mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
parent
06bd8b2517
commit
3891f5b13b
73
testssl.sh
73
testssl.sh
@ -68,7 +68,7 @@ USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
|
|||||||
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
|
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
|
||||||
|
|
||||||
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet. FC has only a CA bundle per default, ==> openssl version -d
|
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet. FC has only a CA bundle per default, ==> openssl version -d
|
||||||
HSTS_MIN=180 # >180 days is ok for HSTS
|
HSTS_MIN=179 # >180 days is ok for HSTS
|
||||||
HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints?
|
HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints?
|
||||||
CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
||||||
DAYS2WARN1=60 # days to warn before cert expires, threshold 1
|
DAYS2WARN1=60 # days to warn before cert expires, threshold 1
|
||||||
@ -168,7 +168,7 @@ SSLv2_CLIENT_HELLO="
|
|||||||
,00,1b # cipher spec length (here: 27 )
|
,00,1b # cipher spec length (here: 27 )
|
||||||
,00,00 # session ID length
|
,00,00 # session ID length
|
||||||
,00,10 # challenge length
|
,00,10 # challenge length
|
||||||
,05,00,80 # 1st cipher 9 cipher specs, only classical V2 ciphers are used here, see http://max.euston.net/d/tip_sslciphers.html
|
,05,00,80 # 1st cipher 9 cipher specs, only classical V2 ciphers are used here, see FIXME below
|
||||||
,03,00,80 # 2nd there are v3 in v2!!! : https://tools.ietf.org/html/rfc6101#appendix-E
|
,03,00,80 # 2nd there are v3 in v2!!! : https://tools.ietf.org/html/rfc6101#appendix-E
|
||||||
,01,00,80 # 3rd Cipher specifications introduced in version 3.0 can be included in version 2.0 client hello messages using
|
,01,00,80 # 3rd Cipher specifications introduced in version 3.0 can be included in version 2.0 client hello messages using
|
||||||
,07,00,c0 # 4th the syntax below. [..] # V2CipherSpec (see Version 3.0 name) = { 0x00, CipherSuite }; !!!!
|
,07,00,c0 # 4th the syntax below. [..] # V2CipherSpec (see Version 3.0 name) = { 0x00, CipherSuite }; !!!!
|
||||||
@ -178,6 +178,8 @@ SSLv2_CLIENT_HELLO="
|
|||||||
,02,00,80 # 8th
|
,02,00,80 # 8th
|
||||||
,00,00,00 # 9th
|
,00,00,00 # 9th
|
||||||
,29,22,be,b3,5a,01,8b,04,fe,5f,80,03,a0,13,eb,c4" # Challenge
|
,29,22,be,b3,5a,01,8b,04,fe,5f,80,03,a0,13,eb,c4" # Challenge
|
||||||
|
# https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/ (client)
|
||||||
|
# FIXME: http://max.euston.net/d/tip_sslciphers.html
|
||||||
|
|
||||||
|
|
||||||
###### output functions ######
|
###### output functions ######
|
||||||
@ -294,6 +296,7 @@ red=""
|
|||||||
green=""
|
green=""
|
||||||
brown=""
|
brown=""
|
||||||
blue=""
|
blue=""
|
||||||
|
cyan=""
|
||||||
off=""
|
off=""
|
||||||
bold=""
|
bold=""
|
||||||
underline=""
|
underline=""
|
||||||
@ -303,6 +306,7 @@ if [[ "$COLOR" -eq 2 ]]; then
|
|||||||
green=$(tput setaf 2)
|
green=$(tput setaf 2)
|
||||||
brown=$(tput setaf 3)
|
brown=$(tput setaf 3)
|
||||||
blue=$(tput setaf 4)
|
blue=$(tput setaf 4)
|
||||||
|
yellow=$(tput setaf 3; tput bold)
|
||||||
off=$(tput sgr0)
|
off=$(tput sgr0)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -555,7 +559,16 @@ hpkp() {
|
|||||||
emphasize_numbers_in_headers(){
|
emphasize_numbers_in_headers(){
|
||||||
# see http://www.grymoire.com/Unix/Sed.html#uh-3
|
# see http://www.grymoire.com/Unix/Sed.html#uh-3
|
||||||
# outln "$1" | sed "s/[0-9]*/$brown&$off/g"
|
# outln "$1" | sed "s/[0-9]*/$brown&$off/g"
|
||||||
outln "$1" | sed "s/\([0-9]\)/$brown\1$off/g"
