diff --git a/testssl.sh b/testssl.sh index f6968ca..f284f1c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3,7 +3,7 @@ # vim:ts=5:sw=5:expandtab # we have a spaces softtab, that ensures readability with other editors too -[ -z "$BASH_VERSINFO" ] && printf "\n\033[1;35m Please make sure you're using \"bash\"! Bye...\033[m\n\n" >&2 && exit 245 +[ -z "$BASH_VERSINFO" ] && printf "\n\033[1;35m Please make sure you're using \"bash\"! Bye...\033[m\n\n" >&2 && exit 245 [ $(kill -l | grep -c SIG) -eq 0 ] && printf "\n\033[1;35m Please make sure you're calling me without leading \"sh\"! Bye...\033[m\n\n" >&2 && exit 245 # testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some @@ -20,33 +20,33 @@ # license permitted. # If you enclose this script or parts of it in your software, it has to # be accompanied by the same license (see link) and the place where to get -# the recent version of this program. Do not violate the license andif +# the recent version of this program. Do not violate the license andif # you do not agree to all of these terms, do not use it in the first place. # # OpenSSL which is being used and maybe distributed via one of this projects' # web site is subject to their licensing: https://www.openssl.org/source/license.txt -# +# # The client simulation data comes from SSLlabs and is licensed to the 'Qualys SSL Labs # Terms of Use' (v2.2), see https://www.ssllabs.com/downloads/Qualys_SSL_Labs_Terms_of_Use.pdf, # stating a CC BY 3.0 US license: https://creativecommons.org/licenses/by/3.0/us/ # -# Please note: USAGE WITHOUT ANY WARRANTY, THE SOFTWARE IS PROVIDED "AS IS". +# Please note: USAGE WITHOUT ANY WARRANTY, THE SOFTWARE IS PROVIDED "AS IS". # -# USE IT AT your OWN RISK! +# USE IT AT your OWN RISK! # Seriously! The threat is you run this code on your computer and input could be / # is being supplied via untrusted sources. -# HISTORY: +# HISTORY: # Back in 2006 it all started with a few openssl commands... -# That's because openssl is a such a good swiss army knife (see e.g. -# wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist -# wrapping some shell commands around it, which I used for my pen tests. This is how +# That's because openssl is a such a good swiss army knife (see e.g. +# wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist +# wrapping some shell commands around it, which I used for my pen tests. This is how # everything started. # Now it has grown up, it has bash socket support for some features which basically replacing # more and more functions of OpenSSL and will serve as some kind of library in the future. # The socket checks in bash may sound cool and unique -- they are -- but probably you # can achieve e.g. the same result with my favorite interactive shell: zsh (zmodload zsh/net/socket -# -- checkout zsh/net/tcp) too! +# -- checkout zsh/net/tcp) too! # /bin/bash though is way more often used within Linux and it's perfect # for cross platform support, see MacOS X and also under Windows the MSYS2 extension or Cygwin. # Cross-platform is one of the three main goals of this script. Second: Ease of installation. @@ -60,8 +60,8 @@ # internet. And those examples above 4) are 3rd parties. If these restrictions are all fine # with you and you need a management compatible rating -- go ahead and use those. -# But also if your fine with those restrictions: testssl.sh is meant as a tool in your hand -# and it's way more flexible. +# But also if your fine with those restrictions: testssl.sh is meant as a tool in your hand +# and it's way more flexible. # # Oh, and did I mention testssl.sh is open source? @@ -70,7 +70,7 @@ # are disabled as they'll impact security otherwise. For security # testing though we need all broken features. testssl.sh will # over time replace those checks with bash sockets -- however it's -# still recommended to use the supplied binaries or cook your own, see +# still recommended to use the supplied binaries or cook your own, see # https://github.com/drwetter/testssl.sh/blob/master/bin/Readme.md . # Don't worry if feature X is not available you'll get a warning about # this missing feature! The idea is if this script can't tell something @@ -108,7 +108,7 @@ if git log &>/dev/null; then else readonly REL_DATE=$(tail -5 "$0" | awk '/dirkw Exp/ { print $5 }') fi -readonly SYSTEM=$(uname -s) +readonly SYSTEM=$(uname -s) date --help >/dev/null 2>&1 && \ readonly HAS_GNUDATE=true || \ readonly HAS_GNUDATE=false @@ -134,14 +134,14 @@ TERM_CURRPOS=0 # custom line wrapping ne declare -x OPENSSL COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all SHOW_EACH_C=${SHOW_EACH_C:-0} # where individual ciphers are tested show just the positively ones tested #FIXME: upside down value -SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual? +SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual? QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native" ASSUMING_HTTP=${ASSUMING_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5 -DEBUG=${DEBUG:-0} # 1.: the temp files won't be erased. +DEBUG=${DEBUG:-0} # 1.: the temp files won't be erased. # 2: list more what's going on (formerly: eq VERBOSE=1, VERBERR=true), lists some errors of connections - # 3: slight hexdumps + other info, + # 3: slight hexdumps + other info, # 4: display bytes sent via sockets, 5: display bytes received via sockets, 6: whole 9 yards WIDE=${WIDE:-false} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc. LOGFILE=${LOGFILE:-""} # logfile if used @@ -173,7 +173,7 @@ IKNOW_FNAME=false # further global vars just declared here readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1" -# alpn_protos needs to be space-separated, not comma-seperated +# alpn_protos needs to be space-separated, not comma-seperated readonly ALPN_PROTOs="h2 h2-17 h2-16 h2-15 h2-14 spdy/3.1 http/1.1" TEMPDIR="" TMPFILE="" @@ -298,7 +298,7 @@ readonly SSLv2_CLIENT_HELLO=" ###### output functions ###### -# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest. +# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest. out() { /usr/bin/printf -- "${1//%/%%}"; } outln() { out "$1\n"; } #TODO: Still no shell injection safe but if just run it from the cmd line: that's fine @@ -331,10 +331,10 @@ pr_greyln() { pr_grey "$1"; outln; } pr_litegreen() { [[ "$COLOR" -eq 2 ]] && out "\033[0;32m$1" || out "$1"; pr_off; } # This is good pr_litegreenln() { pr_litegreen "$1"; outln; } -pr_green() { [[ "$COLOR" -eq 2 ]] && out "\033[1;32m$1" || out "$1"; pr_off; } # This is the best +pr_green() { [[ "$COLOR" -eq 2 ]] && out "\033[1;32m$1" || out "$1"; pr_off; } # This is the best pr_greenln() { pr_green "$1"; outln; } -pr_yellow() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem +pr_yellow() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem pr_yellowln() { pr_yellow "$1"; outln; } pr_brown() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this pr_brownln() { pr_brown "$1"; outln; } @@ -344,7 +344,7 @@ pr_brownln() { pr_brown "$1"; outln; } pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m\c"; } pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; } pr_boldln() { pr_bold "$1" ; outln; } -pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; } +pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; } pr_underline() { [[ "$COLOR" -ne 0 ]] && out "\033[4m$1" || out "$1"; pr_off; } pr_reverse() { [[ "$COLOR" -ne 0 ]] && out "\033[7m$1" || out "$1"; pr_off; } pr_reverse_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[7m\033[1m$1" || out "$1"; pr_off; } @@ -542,7 +542,7 @@ is_ipv6addr() { #check on chars allowed: [[ -n "$(tr -d '0-9:a-fA-F ' <<< "$1" | sed -e '/^$/d')" ]] && \ return 1 - return 0 + return 0 } @@ -668,7 +668,7 @@ run_http_header() { if [[ $? -eq 0 ]]; then # we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it # again in the foreground ito get an ccurate header time! - printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE + printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE NOW_TIME=$(date "+%s") HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE) HAD_SLEPT=0 @@ -702,11 +702,11 @@ run_http_header() { pr_bold " HTTP Status Code " [[ -z "$status_code" ]] && pr_litemagentaln "No status code" && return 3 - out " $status_code$msg_thereafter" + out " $status_code$msg_thereafter" case $status_code in 301|302|307|308) redirect=`$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')` - out ", redirecting to \"$redirect\"" + out ", redirecting to \"$redirect\"" if [[ $redirect != "https://"* ]]; then pr_litered " -- Redirect to insecure URL (NOT ok)" output_finding "status_code" "$NODEIP" "$PORT" "NOT OK" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\"" @@ -714,39 +714,39 @@ run_http_header() { output_finding "status_code" "$NODEIP" "$PORT" "info" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter, redirecting to \"$redirect\"" ;; - 200) + 200) output_finding "status_code" "$NODEIP" "$PORT" "info" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter" ;; - 206) - out " -- WTF?" + 206) + out " -- WTF?" output_finding "status_code" "$NODEIP" "$PORT" "info" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter -- WTF?" ;; - 400) - pr_litemagenta " (Hint: better try another URL)" + 400) + pr_litemagenta " (Hint: better try another URL)" output_finding "status_code" "$NODEIP" "$PORT" "info" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter (Hint: better try another URL)" ;; - 401) + 401) grep -aq "^WWW-Authenticate" $HEADERFILE && out " "; strip_lf "$(grep -a "^WWW-Authenticate" $HEADERFILE)" output_finding "status_code" "$NODEIP" "$PORT" "info" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter $(grep -a "^WWW-Authenticate" $HEADERFILE)" ;; - 403) + 403) output_finding "status_code" "$NODEIP" "$PORT" "info" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter" ;; - 404) - out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" + 404) + out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" output_finding "status_code" "$NODEIP" "$PORT" "info" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" - ;; - 405) + ;; + 405) output_finding "status_code" "$NODEIP" "$PORT" "info" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter" ;; - *) + *) pr_litemagenta ". Oh, didn't expect a $status_code$msg_thereafter" output_finding "status_code" "$NODEIP" "$PORT" "info" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter" @@ -767,7 +767,7 @@ detect_ipv4() { local first=true local spaces=" " local count - + if [[ ! -s $HEADERFILE ]]; then run_http_header "$1" || return 3 fi @@ -776,7 +776,7 @@ detect_ipv4() { # also facebook has a CSP rule for 127.0.0.1 if egrep -vi "pagespeed|page-speed|Content-Security-Policy" $HEADERFILE | grep -iqE "$ipv4address"; then pr_bold " IPv4 address in header " - count=0 + count=0 while read line; do result="$(grep -E "$ipv4address" <<< "$line")" result=$(strip_lf "$result") @@ -794,7 +794,7 @@ detect_ipv4() { count=$count+1 done < $HEADERFILE fi -} +} run_http_date() { @@ -927,7 +927,7 @@ run_hpkp() { out "\n$spaces using first " first_hpkp_header=`awk -F':' '/Public-Key-Pins/ { print $1 }' $HEADERFILE | head -1` pr_italic "$first_hpkp_header, " - output_finding "hpkp_multiple" "$NODEIP" "$PORT" "WARN" "Multiple HPKP headers\n$hpkp_headers\nUsing first header: $first_hpkp_header" + output_finding "hpkp_multiple" "$NODEIP" "$PORT" "WARN" "Multiple HPKP headers\n$hpkp_headers\nUsing first header: $first_hpkp_header" fi # remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is @@ -941,10 +941,10 @@ run_hpkp() { out "# of keys: " if [[ $hpkp_nr_keys -eq 1 ]]; then pr_litered "1 (NOT ok), " - output_finding "hpkp_keys" "$NODEIP" "$PORT" "NOT OK" "Only one key pinned in HPKP header, this means the site may become unavaiable if the key is revoked" + output_finding "hpkp_keys" "$NODEIP" "$PORT" "NOT OK" "Only one key pinned in HPKP header, this means the site may become unavaiable if the key is revoked" else out "$hpkp_nr_keys, " - output_finding "hpkp_keys" "$NODEIP" "$PORT" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked" + output_finding "hpkp_keys" "$NODEIP" "$PORT" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked" fi # print key=value pair with awk, then strip non-numbers, to be improved with proper parsing of key-value with awk @@ -952,20 +952,20 @@ run_hpkp() { hpkp_age_days=$((hpkp_age_sec / 86400)) if [[ $hpkp_age_days -ge $HPKP_MIN ]]; then pr_litegreen "$hpkp_age_days days" ; out "=$hpkp_age_sec s" - output_finding "hpkp_age" "$NODEIP" "$PORT" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)" + output_finding "hpkp_age" "$NODEIP" "$PORT" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)" else out "$hpkp_age_sec s = " pr_brown "$hpkp_age_days days (<$HPKP_MIN days is not good enough)" - output_finding "hpkp_age" "$NODEIP" "$PORT" "NOT OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough." + output_finding "hpkp_age" "$NODEIP" "$PORT" "NOT OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough." fi if includeSubDomains "$TMPFILE"; then - output_finding "hpkp_subdomains" "$NODEIP" "$PORT" "INFO" "HPKP header is valid for subdomains as well" + output_finding "hpkp_subdomains" "$NODEIP" "$PORT" "INFO" "HPKP header is valid for subdomains as well" else - output_finding "hpkp_subdomains" "$NODEIP" "$PORT" "INFO" "HPKP header is valid for this domain only" + output_finding "hpkp_subdomains" "$NODEIP" "$PORT" "INFO" "HPKP header is valid for this domain only" fi if preload "$TMPFILE"; then - output_finding "hpkp_preload" "$NODEIP" "$PORT" "INFO" "HPKP header is marked for browser preloading" + output_finding "hpkp_preload" "$NODEIP" "$PORT" "INFO" "HPKP header is marked for browser preloading" else output_finding "hpkp_preload" "$NODEIP" "$PORT" "INFO" "HPKP header is NOT marked for browser preloading" fi @@ -1046,7 +1046,7 @@ run_server_banner() { output_finding "serverbanner" "$NODEIP" "$PORT" "INFO" "\"Server\" banner exists but empty string" else emphasize_stuff_in_headers "$serverbanner" - output_finding "serverbanner" "$NODEIP" "$PORT" "INFO" "\"Server\" banner identified: $serverbanner" + output_finding "serverbanner" "$NODEIP" "$PORT" "INFO" "\"Server\" banner identified: $serverbanner" if [[ "$serverbanner" = *Microsoft-IIS/6.* ]] && [[ $OSSL_VER == 1.0.2* ]]; then pr_litemagentaln " It's recommended to run another test w/ OpenSSL 1.01 !" # see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892 @@ -1074,7 +1074,7 @@ run_rp_banner() { run_http_header "$1" || return 3 fi pr_bold " Reverse Proxy banner " - egrep -ai '^Via:|^X-Cache|^X-Squid|^X-Varnish:|^X-Server-Name:|^X-Server-Port:|^x-forwarded' $HEADERFILE >$TMPFILE + egrep -ai '^Via:|^X-Cache|^X-Squid|^X-Varnish:|^X-Server-Name:|^X-Server-Port:|^x-forwarded' $HEADERFILE >$TMPFILE if [[ $? -ne 0 ]]; then outln "--" output_finding "rp_header" "$NODEIP" "$PORT" "INFO" "No reverse proxy banner found" @@ -1132,7 +1132,7 @@ run_application_banner() { run_cookie_flags() { # ARG1: Path, ARG2: path local -i nr_cookies local nr_httponly nr_secure - local negative_word + local negative_word if [[ ! -s $HEADERFILE ]]; then run_http_header "$1" || return 3 @@ -1194,7 +1194,7 @@ run_more_flags() { fi pr_bold " Security headers " # convert spaces to | (for egrep) - egrep_pattern=$(echo "$good_flags2test $other_flags2test"| sed -e 's/ /|\^/g' -e 's/^/\^/g') + egrep_pattern=$(echo "$good_flags2test $other_flags2test"| sed -e 's/ /|\^/g' -e 's/^/\^/g') egrep -ai "$egrep_pattern" $HEADERFILE >$TMPFILE if [[ $? -ne 0 ]]; then outln "--" @@ -1332,7 +1332,7 @@ std_cipherlists() { case $3 in 0) # ok to offer if [[ $sclient_success -eq 0 ]]; then - pr_greenln "offered (OK)" + pr_greenln "offered (OK)" output_finding "std_$4" "$NODEIP" "$PORT" "OK" "$2 offered (OK)" else pr_brownln "not offered (NOT ok)" @@ -1341,7 +1341,7 @@ std_cipherlists() { ;; 1) # the ugly ones if [[ $sclient_success -eq 0 ]]; then - pr_redln "offered (NOT ok)" + pr_redln "offered (NOT ok)" output_finding "std_$4" "$NODEIP" "$PORT" "NOT OK" "$2 offered (NOT OK) - ugly" else pr_greenln "not offered (OK)" @@ -1350,16 +1350,16 @@ std_cipherlists() { ;; 2) # bad but not worst if [[ $sclient_success -eq 0 ]]; then - pr_literedln "offered (NOT ok)" + pr_literedln "offered (NOT ok)" output_finding "std_$4" "$NODEIP" "$PORT" "NOT OK" "$2 offered (NOT OK) - bad" else pr_litegreenln "not offered (OK)" output_finding "std_$4" "$NODEIP" "$PORT" "OK" "$2 not offered (OK)" fi ;; - 3) # not totally bad + 3) # not totally bad if [[ $sclient_success -eq 0 ]]; then - pr_brownln "offered (NOT ok)" + pr_brownln "offered (NOT ok)" output_finding "std_$4" "$NODEIP" "$PORT" "NOT OK" "$2 offered (NOT OK) - not too bad" else outln "not offered (OK)" @@ -1493,7 +1493,7 @@ test_just_one(){ normalize_ciphercode $hexcode # is argument a number? if [[ $arg =~ $re ]]; then - neat_list $HEXC $ciph $kx $enc | grep -qai "$arg" + neat_list $HEXC $ciph $kx $enc | grep -qai "$arg" else neat_list $HEXC $ciph $kx $enc | grep -qwai "$arg" fi @@ -1553,7 +1553,7 @@ run_allciphers(){ if [[ $sclient_success -ne 0 ]] && [[ "$SHOW_EACH_C" -eq 0 ]]; then continue # no successful connect AND not verbose displaying each cipher fi - normalize_ciphercode $hexcode + normalize_ciphercode $hexcode if [[ $kx == "Kx=ECDH" ]] || [[ $kx == "Kx=DH" ]] || [[ $kx == "Kx=EDH" ]]; then dhlen=$(read_dhbits_from_file $TMPFILE quiet) kx="$kx $dhlen" @@ -1625,7 +1625,7 @@ run_cipher_per_proto(){ } run_client_simulation() { - # Runs browser simulations. Browser capabilities gathered from: + # Runs browser simulations. Browser capabilities gathered from: # https://www.ssllabs.com/ssltest/clients.html on 10 jan 2016 local names=() local short=() @@ -1885,7 +1885,7 @@ run_client_simulation() { names+=("OpenSSL 1.0.2 ") short+=("openssl102") protos+=("-no_ssl2") - ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5") + ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5") tlsvers+=("-tls1_2 -tls1_1 -tls1") sni+=("$SNI") #warning+=("Tests are based on OpenSSL 1.01, therefore ciphers 0xe and 0xb are missing") @@ -1971,7 +1971,7 @@ run_client_simulation() { for name in "${short[@]}"; do #FIXME: printf formatting would look better, especially if we want a wide option here out " ${names[i]} " - $OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE + $OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE + $OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE debugme echo "$OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE $ERRFILE >$TMPFILE if ! sclient_connect_successful $? $TMPFILE; then pr_litemagenta "no matching cipher in this list found (pls report this): " @@ -2388,37 +2388,37 @@ run_server_preference() { fi default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') case "$default_proto" in - *TLSv1.2) - pr_greenln $default_proto + *TLSv1.2) + pr_greenln $default_proto output_finding "order_proto" "$NODEIP" "$PORT" "OK" "Default protocol TLS1.2 (OK)" ;; - *TLSv1.1) - pr_litegreenln $default_proto + *TLSv1.1) + pr_litegreenln $default_proto output_finding "order_proto" "$NODEIP" "$PORT" "OK" "Default protocol TLS1.1 (OK)" ;; - *TLSv1) - outln $default_proto + *TLSv1) + outln $default_proto output_finding "order_proto" "$NODEIP" "$PORT" "INFO" "Default protocol TLS1.0" ;; - *SSLv2) - pr_redln $default_proto + *SSLv2) + pr_redln $default_proto output_finding "order_proto" "$NODEIP" "$PORT" "NOT OK" "Default protocol SSLv2" ;; - *SSLv3) - pr_redln $default_proto + *SSLv3) + pr_redln $default_proto output_finding "order_proto" "$NODEIP" "$PORT" "NOT