renamed pr_brown to pr_svrty_medium

This commit is contained in:
Thomas Martens 2016-03-01 20:42:34 +01:00
parent dbfa66e6c7
commit 38477b4383


@ -346,8 +346,8 @@ pr_done_bestln() { pr_done_best "$1"; outln; }
pr_svrty_minor() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem pr_svrty_minor() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem
pr_svrty_minorln() { pr_svrty_minor "$1"; outln; } pr_svrty_minorln() { pr_svrty_minor "$1"; outln; }
pr_brown() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this pr_svrty_medium() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this
pr_brownln() { pr_brown "$1"; outln; } pr_svrty_mediumln() { pr_svrty_medium "$1"; outln; }
# color=1 functions # color=1 functions
@ -883,7 +883,7 @@ run_hsts() {
fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days" fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days"
else else
out "$hsts_age_sec s = " out "$hsts_age_sec s = "
pr_brown "$hsts_age_days days, <$HSTS_MIN days is too short" pr_svrty_medium "$hsts_age_days days, <$HSTS_MIN days is too short"
fileout "hsts_time" "NOT OK" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days" fileout "hsts_time" "NOT OK" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days"
fi fi
if includeSubDomains "$TMPFILE"; then if includeSubDomains "$TMPFILE"; then
@ -931,7 +931,7 @@ run_hpkp() {
: :
else else
hpkp_headers="" hpkp_headers=""
pr_brown "multiple HPKP headers: " pr_svrty_medium "multiple HPKP headers: "
# https://scotthelme.co.uk is a candidate # https://scotthelme.co.uk is a candidate
#FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> egrep -ai -w #FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> egrep -ai -w
for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do
@ -970,7 +970,7 @@ run_hpkp() {
fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)" fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)"
else else
out "$hpkp_age_sec s = " out "$hpkp_age_sec s = "
pr_brown "$hpkp_age_days days (<$HPKP_MIN days is not good enough)" pr_svrty_medium "$hpkp_age_days days (<$HPKP_MIN days is not good enough)"
fileout "hpkp_age" "NOT OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough." fileout "hpkp_age" "NOT OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough."
fi fi
@ -1168,7 +1168,7 @@ run_cookie_flags() { # ARG1: Path, ARG2: path
fi fi
nr_secure=$(grep -iac secure $TMPFILE) nr_secure=$(grep -iac secure $TMPFILE)
case $nr_secure in case $nr_secure in
0) pr_brown "$negative_word" ;; 0) pr_svrty_medium "$negative_word" ;;
[123456789]) pr_done_good "$nr_secure/$nr_cookies";; [123456789]) pr_done_good "$nr_secure/$nr_cookies";;
esac esac
out " secure, " out " secure, "
@ -1179,7 +1179,7 @@ run_cookie_flags() { # ARG1: Path, ARG2: path
fi fi
nr_httponly=$(grep -cai httponly $TMPFILE) nr_httponly=$(grep -cai httponly $TMPFILE)
case $nr_httponly in case $nr_httponly in
0) pr_brown "$negative_word" ;; 0) pr_svrty_medium "$negative_word" ;;
[123456789]) pr_done_good "$nr_httponly/$nr_cookies";; [123456789]) pr_done_good "$nr_httponly/$nr_cookies";;
esac esac
out " HttpOnly" out " HttpOnly"
@ -1358,7 +1358,7 @@ std_cipherlists() {
pr_done_bestln "offered (OK)" pr_done_bestln "offered (OK)"
fileout "std_$4" "OK" "$2 offered (OK)" fileout "std_$4" "OK" "$2 offered (OK)"
else else
pr_brownln "not offered (NOT ok)" pr_svrty_mediumln "not offered (NOT ok)"
fileout "std_$4" "NOT OK" "$2 not offered (NOT ok)" fileout "std_$4" "NOT OK" "$2 not offered (NOT ok)"
fi fi
;; ;;
@ -1382,7 +1382,7 @@ std_cipherlists() {
;; ;;
3) # not totally bad 3) # not totally bad
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_brownln "offered (NOT ok)" pr_svrty_mediumln "offered (NOT ok)"
fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - not too bad" fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - not too bad"
else else
outln "not offered (OK)" outln "not offered (OK)"
@ -2202,7 +2202,7 @@ run_protocols() {
fileout "tls1" "INFO" "TLSv1.0 is not offered" fileout "tls1" "INFO" "TLSv1.0 is not offered"
;; # neither good or bad ;; # neither good or bad
2) 2)
pr_brown "not offered (NOT ok)" pr_svrty_medium "not offered (NOT ok)"
[[ $DEBUG -eq 1 ]] && out " -- downgraded" [[ $DEBUG -eq 1 ]] && out " -- downgraded"
outln outln
fileout "tls1" "NOT OK" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)" fileout "tls1" "NOT OK" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)"
@ -2258,11 +2258,11 @@ run_protocols() {
fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)" fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)"
;; # GCM cipher in TLS 1.2: very good! ;; # GCM cipher in TLS 1.2: very good!
