diff --git a/testssl.sh b/testssl.sh index d0beddd..102b16e 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3,7 +3,7 @@ # vim:ts=5:sw=5:expandtab # we have a spaces softtab, that ensures readability with other editors too -[ -z "$BASH_VERSINFO" ] && printf "\n\033[1;35m Please make sure you're using \"bash\"! Bye...\033[m\n\n" >&2 && exit 245 +[ -z "$BASH_VERSINFO" ] && printf "\n\033[1;35m Please make sure you're using \"bash\"! Bye...\033[m\n\n" >&2 && exit 245 [ $(kill -l | grep -c SIG) -eq 0 ] && printf "\n\033[1;35m Please make sure you're calling me without leading \"sh\"! Bye...\033[m\n\n" >&2 && exit 245 # testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some @@ -25,17 +25,17 @@ # USAGE WITHOUT ANY WARRANTY, THE SOFTWARE IS PROVIDED "AS IS". USE IT AT # your OWN RISK! -# HISTORY: +# HISTORY: # Back in 2006 it all started with a few openssl commands... -# That's because openssl is a such a good swiss army knife (see e.g. -# wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist -# wrapping some shell commands around it, which I used for my pen tests. This is how +# That's because openssl is a such a good swiss army knife (see e.g. +# wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist +# wrapping some shell commands around it, which I used for my pen tests. This is how # everything started. # Now it has grown up, it has bash socket support for some features which basically replacing # more and more functions of OpenSSL and will serve as some kind of library in the future. # The socket checks in bash may sound cool and unique -- they are -- but probably you # can achieve e.g. the same result with my favorite interactive shell: zsh (zmodload zsh/net/socket -# -- checkout zsh/net/tcp) too! +# -- checkout zsh/net/tcp) too! # /bin/bash though is way more often used within Linux and it's perfect # for cross platform support, see MacOS X and also under Windows the MSYS2 extension or Cygwin. # Cross-platform is one of the three main goals of this script. Second: Ease of installation. @@ -49,8 +49,8 @@ # internet. And those examples above 4) are 3rd parties. If these restrictions are all fine # with you and you need a management compatible rating -- go ahead and use those. -# But also if your fine with those restrictions: testssl.sh is meant as a tool in your hand -# and it's way more flexible. +# But also if your fine with those restrictions: testssl.sh is meant as a tool in your hand +# and it's way more flexible. # # Oh, and did I mention testssl.sh is open source? @@ -59,7 +59,7 @@ # are disabled as they'll impact security otherwise. For security # testing though we need all broken features. testssl.sh will # over time replace those checks with bash sockets -- however it's -# still recommended to use the supplied binaries or cook your own, see +# still recommended to use the supplied binaries or cook your own, see # https://github.com/drwetter/testssl.sh/blob/master/bin/Readme.md . # Don't worry if feature X is not available you'll get a warning about # this missing feature! The idea is if this script can't tell something @@ -86,7 +86,7 @@ MAPPING_FILE_RFC="" which git &>/dev/null && readonly GIT_REL=$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }') readonly CVS_REL=$(tail -5 "$0" | awk '/dirkw Exp/ { print $4" "$5" "$6}') readonly CVS_REL_SHORT=$(tail -5 "$0" | awk '/dirkw Exp/ { print $4 }') -readonly SYSTEM=$(uname -s) +readonly SYSTEM=$(uname -s) date --help >/dev/null 2>&1 && \ readonly HAS_GNUDATE=true || \ readonly HAS_GNUDATE=false @@ -112,14 +112,14 @@ TERM_CURRPOS=0 # custom line wrapping ne declare -x OPENSSL COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all SHOW_EACH_C=${SHOW_EACH_C:-0} # where individual ciphers are tested show just the positively ones tested #FIXME: upside down value -SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual? +SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual? QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native" ASSUMING_HTTP=${ASSUMING_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5 -DEBUG=${DEBUG:-0} # 1.: the temp files won't be erased. +DEBUG=${DEBUG:-0} # 1.: the temp files won't be erased. # 2: list more what's going on (formerly: eq VERBOSE=1, VERBERR=true), lists some errors of connections - # 3: slight hexdumps + other info, + # 3: slight hexdumps + other info, # 4: display