "hint" " " "$hint" true
|
"$GIVE_HINTS" && fileout_json_print_parameter "hint" " " "$hint" true
|
||||||
fileout_json_print_parameter "finding" " " "$finding" false
|
fileout_json_print_parameter "finding" " " "$finding" false
|
||||||
echo -e -n "\n }" >> "$JSONFILE"
|
echo -e -n "\n }" >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
##################### FILE FORMATTING #########################
|
##################### FILE FORMATTING #########################
|
||||||
|
@ -854,10 +854,10 @@ fileout_pretty_json_banner() {
|
||||||
local target
|
local target
|
||||||
|
|
||||||
if ! "$do_mass_testing"; then
|
if ! "$do_mass_testing"; then
|
||||||
[[ -z "$NODE" ]] && parse_hn_port "${URI}"
|
[[ -z "$NODE" ]] && parse_hn_port "${URI}"
|
||||||
# NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place
|
# NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place
|
||||||
target="$NODE"
|
target="$NODE"
|
||||||
$do_mx_all_ips && target="$URI"
|
$do_mx_all_ips && target="$URI"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
|
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
|
||||||
|
@ -937,11 +937,11 @@ fileout() {
|
||||||
local hint="$6"
|
local hint="$6"
|
||||||
|
|
||||||
if ( "$do_pretty_json" && [[ "$1" == service ]] ) || show_finding "$severity"; then
|
if ( "$do_pretty_json" && [[ "$1" == service ]] ) || show_finding "$severity"; then
|
||||||
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") # additional quotes will mess up screen output
|
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") # additional quotes will mess up screen output
|
||||||
[[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
|
[[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
|
||||||
"$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \
|
"$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \
|
||||||
fileout_csv_finding "$1" "$NODE/$NODEIP" "$PORT" "$severity" "$finding" "$cve" "$cwe" "$hint"
|
fileout_csv_finding "$1" "$NODE/$NODEIP" "$PORT" "$severity" "$finding" "$cve" "$cwe" "$hint"
|
||||||
"$FIRST_FINDING" && FIRST_FINDING=false
|
"$FIRST_FINDING" && FIRST_FINDING=false
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1465,13 +1465,13 @@ out_row_aligned_max_width_by_entry() {
|
||||||
|
|
||||||
resp="$(out_row_aligned_max_width "$text" "$spaces" "$max_width")"
|
resp="$(out_row_aligned_max_width "$text" "$spaces" "$max_width")"
|
||||||
while read -d " " entry; do
|
while read -d " " entry; do
|
||||||
if [[ -n "$entry" ]]; then
|
if [[ -n "$entry" ]]; then
|
||||||
$print_function "$entry"
|
$print_function "$entry"
|
||||||
elif [[ -n "$prev_entry" ]]; then
|
elif [[ -n "$prev_entry" ]]; then
|
||||||
outln; out " "
|
outln; out " "
|
||||||
fi
|
fi
|
||||||
out " "
|
out " "
|
||||||
prev_entry="$entry"
|
prev_entry="$entry"
|
||||||
done <<< "$resp"
|
done <<< "$resp"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1609,7 +1609,7 @@ http_get_header() {
|
||||||
# assume the GET protocol we query is using http -- http_proxy is the $ENV not for the connection TO
|
# assume the GET protocol we query is using http -- http_proxy is the $ENV not for the connection TO
|
||||||
# the proxy, but for the protocol we query THROUGH the proxy
|
# the proxy, but for the protocol we query THROUGH the proxy
|
||||||
if [[ -z "$PROXY" ]]; then
|
if [[ -z "$PROXY" ]]; then
|
||||||
headers="$(wget --no-proxy -q -S -U $''"$useragent"'' -O /dev/null "$1" 2>&1)"
|
headers="$(wget --no-proxy -q -S -U $''"$useragent"'' -O /dev/null "$1" 2>&1)"
|
||||||
else
|
else
|
||||||
if [[ -z "$http_proxy" ]]; then
|
if [[ -z "$http_proxy" ]]; then
|
||||||
headers="$(http_proxy=http://$PROXYIP:$PROXYPORT wget -q -S -U $''"$useragent"'' -O /dev/null "$1" 2>&1)"
|
headers="$(http_proxy=http://$PROXYIP:$PROXYPORT wget -q -S -U $''"$useragent"'' -O /dev/null "$1" 2>&1)"
|
||||||
|
@ -3636,7 +3636,7 @@ run_cipher_match(){
|
||||||
kx[i]="${kx[i]} $dhlen"
|
kx[i]="${kx[i]} $dhlen"
|
||||||
fi
|
fi
|
||||||
"$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && \
|
"$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && \
|
||||||
