mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Remember better protocol settings in ciphers_by_strength() / cipher_pref_check()
... in cases where the protcol section has not been run before. Also add " -\n" on the screen/html if protocol is not supported. Also for SSLv2 which can be supported but at the same time not offer any ciphers mention there will be an output on the screen.
This commit is contained in:
parent
0a859d7b98
commit
3b92b0cf85
63
testssl.sh
63
testssl.sh
@ -259,6 +259,7 @@ APP_TRAF_KEY_INFO="" # Information about the application traf
|
|||||||
TLS13_ONLY=false # Does the server support TLS 1.3 ONLY?
|
TLS13_ONLY=false # Does the server support TLS 1.3 ONLY?
|
||||||
OSSL_SHORTCUT=${OSSL_SHORTCUT:-false} # Hack: if during the scan turns out the OpenSSL binary suports TLS 1.3 would be a better choice, this enables it.
|
OSSL_SHORTCUT=${OSSL_SHORTCUT:-false} # Hack: if during the scan turns out the OpenSSL binary suports TLS 1.3 would be a better choice, this enables it.
|
||||||
TLS_EXTENSIONS=""
|
TLS_EXTENSIONS=""
|
||||||
|
V2_HELLO_CIPHERSPEC_LENGTH=0
|
||||||
declare -r NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
declare -r NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
||||||
# alpn_protos needs to be space-separated, not comma-seperated, including odd ones observed @ facebook and others, old ones like h2-17 omitted as they could not be found
|
# alpn_protos needs to be space-separated, not comma-seperated, including odd ones observed @ facebook and others, old ones like h2-17 omitted as they could not be found
|
||||||
declare -r ALPN_PROTOs="h2 spdy/3.1 http/1.1 grpc-exp h2-fb spdy/1 spdy/2 spdy/3 stun.turn stun.nat-discovery webrtc c-webrtc ftp"
|
declare -r ALPN_PROTOs="h2 spdy/3.1 http/1.1 grpc-exp h2-fb spdy/1 spdy/2 spdy/3 stun.turn stun.nat-discovery webrtc c-webrtc ftp"
|
||||||
@ -4045,7 +4046,7 @@ ciphers_by_strength() {
|
|||||||
# The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
|
# The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
|
||||||
if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
|
if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
|
||||||
ossl_ciphers_proto=""
|
ossl_ciphers_proto=""
|
||||||
elif [[ "$proto" == -ssl2 ]] || [[ "$proto" == -ssl3 ]] || \
|
elif [[ $proto == -ssl2 ]] || [[ $proto == -ssl3 ]] || \
|
||||||
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \
|
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \
|
||||||
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 3.0.0* ]]; then
|
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 3.0.0* ]]; then
|
||||||
ossl_ciphers_proto="$proto"
|
ossl_ciphers_proto="$proto"
|
||||||
@ -4072,23 +4073,32 @@ ciphers_by_strength() {
|
|||||||
done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "$ossl_ciphers_proto -V")
|
done < <(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL' "$ossl_ciphers_proto -V")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$proto" == -ssl2 ]]; then
|
if [[ $proto == -ssl2 ]]; then
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
sslv2_sockets "${sslv2_ciphers:2}" "true"
|
sslv2_sockets "${sslv2_ciphers:2}" "true"
|
||||||
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
if [[ $? -eq 3 ]] ; then
|
||||||
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
add_tls_offered ssl2 yes
|
||||||
"$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")"
|
if [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
||||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
||||||
if [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
|
"$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")"
|
||||||
ciphers_found[i]=true
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
if [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
|
||||||
fi
|
ciphers_found[i]=true
|
||||||
done
|
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
outln " protocol support with no cipher "
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
add_tls_offered ssl2 no
|
||||||
|
"$wide" && outln " - "
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? "$TMPFILE"
|
sclient_connect_successful $? "$TMPFILE"