bytes sent via sockets, 5: display bytes received via sockets, 6: whole 9 yards WIDE=${WIDE:-false} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc. LOGFILE=${LOGILE-""} # logfile if used @@ -271,7 +271,7 @@ readonly SSLv2_CLIENT_HELLO=" ###### output functions ###### -# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest. +# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest. out() { /usr/bin/printf -- "${1//%/%%}"; } outln() { out "$1\n"; } #TODO: Still no shell injection safe but if just run it from the cmd line: that's fine @@ -304,10 +304,10 @@ pr_greyln() { pr_grey "$1"; outln; } pr_litegreen() { [[ "$COLOR" -eq 2 ]] && out "\033[0;32m$1" || out "$1"; pr_off; } # This is good pr_litegreenln() { pr_litegreen "$1"; outln; } -pr_green() { [[ "$COLOR" -eq 2 ]] && out "\033[1;32m$1" || out "$1"; pr_off; } # This is the best +pr_green() { [[ "$COLOR" -eq 2 ]] && out "\033[1;32m$1" || out "$1"; pr_off; } # This is the best pr_greenln() { pr_green "$1"; outln; } -pr_yellow() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem +pr_yellow() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem pr_yellowln() { pr_yellow "$1"; outln; } pr_brown() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this pr_brownln() { pr_brown "$1"; outln; } @@ -317,7 +317,7 @@ pr_brownln() { pr_brown "$1"; outln; } pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m\c"; } pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; } pr_boldln() { pr_bold "$1" ; outln; } -pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; } +pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; } pr_underline() { [[ "$COLOR" -ne 0 ]] && out "\033[4m$1" || out "$1"; pr_off; } pr_reverse() { [[ "$COLOR" -ne 0 ]] && out "\033[7m$1" || out "$1"; pr_off; } pr_reverse_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[7m\033[1m$1" || out "$1"; pr_off; } @@ -475,7 +475,7 @@ is_ipv6addr() { #check on chars allowed: [[ -n "$(tr -d '0-9:a-fA-F ' <<< "$1" | sed -e '/^$/d')" ]] && \ return 1 - return 0 + return 0 } @@ -596,7 +596,7 @@ run_http_header() { if [[ $? -eq 0 ]]; then # we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it # again in the foreground ito get an ccurate header time! - printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE + printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE NOW_TIME=$(date "+%s") HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE) HAD_SLEPT=0 @@ -630,7 +630,7 @@ run_http_header() { pr_bold " HTTP Status Code " [[ -z "$status_code" ]] && pr_litemagentaln "No status code" && return 3 - out " $status_code$msg_thereafter" + out " $status_code$msg_thereafter" case $status_code in 301|302|307|308) out ", redirecting to \"$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')\"" ;; 200) ;; @@ -639,7 +639,7 @@ run_http_header() { 401) grep -aq "^WWW-Authenticate" $HEADERFILE && out " "; strip_lf "$(grep -a "^WWW-Authenticate" $HEADERFILE)" ;; 403) ;; - 404) out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" ;; + 404) out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" ;; 405) ;; *) pr_litemagenta ". Oh, didn't expect a $status_code$msg_thereafter";; esac @@ -657,7 +657,7 @@ detect_ipv4() { local result local first=true local spaces=" " - + if [[ ! -s $HEADERFILE ]]; then run_http_header "$1" || return 3 fi @@ -665,7 +665,7 @@ detect_ipv4() { # remove pagespeed header as it is mistakenly identified as ipv4 address https://github.com/drwetter/testssl.sh/issues/158 # also facebook has a CSP rule for 127.0.0.1 if egrep -vi "pagespeed|page-speed|Content-Security-Policy" $HEADERFILE | grep -iqE "$ipv4address"; then - pr_bold " IPv4 address in header " + pr_bold " IPv4 address in header " while read line; do result="$(grep -E "$ipv4address" <<< "$line")" result=$(strip_lf "$result") @@ -681,7 +681,7 @@ detect_ipv4() { fi done < $HEADERFILE fi -} +} run_http_date() { @@ -914,7 +914,7 @@ run_rp_banner() { run_http_header "$1" || return 3 fi pr_bold " Reverse Proxy banner " - egrep -ai '^Via:|^X-Cache|^X-Squid|^X-Varnish:|^X-Server-Name:|^X-Server-Port:|^x-forwarded' $HEADERFILE >$TMPFILE + egrep -ai '^Via:|^X-Cache|^X-Squid|^X-Varnish:|^X-Server-Name:|^X-Server-Port:|^x-forwarded' $HEADERFILE >$TMPFILE if [[ $? -ne 0 ]]; then outln "--" else @@ -965,7 +965,7 @@ run_application_banner() { run_cookie_flags() { # ARG1: Path, ARG2: path local -i nr_cookies local