OK" "Default protocol SSLv3" ;; - "") + "") pr_litemagenta "default proto empty" if [[ $OSSL_VER == 1.0.2* ]]; then - outln " (Hint: if IIS6 give OpenSSL 1.01 a try)" + outln " (Hint: if IIS6 give OpenSSL 1.01 a try)" output_finding "order_proto" "$NODEIP" "$PORT" "WARN" "Default protocol empty (Hint: if IIS6 give OpenSSL 1.01 a try)" else output_finding "order_proto" "$NODEIP" "$PORT" "WARN" "Default protocol empty" - fi - ;; - *) - pr_litemagenta "FIXME line $LINENO: $default_proto" + fi + ;; + *) + pr_litemagenta "FIXME line $LINENO: $default_proto" output_finding "order_proto" "$NODEIP" "$PORT" "WARN" "FIXME line $LINENO: $default_proto" ;; esac @@ -2426,38 +2426,38 @@ run_server_preference() { pr_bold " Negotiated cipher " default_cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') case "$default_cipher" in - *NULL*|*EXP*) - pr_red "$default_cipher" + *NULL*|*EXP*) + pr_red "$default_cipher" output_finding "order_cipher" "$NODEIP" "$PORT" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok)\n$remark4default_cipher" ;; - *RC4*) - pr_litered "$default_cipher" + *RC4*) + pr_litered "$default_cipher" output_finding "order_cipher" "$NODEIP" "$PORT" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok)\n$remark4default_cipher" ;; - *CBC*) - pr_brown "$default_cipher" + *CBC*) + pr_brown "$default_cipher" output_finding "order_cipher" "$NODEIP" "$PORT" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok)\n$remark4default_cipher" ;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list - *GCM*|*CHACHA20*) - pr_green "$default_cipher" + *GCM*|*CHACHA20*) + pr_green "$default_cipher" output_finding "order_cipher" "$NODEIP" "$PORT" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (OK)\n$remark4default_cipher" ;; # best ones - ECDHE*AES*) - pr_yellow "$default_cipher" + ECDHE*AES*) + pr_yellow "$default_cipher" output_finding "order_cipher" "$NODEIP" "$PORT" "WARN" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc)\n$remark4default_cipher" ;; # it's CBC. --> lucky13 - "") - pr_litemagenta "default cipher empty" ; + "") + pr_litemagenta "default cipher empty" ; if [[ $OSSL_VER == 1.0.2* ]]; then - out " (Hint: if IIS6 give OpenSSL 1.01 a try)" + out " (Hint: if IIS6 give OpenSSL 1.01 a try)" output_finding "order_cipher" "$NODEIP" "$PORT" "WARN" "Default cipher empty (Hint: if IIS6 give OpenSSL 1.01 a try)\n$remark4default_cipher" else output_finding "order_cipher" "$NODEIP" "$PORT" "WARN" "Default cipher empty\n$remark4default_cipher" fi ;; - *) - out "$default_cipher" + *) + out "$default_cipher" output_finding "order_cipher" "$NODEIP" "$PORT" "INFO" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE")\n$remark4default_cipher" ;; esac @@ -2612,7 +2612,7 @@ get_all_certs() { pr_litemagenta "problem getting all certs" savedir=$(pwd); cd $TEMPDIR # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ - awk -v n=-1 '/-----BEGIN CERTIFICATE-----/{ inc=1; n++ } + awk -v n=-1 '/-----BEGIN CERTIFICATE-----/{ inc=1; n++ } inc { print > ("level" n ".crt") } /---END CERTIFICATE-----/{ inc=0 }' $TEMPDIR/allcerts.txt nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)") @@ -2643,7 +2643,7 @@ verify_retcode_helper() { determine_trust() { local i=1 local bundle_fname - local -a certificate_file verify_retcode trust + local -a certificate_file verify_retcode trust local ok_was="" local notok_was="" local code @@ -2664,7 +2664,7 @@ determine_trust() { for bundle_fname in $ca_bundles; do certificate_file[i]=$(basename $bundle_fname | sed 's/\.pem//') if [[ ! -r $bundle_fname ]]; then - pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable" + pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable" return 7 fi debugme printf -- " %-12s" "${certificate_file[i]}" @@ -2684,11 +2684,11 @@ determine_trust() { debugme out " " # all stores ok if ${trust[1]} && ${trust[2]} && ${trust[3]} && ${trust[4]}; then - pr_litegreen "Ok " + pr_litegreen "Ok " output_finding "trust" "$NODEIP" "$PORT" "OK" "All certificate trust checks passed.\n$addtl_warning" # at least one failed else - pr_red "NOT ok" + pr_red "NOT ok" # all failed (we assume with the same issue) if ! ${trust[1]} && ! ${trust[2]} && ! ${trust[3]} && ! ${trust[4]}; then verify_retcode_helper "${verify_retcode[2]}" @@ -2761,7 +2761,7 @@ tls_time() { sclient_connect_successful() { [[ $1 -eq 0 ]] && return 0 [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0 - # second check saved like + # second check saved like # fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1 # what's left now is: master key empty and Session-ID not empty ==> probably client based auth with x509 certificate return 1 @@ -2825,7 +2825,7 @@ run_server_defaults() { outln "(none)" output_finding "tls_extensions" "$NODEIP" "$PORT" "INFO" "TLS server extensions (std): (none)" else - #echo $extensions | sed 's/ /,/g' + #echo $extensions | sed 's/ /,/g' outln "$TLS_EXTENSIONS" output_finding "tls_extensions" "$NODEIP" "$PORT" "INFO" "TLS server extensions (std): $TLS_EXTENSIONS" fi @@ -2845,7 +2845,7 @@ run_server_defaults() { pr_yellowln "(PFS requires session ticket keys to be rotated <= daily)" output_finding "session_ticket" "$NODEIP" "$PORT" "INFO" "TLS session tickes RFC 5077 valid for $lifetime $unit\nPFS requires session ticket keys to be rotated at least daily" fi - + pr_bold " SSL Session ID support " if $NO_SSL_SESSIONID; then outln "no" @@ -2890,32 +2890,32 @@ run_server_defaults() { pr_bold " Signature Algorithm " case $sig_algo in - sha1WithRSAEncryption) - pr_brownln "SHA1 with RSA" + sha1WithRSAEncryption) + pr_brownln "SHA1 with RSA" output_finding "algorithm" "$NODEIP" "$PORT" "WARN" "Signature Algorithm: SHA1 with RSA (warning)" ;; - sha256WithRSAEncryption) - pr_litegreenln "SHA256 with RSA" + sha256WithRSAEncryption) + pr_litegreenln "SHA256 with RSA" output_finding "algorithm" "$NODEIP" "$PORT" "OK" "Signature Algorithm: SHA256 with RSA (OK)" ;; - sha384WithRSAEncryption) - pr_litegreenln "SHA384 with RSA" + sha384WithRSAEncryption) + pr_litegreenln "SHA384 with RSA" output_finding "algorithm" "$NODEIP" "$PORT" "OK" "Signature Algorithm: SHA384 with RSA (OK)" ;; - sha512WithRSAEncryption) - pr_litegreenln "SHA512 with RSA" + sha512WithRSAEncryption) + pr_litegreenln "SHA512 with RSA" output_finding "algorithm" "$NODEIP" "$PORT" "OK" "Signature Algorithm: SHA512 with RSA (OK)" ;; - ecdsa-with-SHA256) - pr_litegreenln "ECDSA with SHA256" + ecdsa-with-SHA256) + pr_litegreenln "ECDSA with SHA256" output_finding "algorithm" "$NODEIP" "$PORT" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)" ;; - md5*) - pr_redln "MD5" + md5*) + pr_redln "MD5" output_finding "algorithm" "$NODEIP" "$PORT" "NOT OK" "Signature Algorithm: MD5 (NOT ok)" ;; - *) - outln "$sig_algo" + *) + outln "$sig_algo" output_finding "algorithm" "$NODEIP" "$PORT" "INFO" "Signature Algorithm: $sign_algo" ;; esac @@ -3032,7 +3032,7 @@ run_server_defaults() { out " (" pr_dquoted "$issuer_O" if [[ -n "$issuer_C" ]]; then - out " from " + out " from " pr_dquoted "$issuer_C" output_finding "issuer" "$NODEIP" "$PORT" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")" else @@ -3051,7 +3051,7 @@ run_server_defaults() { [[ 2.16.578.1.26.1.3.3 == "$policy_oid" ]] || \ [[ 1.3.6.1.4.1.17326.10.14.2.1.2 == "$policy_oid" ]] || \ [[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \ - [[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then + [[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then out "yes " output_finding "ev" "$NODEIP" "$PORT" "OK" "Extended Validation (EV) (experimental) : yes" else @@ -3060,7 +3060,7 @@ run_server_defaults() { fi debugme echo "($(newline_to_spaces "$policy_oid"))" outln -#TODO: use browser OIDs: +#TODO: use browser OIDs: # https://mxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp # http://src.chromium.org/chrome/trunk/src/net/cert/ev_root_ca_metadata.cc # https://certs.opera.com/03/ev-oids.xml @@ -3076,7 +3076,7 @@ run_server_defaults() { startdate=$(LC_ALL=C date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M") LC_ALL=C days2expire=$(( $(date -j -f "%F %H:%M %z" "$enddate" "+%s") - $(date "+%s") )) # in seconds fi - days2expire=$((days2expire / 3600 / 24 )) + days2expire=$((days2expire / 3600 / 24 )) expire=$($OPENSSL x509 -in $HOSTCERT -checkend 0 2>>$ERRFILE) if ! echo $expire | grep -qw not; then @@ -3124,7 +3124,7 @@ run_server_defaults() { outln "$crl" output_finding "crl" "$NODEIP" "$PORT" "INFO" "Certificate Revocation List : $crl" else # more than one CRL - out_row_aligned "$crl" "$spaces" + out_row_aligned "$crl" "$spaces" output_finding "crl" "$NODEIP" "$PORT" "INFO" "Certificate Revocation List : $crl" fi else @@ -3165,7 +3165,7 @@ run_server_defaults() { fi outln - # if we call tls_time before tmpfile_handle it throws an error because the function tls_sockets removed $TMPFILE + # if we call tls_time before tmpfile_handle it throws an error because the function tls_sockets removed $TMPFILE # already -- and that was a different one -- means that would get overwritten anyway tmpfile_handle $FUNCNAME.txt @@ -3335,7 +3335,7 @@ run_spdy() { else # now comes a strange thing: "Protocols advertised by server:" is empty but connection succeeded if echo $tmpstr | egrep -aq "h2|spdy|http" ; then - out "$tmpstr" + out "$tmpstr" outln " (advertised)" output_finding "spdy_npn" "$NODEIP" "$PORT" "INFO" "SPDY/NPN : $tmpstr (advertised)" ret=0 @@ -3355,7 +3355,7 @@ run_spdy() { run_http2() { local tmpstr - local -i ret=0 + local -i ret=0 local had_alpn_proto=false local alpn_finding="" @@ -3400,7 +3400,7 @@ starttls_line() { debugme echo -e "\n=== sending \"$1\" ..." echo -e "$1" >&5 - # we don't know how much to read and it's blocking! So we just put a cat into the + # we don't know how much to read and it's blocking! So we just put a cat into the # background and read until $STARTTLS_SLEEP and: cross our fingers cat <&5 >$TMPFILE & wait_kill $! $STARTTLS_SLEEP @@ -3410,7 +3410,7 @@ starttls_line() { if egrep -q "$2" $TMPFILE; then debugme echo "---> reply matched \"$2\"" else - # slow down for exim and friends who need a proper handshake:, see + # slow down for exim and friends who need a proper handshake:, see # https://github.com/drwetter/testssl.sh/issues/218 FAST_STARTTLS=false debugme echo -e "\n=== sending with automated FAST_STARTTLS=false \"$1\" ..." @@ -3496,7 +3496,7 @@ fd_socket() { ;; smtp|smtps) # SMTP, see https://tools.ietf.org/html/rfc4217 $FAST_STARTTLS || starttls_just_read - $FAST_STARTTLS || starttls_line "EHLO testssl.sh" "220|250" && starttls_just_send "EHLO testssl.sh" + $FAST_STARTTLS || starttls_line "EHLO testssl.sh" "220|250" && starttls_just_send "EHLO testssl.sh" starttls_line "STARTTLS" "220" ;; pop3|pop3s) # POP, see https://tools.ietf.org/html/rfc2595 @@ -3524,9 +3524,9 @@ fd_socket() { [[ -z $XMPP_HOST ]] && XMPP_HOST="$NODE" jabber=$(cat < - @@ -3664,7 +3664,7 @@ parse_tls_serverhello() { [[ "$DEBUG" -eq 5 ]] && echo $tls_hello_ascii # one line without any blanks if [[ -z "$tls_hello_ascii" ]]; then - debugme echo "server hello empty, TCP connection closed" + debugme echo "server hello empty, TCP connection closed" return 1 # no server hello received fi @@ -3682,14 +3682,14 @@ parse_tls_serverhello() { if [[ $tls_content_type == "15" ]]; then # TLS ALERT tls_err_level=${tls_hello_ascii:10:2} # 1: warning, 2: fatal - tls_err_descr=${tls_hello_ascii:12:2} # 112/0x70: Unrecognized name, 111/0x6F: certificate_unobtainable, + tls_err_descr=${tls_hello_ascii:12:2} # 112/0x70: Unrecognized name, 111/0x6F: certificate_unobtainable, # 113/0x71: bad_certificate_status_response, #114/0x72: bad_certificate_hash_value if [[ $DEBUG -ge 2 ]]; then echo "tls_protocol (reclyr): 0x$tls_protocol" echo "tls_content_type: 0x$tls_content_type" echo "tls_len_all: $tls_len_all" echo "tls_err_descr: 0x${tls_err_descr} / = $(hex2dec ${tls_err_descr})" - echo "tls_err_level: ${tls_err_level} (warning:1, fatal:2)" + echo "tls_err_level: ${tls_err_level} (warning:1, fatal:2)" fi # now, here comes a strange thing... -- on the first glance # IF an apache 2.2/2.4 server e.g. has a default servername configured but we send SNI @@ -3754,17 +3754,17 @@ sslv2_sockets() { pr_litemagenta "strange v2 reply " outln " (rerun with DEBUG >=2)" [[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1 - ret=7 + ret=7 output_finding "sslv2" "$NODEIP" "$PORT" "WARN" "SSLv2: received a strange SSLv2 replay (rerun with DEBUG>=2)" ;; 1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP! pr_greenln "not offered (OK)" - ret=0 + ret=0 output_finding "sslv2" "$NODEIP" "$PORT" "OK" "SSLv2 not offered (OK)" ;; 0) # reset pr_greenln "not offered (OK)" - ret=0 + ret=0 output_finding "sslv2" "$NODEIP" "$PORT" "OK" "SSLv2 not offered (OK)" ;; 3) # everything else @@ -3773,11 +3773,11 @@ sslv2_sockets() { if [[ "$lines" -gt 1 ]]; then ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) if [[ 0 -eq "$ciphers_detected" ]]; then - pr_litered "supported but couldn't detect a cipher"; + pr_litered "supported but couldn't detect a cipher"; outln " (may need further attention)" output_finding "sslv2" "$NODEIP" "$PORT" "NOT OK" "SSLv2 offered (NOT ok), but could not detect a cipher (may need futher attention)" else - pr_red "offered (NOT ok)"; + pr_red "offered (NOT ok)"; outln " -- $ciphers_detected ciphers" output_finding "sslv2" "$NODEIP" "$PORT" "NOT OK" "SSLv2 offered (NOT ok).