Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Complete shortcut checks (Renegotiation and CRIME)"

Browse Source 
This reverts commit 8c24d1a6f2.
This commit is contained in:
Dirk 2020-01-18 21:54:42 +01:00
parent f109d3bbd6
commit 44d1139e99
1 changed files with 11 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
testssl.sh
View File

@ -14334,9 +14334,9 @@ run_renego() {
pr_bold " Secure Renegotiation (RFC 5746) " pr_bold " Secure Renegotiation (RFC 5746) "
jsonID="secure_renego" jsonID="secure_renego"
if "$TLS13_ONLY"; then if "$TLS13_ONLY" && [[ "$proto" == -no_tls1_3 ]]; then
# https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/ # https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
pr_svrty_best "not vulnerable (OK)"; outln ", no renegotiation support in TLS 1.3 only servers" prln_svrty_best "no support in TLS 1.3 only servers (OK)"
fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe" fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe"
else else
# first fingerprint for the Line "Secure Renegotiation IS NOT" or "Secure Renegotiation IS " # first fingerprint for the Line "Secure Renegotiation IS NOT" or "Secure Renegotiation IS "
@ -14396,13 +14396,13 @@ run_renego() {
esac esac
if "$TLS13_ONLY"; then if "$CLIENT_AUTH"; then
pr_svrty_best "not vulnerable (OK)"; outln ", no renegotiation support in TLS 1.3 only servers"
fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe"
elif "$CLIENT_AUTH"; then
prln_warning "client x509-based authentication prevents this from being tested" prln_warning "client x509-based authentication prevents this from being tested"
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested"
sec_client_renego=1 sec_client_renego=1
elif "$TLS13_ONLY" && [[ "$proto" == -no_tls1_3 ]]; then
pr_svrty_best "not vulnerable (OK)"; outln " (TLS 1.3 only server)"
fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe"
else else
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background # We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
# msg enables us to look deeper into it while debugging # msg enables us to look deeper into it while debugging
@ -14471,21 +14471,15 @@ run_crime() {
local cwe="CWE-310" local cwe="CWE-310"
local hint="" local hint=""
# In a nutshell: don't offer TLS/SPDY compression. This tests for CRIME Vulnerability on HTTPS only, # in a nutshell: don't offer TLS/SPDY compression on the server side
# not SPDY or ALPN (yet). Please note that it is an attack where you need client side control, so in # This tests for CRIME Vulnerability (www.ekoparty.org/2012/juliano-rizzo.php) on HTTPS, not SPDY (yet)
# regular situations this # means anyway "game over", with or without CRIME. # Please note that it is an attack where you need client side control, so in regular situations this
# # means anyway "game over", w/wo CRIME
# https://blog.qualys.com/ssllabs/2012/09/14/crime-information-leakage-attack-against-ssltls # www.h-online.com/security/news/item/Vulnerability-in-SSL-encryption-is-barely-exploitable-1708604.html
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln
pr_bold " CRIME, TLS " ; out "($cve) " pr_bold " CRIME, TLS " ; out "($cve) "
if "$TLS13_ONLY"; then
pr_svrty_best "not vulnerable (OK)"; outln ", no compression in TLS 1.3 only servers"
fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe"
return 0
fi
if ! "$HAS_ZLIB"; then if ! "$HAS_ZLIB"; then
if "$SSL_NATIVE"; then if "$SSL_NATIVE"; then
prln_local_problem "$OPENSSL lacks zlib support" prln_local_problem "$OPENSSL lacks zlib support"