From 0d75bae19521ba6b20d07606b4ccbfc47154049d Mon Sep 17 00:00:00 2001 From: David Cooper Date: Wed, 21 Dec 2016 14:55:01 -0500 Subject: [PATCH 1/3] Use sockets for run_logjam() This PR changes `run_logjam()` to use sockets. --- testssl.sh | 50 ++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 38 insertions(+), 12 deletions(-) diff --git a/testssl.sh b/testssl.sh index 405e138..6c709c5 100755 --- a/testssl.sh +++ b/testssl.sh @@ -8865,16 +8865,24 @@ run_freak() { run_logjam() { local -i sclient_success=0 local exportdhe_cipher_list="EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA" - local -i nr_supported_ciphers=0 - local addtl_warning="" + local exportdhe_cipher_list_hex="00,63, 00,65, 00,14, 00,11" + local -i i nr_supported_ciphers=0 + local addtl_warning="" hexc local cve="CVE-2015-4000" local cwe="CWE-310" local hint="" + local using_sockets=true + + "$SSL_NATIVE" && using_sockets=false [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln pr_bold " LOGJAM"; out " ($cve), experimental " - nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list)) + if "$using_sockets"; then + nr_supported_ciphers=$(count_words "$exportdhe_cipher_list_hex") + else + nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list)) + fi case $nr_supported_ciphers in 0) @@ -8886,16 +8894,22 @@ run_logjam() { 3) addtl_warning=" (tested w/ $nr_supported_ciphers/4 ciphers)" ;; 4) ;; esac - $OPENSSL s_client $STARTTLS $BUGS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE Date: Wed, 28 Dec 2016 23:47:35 +0100 Subject: [PATCH 2/3] - Stronger warning if ~/etc is missing, also requires more explicit consent to continue - fix lfs for -e -E if openssl has not DH/ECDH - further minor output corrections --- testssl.sh | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/testssl.sh b/testssl.sh index 3413654..1868a2b 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2350,8 +2350,8 @@ run_allciphers() { pr_headlineln " Testing $nr_ciphers_tested via OpenSSL and sockets against the server, ordered by encryption strength " else pr_headlineln " Testing all $nr_ciphers_tested locally available ciphers against the server, ordered by encryption strength " - outln [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" + outln if ! "$HAS_DH_BITS"; then [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "." pr_warningln " Your $OPENSSL cannot show DH/ECDH bits" @@ -2526,8 +2526,8 @@ run_cipher_per_proto() { pr_headlineln " Testing per protocol via OpenSSL and sockets against the server, ordered by encryption strength " else pr_headlineln " Testing all locally available ciphers per protocol against the server, ordered by encryption strength " - outln [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" + outln if ! "$HAS_DH_BITS"; then [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "." pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)" @@ -9483,8 +9483,11 @@ get_install_dir() { [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" fi - [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && unset ADD_RFC_STR && pr_warningln "\nNo cipher mapping file in \$TESTSSL_INSTALL_DIR/etc/ found" + [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && unset ADD_RFC_STR && pr_warningln "\nNo cipher mapping file found " debugme echo "$CIPHERS_BY_STRENGTH_FILE" + pr_warningln "Please note from 2.9dev on testssl.sh needs some files in \$TESTSSL_INSTALL_DIR/etc to function correctly" + ignore_no_or_lame "Type \"yes\" to ignore " + [[ $? -ne 0 ]] && exit -2 } @@ -9622,13 +9625,15 @@ check4openssl_oldfarts() { ;; esac if [[ $OSSL_VER_MAJOR -lt 1 ]]; then ## mm: Patch for libressl - pr_magentaln " Your \"$OPENSSL\" is way too old ( Date: Thu, 29 Dec 2016 00:09:44 +0100 Subject: [PATCH 3/3] fix for 83d2a63 --- testssl.sh | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/testssl.sh b/testssl.sh index 1868a2b..7a0a368 100755 --- a/testssl.sh +++ b/testssl.sh @@ -9483,11 +9483,14 @@ get_install_dir() { [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" fi - [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && unset ADD_RFC_STR && pr_warningln "\nNo cipher mapping file found " - debugme echo "$CIPHERS_BY_STRENGTH_FILE" - pr_warningln "Please note from 2.9dev on testssl.sh needs some files in \$TESTSSL_INSTALL_DIR/etc to function correctly" - ignore_no_or_lame "Type \"yes\" to ignore " - [[ $? -ne 0 ]] && exit -2 + if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] ; then + unset ADD_RFC_STR + pr_warningln "\nNo cipher mapping file found " + debugme echo "$CIPHERS_BY_STRENGTH_FILE" + pr_warningln "Please note from 2.9dev on testssl.sh needs some files in \$TESTSSL_INSTALL_DIR/etc to function correctly" + ignore_no_or_lame "Type \"yes\" to ignore " + [[ $? -ne 0 ]] && exit -2 + fi }