\nDetected ciphers: $ciphers_detected" fi @@ -3806,7 +3806,7 @@ socksend_tls_clienthello() { local len_sni_listlen len_sni_ext len_extension_hex local cipher_suites len_ciph_suites len_ciph_suites_word local len_client_hello_word len_all_word - + #len_servername=$(echo ${#NODE}) len_servername=${#NODE} hexdump_format_str="$len_servername/1 \"%02x,\"" @@ -3896,10 +3896,10 @@ socksend_tls_clienthello() { extension_signature_algorithms=" 00, 0d, # Type: signature_algorithms , see RFC 5246 00, 20, # len - 00,1e, 06,01, 06,02, 06,03, 05,01, 05,02, 05,03, + 00,1e, 06,01, 06,02, 06,03, 05,01, 05,02, 05,03, 04,01, 04,02, 04,03, 03,01, 03,02, 03,03, 02,01, 02,02, 02,03" -# Extension: Haertbeat 00 0f +# Extension: Haertbeat 00 0f # len 00 01 # peer allowed to send requests 01 @@ -3927,7 +3927,7 @@ socksend_tls_clienthello() { return 0 } -# arg1: TLS version low byte +# arg1: TLS version low byte # (00: SSLv3, 01: TLS 1.0, 02: TLS 1.1, 03: TLS 1.2) tls_sockets() { local -i ret=0 @@ -4203,7 +4203,7 @@ run_ccs_injection(){ if [[ $DEBUG -ge 3 ]]; then outln "\n1st reply: " out "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20 -# ok: 15 | 0301 | 02 | 02 | 0a +# ok: 15 | 0301 | 02 | 02 | 0a # ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a) # or just timed out outln @@ -4217,7 +4217,7 @@ run_ccs_injection(){ if [[ $DEBUG -ge 3 ]]; then outln "\n2nd reply: " printf -- "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" -# not ok: 15 | 0301 | 02 | 02 | 15 +# not ok: 15 | 0301 | 02 | 02 | 15 # ALERT | TLS 1.0 | Length=2 | Decryption failed (21) # ok: 0a or nothing: ==> RST outln @@ -4272,21 +4272,21 @@ run_renego() { sec_renego=$? # 0= Secure Renegotiation IS NOT supported #FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported" case $sec_renego in - 0) - pr_redln "VULNERABLE (NOT ok)" + 0) + pr_redln "VULNERABLE (NOT ok)" output_finding "secure_renego" "$NODEIP" "$PORT" "NOT OK" "Secure Renegotiation (CVE-2009-3555) : VULNERABLE (NOT ok)" ;; - 1) - pr_greenln "not vulnerable (OK)" + 1) + pr_greenln "not vulnerable (OK)" output_finding "secure_renego" "$NODEIP" "$PORT" "OK" "Secure Renegotiation (CVE-2009-3555) : not vulnerable (OK)" ;; - *) - pr_litemagentaln "FIXME (bug): $sec_renego" + *) + pr_litemagentaln "FIXME (bug): $sec_renego" output_finding "secure_renego" "$NODEIP" "$PORT" "WARN" "Secure Renegotiation (CVE-2009-3555) : FIXME (bug) $sec_renego" ;; esac else - pr_litemagentaln "handshake didn't succeed" + pr_litemagentaln "handshake didn't succeed" output_finding "secure_renego" "$NODEIP" "$PORT" "WARN" "Secure Renegotiation (CVE-2009-3555) : handshake didn't succeed" fi @@ -4296,19 +4296,19 @@ run_renego() { case "$OSSL_VER" in 0.9.8*) # we need this for Mac OSX unfortunately case "$OSSL_VER_APPENDIX" in - [a-l]) + [a-l]) local_problem "$OPENSSL cannot test this secure renegotiation vulnerability" output_finding "sec_client_renego" "$NODEIP" "$PORT" "WARN" "Secure Client-Initiated Renegotiation : $OPENSSL cannot test this secure renegotiation vulnerability" - return 3 + return 3 ;; - [m-z]) + [m-z]) ;; # all ok - esac + esac ;; - 1.0.1*|1.0.2*) - legacycmd="-legacy_renegotiation" + 1.0.1*|1.0.2*) + legacycmd="-legacy_renegotiation" ;; - 0.9.9*|1.0*) + 0.9.9*|1.0*) ;; # all ok esac @@ -4319,7 +4319,7 @@ run_renego() { else # We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background # msg enables us to look deeper into it while debugging - echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE & + echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE & wait_kill $! $HEADER_MAXSLEEP if [[ $? -eq 3 ]]; then pr_litegreen "likely not vulnerable (OK)"; outln " (timed out)" # it hung @@ -4330,16 +4330,16 @@ run_renego() { echo R | $OPENSSL s_client $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln! case $sec_client_renego in - 0) - pr_litered "VULNERABLE (NOT ok)"; outln ", DoS threat" + 0) + pr_litered "VULNERABLE (NOT ok)"; outln ", DoS threat" output_finding "sec_client_renego" "$NODEIP" "$PORT" "NOT OK" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat" ;; - 1) - pr_litegreenln "not vulnerable (OK)" + 1) + pr_litegreenln "not vulnerable (OK)" output_finding "sec_client_renego" "$NODEIP" "$PORT" "OK" "Secure Client-Initiated Renegotiation : not vulnerable (OK)" ;; - *) - pr_literedln "FIXME (bug): $sec_client_renego" + *) + pr_literedln "FIXME (bug): $sec_client_renego" output_finding "sec_client_renego" "$NODEIP" "$PORT" "WARN" "Secure Client-Initiated Renegotiation : FIXME (bug) $sec_client_renego - Please report" ;; esac @@ -4362,7 +4362,7 @@ run_crime() { # means anyway "game over", w/wo CRIME # www.h-online.com/security/news/item/Vulnerability-in-SSL-encryption-is-barely-exploitable-1708604.html - [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln + [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln pr_bold " CRIME, TLS " ; out "(CVE-2012-4929) " # first we need to test whether OpenSSL binary has zlib support @@ -4373,11 +4373,11 @@ run_crime() { return 7 fi - [[ "$OSSL_VER" == "*0.9.8*" ]] && addcmd="-no_ssl2" + [[ "$OSSL_VER" == "*0.9.8*" ]] && addcmd="-no_ssl2" $OPENSSL s_client $OPTIMAL_PROTO $BUGS $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $TMPFILE if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then pr_litegreen "not vulnerable (OK)" - if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then + if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then out " (not using HTTP anyway)" output_finding "crime" "$NODEIP" "$PORT" "OK" "CRIME, TLS (CVE-2012-4929) : Not vulnerable (OK) (not using HTTP anyway)" else @@ -4603,17 +4603,17 @@ run_freak() { local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5" local addtl_warning="" - [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for FREAK attack " && outln + [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for FREAK attack " && outln pr_bold " FREAK"; out " (CVE-2015-0204) " nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportrsa_cipher_list)) #echo "========= ${PIPESTATUS[*]} case $nr_supported_ciphers in - 0) + 0) local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured" output_finding "freak" "$NODEIP" "$PORT" "WARN" "FREAK (CVE-2015-0204) : Not tested. $OPENSSL doesn't have any EXPORT RSA ciphers configured" - return 7 + return 7 ;; 1|2|3) addtl_warning=" ($magenta""tested only with $nr_supported_ciphers out of 9 ciphers only!