sigalg[i]="$(read_sigalg_from_file "$HOSTCERT")"
|
sigalg[i]="$(read_sigalg_from_file "$HOSTCERT")"
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
@ -4860,7 +4860,7 @@ add_tls_offered() {
|
||||||
# the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2
|
# the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2
|
||||||
:
|
:
|
||||||
else
|
else
|
||||||
PROTOS_OFFERED+="${1}:$2 "
|
PROTOS_OFFERED+="${1}:$2 "
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -5325,23 +5325,23 @@ run_protocols() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
3) out "not offered, "
|
3) out "not offered, "
|
||||||
fileout "$jsonID" "INFO" "not offered"
|
fileout "$jsonID" "INFO" "not offered"
|
||||||
add_tls_offered tls1_2 no
|
add_tls_offered tls1_2 no
|
||||||
pr_warning "TLS downgraded to STARTTLS plaintext"; outln
|
pr_warning "TLS downgraded to STARTTLS plaintext"; outln
|
||||||
fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
|
fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
|
||||||
;;
|
;;
|
||||||
4) out "likely "; pr_svrty_medium "not offered, "
|
4) out "likely "; pr_svrty_medium "not offered, "
|
||||||
fileout "$jsonID" "MEDIUM" "not offered"
|
fileout "$jsonID" "MEDIUM" "not offered"
|
||||||
add_tls_offered tls1_2 no
|
add_tls_offered tls1_2 no
|
||||||
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
|
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
|
||||||
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
|
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
|
||||||
;;
|
;;
|
||||||
5) outln "$supported_no_ciph1" # protocol detected, but no cipher --> comes from run_prototest_openssl
|
5) outln "$supported_no_ciph1" # protocol detected, but no cipher --> comes from run_prototest_openssl
|
||||||
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
fileout "$jsonID" "INFO" "$supported_no_ciph1"
|
||||||
add_tls_offered tls1_2 yes
|
add_tls_offered tls1_2 yes
|
||||||
;;
|
;;
|
||||||
7) if "$using_sockets" ; then
|
7) if "$using_sockets" ; then
|
||||||
# can only happen in debug mode
|
# can only happen in debug mode
|
||||||
pr_warning "strange reply, maybe a client side problem with TLS 1.2"; outln "$debug_recomm"
|
pr_warning "strange reply, maybe a client side problem with TLS 1.2"; outln "$debug_recomm"
|
||||||
else
|
else
|
||||||
|
@ -6537,7 +6537,7 @@ run_server_preference() {
|
||||||
|
|
||||||
for i in 1 2 3 4 5 6; do
|
for i in 1 2 3 4 5 6; do
|
||||||
if [[ -n "${cipher[i]}" ]]; then # cipher not empty
|
if [[ -n "${cipher[i]}" ]]; then # cipher not empty
|
||||||
if [[ -z "$prev_cipher" ]] || [[ "$prev_cipher" != "${cipher[i]}" ]]; then
|
if [[ -z "$prev_cipher" ]] || [[ "$prev_cipher" != "${cipher[i]}" ]]; then
|
||||||
[[ -n "$prev_cipher" ]] && outln
|
[[ -n "$prev_cipher" ]] && outln
|
||||||
str_len=${#cipher[i]}
|
str_len=${#cipher[i]}
|
||||||
out " "
|
out " "
|
||||||
|
@ -6633,11 +6633,11 @@ check_tls12_pref() {
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if "$FAST" && [[ $nr_ciphers_found_r2 -ne 1 ]]; then
|
if "$FAST" && [[ $nr_ciphers_found_r2 -ne 1 ]]; then
|
||||||
prln_fixme "something weird happened around line $((LINENO - 14))"
|
prln_fixme "something weird happened around line $((LINENO - 14))"
|
||||||
return 1
|
return 1
|
||||||
elif ! "$FAST" && [[ $nr_ciphers_found_r2 -ne $nr_ciphers_found_r1 ]]; then
|
elif ! "$FAST" && [[ $nr_ciphers_found_r2 -ne $nr_ciphers_found_r1 ]]; then
|
||||||
prln_fixme "something weird happened around line $((LINENO - 16))"
|
prln_fixme "something weird happened around line $((LINENO - 16))"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
tm_out "$order"
|
tm_out "$order"
|
||||||
|
@ -6855,8 +6855,8 @@ get_host_cert() {
|
||||||
return 0
|
return 0
|
||||||
else
|
else
|
||||||
if [[ -z "$1" ]]; then
|
if [[ -z "$1" ]]; then
|
||||||
prln_warning "could not retrieve host certificate!"
|
prln_warning "could not retrieve host certificate!"
|
||||||
fileout "host_certificate_Problem" "WARN" "Could not retrieve host certificate!"
|
fileout "host_certificate_Problem" "WARN" "Could not retrieve host certificate!"
