- also emphasize OS names in HTTP headers
Dirk 2015-04-22 15:22:53 +02:00
parent 06bd8b2517
commit 3891f5b13b
1 changed files with 57 additions and 36 deletions


@ -68,7 +68,7 @@ USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet. FC has only a CA bundle per default, ==> openssl version -d CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet. FC has only a CA bundle per default, ==> openssl version -d
HSTS_MIN=180 # >180 days is ok for HSTS HSTS_MIN=179 # >180 days is ok for HSTS
HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints? HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints?
CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
DAYS2WARN1=60 # days to warn before cert expires, threshold 1 DAYS2WARN1=60 # days to warn before cert expires, threshold 1
@ -168,7 +168,7 @@ SSLv2_CLIENT_HELLO="
,00,1b # cipher spec length (here: 27 ) ,00,1b # cipher spec length (here: 27 )
,00,00 # session ID length ,00,00 # session ID length
,00,10 # challenge length ,00,10 # challenge length
,05,00,80 # 1st cipher 9 cipher specs, only classical V2 ciphers are used here, see http://max.euston.net/d/tip_sslciphers.html ,05,00,80 # 1st cipher 9 cipher specs, only classical V2 ciphers are used here, see FIXME below
,03,00,80 # 2nd there are v3 in v2!!! : https://tools.ietf.org/html/rfc6101#appendix-E ,03,00,80 # 2nd there are v3 in v2!!! : https://tools.ietf.org/html/rfc6101#appendix-E
,01,00,80 # 3rd Cipher specifications introduced in version 3.0 can be included in version 2.0 client hello messages using ,01,00,80 # 3rd Cipher specifications introduced in version 3.0 can be included in version 2.0 client hello messages using
,07,00,c0 # 4th the syntax below. [..] # V2CipherSpec (see Version 3.0 name) = { 0x00, CipherSuite }; !!!! ,07,00,c0 # 4th the syntax below. [..] # V2CipherSpec (see Version 3.0 name) = { 0x00, CipherSuite }; !!!!
@ -178,6 +178,8 @@ SSLv2_CLIENT_HELLO="
,02,00,80 # 8th ,02,00,80 # 8th
,00,00,00 # 9th ,00,00,00 # 9th
,29,22,be,b3,5a,01,8b,04,fe,5f,80,03,a0,13,eb,c4" # Challenge ,29,22,be,b3,5a,01,8b,04,fe,5f,80,03,a0,13,eb,c4" # Challenge
# https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/ (client)
# FIXME: http://max.euston.net/d/tip_sslciphers.html
###### output functions ###### ###### output functions ######
@ -294,6 +296,7 @@ red=""
green="" green=""
brown="" brown=""
blue="" blue=""
cyan=""
off="" off=""
bold="" bold=""
underline="" underline=""
@ -303,6 +306,7 @@ if [[ "$COLOR" -eq 2 ]]; then
green=$(tput setaf 2) green=$(tput setaf 2)
brown=$(tput setaf 3) brown=$(tput setaf 3)
blue=$(tput setaf 4) blue=$(tput setaf 4)
yellow=$(tput setaf 3; tput bold)
off=$(tput sgr0) off=$(tput sgr0)
fi fi
@ -555,7 +559,16 @@ hpkp() {
emphasize_numbers_in_headers(){ emphasize_numbers_in_headers(){
# see http://www.grymoire.com/Unix/Sed.html#uh-3 # see http://www.grymoire.com/Unix/Sed.html#uh-3
# outln "$1" | sed "s/[0-9]*/$brown&$off/g" # outln "$1" | sed "s/[0-9]*/$brown&$off/g"
outln "$1" | sed "s/\([0-9]\)/$brown\1$off/g" outln "$1" | sed -e "s/\([0-9]\)/$brown\1$off/g" \
-e "s/Debian/"$yellow"\Debian$off/g" \
-e "s/Ubuntu/"$yellow"Ubuntu$off/g" \
-e "s/ubuntu/"$yellow"ubuntu$off/g" \
-e "s/squeeze/"$yellow"squeeze$off/g" \
-e "s/lenny/"$yellow"lenny$off/g" \
-e "s/SUSE/"$yellow"SUSE$off/g" \
-e "s/Red Hat Enterprise Linux/"$yellow"Red Hat Enterprise Linux$off/g" \
-e "s/Red Hat/"$yellow"Red Hat$off/g" \
-e "s/CentOS/"$yellow"CentOS$off/g"
} }
@ -1577,7 +1590,7 @@ len2twobytes() {
} }
socksend_sslv2_clienthello() { socksend_sslv2_clienthello() {
code2network "$SSLv2_CLIENT_HELLO" code2network "$1"
data=$(echo $NW_STR) data=$(echo $NW_STR)
[[ "$DEBUG" -ge 4 ]] && echo "\"$data\"" [[ "$DEBUG" -ge 4 ]] && echo "\"$data\""
printf -- "$data" >&5 2>/dev/null & printf -- "$data" >&5 2>/dev/null &
@ -1611,10 +1624,12 @@ display_sslv2_serverhello() {
# [certificate length] ==> certificate # [certificate length] ==> certificate
# [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY! # [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY!
local ret=3
v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1) v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
[[ "$DEBUG" -ge 5 ]] && echo $v2_hello_ascii # one line without any blanks [[ "$DEBUG" -ge 5 ]] && echo $v2_hello_ascii
if [[ -z $v2_hello_ascii ]] ; then if [[ -z $v2_hello_ascii ]] ; then
ret=0 # no server hello received ret=0 # 1 line without any blanks: no server hello received
debugme echo "server hello empty" debugme echo "server hello empty"
else else
# now scrape two bytes out of the reply per byte # now scrape two bytes out of the reply per byte
@ -1624,9 +1639,16 @@ display_sslv2_serverhello() {
v2_hello_cert_length="${v2_hello_ascii:14:4}" v2_hello_cert_length="${v2_hello_ascii:14:4}"
v2_hello_cipherspec_length="${v2_hello_ascii:18:4}" v2_hello_cipherspec_length="${v2_hello_ascii:18:4}"
V2_HELLO_CIPHERSPEC_LENGTH=$(printf "%d\n" "0x$v2_hello_cipherspec_length" 2>/dev/null)
[ $? -ne 0 ] && ret=7
if [[ $v2_hello_initbyte != "8" ]] || [[ $v2_hello_handshake != "04" ]]; then if [[ $v2_hello_initbyte != "8" ]] || [[ $v2_hello_handshake != "04" ]]; then
[[ $DEBUG -ge 2 ]] && echo "$v2_hello_initbyte / $v2_hello_handshake"
ret=1 ret=1
if [[ $DEBUG -ge 2 ]]; then
echo "no correct server hello"
echo "SSLv2 server init byte: 0x0$v2_hello_initbyte"
echo "SSLv2 hello handshake : 0x$v2_hello_handshake"
fi
fi fi
if [[ $DEBUG -ge 3 ]]; then if [[ $DEBUG -ge 3 ]]; then
@ -1634,9 +1656,6 @@ display_sslv2_serverhello() {
echo "SSLv2 certificate length: 0x$v2_hello_cert_length" echo "SSLv2 certificate length: 0x$v2_hello_cert_length"
echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length" echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length"
fi fi
V2_HELLO_CIPHERSPEC_LENGTH=$(printf "%d\n" "0x$v2_hello_cipherspec_length" 2>/dev/null)
[ $? -ne 0 ] && ret=7
fi fi
return $ret return $ret
} }
@ -1660,7 +1679,7 @@ display_tls_serverhello() {
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1) tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
[[ "$DEBUG" -eq 5 ]] && echo $tls_hello_ascii # one line without any blanks [[ "$DEBUG" -eq 5 ]] && echo $tls_hello_ascii # one line without any blanks
[[ -z $tls_hello_ascii ]] && debugme echo "server hello empty" && return 0 # no server hello received [[ -z $tls_hello_ascii ]] && debugme echo "server hello empty, TCP connection closed" && return 0 # no server hello received
# now scrape two bytes out of the reply per byte # now scrape two bytes out of the reply per byte
tls_hello_initbyte="${tls_hello_ascii:0:2}" # normally this is x16 tls_hello_initbyte="${tls_hello_ascii:0:2}" # normally this is x16
@ -1715,7 +1734,7 @@ sslv2_sockets() {
fd_socket 5 || return 6 fd_socket 5 || return 6
[[ "$DEBUG" -ge 2 ]] && outln "sending client hello... " [[ "$DEBUG" -ge 2 ]] && outln "sending client hello... "
socksend_sslv2_clienthello socksend_sslv2_clienthello "$SSLv2_CLIENT_HELLO"
sockread_serverhello 32768 sockread_serverhello 32768
[[ "$DEBUG" -ge 2 ]] && outln "reading server hello... " [[ "$DEBUG" -ge 2 ]] && outln "reading server hello... "
@ -1725,29 +1744,31 @@ sslv2_sockets() {
fi fi
display_sslv2_serverhello "$SOCK_REPLY_FILE" display_sslv2_serverhello "$SOCK_REPLY_FILE"
if [ $? -eq 7 ]; then case $? in
# strange reply 7) # strange reply, cpundn't convert the cipher spec length to a hex number
pr_litemagenta "strange v2 reply " pr_litemagenta "strange v2 reply "
outln " (rerun with DEBUG=2)" outln " (rerun with DEBUG >=2)"
[[ $DEBUG -ge 3 ]] && hexdump -C $SOCK_REPLY_FILE | head -1 [[ $DEBUG -ge 3 ]] && hexdump -C $SOCK_REPLY_FILE | head -1
else ret=7 ;;
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL 1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
pr_greenln "not offered (OK)"
ret=0 ;;
0) # reset
pr_greenln "not offered (OK)"
ret=0 ;;
3) # everything else
lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l) lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l)
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) " [[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
if [[ "$lines" -gt 1 ]] ;then if [[ "$lines" -gt 1 ]] ;then
ciphers_detected=$(($V2_HELLO_CIPHERSPEC_LENGTH / 3 )) ciphers_detected=$(($V2_HELLO_CIPHERSPEC_LENGTH / 3 ))
if [ 0 -eq $ciphers_detected ] ; then if [ 0 -eq "$ciphers_detected" ] ; then
pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)" pr_litered "supported but couldn't detect a cipher"; outln "(may need further attention)"
else else
pr_red "offered (NOT ok)"; outln " -- $ciphers_detected ciphers" pr_red "offered (NOT ok)"; outln " -- $ciphers_detected ciphers"
fi fi
ret=1 ret=1
else fi ;;
pr_greenln "not offered (OK)" esac
ret=0
fi
fi
pr_off pr_off
debugme outln debugme outln
@ -3280,6 +3301,6 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.233 2015/04/22 09:56:12 dirkw Exp $ # $Id: testssl.sh,v 1.234 2015/04/22 13:22:52 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab # ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
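Review bot: In sslv2_sockets the new `3)` arm drops the old else-branch, so when `$lines` is not greater than 1 nothing is printed and `ret` keeps whatever value it had before the `case` (the old code printed "not offered (OK)" and set ret=0); add `else pr_greenln "not offered (OK)"; ret=0` before the closing `fi ;;` (sslv2_sockets itself starts outside the hunk). In emphasize_numbers_in_headers the `s/Red Hat/…/g` expression re-matches the text the preceding `Red Hat Enterprise Linux` expression has already wrapped, so the full name comes out as two nested colour spans with `$off` right after "Red Hat"; a single expression `-e "s/Red Hat\( Enterprise Linux\)\{0,1\}/${yellow}&${off}/g"` covers both names without the overlap. The Debian expression also carries a stray backslash in its replacement (`\Debian`), and the `"$yellow"` pieces sit outside the double-quoted sed script while `$off` sits inside, which works but reads inconsistently. The colour defaults block adds `cyan=""` while the tput block adds `yellow=$(tput setaf 3; tput bold)`, so `yellow` is never initialised when COLOR is not 2 — this looks like a cyan/yellow mix-up worth confirming. The comment typo `cpundn't` in the `7)` arm could be fixed in the same pass.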