$off)" ;; @@ -4650,16 +4650,16 @@ run_logjam() { local -i nr_supported_ciphers=0 local addtl_warning="" - [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln + [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln pr_bold " LOGJAM"; out " (CVE-2015-4000), experimental " nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list)) case $nr_supported_ciphers in - 0) + 0) local_problem "$OPENSSL doesn't have any DHE EXPORT ciphers configured" output_finding "logjam" "$NODEIP" "$PORT" "WARN" "LOGJAM (CVE-2015-4000) : Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured" - return 3 + return 3 ;; 1|2) addtl_warning=" ($magenta""tested w/ $nr_supported_ciphers/4 ciphers only!$off)" ;; 3) addtl_warning=" (tested w/ $nr_supported_ciphers/4 ciphers)" ;; @@ -4677,7 +4677,7 @@ run_logjam() { $HAS_DH_BITS && addtl_warning="$addtl_warning See below for any DH ciphers + bit size" fi fi - + if [[ $sclient_success -eq 0 ]]; then pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked." output_finding "logjam" "$NODEIP" "$PORT" "NOT OK" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked." @@ -4766,7 +4766,7 @@ run_beast(){ if [[ $sclient_success -eq 0 ]]; then [[ -n "$higher_proto_supported" ]] && \ pr_yellowln "available" || \ - pr_brownln "available" + pr_brownln "available" else outln "not a/v" @@ -4934,11 +4934,11 @@ get_install_dir() { #INSTALL_DIR=$(cd "$(dirname "$0")" && pwd)/$(basename "$0") INSTALL_DIR=$(dirname ${BASH_SOURCE[0]}) - [[ -r "$RUN_DIR/etc/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/etc/mapping-rfc.txt" + [[ -r "$RUN_DIR/etc/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/etc/mapping-rfc.txt" [[ -r "$INSTALL_DIR/etc/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$INSTALL_DIR/etc/mapping-rfc.txt" if [[ ! -r "$MAPPING_FILE_RFC" ]]; then # those will disapper: - [[ -r "$RUN_DIR/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/mapping-rfc.txt" + [[ -r "$RUN_DIR/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$RUN_DIR/mapping-rfc.txt" [[ -r "$INSTALL_DIR/mapping-rfc.txt" ]] && MAPPING_FILE_RFC="$INSTALL_DIR/mapping-rfc.txt" fi @@ -4988,7 +4988,7 @@ test_openssl_suffix() { fi return 1 } - + find_openssl_binary() { # 0. check environment variable whether it's executable @@ -5122,7 +5122,7 @@ $PROG_NAME URI ("$PROG_NAME URI" does everything except -E) -t, --starttls does a default run against a STARTTLS enabled --xmpphost for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed --mx tests MX records from high to low priority (STARTTLS, port 25) - --ip a) tests the supplied v4 or v6 address instead of resolving host(s) in URI + --ip a) tests the supplied v4 or v6 address instead of resolving host(s) in URI b) arg "one" means: just test the first DNS returns (useful for multiple IPs) --file mass testing option: Reads command lines from , one line per instance. Comments via # allowed, EOF signals end of . Implicitly turns on "--warnings batch" @@ -5172,7 +5172,7 @@ maketempf() { TEMPDIR=$(mktemp -d /tmp/ssltester.XXXXXX) || exit -6 TMPFILE=$TEMPDIR/tempfile.txt || exit -6 if [[ "$DEBUG" -eq 0 ]]; then - ERRFILE="/dev/null" + ERRFILE="/dev/null" else ERRFILE=$TEMPDIR/errorfile.txt || exit -6 fi @@ -5269,8 +5269,8 @@ mybanner() { $PROG_NAME $VERSION from $SWURL ($idtag) - This program is free software. Distribution and - modification under GPLv2 permitted. + This program is free software. Distribution and + modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ @@ -5287,9 +5287,9 @@ EOF cwd=$(/bin/pwd) || \ cwd=$RUN_DIR if [[ "$openssl_location" =~ $(/bin/pwd)/bin ]]; then - OPENSSL_LOCATION="\$PWD/bin/$(basename "$openssl_location")" + OPENSSL_LOCATION="\$PWD/bin/$(basename "$openssl_location")" elif [[ "$openssl_location" =~ $cwd ]] && [[ "$cwd" != '.' ]]; then - OPENSSL_LOCATION="${openssl_location%%$cwd}" + OPENSSL_LOCATION="${openssl_location%%$cwd}" else OPENSSL_LOCATION="$openssl_location" fi @@ -5300,7 +5300,7 @@ EOF cleanup () { if [[ "$DEBUG" -ge 1 ]]; then - outln + outln pr_underline "DEBUG (level $DEBUG): see files in $TEMPDIR" outln else @@ -5461,7 +5461,7 @@ filter_ip4_address() { get_local_aaaa() { local ip6="" local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" - + # for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution ip6=$(grep -wh "$NODE" $etchosts 2>/dev/null | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }') if is_ipv6addr "$ip6"; then @@ -5474,7 +5474,7 @@ get_local_aaaa() { get_local_a() { local ip4="" local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" - + # for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution ip4=$(grep -wh "$1" $etchosts 2>/dev/null | egrep -v ':|^#' | egrep "[[:space:]]$1" | awk '{ print $1 }') if is_ipv4addr "$ip4"; then @@ -5557,7 +5557,7 @@ get_aaaa_record() { } -# now get all IP addresses +# now get all IP addresses determine_ip_addresses() { local ip4="" local ip6="" @@ -5573,7 +5573,7 @@ determine_ip_addresses() { else LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl fi - # same now for ipv6 + # same now for ipv6 ip6=$(get_local_aaaa $NODE) if [[ -z $ip6 ]]; then check_resolver_bins @@ -5681,10 +5681,10 @@ sclient_auth() { [[ $1 -eq 0 ]] && return 0 # no client auth (CLIENT_AUTH=false is preset globally) if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then # connect succeeded if grep -q '^<<< .