- WONTFIX remarks for #103 and #102

- better warning for openssl < 1.0
This commit is contained in:
Dirk 2015-05-11 16:58:57 +02:00
parent 35d8469f67
commit 3a64bd1005

View File

@ -447,7 +447,7 @@ EOF
pid=$! pid=$!
if wait_kill $pid $HEADER_MAXSLEEP; then if wait_kill $pid $HEADER_MAXSLEEP; then
if ! egrep -iaq "XML|HTML|DOCTYPE|HTTP|Connection" $HEADERFILE; then if ! egrep -iaq "XML|HTML|DOCTYPE|HTTP|Connection" $HEADERFILE; then
pr_litemagenta "likely HTTP header requests failed (#lines: $(wc -l < $HEADERFILE))." pr_litemagenta "likely HTTP header requests failed (#lines: $(wc -l < $HEADERFILE | sed 's/ //g'))."
outln "Rerun with DEBUG=1 and inspect \"http_header.txt\"\n" outln "Rerun with DEBUG=1 and inspect \"http_header.txt\"\n"
debugme cat $HEADERFILE debugme cat $HEADERFILE
ret=7 ret=7
@ -639,7 +639,7 @@ cookieflags() { # ARG1: Path, ARG2: path
pr_bold " Cookie(s) " pr_bold " Cookie(s) "
grep -ai '^Set-Cookie' $HEADERFILE >$TMPFILE grep -ai '^Set-Cookie' $HEADERFILE >$TMPFILE
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
nr_cookies=$(wc -l < $TMPFILE) nr_cookies=$(wc -l < $TMPFILE | sed 's/ //g')
out "$nr_cookies issued: " out "$nr_cookies issued: "
if [ $nr_cookies -gt 1 ] ; then if [ $nr_cookies -gt 1 ] ; then
negative_word="NONE" negative_word="NONE"
@ -743,14 +743,14 @@ prettyprint_local() {
neat_header neat_header
if [ -z "$1" ]; then if [ -z "$1" ]; then
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslvers kx auth enc mac export ; do $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
normalize_ciphercode $hexcode normalize_ciphercode $hexcode
neat_list $HEXC $ciph $kx $enc neat_list $HEXC $ciph $kx $enc
outln outln
done done
else else
for arg in $(echo $@ | sed 's/,/ /g'); do for arg in $(echo $@ | sed 's/,/ /g'); do
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslvers kx auth enc mac export ; do $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
normalize_ciphercode $hexcode normalize_ciphercode $hexcode
neat_list $HEXC $ciph $kx $enc | grep -wai "$arg" neat_list $HEXC $ciph $kx $enc | grep -wai "$arg"
done done
@ -937,7 +937,7 @@ cipher_per_proto(){
outln " -ssl2 SSLv2\n -ssl3 SSLv3\n -tls1 TLS 1\n -tls1_1 TLS 1.1\n -tls1_2 TLS 1.2"| while read proto proto_text; do outln " -ssl2 SSLv2\n -ssl3 SSLv3\n -tls1 TLS 1\n -tls1_1 TLS 1.1\n -tls1_2 TLS 1.2"| while read proto proto_text; do
locally_supported "$proto" "$proto_text" || continue locally_supported "$proto" "$proto_text" || continue
outln outln
$OPENSSL ciphers $proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode n ciph sslvers kx auth enc mac export; do $OPENSSL ciphers $proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode n ciph sslvers kx auth enc mac export; do # -V doesn't work with openssl < 1.0
$OPENSSL s_client -cipher $ciph $proto $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null $OPENSSL s_client -cipher $ciph $proto $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
ret=$? ret=$?