|
outln "$1" | sed -e "s/\([0-9]\)/$brown\1$off/g" \
|
||||||
|
-e "s/Debian/"$yellow"\Debian$off/g" \
|
||||||
|
-e "s/Ubuntu/"$yellow"Ubuntu$off/g" \
|
||||||
|
-e "s/ubuntu/"$yellow"ubuntu$off/g" \
|
||||||
|
-e "s/squeeze/"$yellow"squeeze$off/g" \
|
||||||
|
-e "s/lenny/"$yellow"lenny$off/g" \
|
||||||
|
-e "s/SUSE/"$yellow"SUSE$off/g" \
|
||||||
|
-e "s/Red Hat Enterprise Linux/"$yellow"Red Hat Enterprise Linux$off/g" \
|
||||||
|
-e "s/Red Hat/"$yellow"Red Hat$off/g" \
|
||||||
|
-e "s/CentOS/"$yellow"CentOS$off/g"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -1577,7 +1590,7 @@ len2twobytes() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
socksend_sslv2_clienthello() {
|
socksend_sslv2_clienthello() {
|
||||||
code2network "$SSLv2_CLIENT_HELLO"
|
code2network "$1"
|
||||||
data=$(echo $NW_STR)
|
data=$(echo $NW_STR)
|
||||||
[[ "$DEBUG" -ge 4 ]] && echo "\"$data\""
|
[[ "$DEBUG" -ge 4 ]] && echo "\"$data\""
|
||||||
printf -- "$data" >&5 2>/dev/null &
|
printf -- "$data" >&5 2>/dev/null &
|
||||||
@ -1611,10 +1624,12 @@ display_sslv2_serverhello() {
|
|||||||
# [certificate length] ==> certificate
|
# [certificate length] ==> certificate
|
||||||
# [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY!
|
# [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY!
|
||||||
|
|
||||||
|
local ret=3
|
||||||
|
|
||||||
v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
|
v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
|
||||||
[[ "$DEBUG" -ge 5 ]] && echo $v2_hello_ascii # one line without any blanks
|
[[ "$DEBUG" -ge 5 ]] && echo $v2_hello_ascii
|
||||||
if [[ -z $v2_hello_ascii ]] ; then
|
if [[ -z $v2_hello_ascii ]] ; then
|
||||||
ret=0 # no server hello received
|
ret=0 # 1 line without any blanks: no server hello received
|
||||||
debugme echo "server hello empty"
|
debugme echo "server hello empty"
|
||||||
else
|
else
|
||||||
# now scrape two bytes out of the reply per byte
|
# now scrape two bytes out of the reply per byte
|
||||||
@ -1624,9 +1639,16 @@ display_sslv2_serverhello() {
|
|||||||
v2_hello_cert_length="${v2_hello_ascii:14:4}"
|
v2_hello_cert_length="${v2_hello_ascii:14:4}"
|
||||||
v2_hello_cipherspec_length="${v2_hello_ascii:18:4}"
|
v2_hello_cipherspec_length="${v2_hello_ascii:18:4}"
|
||||||
|
|
||||||
|
V2_HELLO_CIPHERSPEC_LENGTH=$(printf "%d\n" "0x$v2_hello_cipherspec_length" 2>/dev/null)
|
||||||
|
[ $? -ne 0 ] && ret=7
|
||||||
|
|
||||||
if [[ $v2_hello_initbyte != "8" ]] || [[ $v2_hello_handshake != "04" ]]; then
|
if [[ $v2_hello_initbyte != "8" ]] || [[ $v2_hello_handshake != "04" ]]; then
|
||||||
[[ $DEBUG -ge 2 ]] && echo "$v2_hello_initbyte / $v2_hello_handshake"
|
|
||||||
ret=1
|
ret=1
|
||||||
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
|
echo "no correct server hello"
|
||||||
|
echo "SSLv2 server init byte: 0x0$v2_hello_initbyte"
|
||||||
|
echo "SSLv2 hello handshake : 0x$v2_hello_handshake"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
@ -1634,9 +1656,6 @@ display_sslv2_serverhello() {
|
|||||||
echo "SSLv2 certificate length: 0x$v2_hello_cert_length"
|
echo "SSLv2 certificate length: 0x$v2_hello_cert_length"
|
||||||
echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length"
|
echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
V2_HELLO_CIPHERSPEC_LENGTH=$(printf "%d\n" "0x$v2_hello_cipherspec_length" 2>/dev/null)
|
|
||||||
[ $? -ne 0 ] && ret=7
|
|
||||||
fi
|
fi
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
@ -1660,7 +1679,7 @@ display_tls_serverhello() {
|
|||||||
|
|
||||||
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