1) 1)
pr_brownln "not offered (NOT ok)" pr_svrty_mediumln "not offered (NOT ok)"
fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered (NOT ok)" fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered (NOT ok)"
;; # no GCM, penalty ;; # no GCM, penalty
2) 2)
pr_brown "not offered (NOT ok)" pr_svrty_medium "not offered (NOT ok)"
[[ $DEBUG -eq 1 ]] && out " -- downgraded" [[ $DEBUG -eq 1 ]] && out " -- downgraded"
outln outln
fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered and downgraded to a weaker protocol (NOT ok)" fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered and downgraded to a weaker protocol (NOT ok)"
@ -2332,7 +2332,7 @@ read_dhbits_from_file() {
elif [[ "$bits" -le 800 ]]; then elif [[ "$bits" -le 800 ]]; then
pr_svrty_high "$bits $add" pr_svrty_high "$bits $add"
elif [[ "$bits" -le 1280 ]]; then elif [[ "$bits" -le 1280 ]]; then
pr_brown "$bits $add" pr_svrty_medium "$bits $add"
elif [[ "$bits" -ge 2048 ]]; then elif [[ "$bits" -ge 2048 ]]; then
pr_done_good "$bits $add" pr_done_good "$bits $add"
else else
@ -2471,7 +2471,7 @@ run_server_preference() {
fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher" fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher"
;; ;;
*CBC*) *CBC*)
pr_brown "$default_cipher" pr_svrty_medium "$default_cipher"
fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list ;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
*GCM*|*CHACHA20*) *GCM*|*CHACHA20*)
@ -2923,7 +2923,7 @@ certificate_info() {
out "$indent" ; pr_bold " Signature Algorithm " out "$indent" ; pr_bold " Signature Algorithm "
case $sig_algo in case $sig_algo in
sha1WithRSAEncryption) sha1WithRSAEncryption)
pr_brownln "SHA1 with RSA" pr_svrty_mediumln "SHA1 with RSA"
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)" fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
;; ;;
sha256WithRSAEncryption) sha256WithRSAEncryption)
@ -2972,7 +2972,7 @@ certificate_info() {
pr_svrty_high "$keysize" pr_svrty_high "$keysize"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 163 ]]; then elif [[ "$keysize" -le 163 ]]; then
pr_brown "$keysize" pr_svrty_medium "$keysize"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 224 ]]; then elif [[ "$keysize" -le 224 ]]; then
out "$keysize" out "$keysize"
@ -2995,7 +2995,7 @@ certificate_info() {
outln " bits" outln " bits"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
elif [[ "$keysize" -le 1024 ]]; then elif [[ "$keysize" -le 1024 ]]; then
pr_brown "$keysize" pr_svrty_medium "$keysize"
outln " bits" outln " bits"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
elif [[ "$keysize" -le 2048 ]]; then elif [[ "$keysize" -le 2048 ]]; then
@ -3075,7 +3075,7 @@ certificate_info() {
if [[ $SERVICE != "HTTP" ]]; then if [[ $SERVICE != "HTTP" ]]; then
outln outln
cnfinding+="\n" cnfinding+="\n"
#pr_brownln " (non-SNI clients don't match CN but for non-HTTP services it might be ok)" #pr_svrty_mediumln " (non-SNI clients don't match CN but for non-HTTP services it might be ok)"
#FIXME: this is irritating and needs to be redone. Then also the wildcard match needs to be tested against "$cn_nosni" #FIXME: this is irritating and needs to be redone. Then also the wildcard match needs to be tested against "$cn_nosni"
elif [[ -z "$cn_nosni" ]]; then elif [[ -z "$cn_nosni" ]]; then
out " (request w/o SNI didn't succeed"; out " (request w/o SNI didn't succeed";
@ -3187,7 +3187,7 @@ certificate_info() {
pr_done_good "$days2expire >= $DAYS2WARN1 days" pr_done_good "$days2expire >= $DAYS2WARN1 days"
expfinding+="$days2expire >= $DAYS2WARN1 days" expfinding+="$days2expire >= $DAYS2WARN1 days"
else else
pr_brown "expires < $DAYS2WARN1 days ($days2expire)" pr_svrty_medium "expires < $DAYS2WARN1 days ($days2expire)"
expfinding+="expires < $DAYS2WARN1 days ($days2expire)" expfinding+="expires < $DAYS2WARN1 days ($days2expire)"
expok="WARN" expok="WARN"
fi fi
@ -3433,7 +3433,7 @@ run_pfs() {
sclient_success=$? sclient_success=$?