|
||||||
fi
|
fi
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
@ -6910,7 +6910,7 @@ determine_trust() {
|
||||||
|
|
||||||
case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
|
case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
|
||||||
1.0.2|1.1.0|1.1.1|2.[1-9].*|3.*) # 2.x is LibreSSL. 2.1.1 was tested to work, below is not sure
|
1.0.2|1.1.0|1.1.1|2.[1-9].*|3.*) # 2.x is LibreSSL. 2.1.1 was tested to work, below is not sure
|
||||||
:
|
:
|
||||||
;;
|
;;
|
||||||
*) addtl_warning="Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust"
|
*) addtl_warning="Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust"
|
||||||
fileout "${jsonID}${json_postfix}" "WARN" "$addtl_warning"
|
fileout "${jsonID}${json_postfix}" "WARN" "$addtl_warning"
|
||||||
|
@ -7201,42 +7201,42 @@ extract_certificates() {
|
||||||
fi
|
fi
|
||||||
[[ -s level0.crt ]] && nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
|
[[ -s level0.crt ]] && nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
|
||||||
if [[ $nrsaved -eq 0 ]]; then
|
if [[ $nrsaved -eq 0 ]]; then
|
||||||
success=1
|
success=1
|
||||||
else
|
else
|
||||||
success=0
|
success=0
|
||||||
CERTIFICATE_LIST_ORDERING_PROBLEM=false
|
CERTIFICATE_LIST_ORDERING_PROBLEM=false
|
||||||
mv level0.crt $HOSTCERT
|
mv level0.crt $HOSTCERT
|
||||||
if [[ $nrsaved -eq 1 ]]; then
|
if [[ $nrsaved -eq 1 ]]; then
|
||||||
echo "" > $TEMPDIR/intermediatecerts.pem
|
echo "" > $TEMPDIR/intermediatecerts.pem
|
||||||
else
|
else
|
||||||
cat level?.crt > $TEMPDIR/intermediatecerts.pem
|
cat level?.crt > $TEMPDIR/intermediatecerts.pem
|
||||||
issuerDN="$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>/dev/null)"
|
issuerDN="$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>/dev/null)"
|
||||||
issuerDN="${issuerDN:8}"
|
issuerDN="${issuerDN:8}"
|
||||||
previssuerDN="$issuerDN"
|
previssuerDN="$issuerDN"
|
||||||
# The second certificate (level1.crt) SHOULD be issued to the CA
|
# The second certificate (level1.crt) SHOULD be issued to the CA
|
||||||
# that issued the server's certificate. But, according to RFC 8446
|
# that issued the server's certificate. But, according to RFC 8446
|
||||||
# clients SHOULD be prepared to handle cases in which the server
|
# clients SHOULD be prepared to handle cases in which the server
|
||||||
# does not order the certificates correctly.
|
# does not order the certificates correctly.
|
||||||
for (( i=1; i < nrsaved; i++ )); do
|
for (( i=1; i < nrsaved; i++ )); do
|
||||||
CAsubjectDN="$($OPENSSL x509 -in "level$i.crt" -noout -subject 2>/dev/null)"
|
CAsubjectDN="$($OPENSSL x509 -in "level$i.crt" -noout -subject 2>/dev/null)"
|
||||||
if [[ "${CAsubjectDN:9}" == "$issuerDN" ]]; then
|
if [[ "${CAsubjectDN:9}" == "$issuerDN" ]]; then
|
||||||
cp "level$i.crt" $TEMPDIR/hostcert_issuer.pem
|
cp "level$i.crt" $TEMPDIR/hostcert_issuer.pem
|
||||||
issuerDN="" # set to empty to prevent further matches
|
issuerDN="" # set to empty to prevent further matches
|
||||||
fi
|
fi
|
||||||
[[ "${CAsubjectDN:9}" != "$previssuerDN" ]] && CERTIFICATE_LIST_ORDERING_PROBLEM=true
|
[[ "${CAsubjectDN:9}" != "$previssuerDN" ]] && CERTIFICATE_LIST_ORDERING_PROBLEM=true
|
||||||
"$CERTIFICATE_LIST_ORDERING_PROBLEM" && [[ -z "$issuerDN" ]] && break
|
"$CERTIFICATE_LIST_ORDERING_PROBLEM" && [[ -z "$issuerDN" ]] && break
|
||||||
previssuerDN="$($OPENSSL x509 -in "level$i.crt" -noout -issuer 2>/dev/null)"
|
previssuerDN="$($OPENSSL x509 -in "level$i.crt" -noout -issuer 2>/dev/null)"
|
||||||
previssuerDN="${previssuerDN:8}"
|
previssuerDN="${previssuerDN:8}"
