Merge branch 'client_sim_sockets' of https://github.com/dcooper16/testssl.sh into client_sim_sockets
commit
4aba0b90bf
212
testssl.sh
212
testssl.sh
@ -109,9 +109,13 @@ else
|
|||||||
readonly REL_DATE=$(tail -5 "$0" | awk '/dirkw Exp/ { print $5 }')
|
readonly REL_DATE=$(tail -5 "$0" | awk '/dirkw Exp/ { print $5 }')
|
||||||
fi
|
fi
|
||||||
readonly SYSTEM=$(uname -s)
|
readonly SYSTEM=$(uname -s)
|
||||||
date --help >/dev/null 2>&1 && \
|
date -d @735275209 >/dev/null 2>&1 && \
|
||||||
readonly HAS_GNUDATE=true || \
|
readonly HAS_GNUDATE=true || \
|
||||||
readonly HAS_GNUDATE=false
|
readonly HAS_GNUDATE=false
|
||||||
|
# FreeBSD and OS X date(1) accept "-f inputformat"
|
||||||
|
date -j -f '%s' 1234567 >/dev/null 2>&1 && \
|
||||||
|
readonly HAS_FREEBSDDATE=true || \
|
||||||
|
readonly HAS_FREEBSDDATE=false
|
||||||
echo A | sed -E 's/A//' >/dev/null 2>&1 && \
|
echo A | sed -E 's/A//' >/dev/null 2>&1 && \
|
||||||
readonly HAS_SED_E=true || \
|
readonly HAS_SED_E=true || \
|
||||||
readonly HAS_SED_E=false
|
readonly HAS_SED_E=false
|
||||||
@ -121,9 +125,9 @@ tty -s && \
|
|||||||
readonly INTERACTIVE=false
|
readonly INTERACTIVE=false
|
||||||
|
|
||||||
if ! tput cols &>/dev/null || ! $INTERACTIVE; then # Prevent tput errors if running non interactive
|
if ! tput cols &>/dev/null || ! $INTERACTIVE; then # Prevent tput errors if running non interactive
|
||||||
TERM_DWITH=${COLUMNS:-80}
|
TERM_WIDTH=${COLUMNS:-80}
|
||||||
else
|
else
|
||||||
TERM_DWITH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes
|
TERM_WIDTH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes
|
||||||
fi
|
fi
|
||||||
TERM_CURRPOS=0 # custom line wrapping needs alter the current horizontal cursor pos
|
TERM_CURRPOS=0 # custom line wrapping needs alter the current horizontal cursor pos
|
||||||
|
|
||||||
@ -149,6 +153,7 @@ WIDE=${WIDE:-false} # whether to display for some options th
|
|||||||
LOGFILE=${LOGFILE:-""} # logfile if used
|
LOGFILE=${LOGFILE:-""} # logfile if used
|
||||||
JSONFILE=${JSONFILE:-""} # jsonfile if used
|
JSONFILE=${JSONFILE:-""} # jsonfile if used
|
||||||
CSVFILE=${CSVFILE:-""} # csvfile if used
|
CSVFILE=${CSVFILE:-""} # csvfile if used
|
||||||
|
APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it
|
||||||
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
||||||
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
|
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
|
||||||
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs)
|
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs)
|
||||||
@ -358,7 +363,7 @@ pr_svrty_criticalln(){ pr_svrty_critical "$1"; outln; }
|
|||||||
|
|
||||||
|
|
||||||
# color=1 functions
|
# color=1 functions
|
||||||
pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m\c"; }
|
pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m"; }
|
||||||
pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; }
|
pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; }
|
||||||
pr_boldln() { pr_bold "$1" ; outln; }
|
pr_boldln() { pr_bold "$1" ; outln; }
|
||||||
pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; }
|
pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; }
|
||||||
@ -454,21 +459,29 @@ strip_quote() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
fileout_header() {
|
fileout_header() {
|
||||||
"$do_json" && printf "[\n" > "$JSONFILE"
|
if "$APPEND"; then
|
||||||
"$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE"
|
if [[ -f "$JSONFILE" ]]; then
|
||||||
|
FIRST_FINDING=false # We need to insert a comma, because there is file content already
|
||||||
|
else
|
||||||
|
"$do_json" && printf "[\n" > "$JSONFILE"
|
||||||
|
fi
|
||||||
|
"$do_csv" && [[ ! -f "CSVFILE" ]] && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE"
|
||||||
|
else
|
||||||
|
"$do_json" && printf "[\n" > "$JSONFILE"
|
||||||
|
"$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_footer() {
|
fileout_footer() {
|
||||||
"$do_json" && printf "]\n" >> "$JSONFILE"
|
"$do_json" && [[ -f "$JSONFILE" ]] && printf "]\n" >> "$JSONFILE"
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout() { # ID, SEVERITY, FINDING
|
fileout() { # ID, SEVERITY, FINDING
|
||||||
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
|
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
|
||||||
|
|
||||||
if "$do_json"; then
|
if "$do_json"; then
|
||||||
"$FIRST_FINDING" || echo "," >> $JSONFILE
|
"$FIRST_FINDING" || echo -n "," >> $JSONFILE
|
||||||
echo -e "
|
echo -e " {
|
||||||
{
|
|
||||||
\"id\" : \"$1\",
|
\"id\" : \"$1\",
|
||||||
\"ip\" : \"$NODE/$NODEIP\",
|
\"ip\" : \"$NODE/$NODEIP\",
|
||||||
\"port\" : \"$PORT\",
|
\"port\" : \"$PORT\",
|
||||||
@ -610,6 +623,20 @@ wait_kill(){
|
|||||||
return 3 # means killed
|
return 3 # means killed
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# parse_date date format input-format
|
||||||
|
if "$HAS_GNUDATE"; then # Linux and NetBSD
|
||||||
|
parse_date() {
|
||||||
|
LC_ALL=C date -d "$1" "$2"
|
||||||
|
}
|
||||||
|
elif "$HAS_FREEBSDDATE"; then # FreeBSD and OS X
|
||||||
|
parse_date() {
|
||||||
|
LC_ALL=C date -j -f "$3" "$2" "$1"
|
||||||
|
}
|
||||||
|
else
|
||||||
|
parse_date() {
|
||||||
|
LC_ALL=C date -j "$2" "$1"
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
###### check code starts here ######
|
###### check code starts here ######
|
||||||
|
|
||||||
@ -831,11 +858,7 @@ run_http_date() {
|
|||||||
out "not tested as we're not targeting HTTP"
|
out "not tested as we're not targeting HTTP"
|
||||||
else
|
else
|
||||||
if [[ -n "$HTTP_TIME" ]]; then
|
if [[ -n "$HTTP_TIME" ]]; then
|
||||||
if "$HAS_GNUDATE"; then
|
HTTP_TIME=$(parse_date "$HTTP_TIME" "+%s" "%a, %d %b %Y %T %Z" 2>>$ERRFILE) # the trailing \r confuses BSD flavors otherwise
|
||||||
HTTP_TIME=$(date --date="$HTTP_TIME" "+%s")
|
|
||||||
else
|
|
||||||
HTTP_TIME=$(LC_ALL=C date -j -f "%a, %d %b %Y %T %Z" "$HTTP_TIME" "+%s" 2>>$ERRFILE) # the trailing \r confuses BSD flavors otherwise
|
|
||||||
fi
|
|
||||||
|
|
||||||
difftime=$((HTTP_TIME - $NOW_TIME))
|
difftime=$((HTTP_TIME - $NOW_TIME))
|
||||||
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
||||||
@ -856,19 +879,19 @@ run_http_date() {
|
|||||||
includeSubDomains() {
|
includeSubDomains() {
|
||||||
if grep -aiqw includeSubDomains "$1"; then
|
if grep -aiqw includeSubDomains "$1"; then
|
||||||
pr_done_good ", includeSubDomains"
|
pr_done_good ", includeSubDomains"
|
||||||
return 1
|
return 0
|
||||||
else
|
else
|
||||||
pr_litecyan ", just this domain"
|
pr_litecyan ", just this domain"
|
||||||
return 0
|
return 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
preload() {
|
preload() {
|
||||||
if grep -aiqw preload "$1"; then
|
if grep -aiqw preload "$1"; then
|
||||||
pr_done_good ", preload"
|
pr_done_good ", preload"
|
||||||
return 1
|
|
||||||
else
|
|
||||||
return 0
|
return 0
|
||||||
|
else
|
||||||
|
return 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -886,9 +909,18 @@ run_hsts() {
|
|||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -waq "1" || out "(two HSTS header, using 1st one) "
|
grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -waq "1" || out "(two HSTS header, using 1st one) "
|
||||||
hsts_age_sec=$(sed -e 's/[^0-9]*//g' $TMPFILE | head -1)
|
hsts_age_sec=$(sed -e 's/[^0-9]*//g' $TMPFILE | head -1)
|
||||||
#FIXME: test for number!
|
if [[ -n $hsts_age_sec ]]; then
|
||||||
hsts_age_days=$(( hsts_age_sec / 86400))
|
hsts_age_days=$(( hsts_age_sec / 86400))
|
||||||
if [[ $hsts_age_days -gt $HSTS_MIN ]]; then
|
else
|
||||||
|
hsts_age_days=-1
|
||||||
|
fi
|
||||||
|
if [[ $hsts_age_days -eq -1 ]]; then
|
||||||
|
pr_svrty_medium "HSTS max-age is required but missing. Setting 15552000 s (180 days) or more is recommended"
|
||||||
|
fileout "hsts_time" "MEDIUM" "HSTS max-age missing. 15552000 s (180 days) or more recommnded"
|
||||||
|
elif [[ $hsts_age_days -eq 0 ]]; then
|
||||||
|
pr_svrty_medium "HSTS max-age is set to 0. HSTS is disabled"
|
||||||
|
fileout "hsts_time" "MEDIUM" "HSTS max-age set to 0. HSTS is disabled"
|
||||||
|
elif [[ $hsts_age_days -gt $HSTS_MIN ]]; then
|
||||||
pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
|
pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
|
||||||
fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days"
|
fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days"
|
||||||
else
|
else
|
||||||
@ -1967,6 +1999,13 @@ run_client_simulation() {
|
|||||||
local handshakebytes=()
|
local handshakebytes=()
|
||||||
local lowest_protocol=()
|
local lowest_protocol=()
|
||||||
local highest_protocol=()
|
local highest_protocol=()
|
||||||
|
local service=()
|
||||||
|
local minDhBits=()
|
||||||
|
local maxDhBits=()
|
||||||
|
local minRsaBits=()
|
||||||
|
local maxRsaBits=()
|
||||||
|
local minEcdsaBits=()
|
||||||
|
local requiresSha2=()
|
||||||
local i=0
|
local i=0
|
||||||
local name tls proto cipher
|
local name tls proto cipher
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
@ -1982,7 +2021,6 @@ run_client_simulation() {
|
|||||||
|
|
||||||
# Get handshakes from external file
|
# Get handshakes from external file
|
||||||
. "client-simulation-data.sh"
|
. "client-simulation-data.sh"
|
||||||
# FIXME: At a certain time we should put the following to an external file
|
|
||||||
|
|
||||||
outln
|
outln
|
||||||
pr_headlineln " Running browser simulations (experimental) "
|
pr_headlineln " Running browser simulations (experimental) "
|
||||||
@ -2014,8 +2052,9 @@ run_client_simulation() {
|
|||||||
else
|
else
|
||||||
#FIXME: awk
|
#FIXME: awk
|
||||||
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
||||||
if [[ "$proto" == TLSv1.2 || "$proto" == TLSv1 ]] && ( ! $using_sockets || [[ -z "${handshakebytes[i]}" ]] ); then
|
[[ "$proto" == TLSv1 ]] && proto="TLSv1.0"
|
||||||
# OpenSSL reports TLS1.2/TLSv1 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
|
if [[ "$proto" == TLSv1.2 ]] && ( ! $using_sockets || [[ -z "${handshakebytes[i]}" ]] ); then
|
||||||
|
# OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
|
||||||
for tls in ${tlsvers[i]}; do
|
for tls in ${tlsvers[i]}; do
|
||||||
$OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
|
$OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
|
||||||
debugme echo "$OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
|
debugme echo "$OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
|
||||||
@ -2041,7 +2080,7 @@ run_client_simulation() {
|
|||||||
fi
|
fi
|
||||||
#FiXME: awk
|
#FiXME: awk
|
||||||
cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://')
|
cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://')
|
||||||
$using_sockets && [[ -n "${handshakebytes[i]}" ]] && cipher="$(rfc2openssl "$cipher")"
|
$using_sockets && [[ -n "${handshakebytes[i]}" ]] && [[ -n "$MAPPING_FILE_RFC" ]] && cipher="$(rfc2openssl "$cipher")"
|
||||||
outln "$proto $cipher"
|
outln "$proto $cipher"
|
||||||
if [[ -n "${warning[i]}" ]]; then
|
if [[ -n "${warning[i]}" ]]; then
|
||||||
out " "
|
out " "
|
||||||
@ -3381,15 +3420,9 @@ certificate_info() {
|
|||||||
|
|
||||||
out "$indent"; pr_bold " Certificate Expiration "
|
out "$indent"; pr_bold " Certificate Expiration "
|
||||||
|
|
||||||
if "$HAS_GNUDATE"; then
|
enddate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z" "%b %d %T %Y %Z")
|
||||||
enddate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z")
|
startdate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M" "%b %d %T %Y %Z")
|
||||||
startdate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M")
|
days2expire=$(( $(parse_date "$enddate" "+%s" "%F %H:%M %z") - $(LC_ALL=C date "+%s") )) # in seconds
|
||||||
days2expire=$(( $(date --date="$enddate" "+%s") - $(date "+%s") )) # in seconds
|
|
||||||
else
|
|
||||||
enddate=$(LC_ALL=C date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z")
|
|
||||||
startdate=$(LC_ALL=C date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M")
|
|
||||||
LC_ALL=C days2expire=$(( $(date -j -f "%F %H:%M %z" "$enddate" "+%s") - $(date "+%s") )) # in seconds
|
|
||||||
fi
|
|
||||||
days2expire=$((days2expire / 3600 / 24 ))
|
days2expire=$((days2expire / 3600 / 24 ))
|
||||||
|
|
||||||
if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then # we take the half of the thresholds for LE certificates
|
if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then # we take the half of the thresholds for LE certificates
|
||||||
@ -4351,10 +4384,14 @@ parse_tls_serverhello() {
|
|||||||
echo "Protocol : TLSv1.$((0x$tls_protocol2-0x0301))" >> $TMPFILE
|
echo "Protocol : TLSv1.$((0x$tls_protocol2-0x0301))" >> $TMPFILE
|
||||||
fi
|
fi
|
||||||
echo "===============================================================================" >> $TMPFILE
|
echo "===============================================================================" >> $TMPFILE
|
||||||
if [[ "${tls_cipher_suite:0:2}" == "00" ]]; then
|
if [[ -n "$MAPPING_FILE_RFC" ]]; then
|
||||||
echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:2:2}"))" >> $TMPFILE
|
if [[ "${tls_cipher_suite:0:2}" == "00" ]]; then
|
||||||
|
echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:2:2}"))" >> $TMPFILE
|
||||||
|
else
|
||||||
|
echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:0:4}"))" >> $TMPFILE
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:0:4}"))" >> $TMPFILE
|
echo "Cipher : $($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' | grep -i " 0x${tls_cipher_suite:0:2},0x${tls_cipher_suite:2:2} " | awk '{ print $3 }')" >> $TMPFILE
|
||||||
fi
|
fi
|
||||||
echo "===============================================================================" >> $TMPFILE
|
echo "===============================================================================" >> $TMPFILE
|
||||||
|
|
||||||
@ -4365,11 +4402,7 @@ parse_tls_serverhello() {
|
|||||||
echo " tls_sid_len: 0x$tls_sid_len_hex / = $((tls_sid_len/2))"
|
echo " tls_sid_len: 0x$tls_sid_len_hex / = $((tls_sid_len/2))"
|
||||||
fi
|
fi
|
||||||
echo -n " tls_hello_time: 0x$tls_hello_time "
|
echo -n " tls_hello_time: 0x$tls_hello_time "
|
||||||
if "$HAS_GNUDATE"; then
|
parse_date "$TLS_TIME" "+%Y-%m-%d %r" "%s"
|
||||||
date --date="@$TLS_TIME" "+%Y-%m-%d %r"
|
|
||||||
else
|
|
||||||
LC_ALL=C date -j -f %s "$TLS_TIME" "+%Y-%m-%d %r"
|
|
||||||
fi
|
|
||||||
echo " tls_cipher_suite: 0x$tls_cipher_suite"
|
echo " tls_cipher_suite: 0x$tls_cipher_suite"
|
||||||
echo -n " tls_compression_method: 0x$tls_compression_method "
|
echo -n " tls_compression_method: 0x$tls_compression_method "
|
||||||
case $tls_compression_method in
|
case $tls_compression_method in
|
||||||
@ -4726,7 +4759,7 @@ tls_sockets() {
|
|||||||
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
||||||
run_heartbleed(){
|
run_heartbleed(){
|
||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
||||||
pr_bold " Heartbleed\c"; out " (CVE-2014-0160) "
|
pr_bold " Heartbleed"; out " (CVE-2014-0160) "
|
||||||
|
|
||||||
[[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions
|
[[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions
|
||||||
if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then
|
if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then
|
||||||
@ -5140,7 +5173,7 @@ run_crime() {
|
|||||||
# $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE
|
# $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE
|
||||||
# if [[ $? -eq 0 ]]; then
|
# if [[ $? -eq 0 ]]; then
|
||||||
# echo
|
# echo
|
||||||
# pr_bold "CRIME Vulnerability, SPDY \c" ; outln "(CVE-2012-4929): \c"
|
# pr_bold "CRIME Vulnerability, SPDY " ; outln "(CVE-2012-4929): "
|
||||||
|
|
||||||
# STR=$(grep Compression $TMPFILE )
|
# STR=$(grep Compression $TMPFILE )
|
||||||
# if echo $STR | grep -q NONE >/dev/null; then
|
# if echo $STR | grep -q NONE >/dev/null; then
|
||||||
@ -5650,7 +5683,7 @@ run_lucky13() {
|
|||||||
# in a nutshell: don't offer CBC suites (again). MAC as a fix for padding oracles is not enough. Best: TLS v1.2+ AES GCM
|
# in a nutshell: don't offer CBC suites (again). MAC as a fix for padding oracles is not enough. Best: TLS v1.2+ AES GCM
|
||||||
echo "FIXME"
|
echo "FIXME"
|
||||||
fileout "lucky13" "WARN" "LUCKY13 (CVE-2013-0169) : No tested. Not implemented. #FIXME"
|
fileout "lucky13" "WARN" "LUCKY13 (CVE-2013-0169) : No tested. Not implemented. #FIXME"
|
||||||
return -1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -5969,11 +6002,12 @@ output options (can also be preset via environment variables):
|
|||||||
|
|
||||||
file output options (can also be preset via environment variables):
|
file output options (can also be preset via environment variables):
|
||||||
--log, --logging logs stdout to <NODE-YYYYMMDD-HHMM.log> in current working directory
|
--log, --logging logs stdout to <NODE-YYYYMMDD-HHMM.log> in current working directory
|
||||||
--logfile <file> logs stdout to <file/NODE-YYYYMMDD-HHMM.log> if file is a dir or to specified file
|
--logfile <logfile> logs stdout to <file/NODE-YYYYMMDD-HHMM.log> if file is a dir or to specified log file
|
||||||
--json additional output of findings to JSON file <NODE-YYYYMMDD-HHMM.json> in cwd (experimental)
|
--json additional output of findings to JSON file <NODE-YYYYMMDD-HHMM.json> in cwd
|
||||||
--jsonfile <file> additional output to JSON and output JSON to the specified file (experimental)
|
--jsonfile <jsonfile> additional output to JSON and output JSON to the specified file
|
||||||
--csv additional output of findings to CSV file <NODE-YYYYMMDD-HHMM.csv> in cwd (experimental)
|
--csv additional output of findings to CSV file <NODE-YYYYMMDD-HHMM.csv> in cwd
|
||||||
--csvfile <file> set output to CSV and output CSV to the specified file (experimental)
|
--csvfile <csvfile> set output to CSV and output CSV to the specified file
|
||||||
|
--append if <csvfile> or <jsonfile> exists rather append then overwrite
|
||||||
|
|
||||||
All options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>.
|
All options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>.
|
||||||
|
|
||||||
@ -6036,9 +6070,10 @@ MAPPING_FILE_RFC: $MAPPING_FILE_RFC
|
|||||||
CAPATH: $CAPATH
|
CAPATH: $CAPATH
|
||||||
COLOR: $COLOR
|
COLOR: $COLOR
|
||||||
COLORBLIND: $COLORBLIND
|
COLORBLIND: $COLORBLIND
|
||||||
TERM_DWITH: $TERM_DWITH
|
TERM_WIDTH: $TERM_WIDTH
|
||||||
INTERACTIVE: $INTERACTIVE
|
INTERACTIVE: $INTERACTIVE
|
||||||
HAS_GNUDATE: $HAS_GNUDATE
|
HAS_GNUDATE: $HAS_GNUDATE
|
||||||
|
HAS_FREEBSDDATE: $HAS_FREEBSDDATE
|
||||||
HAS_SED_E: $HAS_SED_E
|
HAS_SED_E: $HAS_SED_E
|
||||||
|
|
||||||
SHOW_EACH_C: $SHOW_EACH_C
|
SHOW_EACH_C: $SHOW_EACH_C
|
||||||
@ -6125,7 +6160,7 @@ cleanup () {
|
|||||||
[[ -d "$TEMPDIR" ]] && rm -rf "$TEMPDIR";
|
[[ -d "$TEMPDIR" ]] && rm -rf "$TEMPDIR";
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
fileout_footer
|
"$APPEND" || fileout_footer
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal() {
|
fatal() {
|
||||||
@ -6192,7 +6227,6 @@ ignore_no_or_lame() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# arg1: URI
|
# arg1: URI
|
||||||
# arg2: protocol
|
|
||||||
parse_hn_port() {
|
parse_hn_port() {
|
||||||
local tmp_port
|
local tmp_port
|
||||||
|
|
||||||
@ -6225,13 +6259,27 @@ parse_hn_port() {
|
|||||||
debugme echo $NODE:$PORT
|
debugme echo $NODE:$PORT
|
||||||
SNI="-servername $NODE"
|
SNI="-servername $NODE"
|
||||||
|
|
||||||
# now do logging if instructed
|
URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port
|
||||||
|
URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> /
|
||||||
|
[[ -z "$URL_PATH" ]] && URL_PATH="/"
|
||||||
|
debugme echo $URL_PATH
|
||||||
|
return 0 # NODE, URL_PATH, PORT is set now
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# now do logging if instructed
|
||||||
|
# arg1: for testing mx records name we put a name of logfile in here, otherwise we get strange file names
|
||||||
|
prepare_logging() {
|
||||||
|
local fname_prefix="$1"
|
||||||
|
|
||||||
|
[[ -z "$fname_prefix" ]] && fname_prefix="$NODE"
|
||||||
|
|
||||||
if "$do_logging"; then
|
if "$do_logging"; then
|
||||||
if [[ -z "$LOGFILE" ]]; then
|
if [[ -z "$LOGFILE" ]]; then
|
||||||
LOGFILE=$NODE-$(date +"%Y%m%d-%H%M".log)
|
LOGFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".log)
|
||||||
elif [[ -d "$LOGFILE" ]]; then
|
elif [[ -d "$LOGFILE" ]]; then
|
||||||
# actually we were instructed to place all files in a DIR instead of the current working dir
|
# actually we were instructed to place all files in a DIR instead of the current working dir
|
||||||
LOGFILE=$LOGFILE/$NODE-$(date +"%Y%m%d-%H%M".log)
|
LOGFILE=$LOGFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".log)
|
||||||
else
|
else
|
||||||
: # just for clarity: a log file was specified, no need to do anything else
|
: # just for clarity: a log file was specified, no need to do anything else
|
||||||
fi
|
fi
|
||||||
@ -6245,29 +6293,23 @@ parse_hn_port() {
|
|||||||
|
|
||||||
if "$do_json"; then
|
if "$do_json"; then
|
||||||
if [[ -z "$JSONFILE" ]]; then
|
if [[ -z "$JSONFILE" ]]; then
|
||||||
JSONFILE=$NODE-$(date +"%Y%m%d-%H%M".json)
|
JSONFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".json)
|
||||||
elif [[ -d "$JSONFILE" ]]; then
|
elif [[ -d "$JSONFILE" ]]; then
|
||||||
# actually we were instructed to place all files in a DIR instead of the current working dir
|
# actually we were instructed to place all files in a DIR instead of the current working dir
|
||||||
JSONFILE=$JSONFILE/$NODE-$(date +"%Y%m%d-%H%M".json)
|
JSONFILE=$JSONFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".json)
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if "$do_csv"; then
|
if "$do_csv"; then
|
||||||
if [[ -z "$CSVFILE" ]]; then
|
if [[ -z "$CSVFILE" ]]; then
|
||||||
CSVFILE=$NODE-$(date +"%Y%m%d-%H%M".csv)
|
CSVFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".csv)
|
||||||
elif [[ -d "$CSVFILE" ]]; then
|
elif [[ -d "$CSVFILE" ]]; then
|
||||||
# actually we were instructed to place all files in a DIR instead of the current working dir
|
# actually we were instructed to place all files in a DIR instead of the current working dir
|
||||||
CSVFILE=$CSVFILE/$NODE-$(date +"%Y%m%d-%H%M".csv)
|
CSVFILE=$CSVFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".csv)
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fileout_header # write out any CSV/JSON header line
|
fileout_header # write out any CSV/JSON header line
|
||||||
|
|
||||||
URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port
|
return 0
|
||||||
URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> /
|
|
||||||
[[ -z "$URL_PATH" ]] && URL_PATH="/"
|
|
||||||
debugme echo $URL_PATH
|
|
||||||
return 0 # NODE, URL_PATH, PORT is set now
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -6706,7 +6748,7 @@ draw_line() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
mx_all_ips() {
|
run_mx_all_ips() {
|
||||||
local mxs mx
|
local mxs mx
|
||||||
local mxport
|
local mxport
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
@ -6716,12 +6758,17 @@ mx_all_ips() {
|
|||||||
# test first higher priority servers
|
# test first higher priority servers
|
||||||
mxs=$(get_mx_record "$1" | sort -n | sed -e 's/^.* //' -e 's/\.$//' | tr '\n' ' ')
|
mxs=$(get_mx_record "$1" | sort -n | sed -e 's/^.* //' -e 's/\.$//' | tr '\n' ' ')
|
||||||
mxport=${2:-25}
|
mxport=${2:-25}
|
||||||
|
if [[ -n "$LOGFILE" ]]; then
|
||||||
|
prepare_logging
|
||||||
|
else
|
||||||
|
prepare_logging "mx-$1"
|
||||||
|
fi
|
||||||
if [[ -n "$mxs" ]] && [[ "$mxs" != ' ' ]]; then
|
if [[ -n "$mxs" ]] && [[ "$mxs" != ' ' ]]; then
|
||||||
[[ $mxport == "465" ]] && \
|
[[ $mxport == "465" ]] && \
|
||||||
STARTTLS_PROTOCOL="" # no starttls for Port 465, on all other ports we speak starttls
|
STARTTLS_PROTOCOL="" # no starttls for Port 465, on all other ports we speak starttls
|
||||||
pr_bold "Testing now all MX records (on port $mxport): "; outln "$mxs"
|
pr_bold "Testing now all MX records (on port $mxport): "; outln "$mxs"
|
||||||
for mx in $mxs; do
|
for mx in $mxs; do
|
||||||
draw_line "-" $((TERM_DWITH * 2 / 3))
|
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||||
outln
|
outln
|
||||||
parse_hn_port "$mx:$mxport"
|
parse_hn_port "$mx:$mxport"
|
||||||
determine_ip_addresses || continue
|
determine_ip_addresses || continue
|
||||||
@ -6737,7 +6784,7 @@ mx_all_ips() {
|
|||||||
fi
|
fi
|
||||||
ret=$(($? + ret))
|
ret=$(($? + ret))
|
||||||
done
|
done
|
||||||
draw_line "-" $((TERM_DWITH * 2 / 3))
|
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||||
outln
|
outln
|
||||||
pr_bold "Done testing now all MX records (on port $mxport): "; outln "$mxs"
|
pr_bold "Done testing now all MX records (on port $mxport): "; outln "$mxs"
|
||||||
else
|
else
|
||||||
@ -6746,6 +6793,7 @@ mx_all_ips() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
run_mass_testing_parallel() {
|
run_mass_testing_parallel() {
|
||||||
local cmdline=""
|
local cmdline=""
|
||||||
local global_cmdline=${CMDLINE%%--file*}
|
local global_cmdline=${CMDLINE%%--file*}
|
||||||
@ -6755,12 +6803,14 @@ run_mass_testing_parallel() {
|
|||||||
fi
|
fi
|
||||||
pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln
|
pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln
|
||||||
outln "(output is in ....\n)"
|
outln "(output is in ....\n)"
|
||||||
|
#FIXME: once this function is being called we need a handler which does the right thing
|
||||||
|
# ==> not overwrite
|
||||||
while read cmdline; do
|
while read cmdline; do
|
||||||
cmdline=$(filter_input "$cmdline")
|
cmdline=$(filter_input "$cmdline")
|
||||||
[[ -z "$cmdline" ]] && continue
|
[[ -z "$cmdline" ]] && continue
|
||||||
[[ "$cmdline" == "EOF" ]] && break
|
[[ "$cmdline" == "EOF" ]] && break
|
||||||
cmdline="$0 $global_cmdline --warnings=batch -q $cmdline"
|
cmdline="$0 $global_cmdline --warnings=batch -q $cmdline"
|
||||||
draw_line "=" $((TERM_DWITH / 2)); outln;
|
draw_line "=" $((TERM_WIDTH / 2)); outln;
|
||||||
determine_logfile
|
determine_logfile
|
||||||
outln "$cmdline"
|
outln "$cmdline"
|
||||||
$cmdline >$LOGFILE &
|
$cmdline >$LOGFILE &
|
||||||
@ -6779,15 +6829,17 @@ run_mass_testing() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
pr_reverse "====== Running in file batch mode with file=\"$FNAME\" ======"; outln "\n"
|
pr_reverse "====== Running in file batch mode with file=\"$FNAME\" ======"; outln "\n"
|
||||||
|
APPEND=false # Make sure we close out our files
|
||||||
while read cmdline; do
|
while read cmdline; do
|
||||||
cmdline=$(filter_input "$cmdline")
|
cmdline=$(filter_input "$cmdline")
|
||||||
[[ -z "$cmdline" ]] && continue
|
[[ -z "$cmdline" ]] && continue
|
||||||
[[ "$cmdline" == "EOF" ]] && break
|
[[ "$cmdline" == "EOF" ]] && break
|
||||||
cmdline="$0 $global_cmdline --warnings=batch -q $cmdline"
|
cmdline="$0 $global_cmdline --warnings=batch -q --append $cmdline"
|
||||||
draw_line "=" $((TERM_DWITH / 2)); outln;
|
draw_line "=" $((TERM_WIDTH / 2)); outln;
|
||||||
outln "$cmdline"
|
outln "$cmdline"
|
||||||
$cmdline
|
$cmdline
|
||||||
done < "${FNAME}"
|
done < "${FNAME}"
|
||||||
|
fileout_footer
|
||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -7160,6 +7212,9 @@ parse_cmd_line() {
|
|||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
do_csv=true
|
do_csv=true
|
||||||
;;
|
;;
|
||||||
|
--append)
|
||||||
|
APPEND=true
|
||||||
|
;;
|
||||||
--openssl|--openssl=*)
|
--openssl|--openssl=*)
|
||||||
OPENSSL=$(parse_opt_equal_sign "$1" "$2")
|
OPENSSL=$(parse_opt_equal_sign "$1" "$2")
|
||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
@ -7335,10 +7390,11 @@ fi
|
|||||||
if $do_mx_all_ips; then
|
if $do_mx_all_ips; then
|
||||||
query_globals # if we have just 1x "do_*" --> we do a standard run -- otherwise just the one specified
|
query_globals # if we have just 1x "do_*" --> we do a standard run -- otherwise just the one specified
|
||||||
[[ $? -eq 1 ]] && set_scanning_defaults
|
[[ $? -eq 1 ]] && set_scanning_defaults
|
||||||
mx_all_ips "${URI}" $PORT
|
run_mx_all_ips "${URI}" $PORT # we should reduce run_mx_all_ips to the stuff neccessary as ~15 lines later we have sililar code
|
||||||
ret=$?
|
ret=$?
|
||||||
else
|
else
|
||||||
parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now
|
parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now
|
||||||
|
prepare_logging
|
||||||
if ! determine_ip_addresses && [[ -z "$CMDLINE_IP" ]]; then
|
if ! determine_ip_addresses && [[ -z "$CMDLINE_IP" ]]; then
|
||||||
fatal "No IP address could be determined"
|
fatal "No IP address could be determined"
|
||||||
fi
|
fi
|
||||||
@ -7352,13 +7408,13 @@ else
|
|||||||
if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check
|
if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check
|
||||||
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
||||||
for ip in $IPADDRs; do
|
for ip in $IPADDRs; do
|
||||||
draw_line "-" $((TERM_DWITH * 2 / 3))
|
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||||
outln
|
outln
|
||||||
NODEIP="$ip"
|
NODEIP="$ip"
|
||||||
lets_roll "${STARTTLS_PROTOCOL}"
|
lets_roll "${STARTTLS_PROTOCOL}"
|
||||||
ret=$(($? + ret))
|
ret=$(($? + ret))
|
||||||
done
|
done
|
||||||
draw_line "-" $((TERM_DWITH * 2 / 3))
|
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||||
outln
|
outln
|
||||||
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
|
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
|
||||||
else # we need just one ip4v to check
|
else # we need just one ip4v to check
|
||||||
@ -7372,4 +7428,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.502 2016/06/15 19:31:09 dirkw Exp $
|
# $Id: testssl.sh,v 1.507 2016/06/24 17:00:58 dirkw Exp $
|
||||||
|
@ -13,7 +13,7 @@ sleep 3
|
|||||||
STDOPTIONS="--prefix=/usr/ --openssldir=/etc/ssl -DOPENSSL_USE_BUILD_DATE enable-zlib \
|
STDOPTIONS="--prefix=/usr/ --openssldir=/etc/ssl -DOPENSSL_USE_BUILD_DATE enable-zlib \
|
||||||
enable-ssl2 enable-ssl3 enable-ssl-trace enable-rc5 enable-rc2 \
|
enable-ssl2 enable-ssl3 enable-ssl-trace enable-rc5 enable-rc2 \
|
||||||
enable-gost enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
enable-gost enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
||||||
enable-seed enable-camellia enable-idea enable-rfc3779 experimental-jpake -DTEMP_GOST_TLS"
|
enable-seed enable-camellia enable-idea enable-rfc3779 experimental-jpake"
|
||||||
|
|
||||||
clean() {
|
clean() {
|
||||||
case $NOCLEAN in
|
case $NOCLEAN in
|
||||||
@ -42,49 +42,77 @@ makeall() {
|
|||||||
|
|
||||||
copyfiles() {
|
copyfiles() {
|
||||||
echo; apps/openssl version -a; echo
|
echo; apps/openssl version -a; echo
|
||||||
cp -p apps/openssl ../openssl.$(uname).$(uname -m).$1
|
if grep static <<< "$1"; then
|
||||||
echo
|
cp -p apps/openssl ../openssl.$(uname).$(uname -m)
|
||||||
|
else
|
||||||
|
cp -p apps/openssl ../openssl.$(uname).$(uname -m).krb5
|
||||||
|
fi
|
||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
case $(uname -m) in
|
testv6_patch() {
|
||||||
"i686") clean
|
if grep -q 'ending bracket for IPv6' apps/s_socket.c; then
|
||||||
if [[ "$1" = krb ]]; then
|
STDOPTIONS="$STDOPTIONS -DOPENSSL_USE_IPV6"
|
||||||
name2add=krb
|
else
|
||||||
./config $STDOPTIONS no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT
|
|
||||||
else
|
|
||||||
name2add=static
|
|
||||||
./config $STDOPTIONS no-ec_nistp_64_gcc_128 -static
|
|
||||||
fi
|
|
||||||
[ $? -ne 0 ] && error "configuring"
|
|
||||||
makeall && copyfiles "$name2add"
|
|
||||||
[ $? -ne 0 ] && error "copying files"
|
|
||||||
apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l
|
|
||||||
echo
|
echo
|
||||||
echo "------------ all ok ------------"
|
echo "no IPv6 patch (Fedora) detected!! -- Press ^C and dl & apply from"
|
||||||
|
echo "https://github.com/drwetter/testssl.sh/blob/master/bin/fedora-dirk-ipv6.diff"
|
||||||
|
echo "or press any key to ignore"
|
||||||
echo
|
echo
|
||||||
|
read a
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
testv6_patch
|
||||||
|
|
||||||
|
|
||||||
|
case $(uname) in
|
||||||
|
Linux|FreeBSD)
|
||||||
|
case $(uname -m) in
|
||||||
|
"i686") clean
|
||||||
|
if [[ "$1" = krb ]]; then
|
||||||
|
name2add=krb
|
||||||
|
./config $STDOPTIONS no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT
|
||||||
|
else
|
||||||
|
name2add=static
|
||||||
|
./config $STDOPTIONS no-ec_nistp_64_gcc_128 -static
|
||||||
|
fi
|
||||||
|
[ $? -ne 0 ] && error "configuring"
|
||||||
|
makeall && copyfiles "$name2add"
|
||||||
|
[ $? -ne 0 ] && error "copying files"
|
||||||
|
apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l
|
||||||
|
echo
|
||||||
|
echo "------------ all ok ------------"
|
||||||
|
echo
|
||||||
|
;;
|
||||||
|
"x86_64") clean
|
||||||
|
if [[ "$1" = krb ]]; then
|
||||||
|
name2add=krb
|
||||||
|
./config $STDOPTIONS enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT
|
||||||
|
else
|
||||||
|
name2add=static
|
||||||
|
./config $STDOPTIONS enable-ec_nistp_64_gcc_128 -static
|
||||||
|
fi
|
||||||
|
[ $? -ne 0 ] && error "configuring"
|
||||||
|
makeall && copyfiles "$name2add"
|
||||||
|
[ $? -ne 0 ] && error "copying files"
|
||||||
|
apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l
|
||||||
|
echo
|
||||||
|
echo "------------ all ok ------------"
|
||||||
|
echo
|
||||||
|
;;
|
||||||
|
*) echo " Sorry, don't know this architecture $(uname -m)"
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
;;
|
;;
|
||||||
"x86_64") clean
|
Darwin)
|
||||||
if [[ "$1" = krb ]]; then
|
|
||||||
name2add=krb
|
|
||||||
./config $STDOPTIONS enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT
|
|
||||||
else
|
|
||||||
name2add=static
|
|
||||||
./config $STDOPTIONS enable-ec_nistp_64_gcc_128 -static
|
|
||||||
fi
|
|
||||||
[ $? -ne 0 ] && error "configuring"
|
|
||||||
makeall && copyfiles "$name2add"
|
|
||||||
[ $? -ne 0 ] && error "copying files"
|
|
||||||
apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l
|
|
||||||
echo
|
|
||||||
echo "------------ all ok ------------"
|
|
||||||
echo
|
|
||||||
;;
|
|
||||||
*) echo " Sorry, don't know this architecture $(uname -m)"
|
|
||||||
exit 1
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
|
||||||
# vim:tw=90:ts=5:sw=5
|
# vim:tw=90:ts=5:sw=5
|
||||||
# $Id: make-openssl.sh,v 1.14 2015/07/20 19:40:54 dirkw Exp $
|
# $Id: make-openssl.sh,v 1.14 2015/07/20 19:40:54 dirkw Exp $
|
||||||
|
|
||||||
|
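Review bot: The `Darwin)` arm of the new outer `case $(uname)` is empty (nothing between `Darwin)` and its `;;`) and there is no `*)` arm, so on macOS or any other OS the script runs `testv6_patch`, falls through the `esac` and ends with status 0 without having configured or built anything. Both cases should fail loudly the way the inner architecture default already does: `Darwin) echo "Sorry, Darwin builds are not handled yet" >&2; exit 1 ;;` and `*) echo "Sorry, don't know this OS $(uname)" >&2; exit 1 ;;`. In `copyfiles`, `if grep static <<< "$1"; then` prints the matched word to stdout on every static build; `if grep -q static <<< "$1"; then` (or `[[ "$1" == *static* ]]`) keeps the test silent. Since this build deliberately turns on SSLv2/SSLv3, RC2/RC5, MD2 and similar legacy options, a comment above `STDOPTIONS` such as `# intentionally enables obsolete protocols/ciphers: this openssl is the test client for testssl.sh, not for production use` would stop the next maintainer from "fixing" it.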