nr_httponly nr_secure - local negative_word + local negative_word if [[ ! -s $HEADERFILE ]]; then run_http_header "$1" || return 3 @@ -1015,7 +1015,7 @@ run_more_flags() { fi pr_bold " Security headers " # convert spaces to | (for egrep) - egrep_pattern=$(echo "$good_flags2test $other_flags2test"| sed -e 's/ /|\^/g' -e 's/^/\^/g') + egrep_pattern=$(echo "$good_flags2test $other_flags2test"| sed -e 's/ /|\^/g' -e 's/^/\^/g') egrep -ai "$egrep_pattern" $HEADERFILE >$TMPFILE if [[ $? -ne 0 ]]; then outln "--" @@ -1161,7 +1161,7 @@ std_cipherlists() { [[ $sclient_success -eq 0 ]] && \ pr_literedln "offered (NOT ok)" || \ pr_litegreenln "not offered (OK)" ;; - 3) # not totally bad + 3) # not totally bad [[ $sclient_success -eq 0 ]] && \ pr_brownln "offered (NOT ok)" || \ outln "not offered (OK)" ;; @@ -1278,7 +1278,7 @@ test_just_one(){ normalize_ciphercode $hexcode # is argument a number? if [[ $arg =~ $re ]]; then - neat_list $HEXC $ciph $kx $enc | grep -qai "$arg" + neat_list $HEXC $ciph $kx $enc | grep -qai "$arg" else neat_list $HEXC $ciph $kx $enc | grep -qwai "$arg" fi @@ -1406,7 +1406,7 @@ locally_supported() { } -# the protocol check needs to be revamped. It sucks. +# the protocol check needs to be revamped. It sucks. # 1) we need to have a variable where the resulta are being stored so that every other test doesn't have to do this again. # 2) the code is too old and one can do that way better # 3) HAS_SSL3/2 does already exist @@ -1429,7 +1429,7 @@ run_prototest_openssl() { # SSLv3 doesn't have SNI (openssl doesn't complain though -- yet) $OPENSSL s_client -state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $sni >$TMPFILE 2>$ERRFILE $ERRFILE >$TMPFILE if ! sclient_connect_successful $? $TMPFILE; then pr_litemagenta "no matching cipher in this list found (pls report this): " @@ -1691,7 +1691,7 @@ run_server_preference() { *TLSv1) outln $default_proto ;; *SSLv2) pr_redln $default_proto ;; *SSLv3) pr_redln $default_proto ;; - "") pr_litemagenta "default proto empty"; [[ $OSSL_VER == 1.0.2* ]] && outln " (Hint: if IIS6 give OpenSSL 1.01 a try)" ;; + "") pr_litemagenta "default proto empty"; [[ $OSSL_VER == 1.0.2* ]] && outln " (Hint: if IIS6 give OpenSSL 1.01 a try)" ;; *) pr_litemagenta "FIXME line $LINENO: $default_proto" ;; esac @@ -1849,7 +1849,7 @@ get_all_certs() { pr_litemagenta "problem getting all certs" savedir=$(pwd); cd $TEMPDIR # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ - awk -v n=-1 '/-----BEGIN CERTIFICATE-----/{ inc=1; n++ } + awk -v n=-1 '/-----BEGIN CERTIFICATE-----/{ inc=1; n++ } inc { print > ("level" n ".crt") } /---END CERTIFICATE-----/{ inc=0 }' $TEMPDIR/allcerts.txt nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)") @@ -1880,7 +1880,7 @@ verify_retcode_helper() { determine_trust() { local i=1 local bundle_fname - local -a certificate_file verify_retcode trust + local -a certificate_file verify_retcode trust local ok_was="" local notok_was="" local code @@ -1897,7 +1897,7 @@ determine_trust() { for bundle_fname in $ca_bundles; do certificate_file[i]=$(basename $bundle_fname | sed 's/\.pem//') if [[ ! -r $bundle_fname ]]; then - pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable" + pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable" return 7 fi debugme printf -- " %-12s" "${certificate_file[i]}" @@ -1917,10 +1917,10 @@ determine_trust() { debugme out " " # all stores ok if ${trust[1]} && ${trust[2]} && ${trust[3]} && ${trust[4]}; then - pr_litegreen "Ok " + pr_litegreen "Ok " # at least one failed else - pr_litered "NOT ok" + pr_litered "NOT ok" # all failed (we assume with the same issue) if ! ${trust[1]} && ! ${trust[2]} && ! ${trust[3]} && ! ${trust[4]}; then verify_retcode_helper "${verify_retcode[2]}" @@ -1985,7 +1985,7 @@ tls_time() { sclient_connect_successful() { [[ $1 -eq 0 ]] && return 0 [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0 - # second check saved like + # second check saved like # fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1 # what's left now is: master key empty and Session-ID not empty ==> probably client based auth with x509 certificate return 1 @@ -2045,7 +2045,7 @@ run_server_defaults() { if [[ -z "$TLS_EXTENSIONS" ]]; then outln "(none)" else - #echo $extensions | sed 's/ /,/g' + #echo $extensions | sed 's/ /,/g' outln "$TLS_EXTENSIONS" fi @@ -2062,7 +2062,7 @@ run_server_defaults() { out "$lifetime $unit " pr_yellowln "(PFS requires session ticket keys to be rotated <= daily)" fi - + pr_bold " SSL Session ID support " if $NO_SSL_SESSIONID; then outln "no" @@ -2194,7 +2194,7 @@ run_server_defaults() { out " (" pr_dquoted "$issuer_O" if [[ -n "$issuer_C" ]]; then - out " from " + out " from " pr_dquoted "$issuer_C" fi outln ")" @@ -2210,14 +2210,14 @@ run_server_defaults() { [[ 2.16.578.1.26.1.3.3 == "$policy_oid" ]] || \ [[ 1.3.6.1.4.1.17326.10.14.2.1.2 == "$policy_oid" ]] || \ [[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \ - [[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then + [[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then out "yes " else out "no " fi debugme echo "($(newline_to_spaces "$policy_oid"))" outln -#TODO: use browser OIDs: +#TODO: use browser OIDs: # https://mxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp # http://src.chromium.org/chrome/trunk/src/net/cert/ev_root_ca_metadata.cc # https://certs.opera.com/03/ev-oids.xml @@ -2264,7 +2264,7 @@ run_server_defaults() { if [[ $(count_lines "$crl") -eq 1 ]]; then outln "$crl" else # more than one CRL - out_row_aligned "$crl" "$spaces" + out_row_aligned "$crl" "$spaces" fi else pr_litemagentaln "no parsable output \"$url\", pls report" @@ -2293,7 +2293,7 @@ run_server_defaults() { fi outln - # if we call tls_time before tmpfile_handle it throws an error because the function tls_sockets removed $TMPFILE + # if we call tls_time before tmpfile_handle it throws an error because the function tls_sockets removed $TMPFILE # already -- and that was a different one -- means that would get overwritten anyway tmpfile_handle $FUNCNAME.txt @@ -2429,7 +2429,7 @@ run_spdy() { else # now comes a strange thing: "Protocols advertised by server:" is empty but connection succeeded if echo $tmpstr | egrep -aq "spdy|http" ; then - out "$tmpstr" + out "$tmpstr" outln " (advertised)" ret=0 else @@ -2451,7 +2451,7 @@ starttls_line() { debugme echo -e "\n=== sending \"$1\" ..." echo -e "$1" >&5 - # we don't know how much to read and it's blocking! So we just put a cat into the + # we don't know how much to read and it's blocking! So we just put a cat into the # background and read until $STARTTLS_SLEEP and: cross our fingers cat <&5 >$TMPFILE & wait_kill $! $STARTTLS_SLEEP @@ -2461,7 +2461,7 @@ starttls_line() { if egrep -q "$2" $TMPFILE; then debugme echo "---> reply matched \"$2\"" else - # slow down for exim and friends who need a proper handshake:, see + # slow down for exim and friends who need a proper handshake:, see # https://github.com/drwetter/testssl.sh/issues/218 FAST_STARTTLS=false debugme echo -e "\n=== sending with automated FAST_STARTTLS=false \"$1\" ..." @@ -2547,7 +2547,7 @@ fd_socket() { ;; smtp|smtps) # SMTP, see https://tools.ietf.org/html/rfc4217 $FAST_STARTTLS || starttls_just_read - $FAST_STARTTLS || starttls_line "EHLO testssl.sh" "220|250" && starttls_just_send "EHLO testssl.sh" + $FAST_STARTTLS || starttls_line "EHLO testssl.sh" "220|250" && starttls_just_send "EHLO testssl.sh" starttls_line "STARTTLS" "220" ;; pop3|pop3s) # POP, see https://tools.ietf.org/html/rfc2595 @@ -2575,9 +2575,9 @@ fd_socket() { [[ -z $XMPP_HOST ]] && XMPP_HOST="$NODE" jabber=$(cat < - @@ -2715,7 +2715,7 @@ parse_tls_serverhello() { [[ "$DEBUG" -eq 5 ]] && echo $tls_hello_ascii # one line without any blanks if [[ -z "$tls_hello_ascii" ]]; then - debugme echo "server hello empty, TCP connection closed" + debugme echo "server hello empty, TCP connection closed" return 1 # no server hello received fi @@ -2733,14 +2733,14 @@ parse_tls_serverhello() { if [[ $tls_content_type == "15" ]]; then # TLS ALERT tls_err_level=${tls_hello_ascii:10:2} # 1: warning, 2: fatal - tls_err_descr=${tls_hello_ascii:12:2} # 112/0x70: Unrecognized name, 111/0x6F: certificate_unobtainable, + tls_err_descr=${tls_hello_ascii:12:2} # 112/0x70: Unrecognized name, 111/0x6F: certificate_unobtainable, # 113/0x71: bad_certificate_status_response, #114/0x72: bad_certificate_hash_value if [[ $DEBUG -ge 2 ]]; then echo "tls_protocol (reclyr): 0x$tls_protocol" echo "tls_content_type: 0x$tls_content_type" echo "tls_len_all: $tls_len_all" echo "tls_err_descr: 0x${tls_err_descr} / = $(hex2dec ${tls_err_descr})" - echo "tls_err_level: ${tls_err_level} (warning:1, fatal:2)" + echo "tls_err_level: ${tls_err_level} (warning:1, fatal:2)" fi # now, here