- local dns matches don't need lookup anymore over net --> saves timeouts+time
- further banner tuning + function mybanner, 2 additional global vars for debugging - cosmetic improvements
This commit is contained in:
parent
77ad7c9252
commit
452fd6762a
108
testssl.sh
108
testssl.sh
|
@ -10,7 +10,7 @@
|
||||||
# Please file bugs at github! https://github.com/drwetter/testssl.sh/issues
|
# Please file bugs at github! https://github.com/drwetter/testssl.sh/issues
|
||||||
|
|
||||||
VERSION="2.5dev"
|
VERSION="2.5dev"
|
||||||
SWURL="https://testssl.sh"
|
SWURL="http://dev.testssl.sh"
|
||||||
SWCONTACT="dirk aet testssl dot sh"
|
SWCONTACT="dirk aet testssl dot sh"
|
||||||
|
|
||||||
# Main author: Dirk Wetter, copyleft: 2007-2015, contributions so far see CREDIT.md
|
# Main author: Dirk Wetter, copyleft: 2007-2015, contributions so far see CREDIT.md
|
||||||
|
@ -61,6 +61,10 @@ readonly PROG_NAME=$(basename "$0")
|
||||||
readonly RUN_DIR=$(dirname $0)
|
readonly RUN_DIR=$(dirname $0)
|
||||||
readonly PROG_DIR=$(readlink "$BASH_SOURCE") 2>/dev/null
|
readonly PROG_DIR=$(readlink "$BASH_SOURCE") 2>/dev/null
|
||||||
|
|
||||||
|
which git &>/dev/null && readonly GIT_REL=$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')
|
||||||
|
readonly CVS_REL=$(tail -5 $0 | awk '/dirkw Exp/ { print $4" "$5" "$6}')
|
||||||
|
readonly CVS_REL_SHORT=$(tail -5 $0 | awk '/dirkw Exp/ { print $4 }')
|
||||||
|
|
||||||
# following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
|
# following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
|
||||||
# 0 means (normally) true here. Some of the variables are also accessible with a command line switch
|
# 0 means (normally) true here. Some of the variables are also accessible with a command line switch
|
||||||
|
|
||||||
|
@ -2721,7 +2725,7 @@ logjam() {
|
||||||
$OPENSSL s_client $STARTTLS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
$OPENSSL s_client $STARTTLS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
[ "$VERBERR" -eq 0 ] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
[ "$VERBERR" -eq 0 ] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
addtl_warning="$addtl_warning, precomputed primes not checked yet. \"$PROG_NAME -E\" spots candidates"
|
addtl_warning="$addtl_warning, precomputable primes not checked yet. \"$PROG_NAME -E\" spots candidates"
|
||||||
if [ $ret -eq 0 ]; then
|
if [ $ret -eq 0 ]; then
|
||||||
pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers"
|
pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers"
|
||||||
else
|
else
|
||||||
|
@ -3069,20 +3073,20 @@ EOF
|
||||||
|
|
||||||
|
|
||||||
mybanner() {
|
mybanner() {
|
||||||
me=$(basename "$0")
|
local nr_ciphers
|
||||||
osslver=$($OPENSSL version)
|
local idtag
|
||||||
osslpath=$(which $OPENSSL)
|
local bb
|
||||||
|
|
||||||
nr_ciphers=$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' | sed 's/:/ /g' | wc -w | sed 's/ //g')
|
nr_ciphers=$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' | sed 's/:/ /g' | wc -w | sed 's/ //g')
|
||||||
hn=$(hostname)
|
[ -z "$GIT_REL" ] && \
|
||||||
#poor man's ident (nowadays ident not neccessarily installed)
|
idtag="$CVS_REL" || \
|
||||||
idtag=$(grep -a '\$Id' $0 | grep -aw "[E]xp" | sed -e 's/^# //' -e 's/\$ $/\$/')
|
idtag="$GIT_REL -- $CVS_REL_SHORT"
|
||||||
which git &>/dev/null && idtag="$(git log --format='%h %ci' -1 2>/dev/null)"
|
|
||||||
[ "$COLOR" -ne 0 ] && idtag="\033[1;30m$idtag\033[m\033[1m"
|
[ "$COLOR" -ne 0 ] && idtag="\033[1;30m$idtag\033[m\033[1m"
|
||||||
bb=$(cat <<EOF
|
bb=$(cat <<EOF
|
||||||
|
|
||||||
#########################################################
|
#########################################################
|
||||||
$me v$VERSION ($SWURL)
|
$PROG_NAME $VERSION $SWURL
|
||||||
($idtag)
|
($idtag)
|
||||||
|
|
||||||
This program is free software. Redistribution +
|
This program is free software. Redistribution +
|
||||||
modification under GPLv2 is permitted.
|
modification under GPLv2 is permitted.
|
||||||
|
@ -3093,12 +3097,11 @@ $me v$VERSION ($SWURL)
|
||||||
#########################################################
|
#########################################################
|
||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
pr_bold "$bb"
|
pr_bold "$bb"
|
||||||
outln "\n"
|
outln "\n"
|
||||||
outln " Using \"$osslver\" [~$nr_ciphers ciphers] on
|
outln " Using \"$($OPENSSL version)\" [~$nr_ciphers ciphers] on"
|
||||||
$hn:$osslpath
|
outln " $(hostname):$(which $OPENSSL)"
|
||||||
(built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
|
outln " (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -3112,7 +3115,8 @@ maketempf() {
|
||||||
if [ $DEBUG -ne 0 ]; then
|
if [ $DEBUG -ne 0 ]; then
|
||||||
cat >$TEMPDIR/environment.txt << EOF
|
cat >$TEMPDIR/environment.txt << EOF
|
||||||
|
|
||||||
$idtag
|
CVS_REL: $CVS_REL
|
||||||
|
GIT_REL: $GIT_REL
|
||||||
|
|
||||||
PID: $$
|
PID: $$
|
||||||
bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
|
bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
|
||||||
|
@ -3325,7 +3329,7 @@ parse_hn_port() {
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
${do_mx_allentries} || initialize_engine
|
${do_mx_all_ips} || initialize_engine
|
||||||
outln
|
outln
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
|
@ -3340,32 +3344,34 @@ get_dns_entries() {
|
||||||
else
|
else
|
||||||
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
|
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
|
||||||
IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
|
IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
|
||||||
if which host &> /dev/null && [ -z "$IP4" ] ; then
|
if [ -z "$IP4" ]; then
|
||||||
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
if which host &> /dev/null && [ -z "$IP4" ] ; then
|
||||||
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
|
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
||||||
return 1
|
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ -z "$IP4" ] ; then
|
||||||
|
# MSYS2 has no host or getent, so we need nslookup
|
||||||
|
IP4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
||||||
|
[ -z "$IP4" ] && return 2
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# MSYS2 has no host or getent, so we do this
|
|
||||||
if [ -z "$IP4" ] ; then
|
|
||||||
IP4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
|
||||||
[ -z "$IP4" ] && return 2
|
|
||||||
fi
|
|
||||||
|
|
||||||
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
|
IP6=$(grep -w "$NODE" /etc/hosts | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
|
||||||
#which getent 2>&1 >/dev/null && IP6=$(getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq)
|
|
||||||
if [ -z "$IP6" ] ; then
|
if [ -z "$IP6" ] ; then
|
||||||
|
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
|
||||||
|
#which getent 2>&1 >/dev/null && IP6=$(getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq)
|
||||||
if host -t aaaa $NODE &>/dev/null ; then
|
if host -t aaaa $NODE &>/dev/null ; then
|
||||||
IP6=$(host -t aaaa $NODE | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //')
|
IP6=$(host -t aaaa $NODE | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //')
|
||||||
else
|
else
|
||||||
IP6=""
|
IP6=""
|
||||||
fi
|
fi
|
||||||
|
# MSYS2 has no host or getent, so we need nslookup
|
||||||
|
if [ -z "$IP6" ] ; then
|
||||||
|
IP6=$(nslookup -type=aaaa $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
# MSYS2 has no host or getent, so we do this
|
|
||||||
if [ -z "$IP6" ] ; then
|
|
||||||
IP6=$(nslookup -type=aaaa $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
|
||||||
fi
|
|
||||||
|
|
||||||
fi # test4iponly
|
fi # test4iponly
|
||||||
|
|
||||||
IPADDRs="$IP4"
|
IPADDRs="$IP4"
|
||||||
|
@ -3412,10 +3418,15 @@ datebanner() {
|
||||||
outln
|
outln
|
||||||
}
|
}
|
||||||
|
|
||||||
|
draw_dotted_line() {
|
||||||
|
printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
|
||||||
|
}
|
||||||
|
|
||||||
mx_allentries() {
|
|
||||||
|
mx_all_ips() {
|
||||||
local mxs mx
|
local mxs mx
|
||||||
local mxport
|
local mxport
|
||||||
|
local ret=0
|
||||||
|
|
||||||
if which host &> /dev/null; then
|
if which host &> /dev/null; then
|
||||||
mxs=$(host -t MX "$1" | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//')
|
mxs=$(host -t MX "$1" | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//')
|
||||||
|
@ -3448,10 +3459,6 @@ mx_allentries() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
draw_dotted_line() {
|
|
||||||
printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# This initializes boolean global do_* variables, meant primarily to keep track of what to do
|
# This initializes boolean global do_* variables, meant primarily to keep track of what to do
|
||||||
initialize_globals() {
|
initialize_globals() {
|
||||||
|
@ -3466,7 +3473,7 @@ initialize_globals() {
|
||||||
do_logjam=false
|
do_logjam=false
|
||||||
do_header=false
|
do_header=false
|
||||||
do_heartbleed=false
|
do_heartbleed=false
|
||||||
do_mx_allentries=false
|
do_mx_all_ips=false
|
||||||
do_pfs=false
|
do_pfs=false
|
||||||
do_protocols=false
|
do_protocols=false
|
||||||
do_rc4=false
|
do_rc4=false
|
||||||
|
@ -3510,7 +3517,7 @@ query_globals() {
|
||||||
local true_nr=0
|
local true_nr=0
|
||||||
|
|
||||||
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
||||||
do_freak do_logjam do_header do_heartbleed do_mx_allentries do_pfs do_protocols do_rc4 do_renego \
|
do_freak do_logjam do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
||||||
do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \
|
do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \
|
||||||
do_test_just_one do_tls_sockets; do
|
do_test_just_one do_tls_sockets; do
|
||||||
[ "${!gbl}" == "true" ] && let true_nr++
|
[ "${!gbl}" == "true" ] && let true_nr++
|
||||||
|
@ -3523,7 +3530,7 @@ debug_globals() {
|
||||||
local gbl
|
local gbl
|
||||||
|
|
||||||
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
||||||
do_freak do_logjam do_header do_heartbleed do_rc4 do_mx_allentries do_pfs do_protocols do_rc4 do_renego \
|
do_freak do_logjam do_header do_heartbleed do_rc4 do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
||||||
do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \
|
do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \
|
||||||
do_test_just_one do_tls_sockets; do
|
do_test_just_one do_tls_sockets; do
|
||||||
printf "%-22s = %s\n" $gbl "${!gbl}"
|
printf "%-22s = %s\n" $gbl "${!gbl}"
|
||||||
|
@ -3545,13 +3552,16 @@ startup() {
|
||||||
mybanner
|
mybanner
|
||||||
exit 0;;
|
exit 0;;
|
||||||
--mx)
|
--mx)
|
||||||
do_mx_allentries=true;;
|
do_mx_all_ips=true;;
|
||||||
--mx465) # doesn't work with major ISPs
|
--mx465) # doesn't work with major ISPs
|
||||||
do_mx_allentries=true
|
do_mx_all_ips=true
|
||||||
PORT=465 ;;
|
PORT=465 ;;
|
||||||
--mx587) # doesn't work with major ISPs
|
--mx587) # doesn't work with major ISPs
|
||||||
do_mx_allentries=true
|
do_mx_all_ips=true
|
||||||
PORT=587 ;;
|
PORT=587 ;;
|
||||||
|
--ip)
|
||||||
|
CMDLINE_IP=$2
|
||||||
|
shift ;;
|
||||||
-V|--local) # this is only displaying local, thus we don't put it in the loop
|
-V|--local) # this is only displaying local, thus we don't put it in the loop
|
||||||
find_openssl_binary
|
find_openssl_binary
|
||||||
mybanner
|
mybanner
|
||||||
|
@ -3758,12 +3768,12 @@ mybanner
|
||||||
openssl_age
|
openssl_age
|
||||||
maketempf
|
maketempf
|
||||||
|
|
||||||
if ${do_mx_allentries} ; then
|
if ${do_mx_all_ips} ; then
|
||||||
query_globals
|
query_globals
|
||||||
# if we have just one "do_*" set here --> query_globals: we do a standard run -- otherwise just the one specified
|
# if we have just one "do_*" set here --> query_globals: we do a standard run -- otherwise just the one specified
|
||||||
[ $? -eq 1 ] && set_scanning_defaults
|
[ $? -eq 1 ] && set_scanning_defaults
|
||||||
initialize_engine
|
initialize_engine
|
||||||
mx_allentries "${URI}" $PORT
|
mx_all_ips "${URI}" $PORT
|
||||||
ret=$?
|
ret=$?
|
||||||
else
|
else
|
||||||
parse_hn_port "${URI}" "${STARTTLS_PROTOCOL}"
|
parse_hn_port "${URI}" "${STARTTLS_PROTOCOL}"
|
||||||
|
@ -3773,6 +3783,6 @@ fi
|
||||||
|
|
||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.265 2015/05/29 12:12:21 dirkw Exp $
|
# $Id: testssl.sh,v 1.267 2015/05/31 12:40:11 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
||||||
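Review bot: The new `GIT_REL` global (`which git &>/dev/null && readonly GIT_REL=$(git log --format='%h %ci' -1 2>/dev/null | ...)`) runs `git log` in the caller's current working directory, not in the script's checkout, so when testssl.sh is invoked from elsewhere the banner and the DEBUG `environment.txt` record the head commit of whatever repository the user happens to be standing in, or nothing at all, while `CVS_REL` right below it is read from `$0`; the revision tag is what ties a report to the script that produced it, so both should come from the same place. `readonly RUN_DIR` is defined two lines above, so `readonly GIT_REL=$(cd "$RUN_DIR" 2>/dev/null && git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')` keeps the lookup bound to the script and stops git from being run against an arbitrary directory. In the same stretch `tail -5 $0` appears unquoted twice; `tail -5 "$0"` avoids word-splitting on a path containing whitespace. Separately, if `SWURL="http://dev.testssl.sh"` is the new side of the first hunk (the rendering does not make that explicit), a TLS checker advertising a plain-http URL in its banner is worth a second look.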
|
|