if [ $ret -ne 0 ] && [ "$SHOW_EACH_C" -eq 0 ]; then if [ $ret -ne 0 ] && [ "$SHOW_EACH_C" -eq 0 ]; then
@ -1498,7 +1498,7 @@ pfs() {
outln outln
pr_blue "--> Testing (perfect) forward secrecy, (P)FS"; outln " -- omitting 3DES, RC4 and Null Encryption here" pr_blue "--> Testing (perfect) forward secrecy, (P)FS"; outln " -- omitting 3DES, RC4 and Null Encryption here"
$OPENSSL ciphers -V "$pfs_ciphers" >$TMPFILE 2>/dev/null $OPENSSL ciphers -V "$pfs_ciphers" >$TMPFILE 2>/dev/null # -V doesn't work with openssl < 1.0
if [ $? -ne 0 ] ; then if [ $? -ne 0 ] ; then
number_pfs=$(wc -l < $TMPFILE | sed 's/ //g') number_pfs=$(wc -l < $TMPFILE | sed 's/ //g')
if [ "$number_pfs" -le "$CLIENT_MIN_PFS" ] ; then if [ "$number_pfs" -le "$CLIENT_MIN_PFS" ] ; then
@ -1539,7 +1539,7 @@ pfs() {
fi fi
fi fi
outln outln
done < <($OPENSSL ciphers -V "$pfs_ciphers") done < <($OPENSSL ciphers -V "$pfs_ciphers") # -V doesn't work with openssl < 1.0
# ^^^^^ posix redirect as shopt will either segfault or doesn't work with old bash versions # ^^^^^ posix redirect as shopt will either segfault or doesn't work with old bash versions
debugme echo $none debugme echo $none
@ -1809,7 +1809,7 @@ sslv2_sockets() {
pr_greenln "not offered (OK)" pr_greenln "not offered (OK)"
ret=0 ;; ret=0 ;;
3) # everything else 3) # everything else
lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l) lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l | sed 's/ //g')
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) " [[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
if [[ "$lines" -gt 1 ]] ;then if [[ "$lines" -gt 1 ]] ;then
ciphers_detected=$(($V2_HELLO_CIPHERSPEC_LENGTH / 3 )) ciphers_detected=$(($V2_HELLO_CIPHERSPEC_LENGTH / 3 ))
@ -1967,7 +1967,7 @@ tls_sockets() {
save=$? save=$?
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL # see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l) lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l | sed 's/ //g')
[[ "$DEBUG" -ge 2 ]] && out " (returned $lines lines) " [[ "$DEBUG" -ge 2 ]] && out " (returned $lines lines) "
# printf "Protokoll "; tput bold; printf "$tls_low_byte = $tls_str"; tput sgr0; printf ": " # printf "Protokoll "; tput bold; printf "$tls_low_byte = $tls_str"; tput sgr0; printf ": "
@ -2093,7 +2093,7 @@ heartbleed(){
outln outln
fi fi
lines_returned=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l) lines_returned=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l | sed 's/ //g')
if [ $lines_returned -gt 1 ]; then if [ $lines_returned -gt 1 ]; then
pr_red "VULNERABLE (NOT ok)" pr_red "VULNERABLE (NOT ok)"
ret=1 ret=1
@ -2204,7 +2204,7 @@ ccs_injection(){
fi fi
reply_sanitized=$(echo "$SOCKREPLY" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//') reply_sanitized=$(echo "$SOCKREPLY" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//')
lines=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l) lines=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l | sed 's/ //g')
if [ "$reply_sanitized" == "0a" ] || [ "$lines" -gt 1 ] ; then if [ "$reply_sanitized" == "0a" ] || [ "$lines" -gt 1 ] ; then
pr_green "not vulnerable (OK)" pr_green "not vulnerable (OK)"
@ -2453,7 +2453,7 @@ freak() {
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for FREAK attack" && outln "\n" [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for FREAK attack" && outln "\n"
pr_bold " FREAK "; out " (CVE-2015-0204), experimental " pr_bold " FREAK "; out " (CVE-2015-0204), experimental "
no_exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | egrep -a "^EXP.*RSA" | wc -l) no_exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | egrep -a "^EXP.*RSA" | wc -l | sed 's/ //g')
exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/^EXP.*RSA/ {print $1}' | tr '\n' ':') exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/^EXP.*RSA/ {print $1}' | tr '\n' ':')
debugme echo $exportrsa_ciphers debugme echo $exportrsa_ciphers
# with correct build it should list these 7 ciphers (plus the two latter as SSLv2 ciphers): # with correct build it should list these 7 ciphers (plus the two latter as SSLv2 ciphers):
@ -2502,7 +2502,7 @@ beast(){
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
continue # protocol no supported, so we do not need to check each cipher with that protocol continue # protocol no supported, so we do not need to check each cipher with that protocol
fi fi
