Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove ldap protocol early returns

Browse Source 
Partly revert bb5450e3f5
This commit is contained in:
Dirk Wetter
2022-01-31 10:36:51 +01:00
parent 9447c8c866
commit 4639e996db
1 changed files with 7 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
testssl.sh
View File

@@ -7512,7 +7512,7 @@ tls_time() {
pr_bold " TLS clock skew" ; out "$spaces" pr_bold " TLS clock skew" ; out "$spaces"
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
return 1 return 1
fi fi
@@ -7872,7 +7872,7 @@ get_server_certificate() {
success=$? success=$?
else else
# For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP) # For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
if [[ "$STARTTLS" =~ ldap ]] || [[ "$STARTTLS" =~ irc ]]; then if [[ "$STARTTLS" =~ irc ]]; then
return 1 return 1
elif [[ "$1" =~ tls1_3_RSA ]]; then elif [[ "$1" =~ tls1_3_RSA ]]; then
tls_sockets "04" "$TLS13_CIPHER" "all+" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01" tls_sockets "04" "$TLS13_CIPHER" "all+" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
@@ -15852,7 +15852,7 @@ run_heartbleed(){
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
pr_bold " Heartbleed"; out " ($cve) " pr_bold " Heartbleed"; out " ($cve) "
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
return 1 return 1
fi fi
@@ -15962,7 +15962,7 @@ run_ccs_injection(){
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
pr_bold " CCS"; out " ($cve) " pr_bold " CCS"; out " ($cve) "
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
return 1 return 1
fi fi
@@ -17653,7 +17653,7 @@ run_drown() {
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /} cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
fi fi
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
return 1 return 1
fi fi
@@ -18058,7 +18058,7 @@ run_winshock() {
outln outln
return 0 return 0
fi fi
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
return 1 return 1
fi fi
@@ -19039,7 +19039,7 @@ run_robot() {
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln
pr_bold " ROBOT " pr_bold " ROBOT "
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then if [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
return 1 return 1
fi fi
@@ -21400,7 +21400,6 @@ determine_sizelimitbug() {
# For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP) # For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
# Fixme: find out whether we can't skip this in general for STARTTLS # Fixme: find out whether we can't skip this in general for STARTTLS
[[ "$STARTTLS" =~ ldap ]] && return 0
[[ "$STARTTLS" =~ irc ]] && return 0 [[ "$STARTTLS" =~ irc ]] && return 0
# Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practice. Thus # Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practice. Thus