|
||||||
done
|
done
|
||||||
# This should never happen, but if more than one certificate was
|
# This should never happen, but if more than one certificate was
|
||||||
# provided and none of them belong to the CA that issued the
|
# provided and none of them belong to the CA that issued the
|
||||||
# server's certificate, then the extra certificates should just
|
# server's certificate, then the extra certificates should just
|
||||||
# be deleted. There is code elsewhere that assumes that if
|
# be deleted. There is code elsewhere that assumes that if
|
||||||
# $TEMPDIR/intermediatecerts.pem is non-empty, then
|
# $TEMPDIR/intermediatecerts.pem is non-empty, then
|
||||||
# $TEMPDIR/hostcert_issuer.pem is also present.
|
# $TEMPDIR/hostcert_issuer.pem is also present.
|
||||||
[[ -n "$issuerDN" ]] && echo "" > $TEMPDIR/intermediatecerts.pem
|
[[ -n "$issuerDN" ]] && echo "" > $TEMPDIR/intermediatecerts.pem
|
||||||
rm level?.crt
|
rm level?.crt
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
cd "$savedir"
|
cd "$savedir"
|
||||||
return $success
|
return $success
|
||||||
|
@ -7265,15 +7265,15 @@ extract_stapled_ocsp() {
|
||||||
ocsp="$(strip_spaces "$(newline_to_spaces "$ocsp")")"
|
ocsp="$(strip_spaces "$(newline_to_spaces "$ocsp")")"
|
||||||
ocsp="${ocsp:8}"
|
ocsp="${ocsp:8}"
|
||||||
elif [[ "$response" =~ "TLS server extension \"status request\" (id=5), len=" ]]; then
|
elif [[ "$response" =~ "TLS server extension \"status request\" (id=5), len=" ]]; then
|
||||||
# This is OpenSSL 1.1.1 and the response is TLS 1.3.
|
# This is OpenSSL 1.1.1 and the response is TLS 1.3.
|
||||||
ocsp="${response##*TLS server extension \"status request\" (id=5), len=}"
|
ocsp="${response##*TLS server extension \"status request\" (id=5), len=}"
|
||||||
ocsp="${ocsp%%<<<*}"
|
ocsp="${ocsp%%<<<*}"
|
||||||
tmp="${ocsp%%[!0-9]*}"
|
tmp="${ocsp%%[!0-9]*}"
|
||||||
ocsp="${ocsp#$tmp}"
|
ocsp="${ocsp#$tmp}"
|
||||||
ocsp_len=2*$tmp
|
ocsp_len=2*$tmp
|
||||||
ocsp="$(awk ' { print $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15 $16 $17 } ' <<< "$ocsp" | sed 's/-//')"
|
ocsp="$(awk ' { print $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15 $16 $17 } ' <<< "$ocsp" | sed 's/-//')"
|
||||||
ocsp="$(strip_spaces "$(newline_to_spaces "$ocsp")")"
|
ocsp="$(strip_spaces "$(newline_to_spaces "$ocsp")")"
|
||||||
ocsp="${ocsp:0:ocsp_len}"
|
ocsp="${ocsp:0:ocsp_len}"
|
||||||
else
|
else
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
@ -7354,9 +7354,9 @@ get_server_certificate() {
|
||||||
"$HAS_NPN" && [[ -z "$STARTTLS" ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\""
|
"$HAS_NPN" && [[ -z "$STARTTLS" ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\""
|
||||||
|
|
||||||
if [[ -n "$2" ]]; then
|
if [[ -n "$2" ]]; then
|
||||||
protocols_to_try="$2"
|
protocols_to_try="$2"
|
||||||
else
|
else
|
||||||
protocols_to_try="tls1_2 tls1_1 tls1 ssl3"
|
protocols_to_try="tls1_2 tls1_1 tls1 ssl3"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# throwing 1st every cipher/protocol at the server to know what works
|
# throwing 1st every cipher/protocol at the server to know what works
|
||||||
|
@ -7405,7 +7405,7 @@ get_server_certificate() {
|
||||||
[[ $ret -eq 2 ]] && success=0
|
[[ $ret -eq 2 ]] && success=0
|
||||||
if [[ $success -eq 7 ]]; then
|
if [[ $success -eq 7 ]]; then
|
||||||
if [ -z "$1" ]; then
|
if [ -z "$1" ]; then
|
||||||
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
|
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
|
||||||
fi
|
fi
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 7 # this is ugly, I know
|
return 7 # this is ugly, I know
|
||||||
|
@ -7455,7 +7455,7 @@ get_server_certificate() {
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $ciphers_to_test -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
if [ -z "$1" ]; then
|
if [ -z "$1" ]; then
|
||||||
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
|
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
|
||||||
fi
|
fi
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 7 # this is ugly, I know
|
return 7 # this is ugly, I know
|
||||||
|
@ -7832,7 +7832,7 @@ etsi_etls_visibility_info() {
|
||||||
j+=1
|
j+=1
|
||||||
j+=2*0x${dercert:j:1}+1
|
j+=2*0x${dercert:j:1}+1
|
||||||
else
|
else
|
||||||
j+=2
|
j+=2
|
||||||
fi
|
fi
|
||||||
# The value for this otherName is encoded as a SEQUENCE (30):
|
# The value for this otherName is encoded as a SEQUENCE (30):
|
||||||
