Remember better protocol settings in ciphers_by_strength() / cipher_pref_check()

... in cases where the protcol section has not been run before.

Also add " -\n" on the screen/html if protocol is not supported. Also for
SSLv2 which can be supported but at the same time not offer any ciphers
mention there will be an output on the screen.
This commit is contained in:
Dirk Wetter 2020-04-27 16:51:45 +02:00
parent 0a859d7b98
commit 3b92b0cf85

View File

@ -259,6 +259,7 @@ APP_TRAF_KEY_INFO="" # Information about the application traf
TLS13_ONLY=false # Does the server support TLS 1.3 ONLY? TLS13_ONLY=false # Does the server support TLS 1.3 ONLY?
OSSL_SHORTCUT=${OSSL_SHORTCUT:-false} # Hack: if during the scan turns out the OpenSSL binary suports TLS 1.3 would be a better choice, this enables it. OSSL_SHORTCUT=${OSSL_SHORTCUT:-false} # Hack: if during the scan turns out the OpenSSL binary suports TLS 1.3 would be a better choice, this enables it.
TLS_EXTENSIONS="" TLS_EXTENSIONS=""
V2_HELLO_CIPHERSPEC_LENGTH=0
declare -r NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1" declare -r NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
# alpn_protos needs to be space-separated, not comma-seperated, including odd ones observed @ facebook and others, old ones like h2-17 omitted as they could not be found # alpn_protos needs to be space-separated, not comma-seperated, including odd ones observed @ facebook and others, old ones like h2-17 omitted as they could not be found
declare -r ALPN_PROTOs="h2 spdy/3.1 http/1.1 grpc-exp h2-fb spdy/1 spdy/2 spdy/3 stun.turn stun.nat-discovery webrtc c-webrtc ftp" declare -r ALPN_PROTOs="h2 spdy/3.1 http/1.1 grpc-exp h2-fb spdy/1 spdy/2 spdy/3 stun.turn stun.nat-discovery webrtc c-webrtc ftp"
@ -4045,7 +4046,7 @@ ciphers_by_strength() {
# The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1. # The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
if [[ "$OSSL_NAME" =~ LibreSSL ]]; then if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
ossl_ciphers_proto="" ossl_ciphers_proto=""
elif [[ "$proto" == -ssl2 ]] || [[ "$proto" == -ssl3 ]] || \ elif [[ $proto == -ssl2 ]] || [[ $proto == -ssl3 ]] || \
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \ [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 3.0.0* ]]; then [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 3.0.0* ]]; then
ossl_ciphers_proto="$proto" ossl_ciphers_proto="$proto"
@ -4072,23 +4073,32 @@ ciphers_by_strength() {
done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "$ossl_ciphers_proto -V") done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "$ossl_ciphers_proto -V")
fi fi
if [[ "$proto" == -ssl2 ]]; then if [[ $proto == -ssl2 ]]; then
if "$using_sockets"; then if "$using_sockets"; then
sslv2_sockets "${sslv2_ciphers:2}" "true" sslv2_sockets "${sslv2_ciphers:2}" "true"
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then if [[ $? -eq 3 ]] ; then
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")" add_tls_offered ssl2 yes
"$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")" if [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
for (( i=0 ; i<nr_ciphers; i++ )); do supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
if [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then "$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")"
ciphers_found[i]=true for (( i=0 ; i<nr_ciphers; i++ )); do
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s" if [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
fi ciphers_found[i]=true
done "$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
fi
done
else
outln " protocol support with no cipher "
fi
else
add_tls_offered ssl2 no
"$wide" && outln " - "
fi fi
else else
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? "$TMPFILE" sclient_connect_successful $? "$TMPFILE"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
add_tls_offered ssl2 yes
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)" supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
"$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")" "$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
for (( i=0 ; i<nr_ciphers; i++ )); do for (( i=0 ; i<nr_ciphers; i++ )); do
@ -4097,6 +4107,9 @@ ciphers_by_strength() {
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s" "$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
fi fi
done done
else
add_tls_offered ssl2 no
"$wide" && outln " - "
fi fi
fi fi
else # no SSLv2 else # no SSLv2
@ -4253,6 +4266,16 @@ ciphers_by_strength() {
fileout "$id" "INFO" "$proto_text $(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${export2[i]}") $available" fileout "$id" "INFO" "$proto_text $(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${export2[i]}") $available"
fi fi
done done
if [[ $proto != -ssl2 ]]; then
# We handled SSLv2 above already
if [[ -n "$cipher" ]]; then
add_tls_offered $proto yes
else
add_tls_offered $proto no
"$wide" && outln " -"
fi
fi
if ! "$wide" && [[ -n "$cipher" ]]; then if ! "$wide" && [[ -n "$cipher" ]]; then
outln outln
out "$(printf " %-10s " "$proto_text: ")" out "$(printf " %-10s " "$proto_text: ")"
@ -6542,12 +6565,12 @@ run_server_preference() {
fi fi
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check() # TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E ) # (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
if [[ "$proto_ossl" == ssl2 ]] || \ if [[ $proto_ossl == ssl2 ]] || \
( [[ "$proto_ossl" != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \ ( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
( [[ "$proto_ossl" == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then ( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
if [[ "$proto_ossl" == ssl2 ]]; then if [[ $proto_ossl == ssl2 ]]; then
outln " (listed by strength)" outln " (listed by strength)"
elif [[ "$proto_ossl" == tls1_3 ]]; then elif [[ $proto_ossl == tls1_3 ]]; then
outln " (no server order, thus listed by strength)" outln " (no server order, thus listed by strength)"
else else
prln_svrty_high " (no server order, thus listed by strength)" prln_svrty_high " (no server order, thus listed by strength)"
@ -6642,11 +6665,11 @@ check_tls12_pref() {
return 0 return 0
} }
# At the moment only called from run_server_preference()
cipher_pref_check() { cipher_pref_check() {
local proto_ossl="$1" proto_hex="$2" proto="$3" local proto_ossl="$1" proto_hex="$2" proto="$3"
local using_sockets="$4" local using_sockets="$4"
local wide="$5" # at the moment this is called ALWAYS via run_server_preference and ALWAYS w true local wide="$5" # at the moment always = true
local tested_cipher cipher order rfc_cipher rfc_order local tested_cipher cipher order rfc_cipher rfc_order
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA" local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
local -i i nr_ciphers nr_nonossl_ciphers num_bundles bundle_size bundle end_of_bundle success local -i i nr_ciphers nr_nonossl_ciphers num_bundles bundle_size bundle end_of_bundle success
@ -6890,6 +6913,10 @@ cipher_pref_check() {
fi fi
fi fi
fileout "cipherorder_${proto//./_}" "INFO" "$order" fileout "cipherorder_${proto//./_}" "INFO" "$order"
else
# Order doesn't contain any ciphers, so we can safely unset the protocol and put a dash out
add_tls_offered "$proto_ossl" no
outln " -"
fi fi
tmpfile_handle ${FUNCNAME[0]}-$proto_ossl.txt tmpfile_handle ${FUNCNAME[0]}-$proto_ossl.txt