mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-06 00:39:44 +01:00
FIX #161 + small improvemnet on rengotiation
This commit is contained in:
Dirk
parent
e3fcd786f7
commit
405b0f10bf
17
testssl.sh
17
testssl.sh
@ -2849,15 +2849,15 @@ run_ccs_injection(){
|
|||||||
run_renego() {
|
run_renego() {
|
||||||
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
|
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
|
||||||
local legacycmd=""
|
local legacycmd=""
|
||||||
local insecure_renogo_str
|
local insecure_renogo_str="Secure Renegotiation IS NOT"
|
||||||
local sec_renego sec_client_renego
|
local sec_renego sec_client_renego
|
||||||
|
|
||||||
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for Renegotiation vulnerability" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for Renegotiation vulnerability" && outln "\n"
|
||||||
|
|
||||||
pr_bold " Secure Renegotiation "; out "(CVE 2009-3555) " # and RFC5746, OSVDB 59968-59974
|
pr_bold " Secure Renegotiation "; out "(CVE 2009-3555) " # and RFC5746, OSVDB 59968-59974
|
||||||
# community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
|
# community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
|
||||||
insecure_renogo_str="Secure Renegotiation IS NOT"
|
if $OPENSSL s_client $OPTIMAL_PROTO $STARTTLS -connect $NODEIP:$PORT $SNI $PROXY 2>&1 </dev/null &>$TMPFILE; then
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY 2>&1 </dev/null | grep -iaq "$insecure_renogo_str"
|
grep -iaq "$insecure_renogo_str" $TMPFILE
|
||||||
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
|
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
|
||||||
#FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported"
|
#FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported"
|
||||||
case $sec_renego in
|
case $sec_renego in
|
||||||
@ -2865,6 +2865,9 @@ run_renego() {
|
|||||||
1) pr_greenln "not vulnerable (OK)" ;;
|
1) pr_greenln "not vulnerable (OK)" ;;
|
||||||
*) pr_magentaln "FIXME (bug): $sec_renego" ;;
|
*) pr_magentaln "FIXME (bug): $sec_renego" ;;
|
||||||
esac
|
esac
|
||||||
|
else
|
||||||
|
pr_magentaln "handshake didn't succeed"
|
||||||
|
fi
|
||||||
|
|
||||||
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746
|
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746
|
||||||
# see: https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
|
# see: https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
|
||||||
@ -2881,14 +2884,14 @@ run_renego() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
|
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
|
||||||
echo R | $OPENSSL s_client $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $PROXY &>$TMPFILE & # msg enables us to look deeper into it while debugging
|
echo R | $OPENSSL s_client $OPTIMAL_PROTO $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY &>$TMPFILE & # msg enables us to look deeper into it while debugging
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
if [ $? -eq 3 ]; then
|
if [ $? -eq 3 ]; then
|
||||||
pr_litegreen "likely not vulnerable (OK)"; outln " (timed out)" # it hung
|
pr_litegreen "likely not vulnerable (OK)"; outln " (timed out)" # it hung
|
||||||
sec_client_renego=1
|
sec_client_renego=1
|
||||||
else
|
else
|
||||||
# second try in the foreground as we are sure now it won't hang
|
# second try in the foreground as we are sure now it won't hang
|
||||||
echo R | $OPENSSL s_client $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $PROXY &>$TMPFILE
|
echo R | $OPENSSL s_client $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY &>$TMPFILE
|
||||||
sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln!
|
sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln!
|
||||||
case $sec_client_renego in
|
case $sec_client_renego in
|
||||||
0) pr_litered "VULNERABLE (NOT ok)"; outln ", DoS threat" ;;
|
0) pr_litered "VULNERABLE (NOT ok)"; outln ", DoS threat" ;;
|
||||||
@ -2924,7 +2927,7 @@ run_crime() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
[[ "$OSSL_VER" =~ "0.9.8" ]] && addcmd="-no_ssl2"
|
[[ "$OSSL_VER" =~ "0.9.8" ]] && addcmd="-no_ssl2"
|
||||||
$OPENSSL s_client $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI </dev/null &>$TMPFILE
|
$OPENSSL s_client $OPTIMAL_PROTO $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI </dev/null &>$TMPFILE
|
||||||
if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
|
if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
|
||||||
pr_litegreen "not vulnerable (OK)"
|
pr_litegreen "not vulnerable (OK)"
|
||||||
[[ $SERVICE == "HTTP" ]] || out " (not using HTTP anyway)"
|
[[ $SERVICE == "HTTP" ]] || out " (not using HTTP anyway)"
|
||||||
@ -4680,4 +4683,4 @@ fi
|
|||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.345 2015/08/15 16:48:44 dirkw Exp $
|
# $Id: testssl.sh,v 1.346 2015/08/15 19:33:15 dirkw Exp $
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user