*CertificateRequest' "$2"; then # CertificateRequest message in -msg - CLIENT_AUTH=true + CLIENT_AUTH=true return 0 fi - if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session + if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then # do another sanity check to be sure CLIENT_AUTH=false NO_SSL_SESSIONID=true # NO_SSL_SESSIONI is preset globally to false for all other cases @@ -5697,7 +5697,7 @@ sclient_auth() { } -# this function determines OPTIMAL_PROTO. It is a workaround function as under certain circumstances +# this function determines OPTIMAL_PROTO. It is a workaround function as under certain circumstances # (e.g. IIS6.0 and openssl 1.0.2 as opposed to 1.0.1) needs a protocol otherwise s_client -connect will fail! # Circumstances observed so far: 1.) IIS 6 2.) starttls + dovecot imap # The first try in the loop is empty as we prefer not to specify always a protocol if it works w/o. @@ -5754,7 +5754,7 @@ determine_optimal_proto() { # arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap (maybe with trailing s) determine_service() { - local ua + local ua local protocol if ! fd_socket; then # check if we can connect to $NODEIP:$PORT @@ -5766,8 +5766,8 @@ determine_service() { datebanner " Start" outln - if [[ -z "$1" ]]; then - # no STARTTLS. + if [[ -z "$1" ]]; then + # no STARTTLS. determine_optimal_proto "$1" $SNEAKY && \ ua="$UA_SNEAKY" || \ @@ -5777,7 +5777,7 @@ determine_service() { GET_REQ10="GET $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n" HEAD_REQ10="HEAD $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n" runs_HTTP $OPTIMAL_PROTO - else + else # STARTTLS protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc case "$protocol" in @@ -5865,7 +5865,7 @@ draw_line() { mx_all_ips() { local mxs mx - local mxport + local mxport local -i ret=0 STARTTLS_PROTOCOL="smtp" @@ -5880,7 +5880,7 @@ mx_all_ips() { for mx in $mxs; do draw_line "-" $((TERM_DWITH * 2 / 3)) outln - parse_hn_port "$mx:$mxport" + parse_hn_port "$mx:$mxport" determine_ip_addresses || continue if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" @@ -5909,7 +5909,7 @@ run_mass_testing_parallel() { if [[ ! -r "$FNAME" ]] && $IKNOW_FNAME; then fatal "Can't read file \"$FNAME\"" "-1" fi - pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln + pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln outln "(output is in ....\n)" while read cmdline; do cmdline=$(filter_input "$cmdline") @@ -5917,7 +5917,7 @@ run_mass_testing_parallel() { [[ "$cmdline" == "EOF" ]] && break echo "$0 -q $cmdline" draw_line "=" $((TERM_DWITH / 2)); outln; - determine_logfile + determine_logfile $0 -q $cmdline >$LOGFILE & sleep $PARALLEL_SLEEP done < "$FNAME" @@ -5945,7 +5945,7 @@ run_mass_testing() { -# This initializes boolean global do_* variables. They keep track of what to do +# This initializes boolean global do_* variables. They keep track of what to do # -- as the name insinuates initialize_globals() { do_allciphers=false @@ -6038,7 +6038,7 @@ debug_globals() { # arg1+2 are just the options parse_opt_equal_sign() { if [[ "$1" == *=* ]]; then - echo "$1" | awk -F'=' '{ print $2 }' + echo "$1" | awk -F'=' '{ print $2 }' return 1 # = means we don't need to shift args! else echo $2 @@ -6054,7 +6054,7 @@ parse_cmd_line() { while [[ $# -gt 0 ]]; do case $1 in -h|--help) - help 0 + help 0 ;; -b|--banner|-v|--version) find_openssl_binary @@ -6068,11 +6068,11 @@ parse_cmd_line() { ;; --mx465) # doesn't work with major ISPs do_mx_all_ips=true - PORT=465 + PORT=465 ;; --mx587) # doesn't work with major ISPs do_mx_all_ips=true - PORT=587 + PORT=587 ;; --ip|--ip=*) CMDLINE_IP=$(parse_opt_equal_sign "$1" "$2") @@ -6084,7 +6084,7 @@ parse_cmd_line() { mybanner openssl_age prettyprint_local $(parse_opt_equal_sign "$1" "$2") - exit $? + exit $? ;; -x|-x=*|--single[-_]cipher|--single[-_]cipher=*) do_test_just_one=true @@ -6151,15 +6151,15 @@ parse_cmd_line() { do_logjam=true do_beast=true do_rc4=true - VULN_COUNT=10 + VULN_COUNT=10 ;; -B|--heartbleed) do_heartbleed=true - let "VULN_COUNT++" + let "VULN_COUNT++" ;; -I|--ccs|--ccs[-_]injection) do_ccs_injection=true - let "VULN_COUNT++" + let "VULN_COUNT++" ;; -R|--renegotiation) do_renego=true @@ -6207,16 +6207,16 @@ parse_cmd_line() { # DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0 # DEBUG=3 ./testssl.sh --devel 00 # DEBUG=3 ./testssl.sh --devel 22 - TLS_LOW_BYTE="$2"; + TLS_LOW_BYTE="$2"; if [[ $# -eq 4 ]]; then # protocol AND ciphers specified HEX_CIPHER="$3" shift fi shift do_tls_sockets=true - outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}" + outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}" ;; - --wide) + --wide) WIDE=true ;; --assuming[_-]http|--assume[-_]http) @@ -6237,27 +6237,27 @@ parse_cmd_line() { do_mass_testing=true ;; --warnings|--warnings=*) - WARNINGS=$(parse_opt_equal_sign "$1" "$2") + WARNINGS=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift case "$WARNINGS" in batch|off|false) ;; - *) pr_magentaln "\nwarnings can be either \"batch\", \"off\" or \"false\"" + *) pr_magentaln "\nwarnings can be either \"batch\", \"off\" or \"false\"" help 1 esac ;; --show[-_]each) SHOW_EACH_C=1 #FIXME: sense is vice versa - ;; + ;; --bugs) BUGS="-bugs" - ;; + ;; --debug|--debug=*) DEBUG=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift case $DEBUG in [0-6]) ;; *) pr_magentaln "\nunrecognized debug value \"$1\", must be between 0..6" 1>&2 - help 1 + help 1 esac ;; --color|--color=*) @@ -6271,14 +6271,14 @@ parse_cmd_line() { esac ;; --log|--logging) - do_logging=true + do_logging=true ;; # DEFINITION of LOGFILE if no arg specified via ENV or automagically in parse_hn_ports() # following does the same but we can specify a log location additionally --logfile=*) LOGFILE=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift - do_logging=true - ;; + do_logging=true + ;; --json) do_json=true ;; # DEFINITION of JSONFILE is not arg specified via ENV or automagically in parse_hn_ports() @@ -6287,7 +6287,7 @@ parse_cmd_line() { JSONFILE=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift do_json=true - ;; + ;; --csv) do_csv=true ;; # DEFINITION of CSVFILE is not arg specified via ENV or automagically in parse_hn_ports() @@ -6296,7 +6296,7 @@ parse_cmd_line() { CSVFILE=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift do_csv=true - ;; + ;; --openssl|--openssl=*) OPENSSL=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift @@ -6315,12 +6315,12 @@ parse_cmd_line() { SSL_NATIVE=true ;; (--) shift - break + break ;; (-*) pr_magentaln "\n$0: unrecognized option \"$1\"" 1>&2; - help 1 + help 1 ;; - (*) break + (*) break ;; esac shift @@ -6422,7 +6422,7 @@ lets_roll() { $do_client_simulation && { run_client_simulation; ret=$(($? + ret)); } outln - datebanner " Done" + datebanner " Done" return $ret } @@ -6455,14 +6455,14 @@ if $do_mx_all_ips; then [[ $? -eq 1 ]] && set_scanning_defaults mx_all_ips "${URI}" $PORT ret=$? -else +else parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now if ! determine_ip_addresses && [[ -z "$CMDLINE_IP" ]]; then fatal "No IP address could be determined" fi - if [[ -n "$CMDLINE_IP" ]]; then + if [[ -n "$CMDLINE_IP" ]]; then [[ "$CMDLINE_IP" == "one" ]] && \ - CMDLINE_IP=$(echo -n "$IPADDRs" | awk '{ print $1 }') + CMDLINE_IP=$(echo -n "$IPADDRs" | awk '{ print $1 }') NODEIP="$CMDLINE_IP" # specific ip address for NODE was supplied lets_roll "${STARTTLS_PROTOCOL}" ret=$?