outln outln
if [[ $sclient_success -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then if [[ $sclient_success -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then
pr_brownln "Not OK: No ciphers supporting Forward Secrecy offered" pr_svrty_mediumln "Not OK: No ciphers supporting Forward Secrecy offered"
fileout "pfs" "NOT OK" "(Perfect) Forward Secrecy : Not OK: No ciphers supporting Forward Secrecy offered" fileout "pfs" "NOT OK" "(Perfect) Forward Secrecy : Not OK: No ciphers supporting Forward Secrecy offered"
else else
pfs_offered=true pfs_offered=true
@ -3480,7 +3480,7 @@ run_pfs() {
$WIDE || outln $WIDE || outln
if ! "$pfs_offered"; then if ! "$pfs_offered"; then
pr_brown "no PFS ciphers found" pr_svrty_medium "no PFS ciphers found"
fileout "pfs_ciphers" "NOT OK" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)" fileout "pfs_ciphers" "NOT OK" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)"
else else
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers" fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
@ -4615,7 +4615,7 @@ run_crime() {
pr_svrty_high "VULNERABLE (NOT ok)" pr_svrty_high "VULNERABLE (NOT ok)"
fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)" fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)"
else else
pr_brown "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" pr_svrty_medium "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known"
fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok), but not using HTTP: probably no exploit known"
fi fi
ret=1 ret=1
@ -4789,7 +4789,7 @@ run_tls_fallback_scsv() {
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE </dev/null
if grep -q "CONNECTED(00" "$TMPFILE"; then if grep -q "CONNECTED(00" "$TMPFILE"; then
if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
pr_brown "Downgrade attack prevention NOT supported" pr_svrty_medium "Downgrade attack prevention NOT supported"
fileout "fallback_scsv" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported" fileout "fallback_scsv" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
ret=1 ret=1
elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
@ -4798,11 +4798,11 @@ run_tls_fallback_scsv() {
ret=0 ret=0
elif grep -qa "alert handshake failure" "$TMPFILE"; then elif grep -qa "alert handshake failure" "$TMPFILE"; then
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121 # see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
pr_brown "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
fileout "fallback_scsv" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" fileout "fallback_scsv" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
ret=2 ret=2
elif grep -qa "ssl handshake failure" "$TMPFILE"; then elif grep -qa "ssl handshake failure" "$TMPFILE"; then
pr_brown "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
ret=3 ret=3
else else
pr_litemagenta "Check failed, unexpected result " pr_litemagenta "Check failed, unexpected result "
@ -4998,7 +4998,7 @@ run_beast(){
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
[[ -n "$higher_proto_supported" ]] && \ [[ -n "$higher_proto_supported" ]] && \
pr_svrty_minorln "available" || \ pr_svrty_minorln "available" || \
pr_brownln "available" pr_svrty_mediumln "available"
else else
outln "not a/v" outln "not a/v"
@ -5026,7 +5026,7 @@ run_beast(){
out "$(toupper $proto):" out "$(toupper $proto):"
[[ -n "$higher_proto_supported" ]] && \ [[ -n "$higher_proto_supported" ]] && \
pr_svrty_minorln "$detected_cbc_ciphers" || \ pr_svrty_minorln "$detected_cbc_ciphers" || \
pr_brownln "$detected_cbc_ciphers" pr_svrty_mediumln "$detected_cbc_ciphers"
detected_cbc_ciphers="" # empty for next round detected_cbc_ciphers="" # empty for next round
first=false first=false
else else
@ -5061,7 +5061,7 @@ run_beast(){
else else
out "$spaces" out "$spaces"
fi fi
pr_brown "VULNERABLE (NOT ok)" pr_svrty_medium "VULNERABLE (NOT ok)"
outln " -- and no higher protocols as mitigation supported" outln " -- and no higher protocols as mitigation supported"
fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported" fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
fi fi