#FIXME: doesn't work on FreeBSD, needs a warning and bailout #FIXME: doesn't work on with openssl 0.98, we won't fix though
while read hexcode dash cbc_cipher sslvers kx auth enc mac export ; do while read hexcode dash cbc_cipher sslvers kx auth enc mac export ; do
$OPENSSL s_client -cipher "$cbc_cipher" -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI >$TMPFILE 2>/dev/null </dev/null $OPENSSL s_client -cipher "$cbc_cipher" -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI >$TMPFILE 2>/dev/null </dev/null
#normalize_ciphercode $hexcode #normalize_ciphercode $hexcode
@ -2510,7 +2510,7 @@ beast(){
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
detected_cbc_cipher="$detected_cbc_cipher ""$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')" detected_cbc_cipher="$detected_cbc_cipher ""$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')"
fi fi
done < <($OPENSSL ciphers -V 'ALL:eNULL' | grep -a CBC) done < <($OPENSSL ciphers -V 'ALL:eNULL' | grep -a CBC) # -V doesn't work with openssl < 1.0
# ^^^^^ process substitution as shopt will either segfault or doesn't work with old bash versions # ^^^^^ process substitution as shopt will either segfault or doesn't work with old bash versions
#detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g') #detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g')
@ -2564,7 +2564,7 @@ rc4() {
fi fi
pr_bold " RC4"; out " (CVE-2013-2566, CVE-2015-2808) " pr_bold " RC4"; out " (CVE-2013-2566, CVE-2015-2808) "
$OPENSSL ciphers -V 'RC4:@STRENGTH' >$TMPFILE $OPENSSL ciphers -V 'RC4:@STRENGTH' >$TMPFILE # -V doesn't work with openssl < 1.0
[ $LONG -eq 0 ] && [ $SHOW_LOC_CIPH -eq 0 ] && echo "local ciphers available for testing RC4:" && echo $(cat $TMPFILE) [ $LONG -eq 0 ] && [ $SHOW_LOC_CIPH -eq 0 ] && echo "local ciphers available for testing RC4:" && echo $(cat $TMPFILE)
$OPENSSL s_client -cipher $($OPENSSL ciphers RC4) $STARTTLS -connect $NODEIP:$PORT $SNI &>/dev/null </dev/null $OPENSSL s_client -cipher $($OPENSSL ciphers RC4) $STARTTLS -connect $NODEIP:$PORT $SNI &>/dev/null </dev/null
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -2574,7 +2574,7 @@ rc4() {
[[ $LONG -eq 0 ]] && neat_header [[ $LONG -eq 0 ]] && neat_header
while read hexcode n ciph sslvers kx auth enc mac; do while read hexcode n ciph sslvers kx auth enc mac; do
$OPENSSL s_client -cipher $ciph $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null &>/dev/null $OPENSSL s_client -cipher $ciph $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null &>/dev/null
ret=$? ret=$? # here we have a fp with openssl < 1.0
if [[ $ret -ne 0 ]] && [[ "$SHOW_EACH_C" -eq 0 ]] ; then if [[ $ret -ne 0 ]] && [[ "$SHOW_EACH_C" -eq 0 ]] ; then
continue # no successful connect AND not verbose displaying each cipher continue # no successful connect AND not verbose displaying each cipher
fi fi
@ -2678,20 +2678,20 @@ openssl_age() {
0.9.8) 0.9.8)
case $OSSL_VER_APPENDIX in case $OSSL_VER_APPENDIX in
a|b|c|d|e) old_fart;; # no SNI! a|b|c|d|e) old_fart;; # no SNI!
# other than that we leave this for MacOSX but it's a pain and no guarantees! # other than that we leave this for MacOSX and FREEBSD but it's a pain and likely gives false negatives/positives
esac esac
;; ;;
esac esac
if [ $OSSL_VER_MAJOR -lt 1 ]; then ## mm: Patch for libressl if [ $OSSL_VER_MAJOR -lt 1 ]; then ## mm: Patch for libressl
outln outln
outln " Your \"$OPENSSL\" is way too old (<version 1.0)" pr_magentaln " Your \"$OPENSSL\" is way too old (<version 1.0)"
case $SYSTEM in case $SYSTEM in
*BSD|Darwin) *BSD|Darwin)
outln " Please use openssl from ports/brew or compile from github.com/PeterMosmans/openssl" ;; outln " Please use openssl from ports/brew or compile from github.com/PeterMosmans/openssl" ;;
*) outln " Update openssl binaries or compile from github.com/PeterMosmans/openssl" ;; *) outln " Update openssl binaries or compile from github.com/PeterMosmans/openssl" ;;
esac esac
outln outln
pr_magentaln " Proceeding may result in false negatives or positives ¡¡¡ <Enter> at your own risk !!! \n" pr_magentaln " ¡¡¡ Proceeding WILL CERTAINLY result in false negatives or positives !!! Hit <ENTER> to acknowledge \n"
read a read a
fi fi
} }
@ -3423,6 +3423,6 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.246 2015/05/11 08:47:25 dirkw Exp $ # $Id: testssl.sh,v 1.247 2015/05/11 14:58:56 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab # ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab