diff --git a/testssl.sh b/testssl.sh
index 23ece10..fc74e03 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -276,6 +276,7 @@ HAS_FALLBACK_SCSV=false
 HAS_PROXY=false
 HAS_XMPP=false
 HAS_POSTGRES=false
+HAS_MYSQL=false
 PORT=443 # unless otherwise auto-determined, see below
 NODE=""
 NODEIP=""
@@ -7012,6 +7013,15 @@ starttls_postgres_dialog() {
 return $ret
 }
+starttls_mysql_dialog() {
+ debugme echo "=== starting mysql STARTTLS dialog ==="
+
+ debugme echo "mysql socket dialog not yet implemented"
+
+ debugme echo "=== finished mysql STARTTLS dialog with ${ret} ==="
+ return $ret
+}
+
 # arg for a fd doesn't work here
 fd_socket() {
 local jabber=""
@@ -7093,6 +7103,9 @@ EOF
 postgres) # Postgres SQL, see http://www.postgresql.org/docs/devel/static/protocol-message-formats.html
 starttls_postgres_dialog
 ;;
+ mysql) # MySQL, see https://dev.mysql.com/doc/internals/en/x-protocol-lifecycle-lifecycle.html#x-protocol-lifecycle-tls-extension
+ starttls_mysql_dialog
+ ;;
 *) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
 fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not yet supported" -4
 esac
@@ -11061,6 +11074,9 @@ find_openssl_binary() {
 grep -q 'postgres' $s_client_starttls_has && \
 HAS_POSTGRES=true
+ grep -q 'mysql' $s_client_starttls_has && \
+ HAS_MYSQL=true
+
 if [[ "$OPENSSL_TIMEOUT" != "" ]]; then
 if which timeout >&2 2>/dev/null ; then
 # there are different "timeout". Check whether --preserve-status is supported
@@ -11145,7 +11161,7 @@ help() {
 "$PROG_NAME [options] ", where [options] is: -t, --starttls Does a default run against a STARTTLS enabled (latter three require supplied openssl) + protocol is (latter 4 require supplied openssl) --xmpphost For STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed --mx Tests MX records from high to low priority (STARTTLS, port 25) --file Mass testing option: Reads command lines from , one line per instance. 
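Review bot: `starttls_mysql_dialog` never assigns `ret`, so `return $ret` expands to a bare `return` and the function's status is whatever the last `debugme echo` happened to leave behind; from the hunk alone a reviewer cannot tell whether that is 0. Together with the new `mysql)` arm in the fd_socket case statement (third hunk of this file), the socket path no longer reaches the `*)` arm whose own comment says an unimplemented STARTTLS protocol must be fatal because the still-plaintext socket would otherwise be treated as TLS and produce false results; the no-op stub silently switches that guard off for mysql. Until the handshake is actually implemented, either leave `mysql` out of the fd_socket case or make the stub fail closed, e.g. as its first line `local ret=1  # not implemented yet: fail closed so callers never treat the plaintext socket as a TLS socket`. How fd_socket's callers (outside this hunk) consume the dialog's return value should be checked before relying on that status.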
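Review bot: The URL in the new `mysql)` arm documents the X Protocol (Mysqlx, port 33060) TLS capability, which is a different wire protocol from the classic MySQL client protocol that `openssl s_client -starttls mysql` speaks and that the `HAS_MYSQL` detection elsewhere in this patch relies on; if the socket dialog is meant to mirror the openssl path, the classic handshake (server greeting followed by the client's SSL request packet) is the relevant specification and the comment should point there instead. Suggested wording: `mysql) # MySQL classic client protocol: read the server greeting, then send the SSL request packet (Client/Server Protocol chapter of the internals manual); the X Protocol on 33060 uses a different TLS capability exchange`. The case statement and fd_socket continue outside the hunk, so the surrounding dispatch is not visible here.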
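Review bot: The reworded help line mixes a numeral into text that otherwise spells numbers out ("latter three" became "latter 4"), and the count is a value readers must cross-check against the protocol list on the same line each time a protocol is added. Either keep the house style, `protocol is <protocol list> (latter four require supplied openssl)`, or name the entries that need the supplied openssl so the sentence cannot go stale (from the list in the `determine_service` hunk these appear to be the last four, telnet, ldap, postgres and mysql). The surrounding heredoc of `help()` continues outside the hunk.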
@@ -11288,6 +11304,7 @@ HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
 HAS_PROXY: $HAS_PROXY
 HAS_XMPP: $HAS_XMPP
 HAS_POSTGRES: $HAS_POSTGRES
+HAS_MYSQL: $HAS_MYSQL
 PATH: $PATH
 PROG_NAME: $PROG_NAME
@@ -12057,7 +12074,7 @@ determine_optimal_proto() {
 }
-# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap, postgres (maybe with trailing s)
+# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap, postgres, mysql (maybe with trailing s)
 determine_service() {
 local ua
 local protocol
@@ -12088,7 +12105,7 @@ determine_service() {
 protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
 fi
 case "$protocol" in
- ftp|smtp|pop3|imap|xmpp|telnet|ldap|postgres)
+ ftp|smtp|pop3|imap|xmpp|telnet|ldap|postgres|mysql)
 STARTTLS="-starttls $protocol"
 SNI=""
 if [[ "$protocol" == xmpp ]]; then
@@ -12108,6 +12125,12 @@ determine_service() {
 fatal "Your $OPENSSL does not support the \"-starttls postgres\" option" -5
 fi
 fi
+ if [[ "$protocol" == mysql ]]; then
+ # Check if openssl version supports mysql.
+ if ! "$HAS_MYSQL"; then
+ fatal "Your $OPENSSL does not support the \"-starttls mysql\" option" -5
+ fi
+ fi
 $OPENSSL s_client -connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS 2>$ERRFILE >$TMPFILE &2 help 1 ;;