comes a strange thing... -- on the first glance # IF an apache 2.2/2.4 server e.g. has a default servername configured but we send SNI @@ -2847,7 +2847,7 @@ socksend_tls_clienthello() { local len_sni_listlen len_sni_ext len_extension_hex local cipher_suites len_ciph_suites len_ciph_suites_word local len_client_hello_word len_all_word - + #len_servername=$(echo ${#NODE}) len_servername=${#NODE} hexdump_format_str="$len_servername/1 \"%02x,\"" @@ -2937,10 +2937,10 @@ socksend_tls_clienthello() { extension_signature_algorithms=" 00, 0d, # Type: signature_algorithms , see RFC 5246 00, 20, # len - 00,1e, 06,01, 06,02, 06,03, 05,01, 05,02, 05,03, + 00,1e, 06,01, 06,02, 06,03, 05,01, 05,02, 05,03, 04,01, 04,02, 04,03, 03,01, 03,02, 03,03, 02,01, 02,02, 02,03" -# Extension: Haertbeat 00 0f +# Extension: Haertbeat 00 0f # len 00 01 # peer allowed to send requests 01 @@ -2968,7 +2968,7 @@ socksend_tls_clienthello() { return 0 } -# arg1: TLS version low byte +# arg1: TLS version low byte # (00: SSLv3, 01: TLS 1.0, 02: TLS 1.1, 03: TLS 1.2) tls_sockets() { local -i ret=0 @@ -3233,7 +3233,7 @@ run_ccs_injection(){ if [[ $DEBUG -ge 3 ]]; then outln "\n1st reply: " out "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20 -# ok: 15 | 0301 | 02 | 02 | 0a +# ok: 15 | 0301 | 02 | 02 | 0a # ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a) # or just timed out outln @@ -3247,7 +3247,7 @@ run_ccs_injection(){ if [[ $DEBUG -ge 3 ]]; then outln "\n2nd reply: " printf -- "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" -# not ok: 15 | 0301 | 02 | 02 | 15 +# not ok: 15 | 0301 | 02 | 02 | 15 # ALERT | TLS 1.0 | Length=2 | Decryption failed (21) # ok: 0a or nothing: ==> RST outln @@ -3297,7 +3297,7 @@ run_renego() { *) pr_litemagentaln "FIXME (bug): $sec_renego" ;; esac else - pr_litemagentaln "handshake didn't succeed" + pr_litemagentaln "handshake didn't succeed" fi pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746 @@ -3320,7 +3320,7 @@ run_renego() { else # We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background # msg enables us to look deeper into it while debugging - echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE & + echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE & wait_kill $! $HEADER_MAXSLEEP if [[ $? -eq 3 ]]; then pr_litegreen "likely not vulnerable (OK)"; outln " (timed out)" # it hung @@ -3353,7 +3353,7 @@ run_crime() { # means anyway "game over", w/wo CRIME # www.h-online.com/security/news/item/Vulnerability-in-SSL-encryption-is-barely-exploitable-1708604.html - [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln + [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln pr_bold " CRIME, TLS " ; out "(CVE-2012-4929) " # first we need to test whether OpenSSL binary has zlib support @@ -3363,11 +3363,11 @@ run_crime() { return 7 fi - [[ "$OSSL_VER" == "*0.9.8*" ]] && addcmd="-no_ssl2" + [[ "$OSSL_VER" == "*0.9.8*" ]] && addcmd="-no_ssl2" $OPENSSL s_client $OPTIMAL_PROTO $BUGS $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $TMPFILE if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then pr_litegreen "not vulnerable (OK)" - if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then + if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then out " (not using HTTP anyway)" fi ret=0 @@ -3573,7 +3573,7 @@ run_freak() { local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5" local addtl_warning="" - [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for FREAK attack " && outln + [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for FREAK attack " && outln pr_bold " FREAK"; out " (CVE-2015-0204) " nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportrsa_cipher_list)) @@ -3615,7 +3615,7 @@ run_logjam() { local -i nr_supported_ciphers=0 local addtl_warning="" - [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln + [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln pr_bold " LOGJAM"; out " (CVE-2015-4000), experimental " nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list)) @@ -3639,7 +3639,7 @@ run_logjam() { $HAS_DH_BITS && addtl_warning="$addtl_warning See below for any DH ciphers + bit size" fi fi - + if [[ $sclient_success -eq 0 ]]; then pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked." else @@ -3725,7 +3725,7 @@ run_beast(){ if [[ $sclient_success -eq 0 ]]; then [[ -n "$higher_proto_supported" ]] && \ pr_yellowln "available" || \ - pr_brownln "available" + pr_brownln "available" else outln "not a/v" @@ -3882,10 +3882,10 @@ get_install_dir() { #INSTALL_DIR=$(cd "$(dirname "$0")" && pwd)/$(basename "$0") INSTALL_DIR=$(dirname ${BASH_SOURCE[0]}) - [[ -r "$RUN_DIR/etc/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/etc/mapping-rfc.txt" + [[ -r "$RUN_DIR/etc/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/etc/mapping-rfc.txt" [[ -r "$INSTALL_DIR/etc/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$INSTALL_DIR/etc/mapping-rfc.txt" # those will disapper: - [[ -r "$RUN_DIR/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/mapping-rfc.txt" + [[ -r "$RUN_DIR/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/mapping-rfc.txt" [[ -r "$INSTALL_DIR/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$INSTALL_DIR/mapping-rfc.txt" # we haven't found the mapping file yet... @@ -3934,7 +3934,7 @@ test_openssl_suffix() { fi return 1 } - + find_openssl_binary() { # 0. check environment variable whether it's executable @@ -4065,7 +4065,7 @@ $PROG_NAME URI ("$PROG_NAME URI" does everything except -E) -t, --starttls does a default run against a STARTTLS enabled --xmpphost for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed --mx tests MX records from high to low priority (STARTTLS, port 25) - --ip a) tests the supplied v4 or v6 address instead of resolving host(s) in URI + --ip a) tests the supplied v4 or v6 address instead of resolving host(s) in URI b) arg "one" means: just test the first DNS returns (useful for multiple IPs) --file mass testing option: Reads command lines from , one line per instance. Comments via # allowed, EOF signals end of . Implicitly turns on "--warnings batch" @@ -4108,7 +4108,7 @@ maketempf() { TEMPDIR=$(mktemp -d /tmp/ssltester.XXXXXX) || exit -6 TMPFILE=$TEMPDIR/tempfile.txt || exit -6 if [[ "$DEBUG" -eq 0 ]]; then - ERRFILE="/dev/null" + ERRFILE="/dev/null" else ERRFILE=$TEMPDIR/errorfile.txt || exit -6 fi @@ -4205,8 +4205,8 @@ mybanner() { $PROG_NAME $VERSION from $SWURL ($idtag) - This program is free software. Distribution and - modification under GPLv2 permitted. + This program is free software. Distribution and + modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ @@ -4223,9 +4223,9 @@ EOF cwd=$(/bin/pwd) || \ cwd=$RUN_DIR if [[ "$openssl_location" =~ $(/bin/pwd)/bin ]]; then - echo "\$PWD/bin/$(basename "$openssl_location")" + echo "\$PWD/bin/$(basename "$openssl_location")" elif [[ "$openssl_location" =~ $cwd ]] && [[ "$cwd" != '.' ]]; then - echo "${openssl_location%%$cwd}" + echo "${openssl_location%%$cwd}" else echo "$openssl_location" fi @@ -4235,7 +4235,7 @@ EOF cleanup () { if [[ "$DEBUG" -ge 1 ]]; then - outln + outln pr_underline "DEBUG (level $DEBUG): see files in $TEMPDIR" outln else @@ -4393,7 +4393,7 @@ filter_ip4_address() { get_local_aaaa() { local ip6="" local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" - + # for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution ip6=$(grep -wh "$NODE" $etchosts 2>/dev/null | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }') if is_ipv6addr "$ip6"; then @@ -4406,7 +4406,7 @@ get_local_aaaa() { get_local_a() { local ip4="" local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" - + # for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution ip4=$(grep -wh "$1" $etchosts 2>/dev/null | egrep -v ':|^#' | egrep "[[:space:]]$1" | awk '{ print $1 }') if is_ipv4addr "$ip4"; then @@ -4417,8 +4417,8 @@ get_local_a() { } check_resolver_bins() { - if ! which dig &> /dev/null && ! which drill &> /dev/null && ! which host &> /dev/null && ! which nslookup &>/dev/null; then - fatal "Neither \"dig\", \"drill\", \"host\" or \"nslookup\" is present" "-3" + if ! which dig &> /dev/null && ! which host &> /dev/null && ! which nslookup &>/dev/null; then + fatal "Neither \"dig\", \"host\" or \"nslookup\" is present" "-3" fi return 0 } @@ -4446,10 +4446,6 @@ get_a_record() { which host &> /dev/null && \ ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | grep -v alias | sed 's/^.