Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 21:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fixes ssl-native and LOGJAM: no common primes

Browse Source 
When testssl.sh was using -ssl-native and the local openssl version
didn't support any DH ciphers the deliberately lazy approach was to
not complete the second part of the test: check for common primes.
This is a FIX for issue #1016.
This commit is contained in:
Dirk
2018-03-17 15:40:28 +01:00
parent f6dc501aed
commit 377bde14cc
1 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
testssl.sh
View File

@@ -12890,6 +12890,7 @@ run_logjam() {
local dh_p="" local dh_p=""
local spaces=" " local spaces=" "
local vuln_exportdh_ciphers=false local vuln_exportdh_ciphers=false
local openssl_no_dhciphers=false
local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt" local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
local comment="" str="" local comment="" str=""
local -i lineno_matched=0 local -i lineno_matched=0
@@ -12912,9 +12913,8 @@ run_logjam() {
case $nr_supported_ciphers in case $nr_supported_ciphers in
0) prln_local_problem "$OPENSSL doesn't have any DH EXPORT ciphers configured" 0) prln_local_problem "$OPENSSL doesn't have any DH EXPORT ciphers configured"
fileout "$jsonID" "WARN" "Not tested. $OPENSSL doesn't support any DH EXPORT ciphers" "$cve" "$cwe" fileout "$jsonID" "WARN" "Not tested. $OPENSSL doesn't support any DH EXPORT ciphers" "$cve" "$cwe"
# we could continue here testing common primes but the logjam test would be not complete and it'd be misleading out "$spaces"
#FIXME: with low priority this can be fixed openssl_no_dhciphers=true
return 1
;; ;;
1|2|3) addtl_warning=" ($magenta""tested w/ $nr_supported_ciphers/4 ciphers only!$off)" ;; 1|2|3) addtl_warning=" ($magenta""tested w/ $nr_supported_ciphers/4 ciphers only!$off)" ;;
4) ;; 4) ;;
@@ -13062,9 +13062,11 @@ run_logjam() {
out "Common prime with $len_dh_p bits detected: "; pr_italic "$comment" out "Common prime with $len_dh_p bits detected: "; pr_italic "$comment"
fileout "$jsonID2" "INFO" "common prime \"$comment\" detected" fileout "$jsonID2" "INFO" "common prime \"$comment\" detected"
fi fi
if ! "$openssl_no_dhciphers"; then
outln "," outln ","
out "${spaces}but no DH EXPORT ciphers${addtl_warning}" out "${spaces}but no DH EXPORT ciphers${addtl_warning}"
fileout "$jsonID" "OK" "not vulnerable, no DH EXPORT ciphers,$addtl_warning" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable, no DH EXPORT ciphers,$addtl_warning" "$cve" "$cwe"
fi
elif [[ $subret -eq 3 ]]; then elif [[ $subret -eq 3 ]]; then
pr_svrty_good "not vulnerable (OK):"; out " no DH EXPORT ciphers${addtl_warning}" pr_svrty_good "not vulnerable (OK):"; out " no DH EXPORT ciphers${addtl_warning}"
fileout "$jsonID" "OK" "not vulnerable, no DH EXPORT ciphers,$addtl_warning" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable, no DH EXPORT ciphers,$addtl_warning" "$cve" "$cwe"