From 4cb8cf2ff49ad72dffbbb3ea4d4817fbc6521a12 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Wed, 27 May 2015 14:28:18 +0200
Subject: [PATCH] - first candidate for logjam (missing the precomuted primes though) - 1024 DH is now brown instead of red, 768 will be red, 512 bold red - dumped calls to ok() - further cosmetic stuff
---
 testssl.sh | 96 +++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 67 insertions(+), 29 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index b37d846..03a9cb6 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -834,24 +834,17 @@ std_cipherlists() {
 [[ $DEBUG -ge 2 ]] && cat $TMPFILE
 case $3 in
 0) # ok to offer
- if [[ $ret -eq 0 ]]; then # was offered
- ok 1 0 # pr_green
- else
- ok 0 0 # black
- fi ;;
+ [[ $ret -eq 0 ]] && \
+ pr_greenln "offered (OK)" || \
+ pr_boldln "not offered" ;;
 2) # not really bad
- if [[ $ret -eq 0 ]]; then
- ok 2 0 # offered in normal
- else
- ok 0 1 # not offered also in normal
- fi;;
+ [[ $ret -eq 0 ]] && \
+ outln "offered" || \
+ pr_greenln "not offered (OK)" ;;
 *) # the ugly rest
- if [[ $ret -eq 0 ]]; then
- ok 1 1 # was offered! --> pr_red
- else
- #ok 0 0 # was not offered, that's ok
- ok 0 1 # was not offered --> pr_green
- fi ;;
+ [[ $ret -eq 0 ]] && \
+ pr_redln "offered (NOT ok)" || \
+ pr_greenln "not offered (OK)" ;;
 esac
 tmpfile_handle $FUNCNAME.txt
 else
@@ -1127,7 +1120,7 @@ runprotocols() {
 case $? in
 0) pr_literedln "offered (NOT ok)" ;;
 1) pr_greenln "not offered (OK)" ;;
- 2) ok 0 1 ;; #FIXME: downgraded. still missing a testcase here
+ 2) pr_magentaln "#FIXME: downgraded. still missing a testcase here" ;;
 5) pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)" ;; # protocol ok, but no cipher
 7) ;; # no local support
 esac
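Review bot: The three `[[ $ret -eq 0 ]] && … || …` chains in the `case $3` arms of std_cipherlists() are not equivalent to the if/else blocks they replace, because in `A && B || C` the last command also runs whenever B returns non-zero. The print helpers are defined outside this hunk, so their exit status is unverified; if `pr_redln`, `outln` or `pr_greenln` ever ends on a failing command, one cipher list would be reported as both "offered (NOT ok)" and "not offered (OK)". Keeping the explicit form removes that dependency, e.g. `if [[ $ret -eq 0 ]]; then pr_redln "offered (NOT ok)"; else pr_greenln "not offered (OK)"; fi ;;`. The function starts and ends outside the hunk.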
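Review bot: The new `2)` arm in the first runprotocols() hunk prints the developer marker `#FIXME:` as part of the scan result and no longer says whether the protocol counts as offered. Judging by the comments on the removed lines in std_cipherlists(), the replaced `ok 0 1` rendered this case as "not offered" in green, so the reported verdict changes here without a stated result. The same applies to the `2)` arm added in the following runprotocols() hunk (-1141/+1134), which shows "still missing a testcase here" to the user. A wording that reports an inconclusive result and keeps the marker in a comment would read better, e.g. `2) pr_magentaln "downgraded (result inconclusive)" ;; #FIXME: still missing a testcase here`.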
@@ -1141,7 +1134,7 @@ runprotocols() {
 case $? in
 0) outln "offered" ;; # no GCM, thus only normal print
 1) outln "not offered" ;; # neither good or bad
- # 2) ok 0 0 ;; downgraded
+ 2) pr_magentaln "downgraded. still missing a testcase here" ;;
 5) outln "supported but couldn't detect a cipher (may need debugging)" ;; # protocol ok, but no cipher
 7) ;; # no local support
 esac
@@ -1209,10 +1202,12 @@ read_dhbits_from_file() {
 [ -n "$bits" ] && [ -z "$2" ] && out ", "
 if [[ $what_dh == "DH" ]] || [[ $what_dh == "EDH" ]] ; then
 [ -z "$2" ] && add="bit DH"
- if [[ "$bits" -le 800 ]]; then
+ if [[ "$bits" -le 600 ]]; then
 pr_red "$bits $add"
- elif [[ "$bits" -le 1280 ]]; then
+ elif [[ "$bits" -le 800 ]]; then
 pr_litered "$bits $add"
+ elif [[ "$bits" -le 1280 ]]; then
+ pr_brown "$bits $add"
 elif [[ "$bits" -ge 2048 ]]; then
 pr_litegreen "$bits $add"
 else
@@ -2310,7 +2305,7 @@ ccs_injection(){
 # see https://www.openssl.org/news/secadv_20140605.txt
 # mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607
 [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for CCS injection vulnerability" && outln "\n"
- pr_bold " CCS "; out " (CVE-2014-0224) "
+ pr_bold " CCS"; out " (CVE-2014-0224) "
 if [ ! -z "$STARTTLS" ] ; then
 outln "(not yet implemented for STARTTLS)"
@@ -2642,7 +2637,7 @@ freak() {
 local addtl_warning=""
 [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for FREAK attack" && outln "\n"
- pr_bold " FREAK "; out " (CVE-2015-0204), experimental "
+ pr_bold " FREAK"; out " (CVE-2015-0204), experimental "
 no_exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | egrep -a "^EXP.*RSA" | wc -l | sed 's/ //g')
 exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/^EXP.*RSA/ {print $1}' | tr '\n' ':')
 debugme echo $exportrsa_ciphers
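Review bot: The cut-offs 600, 800 and 1280 in the DH branch of read_dhbits_from_file() are unexplained in the code; only the commit message says which key sizes each band is meant to catch. A comment above the chain would keep the grading reviewable, for example `# <=600: 512 bit -> pr_red, <=800: 768 bit -> pr_litered, <=1280: 1024 bit -> pr_brown, >=2048 -> pr_litegreen`. Sizes from 1281 to 2047 fall through to the `else` branch, which lies outside the hunk. Since `[[ "$bits" -le 600 ]]` evaluates an empty `$bits` as 0, it is also worth confirming that this chain is never reached without a parsed bit length, otherwise a parsing failure would be shown as the weakest grade.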
@@ -2651,11 +2646,11 @@ freak() {
 case $no_exportrsa_ciphers in
 0) pr_magentaln "Local problem: your $OPENSSL doesn't have any EXPORT RSA ciphers configured"
 return 3 ;;
- 1,2,3)
+ 1|2|3)
 addtl_warning=" (tested only with $no_exportrsa_ciphers out of 9 ciphers)" ;;
- 7,8,9,10,11)
+ 8|9|10|11)
 addtl_warning="" ;;
- 4,5,6)
+ 4|5|6|7)
 addtl_warning=" (tested with $no_exportrsa_ciphers/9 ciphers)" ;;
 esac
 $OPENSSL s_client $STARTTLS -cipher $exportrsa_ciphers -connect $NODEIP:$PORT $SNI &>$TMPFILE Testing for LOGJAM vulnerability" && outln "\n"
+ pr_bold " LOGJAM"; out " (CVE-2015-4000), experimental "
+ no_exportdhe_ciphers=$($OPENSSL ciphers "$exportdhe_ciphers" | sed 's/:/ /g' | wc -w | sed 's/ //g')
+ case $no_exportdhe_ciphers in
+ 0) pr_magentaln "Local problem: your $OPENSSL doesn't have any DHE EXPORT ciphers configured"
+ return 3 ;;
+ 1|2|3) addtl_warning=" (tested only w/ $no_exportdhe_ciphers/4 ciphers)" ;;
+ 4) ;;
+ esac
+ $OPENSSL s_client $STARTTLS -cipher $exportdhe_ciphers -connect $NODEIP:$PORT $SNI &>$TMPFILE
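Review bot: In the `case $no_exportrsa_ciphers` of freak(), the arm `8|9|10|11)` treats 8 local export RSA ciphers as full coverage while both warning strings use 9 as the total, so a client with 8 ciphers gets no coverage note although one cipher was not tried by the messages' own count. A reduced cipher set can hide a vulnerable server, so the warning should follow the same total the messages print. If 9 is the intended total, `4|5|6|7|8)` for the partial case and a default arm `*) addtl_warning="" ;;` instead of the enumerated upper range would also cover counts above 11, which currently match no arm. The function continues outside the hunk.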