|
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
|
||||||
[[ "$DEBUG" -eq 5 ]] && echo $tls_hello_ascii # one line without any blanks
|
[[ "$DEBUG" -eq 5 ]] && echo $tls_hello_ascii # one line without any blanks
|
||||||
[[ -z $tls_hello_ascii ]] && debugme echo "server hello empty" && return 0 # no server hello received
|
[[ -z $tls_hello_ascii ]] && debugme echo "server hello empty, TCP connection closed" && return 0 # no server hello received
|
||||||
|
|
||||||
# now scrape two bytes out of the reply per byte
|
# now scrape two bytes out of the reply per byte
|
||||||
tls_hello_initbyte="${tls_hello_ascii:0:2}" # normally this is x16
|
tls_hello_initbyte="${tls_hello_ascii:0:2}" # normally this is x16
|
||||||
@ -1715,7 +1734,7 @@ sslv2_sockets() {
|
|||||||
|
|
||||||
fd_socket 5 || return 6
|
fd_socket 5 || return 6
|
||||||
[[ "$DEBUG" -ge 2 ]] && outln "sending client hello... "
|
[[ "$DEBUG" -ge 2 ]] && outln "sending client hello... "
|
||||||
socksend_sslv2_clienthello
|
socksend_sslv2_clienthello "$SSLv2_CLIENT_HELLO"
|
||||||
|
|
||||||
sockread_serverhello 32768
|
sockread_serverhello 32768
|
||||||
[[ "$DEBUG" -ge 2 ]] && outln "reading server hello... "
|
[[ "$DEBUG" -ge 2 ]] && outln "reading server hello... "
|
||||||
@ -1725,29 +1744,31 @@ sslv2_sockets() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
display_sslv2_serverhello "$SOCK_REPLY_FILE"
|
display_sslv2_serverhello "$SOCK_REPLY_FILE"
|
||||||
if [ $? -eq 7 ]; then
|
case $? in
|
||||||
# strange reply
|
7) # strange reply, cpundn't convert the cipher spec length to a hex number
|
||||||
pr_litemagenta "strange v2 reply "
|
pr_litemagenta "strange v2 reply "
|
||||||
outln " (rerun with DEBUG=2)"
|
outln " (rerun with DEBUG >=2)"
|
||||||
[[ $DEBUG -ge 3 ]] && hexdump -C $SOCK_REPLY_FILE | head -1
|
[[ $DEBUG -ge 3 ]] && hexdump -C $SOCK_REPLY_FILE | head -1
|
||||||
else
|
ret=7 ;;
|
||||||
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
|
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
|
||||||
|
pr_greenln "not offered (OK)"
|
||||||
|
ret=0 ;;
|
||||||
|
0) # reset
|
||||||
|
pr_greenln "not offered (OK)"
|
||||||
|
ret=0 ;;
|
||||||
|
3) # everything else
|
||||||
lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l)
|
lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l)
|
||||||
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
|
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
|
||||||
|
|
||||||
if [[ "$lines" -gt 1 ]] ;then
|
if [[ "$lines" -gt 1 ]] ;then
|
||||||
ciphers_detected=$(($V2_HELLO_CIPHERSPEC_LENGTH / 3 ))
|
ciphers_detected=$(($V2_HELLO_CIPHERSPEC_LENGTH / 3 ))
|
||||||
if [ 0 -eq $ciphers_detected ] ; then
|
if [ 0 -eq "$ciphers_detected" ] ; then
|
||||||
pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)"
|
pr_litered "supported but couldn't detect a cipher"; outln "(may need further attention)"
|
||||||
else
|
else
|
||||||
pr_red "offered (NOT ok)"; outln " -- $ciphers_detected ciphers"
|
pr_red "offered (NOT ok)"; outln " -- $ciphers_detected ciphers"
|
||||||
fi
|
fi
|
||||||
ret=1
|
ret=1
|
||||||
else
|
fi ;;
|
||||||
pr_greenln "not offered (OK)"
|
esac
|
||||||
ret=0
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
pr_off
|
pr_off
|
||||||
debugme outln
|
debugme outln
|
||||||
|
|
||||||
@ -3280,6 +3301,6 @@ fi
|
|||||||
|
|
||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.233 2015/04/22 09:56:12 dirkw Exp $
|
# $Id: testssl.sh,v 1.234 2015/04/22 13:22:52 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
||||||
|
Loading…
Reference in New Issue
Block a user