# VisibilityInformation ::= SEQUENCE {
|
# VisibilityInformation ::= SEQUENCE {
|
||||||
|
@ -8659,8 +8659,8 @@ certificate_info() {
|
||||||
# we adjust the thresholds by %50 for LE certificates, relaxing those warnings
|
# we adjust the thresholds by %50 for LE certificates, relaxing those warnings
|
||||||
# . instead of \' because it does not break syntax highlighting in vim
|
# . instead of \' because it does not break syntax highlighting in vim
|
||||||
if [[ "$issuer_CN" =~ ^Let.s\ Encrypt\ Authority ]] ; then
|
if [[ "$issuer_CN" =~ ^Let.s\ Encrypt\ Authority ]] ; then
|
||||||
days2warn2=$((days2warn2 / 2))
|
days2warn2=$((days2warn2 / 2))
|
||||||
days2warn1=$((days2warn1 / 2))
|
days2warn1=$((days2warn1 / 2))
|
||||||
fi
|
fi
|
||||||
diffseconds=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(parse_date "$startdate" "+%s" $'%F %H:%M') ))
|
diffseconds=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(parse_date "$startdate" "+%s" $'%F %H:%M') ))
|
||||||
fi
|
fi
|
||||||
|
@ -10265,7 +10265,7 @@ fd_socket() {
|
||||||
;;
|
;;
|
||||||
xmpp|xmpps) # XMPP, see https://tools.ietf.org/html/rfc6120
|
xmpp|xmpps) # XMPP, see https://tools.ietf.org/html/rfc6120
|
||||||
starttls_xmpp_dialog
|
starttls_xmpp_dialog
|
||||||
# IM observatory: https://xmpp.net , XMPP server directory: https://xmpp.net/directory.php
|
# IM observatory: https://xmpp.net , XMPP server directory: https://xmpp.net/directory.php
|
||||||
;;
|
;;
|
||||||
postgres) # Postgres SQL, see http://www.postgresql.org/docs/devel/static/protocol-message-formats.html
|
postgres) # Postgres SQL, see http://www.postgresql.org/docs/devel/static/protocol-message-formats.html
|
||||||
starttls_postgres_dialog
|
starttls_postgres_dialog
|
||||||
|
@ -10404,23 +10404,23 @@ get_pub_key_size() {
|
||||||
case $len1 in
|
case $len1 in
|
||||||
129) len="0x${pubkey:i:2}" ;;
|
129) len="0x${pubkey:i:2}" ;;
|
||||||
130) len="0x${pubkey:i:2}"
|
130) len="0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*$len+"0x${pubkey:i:2}"
|
len=256*$len+"0x${pubkey:i:2}"
|
||||||
;;
|
;;
|
||||||
131) len="0x${pubkey:i:2}"
|
131) len="0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*$len+"0x${pubkey:i:2}"
|
len=256*$len+"0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*$len+"0x${pubkey:i:2}"
|
len=256*$len+"0x${pubkey:i:2}"
|
||||||
;;
|
;;
|
||||||
132) len="0x${pubkey:i:2}"
|
132) len="0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*$len+"0x${pubkey:i:2}"
|
len=256*$len+"0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*$len+"0x${pubkey:i:2}"
|
len=256*$len+"0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*$len+"0x${pubkey:i:2}"
|
len=256*$len+"0x${pubkey:i:2}"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
i=$i+2+2*$len
|
i=$i+2+2*$len
|
||||||
fi
|
fi
|
||||||
|
@ -10445,23 +10445,23 @@ get_pub_key_size() {
|
||||||
case $len1 in
|
case $len1 in
|
||||||
129) len="0x${pubkey:i:2}" ;;
|
129) len="0x${pubkey:i:2}" ;;
|
||||||
130) len="0x${pubkey:i:2}"
|
130) len="0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*$len+"0x${pubkey:i:2}"
|
len=256*$len+"0x${pubkey:i:2}"
|
||||||
;;
|
;;
|
||||||
131) len="0x${pubkey:i:2}"
|
131) len="0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*$len+"0x${pubkey:i:2}"
|
len=256*$len+"0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*$len+"0x${pubkey:i:2}"
|
len=256*$len+"0x${pubkey:i:2}"
|
||||||
;;
|
;;
|
||||||
132) len="0x${pubkey:i:2}"
|
132) len="0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*"0x${pubkey:i:2}"
|
len=256*"0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*"0x${pubkey:i:2}"
|
len=256*"0x${pubkey:i:2}"
|
||||||
i=$i+2
|
i=$i+2
|
||||||
len=256*"0x${pubkey:i:2}"
|
len=256*"0x${pubkey:i:2}"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
len=8*$len # convert from bytes to bits
|
len=8*$len # convert from bytes to bits
|
||||||
|
@ -12212,7 +12212,7 @@ parse_tls_serverhello() {
|
||||||
# create a new $tls_certificate_ascii that only contains a list of certificates.
|
# create a new $tls_certificate_ascii that only contains a list of certificates.
|
||||||
if [[ -n "$tls_certificate_ascii" ]]; then
|
if [[ -n "$tls_certificate_ascii" ]]; then
|
||||||
if [[ "${tls_certificate_ascii:0:2}" != "00" ]]; then
|
if [[ "${tls_certificate_ascii:0:2}" != "00" ]]; then
|
||||||
debugme tmln_warning "Malformed Certificate Handshake message in ServerHello."
|
debugme tmln_warning "Malformed Certificate Handshake message in ServerHello."