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
|
add_tls_offered ssl2 yes
|
||||||
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
|
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
|
||||||
"$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
|
"$wide" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
|
||||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||||
@ -4097,6 +4107,9 @@ ciphers_by_strength() {
|
|||||||
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
else
|
||||||
|
add_tls_offered ssl2 no
|
||||||
|
"$wide" && outln " - "
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else # no SSLv2
|
else # no SSLv2
|
||||||
@ -4253,6 +4266,16 @@ ciphers_by_strength() {
|
|||||||
fileout "$id" "INFO" "$proto_text $(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${export2[i]}") $available"
|
fileout "$id" "INFO" "$proto_text $(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${export2[i]}") $available"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if [[ $proto != -ssl2 ]]; then
|
||||||
|
# We handled SSLv2 above already
|
||||||
|
if [[ -n "$cipher" ]]; then
|
||||||
|
add_tls_offered $proto yes
|
||||||
|
else
|
||||||
|
add_tls_offered $proto no
|
||||||
|
"$wide" && outln " -"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
if ! "$wide" && [[ -n "$cipher" ]]; then
|
if ! "$wide" && [[ -n "$cipher" ]]; then
|
||||||
outln
|
outln
|
||||||
out "$(printf " %-10s " "$proto_text: ")"
|
out "$(printf " %-10s " "$proto_text: ")"
|
||||||
@ -6542,12 +6565,12 @@ run_server_preference() {
|
|||||||
fi
|
fi
|
||||||
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
|
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
|
||||||
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
|
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
|
||||||
if [[ "$proto_ossl" == ssl2 ]] || \
|
if [[ $proto_ossl == ssl2 ]] || \
|
||||||
( [[ "$proto_ossl" != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
||||||
( [[ "$proto_ossl" == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
||||||
if [[ "$proto_ossl" == ssl2 ]]; then
|
if [[ $proto_ossl == ssl2 ]]; then
|
||||||
outln " (listed by strength)"
|
outln " (listed by strength)"
|
||||||
elif [[ "$proto_ossl" == tls1_3 ]]; then
|
elif [[ $proto_ossl == tls1_3 ]]; then
|
||||||
outln " (no server order, thus listed by strength)"
|
outln " (no server order, thus listed by strength)"
|
||||||
else
|
else
|
||||||
prln_svrty_high " (no server order, thus listed by strength)"
|
prln_svrty_high " (no server order, thus listed by strength)"
|
||||||
@ -6642,11 +6665,11 @@ check_tls12_pref() {
|
|||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# At the moment only called from run_server_preference()
|
||||||
cipher_pref_check() {
|
cipher_pref_check() {
|
||||||
local proto_ossl="$1" proto_hex="$2" proto="$3"
|
local proto_ossl="$1" proto_hex="$2" proto="$3"
|
||||||
local using_sockets="$4"
|
local using_sockets="$4"
|
||||||
local wide="$5" # at the moment this is called ALWAYS via run_server_preference and ALWAYS w true
|
local wide="$5" # at the moment always = true
|
||||||
local tested_cipher cipher order rfc_cipher rfc_order
|
local tested_cipher cipher order rfc_cipher rfc_order
|
||||||
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
|
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
|
||||||
local -i i nr_ciphers nr_nonossl_ciphers num_bundles bundle_size bundle end_of_bundle success
|
local -i i nr_ciphers nr_nonossl_ciphers num_bundles bundle_size bundle end_of_bundle success
|
||||||
@ -6890,6 +6913,10 @@ cipher_pref_check() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fileout "cipherorder_${proto//./_}" "INFO" "$order"
|
fileout "cipherorder_${proto//./_}" "INFO" "$order"
|
||||||
|
else
|
||||||
|
# Order doesn't contain any ciphers, so we can safely unset the protocol and put a dash out
|
||||||
|
add_tls_offered "$proto_ossl" no
|
||||||
|
outln " -"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
tmpfile_handle ${FUNCNAME[0]}-$proto_ossl.txt
|
tmpfile_handle ${FUNCNAME[0]}-$proto_ossl.txt
|
||||||
|
Loading…
Reference in New Issue
Block a user