Merge branch '2.9dev' into openssl_location
commit
43a4358442
28
testssl.sh
28
testssl.sh
@ -752,7 +752,7 @@ fileout_footer() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# ID, SEVERITY, FINDING, CVE, CWE, HINT
|
# ID, SEVERITY, FINDING, CVE, CWE, HINT
|
||||||
fileout() {
|
fileout() {
|
||||||
local severity="$2"
|
local severity="$2"
|
||||||
local cwe="$5"
|
local cwe="$5"
|
||||||
local hint="$6"
|
local hint="$6"
|
||||||
@ -2443,7 +2443,7 @@ neat_list(){
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
test_just_one(){
|
run_cipher_match(){
|
||||||
local hexc n auth export ciphers_to_test supported_sslv2_ciphers s
|
local hexc n auth export ciphers_to_test supported_sslv2_ciphers s
|
||||||
local -a hexcode normalized_hexcode ciph sslvers kx enc export2 sigalg
|
local -a hexcode normalized_hexcode ciph sslvers kx enc export2 sigalg
|
||||||
local -a ciphers_found ciphers_found2 ciph2 rfc_ciph rfc_ciph2 ossl_supported
|
local -a ciphers_found ciphers_found2 ciph2 rfc_ciph rfc_ciph2 ossl_supported
|
||||||
@ -3986,7 +3986,7 @@ pr_dh_quality() {
|
|||||||
pr_done_good "$string"
|
pr_done_good "$string"
|
||||||
else
|
else
|
||||||
out "$string"
|
out "$string"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
pr_ecdh_quality() {
|
pr_ecdh_quality() {
|
||||||
@ -4053,7 +4053,7 @@ pr_ecdh_curve_quality() {
|
|||||||
# The return value is an indicator of the quality of the cipher in $1:
|
# The return value is an indicator of the quality of the cipher in $1:
|
||||||
# 0 = $1 is empty
|
# 0 = $1 is empty
|
||||||
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
|
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
|
||||||
# 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best
|
# 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best
|
||||||
pr_cipher_quality() {
|
pr_cipher_quality() {
|
||||||
local cipher="$1"
|
local cipher="$1"
|
||||||
local text="$2"
|
local text="$2"
|
||||||
@ -4949,7 +4949,7 @@ extract_new_tls_extensions() {
|
|||||||
# check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS
|
# check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS
|
||||||
while read -d "\"" -r line; do
|
while read -d "\"" -r line; do
|
||||||
if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then
|
if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then
|
||||||
#FIXME: This is a string of quoted strings, so this seems to determine the output format already. Better e.g. would be an array
|
#FIXME: This is a string of quoted strings, so this seems to determine the output format already. Better e.g. would be an array
|
||||||
TLS_EXTENSIONS+=" \"${line}\""
|
TLS_EXTENSIONS+=" \"${line}\""
|
||||||
fi
|
fi
|
||||||
done <<<$tls_extensions
|
done <<<$tls_extensions
|
||||||
@ -10603,7 +10603,7 @@ help() {
|
|||||||
single check as <options> ("$PROG_NAME URI" does everything except -E):
|
single check as <options> ("$PROG_NAME URI" does everything except -E):
|
||||||
-e, --each-cipher checks each local cipher remotely
|
-e, --each-cipher checks each local cipher remotely
|
||||||
-E, --cipher-per-proto checks those per protocol
|
-E, --cipher-per-proto checks those per protocol
|
||||||
-f, --ciphers checks common cipher suites
|
-s, --std, --standard tests certain lists of cipher suites by strength
|
||||||
-p, --protocols checks TLS/SSL protocols (including SPDY/HTTP2)
|
-p, --protocols checks TLS/SSL protocols (including SPDY/HTTP2)
|
||||||
-y, --spdy, --npn checks for SPDY/NPN
|
-y, --spdy, --npn checks for SPDY/NPN
|
||||||
-Y, --http2, --alpn checks for HTTP2/ALPN
|
-Y, --http2, --alpn checks for HTTP2/ALPN
|
||||||
@ -10628,7 +10628,7 @@ single check as <options> ("$PROG_NAME URI" does everything except -E):
|
|||||||
-F, --freak tests for FREAK vulnerability
|
-F, --freak tests for FREAK vulnerability
|
||||||
-J, --logjam tests for LOGJAM vulnerability
|
-J, --logjam tests for LOGJAM vulnerability
|
||||||
-D, --drown tests for DROWN vulnerability
|
-D, --drown tests for DROWN vulnerability
|
||||||
-s, --pfs, --fs, --nsa checks (perfect) forward secrecy settings
|
-f, --pfs, --fs, --nsa checks (perfect) forward secrecy settings
|
||||||
-4, --rc4, --appelbaum which RC4 ciphers are being offered?
|
-4, --rc4, --appelbaum which RC4 ciphers are being offered?
|
||||||
|
|
||||||
tuning / connect options (most also can be preset via environment variables):
|
tuning / connect options (most also can be preset via environment variables):
|
||||||
@ -11848,7 +11848,7 @@ initialize_globals() {
|
|||||||
do_ssl_poodle=false
|
do_ssl_poodle=false
|
||||||
do_sweet32=false
|
do_sweet32=false
|
||||||
do_tls_fallback_scsv=false
|
do_tls_fallback_scsv=false
|
||||||
do_test_just_one=false
|
do_cipher_match=false
|
||||||
do_tls_sockets=false
|
do_tls_sockets=false
|
||||||
do_client_simulation=false
|
do_client_simulation=false
|
||||||
do_display_only=false
|
do_display_only=false
|
||||||
@ -11892,7 +11892,7 @@ query_globals() {
|
|||||||
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
||||||
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
||||||
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
||||||
do_sweet32 do_client_simulation do_test_just_one do_tls_sockets do_mass_testing do_display_only; do
|
do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only; do
|
||||||
[[ "${!gbl}" == "true" ]] && let true_nr++
|
[[ "${!gbl}" == "true" ]] && let true_nr++
|
||||||
done
|
done
|
||||||
return $true_nr
|
return $true_nr
|
||||||
@ -11905,7 +11905,7 @@ debug_globals() {
|
|||||||
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
||||||
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
||||||
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
||||||
do_sweet32 do_client_simulation do_test_just_one do_tls_sockets do_mass_testing do_display_only; do
|
do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only; do
|
||||||
printf "%-22s = %s\n" $gbl "${!gbl}"
|
printf "%-22s = %s\n" $gbl "${!gbl}"
|
||||||
done
|
done
|
||||||
printf "%-22s : %s\n" URI: "$URI"
|
printf "%-22s : %s\n" URI: "$URI"
|
||||||
@ -11973,7 +11973,7 @@ parse_cmd_line() {
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
-x|-x=*|--single[-_]cipher|--single[-_]cipher=*)
|
-x|-x=*|--single[-_]cipher|--single[-_]cipher=*)
|
||||||
do_test_just_one=true
|
do_cipher_match=true
|
||||||
single_cipher=$(parse_opt_equal_sign "$1" "$2")
|
single_cipher=$(parse_opt_equal_sign "$1" "$2")
|
||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
;;
|
;;
|
||||||
@ -12009,7 +12009,7 @@ parse_cmd_line() {
|
|||||||
-Y|--http2|--alpn)
|
-Y|--http2|--alpn)
|
||||||
do_http2=true
|
do_http2=true
|
||||||
;;
|
;;
|
||||||
-f|--ciphers)
|
-s|--std|--standard)
|
||||||
do_std_cipherlists=true
|
do_std_cipherlists=true
|
||||||
;;
|
;;
|
||||||
-S|--server[-_]defaults)
|
-S|--server[-_]defaults)
|
||||||
@ -12099,7 +12099,7 @@ parse_cmd_line() {
|
|||||||
do_rc4=true
|
do_rc4=true
|
||||||
let "VULN_COUNT++"
|
let "VULN_COUNT++"
|
||||||
;;
|
;;
|
||||||
-s|--pfs|--fs|--nsa)
|
-f|--pfs|--fs|--nsa)
|
||||||
do_pfs=true
|
do_pfs=true
|
||||||
;;
|
;;
|
||||||
--devel) ### this development feature will soon disappear
|
--devel) ### this development feature will soon disappear
|
||||||
@ -12349,7 +12349,7 @@ lets_roll() {
|
|||||||
|
|
||||||
$do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets "" "true"; echo "$?" ; exit 0; }
|
$do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets "" "true"; echo "$?" ; exit 0; }
|
||||||
$do_tls_sockets && [[ $TLS_LOW_BYTE -ne 22 ]] && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all"; echo "$?" ; exit 0; }
|
$do_tls_sockets && [[ $TLS_LOW_BYTE -ne 22 ]] && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all"; echo "$?" ; exit 0; }
|
||||||
$do_test_just_one && test_just_one ${single_cipher} && time_right_align
|
$do_cipher_match && run_cipher_match ${single_cipher} && time_right_align
|
||||||
|
|
||||||
# all top level functions now following have the prefix "run_"
|
# all top level functions now following have the prefix "run_"
|
||||||
fileout_section_header $section_number false && ((section_number++))
|
fileout_section_header $section_number false && ((section_number++))
|
||||||
|
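Review bot: The -s and -f letters change meaning in parse_cmd_line (`-s|--std|--standard)` replaces the former `-f|--ciphers)` arm and `-f|--pfs|--fs|--nsa)` replaces the former `-s|--pfs|--fs|--nsa)` arm) with nothing in the option parser or the help text telling a user that an existing `testssl.sh -s host` now runs the standard cipherlists instead of the forward-secrecy check, so unlike the do_test_just_one → do_cipher_match rename this is a silent compatibility break for scripted invocations. I would add a comment above the `-s` arm, `# NOTE: -s/-f swapped meaning in 2.9dev: -s was --pfs and -f was --ciphers; callers written for 2.8 must be updated`, and mention the swap in the help text or changelog. In lets_roll, `$do_cipher_match && run_cipher_match ${single_cipher} && time_right_align` still passes the user-supplied value unquoted; `"${single_cipher}"` would avoid word-splitting and globbing of a command-line argument, assuming run_cipher_match expects a single argument. Both parse_cmd_line and lets_roll start and end outside these hunks.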