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
@ -13340,7 +13340,7 @@ resend_if_hello_retry_request() {
|
||||||
cipher_suite="${tls_hello_ascii:22:2},${tls_hello_ascii:24:2}"
|
cipher_suite="${tls_hello_ascii:22:2},${tls_hello_ascii:24:2}"
|
||||||
extns_offset=26
|
extns_offset=26
|
||||||
else
|
else
|
||||||
extns_offset=22
|
extns_offset=22
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
sid_len=2*$(hex2dec "${tls_hello_ascii:86:2}")
|
sid_len=2*$(hex2dec "${tls_hello_ascii:86:2}")
|
||||||
|
@ -13439,9 +13439,9 @@ resend_if_hello_retry_request() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$server_version" == 0304 ]] || [[ 0x$server_version -ge 0x7f16 ]]; then
|
if [[ "$server_version" == 0304 ]] || [[ 0x$server_version -ge 0x7f16 ]]; then
|
||||||
# Send a dummy change cipher spec for middlebox compatibility.
|
# Send a dummy change cipher spec for middlebox compatibility.
|
||||||
debugme echo -en "\nsending dummy change cipher spec... "
|
debugme echo -en "\nsending dummy change cipher spec... "
|
||||||
socksend ", x14, x03, x03 ,x00, x01, x01" 0
|
socksend ", x14, x03, x03 ,x00, x01, x01" 0
|
||||||
fi
|
fi
|
||||||
debugme echo -en "\nsending second client hello... "
|
debugme echo -en "\nsending second client hello... "
|
||||||
second_clienthello="$(modify_clienthello "$original_clienthello" "$new_key_share" "$cookie")"
|
second_clienthello="$(modify_clienthello "$original_clienthello" "$new_key_share" "$cookie")"
|
||||||
|
@ -14731,8 +14731,8 @@ run_tls_fallback_scsv() {
|
||||||
for p in tls1_2 tls1_1 tls1 ssl3; do
|
for p in tls1_2 tls1_1 tls1 ssl3; do
|
||||||
[[ $(has_server_protocol "$p") -eq 1 ]] && continue
|
[[ $(has_server_protocol "$p") -eq 1 ]] && continue
|
||||||
if [[ $(has_server_protocol "$p") -eq 0 ]]; then
|
if [[ $(has_server_protocol "$p") -eq 0 ]]; then
|
||||||
high_proto="$p"
|
high_proto="$p"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
|
@ -15893,19 +15893,19 @@ run_rc4() {
|
||||||
|
|
||||||
|
|
||||||
run_youknowwho() {
|
run_youknowwho() {
|
||||||
local cve="CVE-2013-2566"
|
local cve="CVE-2013-2566"
|
||||||
local cwe="CWE-310"
|
local cwe="CWE-310"
|
||||||
# NOT FIXME as there's no code: http://www.isg.rhul.ac.uk/tls/
|
# NOT FIXME as there's no code: http://www.isg.rhul.ac.uk/tls/
|
||||||
# http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
|
# http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
|
||||||
return 0
|
return 0
|
||||||
# in a nutshell: don't use RC4, really not!
|
# in a nutshell: don't use RC4, really not!
|
||||||
}
|
}
|
||||||
|
|
||||||
# https://www.usenix.org/conference/woot13/workshop-program/presentation/smyth
|
# https://www.usenix.org/conference/woot13/workshop-program/presentation/smyth
|
||||||
# https://secure-resumption.com/tlsauth.pdf
|
# https://secure-resumption.com/tlsauth.pdf
|
||||||
run_tls_truncation() {
|
run_tls_truncation() {
|
||||||
#FIXME: difficult to test, is there any test available: pls let me know
|
#FIXME: difficult to test, is there any test available: pls let me know
|
||||||
:
|
:
|
||||||
}
|
}
|
||||||
|
|
||||||
# Test for various server implementation errors that aren't tested for elsewhere.
|
# Test for various server implementation errors that aren't tested for elsewhere.
|
||||||
|
@ -15995,17 +15995,17 @@ run_grease() {
|
||||||
fileout "$jsonID" "MEDIUM" "Server responded with a ServerHello rather than an alert even though it doesn't support any of the client-offered cipher suites."
|
fileout "$jsonID" "MEDIUM" "Server responded with a ServerHello rather than an alert even though it doesn't support any of the client-offered cipher suites."
|
||||||
bug_found=true
|
bug_found=true
|
||||||
else
|
else
|
||||||
# Send a list of non-existent ciphers such that for each cipher that
|
# Send a list of non-existent ciphers such that for each cipher that
|
||||||
# is defined, there is one in the list that matches in the second byte
|
# is defined, there is one in the list that matches in the second byte
|
||||||
# (but make sure list contains at more 127 ciphers).
|
# (but make sure list contains at more 127 ciphers).
|
||||||
debugme echo -e "\nSending ClientHello with non-existent ciphers, but that match existing ciphers in second byte."
|
debugme echo -e "\nSending ClientHello with non-existent ciphers, but that match existing ciphers in second byte."