*address //')) fi - if [[ -z "$ip4" ]]; then - which drill &> /dev/null && \ - ip4=$(filter_ip4_address $(drill a "$1" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')) - fi if [[ -z "$ip4" ]]; then if which nslookup &>/dev/null; then # filtering from Name to EOF, remove iline with 'Name', the filter out non-numbers and ".'", and empty lines @@ -4479,9 +4475,8 @@ get_aaaa_record() { ip6=$(filter_ip6_address $(host -t aaaa "$NODE" | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //')) elif which dig &> /dev/null; then ip6=$(filter_ip6_address $(dig +short -t aaaa "$NODE" 2>/dev/null)) - elif which drill &> /dev/null; then - ip6=$(filter_ip6_address $(drill aaaa "$NODE" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/^\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')) elif which nslookup &>/dev/null; then + # same as above. Only we're using grep -A instead of awk ip6=$(filter_ip6_address $(nslookup -type=aaaa "$NODE" 2>/dev/null | grep -A10 Name | grep -v Name)) fi fi @@ -4490,7 +4485,7 @@ get_aaaa_record() { } -# now get all IP addresses +# now get all IP addresses determine_ip_addresses() { local ip4="" local ip6="" @@ -4506,7 +4501,7 @@ determine_ip_addresses() { else LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl fi - # same now for ipv6 + # same now for ipv6 ip6=$(get_local_aaaa $NODE) if [[ -z $ip6 ]]; then check_resolver_bins @@ -4549,8 +4544,6 @@ determine_rdns() { rDNS=$(dig -x $NODEIP +noall +answer | awk '/PTR/ { print $NF }') # +short returns also CNAME, e.g. openssl.org elif which host &> /dev/null; then rDNS=$(host -t PTR $NODEIP 2>/dev/null | awk '/pointer/ { print $NF }') - elif which drill &> /dev/null; then - rDNS=$(drill -x ptr $NODEIP 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d') elif which nslookup &> /dev/null; then rDNS=$(nslookup -type=PTR $NODEIP 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//') fi @@ -4570,12 +4563,10 @@ get_mx_record() { mxs=$(host -t MX "$1" 2>/dev/null | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//') elif which dig &> /dev/null; then mxs=$(dig +short -t MX "$1" 2>/dev/null) - elif which drill &> /dev/null; then - mxs=$(drill mx "$1" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d') elif which nslookup &> /dev/null; then mxs=$(nslookup -type=MX "$1" 2>/dev/null | grep 'mail exchanger = ' | sed 's/^.*mail exchanger = //g') else - fatal "No dig, drill, host or nslookup" -3 + fatal "No dig, host or nslookup" -3 fi OPENSSL_CONF="$saved_openssl_conf" echo "$mxs" @@ -4614,10 +4605,10 @@ sclient_auth() { [[ $1 -eq 0 ]] && return 0 # no client auth (CLIENT_AUTH=false is preset globally) if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then # connect succeeded if grep -q '^<<< .*CertificateRequest' "$2"; then # CertificateRequest message in -msg - CLIENT_AUTH=true + CLIENT_AUTH=true return 0 fi - if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session + if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then # do another sanity check to be sure CLIENT_AUTH=false NO_SSL_SESSIONID=true # NO_SSL_SESSIONI is preset globally to false for all other cases @@ -4630,7 +4621,7 @@ sclient_auth() { } -# this function determines OPTIMAL_PROTO. It is a workaround function as under certain circumstances +# this function determines OPTIMAL_PROTO. It is a workaround function as under certain circumstances # (e.g. IIS6.0 and openssl 1.0.2 as opposed to 1.0.1) needs a protocol otherwise s_client -connect will fail! # Circumstances observed so far: 1.) IIS 6 2.) starttls + dovecot imap # The first try in the loop is empty as we prefer not to specify always a protocol if it works w/o. @@ -4687,7 +4678,7 @@ determine_optimal_proto() { # arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap (maybe with trailing s) determine_service() { - local ua + local ua local protocol if ! fd_socket; then # check if we can connect to $NODEIP:$PORT @@ -4699,8 +4690,8 @@ determine_service() { datebanner " Start" outln - if [[ -z "$1" ]]; then - # no STARTTLS. + if [[ -z "$1" ]]; then + # no STARTTLS. determine_optimal_proto "$1" $SNEAKY && \ ua="$UA_SNEAKY" || \ @@ -4710,7 +4701,7 @@ determine_service() { GET_REQ10="GET $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n" HEAD_REQ10="HEAD $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n" runs_HTTP $OPTIMAL_PROTO - else + else # STARTTLS protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc case "$protocol" in @@ -4796,7 +4787,7 @@ draw_line() { mx_all_ips() { local mxs mx - local mxport + local mxport local -i ret=0 STARTTLS_PROTOCOL="smtp" @@ -4811,7 +4802,7 @@ mx_all_ips() { for mx in $mxs; do draw_line "-" $((TERM_DWITH * 2 / 3)) outln - parse_hn_port "$mx:$mxport" + parse_hn_port "$mx:$mxport" determine_ip_addresses || continue if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" @@ -4854,7 +4845,7 @@ run_mass_testing() { -# This initializes boolean global do_* variables. They keep track of what to do +# This initializes boolean global do_* variables. They keep track of what to do # -- as the name insinuates initialize_globals() { do_allciphers=false @@ -4941,7 +4932,7 @@ debug_globals() { # arg1+2 are just the options parse_opt_equal_sign() { if [[ "$1" == *=* ]]; then - echo "$1" | awk -F'=' '{ print $2 }' + echo "$1" | awk -F'=' '{ print $2 }' return 1 # = means we don't need to shift args! else echo $2 @@ -4957,7 +4948,7 @@ parse_cmd_line() { while [[ $# -gt 0 ]]; do case $1 in -h|--help) - help 0 + help 0 ;; -b|--banner|-v|--version) find_openssl_binary @@ -4971,11 +4962,11 @@ parse_cmd_line() { ;; --mx465) # doesn't work with major ISPs do_mx_all_ips=true - PORT=465 + PORT=465 ;; --mx587) # doesn't work with major ISPs do_mx_all_ips=true - PORT=587 + PORT=587 ;; --ip|--ip=*) CMDLINE_IP=$(parse_opt_equal_sign "$1" "$2") @@ -4987,7 +4978,7 @@ parse_cmd_line() { mybanner openssl_age prettyprint_local $(parse_opt_equal_sign "$1" "$2") - exit $? + exit $? ;; -x|-x=*|--single[-_]cipher|--single[-_]cipher=*) do_test_just_one=true @@ -5047,15 +5038,15 @@ parse_cmd_line() { do_logjam=true do_beast=true do_rc4=true - VULN_COUNT=10 + VULN_COUNT=10 ;; -B|--heartbleed) do_heartbleed=true - let "VULN_COUNT++" + let "VULN_COUNT++" ;; -I|--ccs|--ccs[-_]injection) do_ccs_injection=true - let "VULN_COUNT++" + let "VULN_COUNT++" ;; -R|--renegotiation) do_renego=true @@ -5103,16 +5094,16 @@ parse_cmd_line() { # DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0 # DEBUG=3 ./testssl.sh --devel 00 # DEBUG=3 ./testssl.sh --devel 22 - TLS_LOW_BYTE="$2"; + TLS_LOW_BYTE="$2"; if [[ $# -eq 4 ]]; then # protocol AND ciphers specified HEX_CIPHER="$3" shift fi shift do_tls_sockets=true - outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}" + outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}" ;; - --wide) + --wide) WIDE=true ;; --assuming[_-]http|--assume[-_]http) @@ -5133,27 +5124,27 @@ parse_cmd_line() { do_mass_testing=true ;; --warnings|--warnings=*) - WARNINGS=$(parse_opt_equal_sign "$1" "$2") + WARNINGS=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift case "$WARNINGS" in batch|off|false) ;; - *) pr_magentaln "\nwarnings can be either \"batch\", \"off\" or \"false\"" + *) pr_magentaln "\nwarnings can be either \"batch\", \"off\" or \"false\"" help 1 esac ;; --show[-_]each) SHOW_EACH_C=1 #FIXME: sense is vice versa - ;; + ;; --bugs) BUGS="-bugs" - ;; + ;; --debug|--debug=*) DEBUG=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift case $DEBUG in [0-6]) ;; *) pr_magentaln "\nunrecognized debug value \"$1\", must be between 0..6" 1>&2 - help 1 + help 1 esac ;; --color|--color=*) @@ -5167,14 +5158,14 @@ parse_cmd_line() { esac ;; --log|--logging) - do_logging=true + do_logging=true ;; # DEFINITION of LOGFILE if no arg specified via ENV or automagically in parse_hn_ports() # following does the same but we can specify a log location additionally --logfile=*) LOGFILE=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift - do_logging=true - ;; + do_logging=true + ;; --openssl|--openssl=*) OPENSSL=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift @@ -5193,12 +5184,12 @@ parse_cmd_line() { SSL_NATIVE=true ;; (--) shift - break + break ;; (-*) pr_magentaln "\n$0: unrecognized option \"$1\"" 1>&2; - help 1 + help 1 ;; - (*) break + (*) break ;; esac shift @@ -5295,7 +5286,7 @@ lets_roll() { $do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); } outln - datebanner " Done" + datebanner " Done" return $ret } @@ -5327,14 +5318,14 @@ if $do_mx_all_ips; then [[ $? -eq 1 ]] && set_scanning_defaults mx_all_ips "${URI}" $PORT ret=$? -else +else parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now if ! determine_ip_addresses && [[ -z "$CMDLINE_IP" ]]; then fatal "No IP address could be determined" fi - if [[ -n "$CMDLINE_IP" ]]; then + if [[ -n "$CMDLINE_IP" ]]; then [[ "$CMDLINE_IP" == "one" ]] && \ - CMDLINE_IP=$(echo -n "$IPADDRs" | awk '{ print $1 }') + CMDLINE_IP=$(echo -n "$IPADDRs" | awk '{ print $1 }') NODEIP="$CMDLINE_IP" # specific ip address for NODE was supplied lets_roll "${STARTTLS_PROTOCOL}" ret=$?