Check for matching SSLv2 cipher
Some servers respond to an SSLv2 ClientHello with a list of all SSLv2 ciphers that the server supports rather than just a list of ciphers that it supports in common with the client (i.e., that appear in the ClientHello). This PR changes the sockets version of `run_freak()` so that, if `sslv2_sockets()` is successful, it checks whether there are any ciphers in common between the ClientHello and the ServerHello before declaring that the server supports an export RSA cipher.
This commit is contained in:
parent
5e5199ddb5
commit
5270747eb0
14
testssl.sh
14
testssl.sh
|
@ -9212,11 +9212,12 @@ run_tls_fallback_scsv() {
|
||||||
# Factoring RSA Export Keys: don't use EXPORT RSA ciphers, see https://freakattack.com/
|
# Factoring RSA Export Keys: don't use EXPORT RSA ciphers, see https://freakattack.com/
|
||||||
run_freak() {
|
run_freak() {
|
||||||
local -i sclient_success=0
|
local -i sclient_success=0
|
||||||
local -i i nr_supported_ciphers=0
|
local -i i nr_supported_ciphers=0 len
|
||||||
# with correct build it should list these 9 ciphers (plus the two latter as SSLv2 ciphers):
|
# with correct build it should list these 9 ciphers (plus the two latter as SSLv2 ciphers):
|
||||||
local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5"
|
local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5"
|
||||||
local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03"
|
local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03"
|
||||||
local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80"
|
local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80"
|
||||||
|
local detected_ssl2_ciphers
|
||||||
local addcmd="" addtl_warning="" hexc
|
local addcmd="" addtl_warning="" hexc
|
||||||
local cve="CVE-2015-0204"
|
local cve="CVE-2015-0204"
|
||||||
local cwe="CWE-310"
|
local cwe="CWE-310"
|
||||||
|
@ -9253,8 +9254,15 @@ run_freak() {
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
||||||
if [[ $sclient_success -ne 0 ]]; then
|
if [[ $sclient_success -ne 0 ]]; then
|
||||||
sslv2_sockets "$exportrsa_ssl2_cipher_list_hex"
|
sslv2_sockets "$exportrsa_ssl2_cipher_list_hex" "true"
|
||||||
[[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]] && sclient_success=0
|
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
||||||
|
exportrsa_ssl2_cipher_list_hex="$(strip_spaces "${exportrsa_ssl2_cipher_list_hex//,/}")"
|
||||||
|
len=${#exportrsa_ssl2_cipher_list_hex}
|
||||||
|
detected_ssl2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
||||||
|
for (( i=0; i<len; i=i+6 )); do
|
||||||
|
[[ "$detected_ssl2_ciphers" =~ "x${exportrsa_ssl2_cipher_list_hex:i:6}" ]] && sclient_success=0 && break
|
||||||
|
done
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
"$HAS_NO_SSL2" && addcmd="-no_ssl2" || addcmd=""
|
"$HAS_NO_SSL2" && addcmd="-no_ssl2" || addcmd=""
|
||||||
|
|
Loading…
Reference in New Issue