|
||||||
tls_sockets "$proto" "de,01, de,02, de,03, de,04, de,05, de,06, de,07, de,08, de,09, de,0a, de,0b, de,0c, de,0d, de,0e, de,0f, de,10, de,11, de,12, de,13, de,14, de,15, de,16, de,17, de,18, de,19, de,1a, de,1b, de,23, de,24, de,25, de,26, de,27, de,28, de,29, de,2a, de,2b, de,2c, de,2d, de,2e, de,2f, de,30, de,31, de,32, de,33, de,34, de,35, de,36, de,37, de,38, de,39, de,3a, de,3b, de,3c, de,3d, de,3e, de,3f, de,40, de,41, de,42, de,43, de,44, de,45, de,46, de,60, de,61, de,62, de,63, de,64, de,65, de,66, de,67, de,68, de,69, de,6a, de,6b, de,6c, de,6d, de,72, de,73, de,74, de,75, de,76, de,77, de,78, de,79, de,84, de,85, de,86, de,87, de,88, de,89, de,96, de,97, de,98, de,99, de,9a, de,9b, de,9c, de,9d, de,9e, de,9f, de,a0, de,a1, de,a2, de,a3, de,a4, de,a5, de,a6, de,a7, de,ba, de,bb, de,bc, de,bd, de,be, de,bf, de,c0, de,c1, de,c2, de,c3, de,c4, de,c5, 00,ff"
|
tls_sockets "$proto" "de,01, de,02, de,03, de,04, de,05, de,06, de,07, de,08, de,09, de,0a, de,0b, de,0c, de,0d, de,0e, de,0f, de,10, de,11, de,12, de,13, de,14, de,15, de,16, de,17, de,18, de,19, de,1a, de,1b, de,23, de,24, de,25, de,26, de,27, de,28, de,29, de,2a, de,2b, de,2c, de,2d, de,2e, de,2f, de,30, de,31, de,32, de,33, de,34, de,35, de,36, de,37, de,38, de,39, de,3a, de,3b, de,3c, de,3d, de,3e, de,3f, de,40, de,41, de,42, de,43, de,44, de,45, de,46, de,60, de,61, de,62, de,63, de,64, de,65, de,66, de,67, de,68, de,69, de,6a, de,6b, de,6c, de,6d, de,72, de,73, de,74, de,75, de,76, de,77, de,78, de,79, de,84, de,85, de,86, de,87, de,88, de,89, de,96, de,97, de,98, de,99, de,9a, de,9b, de,9c, de,9d, de,9e, de,9f, de,a0, de,a1, de,a2, de,a3, de,a4, de,a5, de,a6, de,a7, de,ba, de,bb, de,bc, de,bd, de,be, de,bf, de,c0, de,c1, de,c2, de,c3, de,c4, de,c5, 00,ff"
|
||||||
success=$?
|
success=$?
|
||||||
if [[ $success -eq 0 ]] || [[ $success -eq 2 ]]; then
|
if [[ $success -eq 0 ]] || [[ $success -eq 2 ]]; then
|
||||||
prln_svrty_medium " Server claims to support non-existent cipher suite."
|
prln_svrty_medium " Server claims to support non-existent cipher suite."
|
||||||
fileout "$jsonID" "MEDIUM" "Server claims to support non-existent cipher suite."
|
fileout "$jsonID" "MEDIUM" "Server claims to support non-existent cipher suite."
|
||||||
bug_found=true
|
bug_found=true
|
||||||
elif grep -q " The ServerHello specifies a cipher suite that wasn't included in the ClientHello" "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" ; then
|
elif grep -q " The ServerHello specifies a cipher suite that wasn't included in the ClientHello" "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" ; then
|
||||||
prln_svrty_medium " Server only compares against second byte in each cipher suite in ClientHello."
|
prln_svrty_medium " Server only compares against second byte in each cipher suite in ClientHello."
|
||||||
fileout "$jsonID" "MEDIUM" "Server only compares against second byte in each cipher suite in ClientHello."
|
fileout "$jsonID" "MEDIUM" "Server only compares against second byte in each cipher suite in ClientHello."
|
||||||
bug_found=true
|
bug_found=true
|
||||||
|
@ -16421,7 +16421,7 @@ run_robot() {
|
||||||
len=${#encrypted_pms}
|
len=${#encrypted_pms}
|
||||||
client_key_exchange=""
|
client_key_exchange=""
|
||||||
for (( i=0; i<len; i=i+2 )); do
|
for (( i=0; i<len; i=i+2 )); do
|
||||||
client_key_exchange+=", x${encrypted_pms:i:2}"
|
client_key_exchange+=", x${encrypted_pms:i:2}"
|
||||||
done
|
done
|
||||||
|
|
||||||
# The contents of change cipher spec are fixed.
|
# The contents of change cipher spec are fixed.
|
||||||
|
@ -16570,10 +16570,10 @@ get_install_dir() {
|
||||||
|
|
||||||
# still no cipher mapping file (and realpath is not present):
|
# still no cipher mapping file (and realpath is not present):
|
||||||
if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && type -p readlink &>/dev/null ; then
|
if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && type -p readlink &>/dev/null ; then
|
||||||
readlink -f ls &>/dev/null && \
|
readlink -f ls &>/dev/null && \
|
||||||
TESTSSL_INSTALL_DIR="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")" || \
|
TESTSSL_INSTALL_DIR="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")" || \
|
||||||
TESTSSL_INSTALL_DIR="$(dirname "$(readlink "${BASH_SOURCE[0]}")")"
|
TESTSSL_INSTALL_DIR="$(dirname "$(readlink "${BASH_SOURCE[0]}")")"
|
||||||
# not sure whether Darwin has -f
|
# not sure whether Darwin has -f
|
||||||
CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt"
|
CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt"
|
||||||
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
|
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
|
||||||
fi
|
fi
|
||||||
|
@ -16689,7 +16689,7 @@ find_openssl_binary() {
|
||||||
elif [[ "$openssl_location" =~ $cwd ]] && [[ "$cwd" != '.' ]]; then
|
elif [[ "$openssl_location" =~ $cwd ]] && [[ "$cwd" != '.' ]]; then
|
||||||
OPENSSL_LOCATION="${openssl_location%%$cwd}"
|
OPENSSL_LOCATION="${openssl_location%%$cwd}"
|
||||||
else
|
else
|
||||||
OPENSSL_LOCATION="$openssl_location"
|
OPENSSL_LOCATION="$openssl_location"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
OSSL_CIPHERS_S=""
|
OSSL_CIPHERS_S=""
|
||||||
|
@ -16720,7 +16720,7 @@ find_openssl_binary() {
|
||||||
HAS_AES128_GCM=false
|
HAS_AES128_GCM=false
|
||||||
HAS_AES256_GCM=false
|
HAS_AES256_GCM=false
|
||||||
HAS_ZLIB=false
|
HAS_ZLIB=false
|
||||||
|
|
||||||
$OPENSSL ciphers -s 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL ciphers -s 2>&1 | grep -aq "unknown option" || \
|
||||||
OSSL_CIPHERS_S="-s"
|
OSSL_CIPHERS_S="-s"
|
||||||
|
|
||||||
|
@ -17348,8 +17348,8 @@ initialize_engine(){
|
||||||
# to suppress the warning (confuses users), see #1119
|
# to suppress the warning (confuses users), see #1119
|
||||||
# https://github.com/openssl/openssl/commit/b524b808a1d1ba204dbdcbb42de4e3bddb3472ac
|
# https://github.com/openssl/openssl/commit/b524b808a1d1ba204dbdcbb42de4e3bddb3472ac
|
||||||
if ! grep -q 'using the .include directive' /etc/ssl/openssl.cnf; then
|
if ! grep -q 'using the .include directive' /etc/ssl/openssl.cnf; then
|
||||||
outln
|
outln
|
||||||
pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
|
pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
|
||||||
fi
|
fi
|
||||||
fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"
|
fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"
|
||||||
# Avoid clashes of OpenSSL 1.1.1 config file with our openssl 1.0.2. This is for Debian 10
|
# Avoid clashes of OpenSSL 1.1.1 config file with our openssl 1.0.2. This is for Debian 10
|
||||||
|
@ -17928,7 +17928,7 @@ determine_optimal_sockets_params() {
|
||||||
local i proto cipher_offered
|
local i proto cipher_offered
|
||||||
local all_failed=true
|
local all_failed=true
|
||||||
|
|
||||||
# If a STARTTLS protocol is specified and $SSL_NATIVE is true, then skip this test, since
|
# If a STARTTLS protocol is specified and $SSL_NATIVE is true, then skip this test, since
|
||||||
# $SSL_NATIVE may have been set to true as a result of tls_sockets() not supporting the STARTTLS
|
# $SSL_NATIVE may have been set to true as a result of tls_sockets() not supporting the STARTTLS
|
||||||
# protocol.
|
# protocol.
|
||||||
[[ -n "$STARTTLS_PROTOCOL" ]] && "$SSL_NATIVE" && return 0
|
[[ -n "$STARTTLS_PROTOCOL" ]] && "$SSL_NATIVE" && return 0
|
||||||
|
@ -19124,7 +19124,7 @@ parse_cmd_line() {
|
||||||
prepare_debug
|
prepare_debug
|
||||||
mybanner
|
mybanner
|
||||||
exit $ALLOK
|
exit $ALLOK
|
||||||
;;
|
;;
|
||||||
--mx)
|
--mx)
|
||||||
do_mx_all_ips=true
|
do_mx_all_ips=true
|
||||||
PORT=25
|
PORT=25
|
||||||
|
@ -19773,7 +19773,7 @@ lets_roll() {
|
||||||
fileout_section_header $section_number true && ((section_number++))
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
"$do_client_simulation" && { run_client_simulation; ret=$(($? + ret)); stopwatch run_client_simulation; }
|
"$do_client_simulation" && { run_client_simulation; ret=$(($? + ret)); stopwatch run_client_simulation; }
|
||||||
fi
|
fi
|
||||||
fileout_section_footer true
|
fileout_section_footer true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
outln
|
outln
|
||||||
|
|
Loading…
Reference in New Issue