- enabled+renamed tolerance test per default
- quoted some bool vars for faster execution
This commit is contained in:
parent
38b61ed36f
commit
541690b46e
45
testssl.sh
45
testssl.sh
@ -2016,7 +2016,7 @@ run_client_simulation() {
|
|||||||
local name tls proto cipher
|
local name tls proto cipher
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
|
|
||||||
if $SSL_NATIVE || [[ -n "$STARTTLS" ]]; then
|
if "$SSL_NATIVE" || [[ -n "$STARTTLS" ]]; then
|
||||||
using_sockets=false
|
using_sockets=false
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -2758,7 +2758,7 @@ run_client_simulation() {
|
|||||||
for name in "${short[@]}"; do
|
for name in "${short[@]}"; do
|
||||||
#FIXME: printf formatting would look better, especially if we want a wide option here
|
#FIXME: printf formatting would look better, especially if we want a wide option here
|
||||||
out " ${names[i]} "
|
out " ${names[i]} "
|
||||||
if $using_sockets && [[ -n "${handshakebytes[i]}" ]]; then
|
if "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; then
|
||||||
client_simulation_sockets "${handshakebytes[i]}"
|
client_simulation_sockets "${handshakebytes[i]}"
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
@ -2781,7 +2781,7 @@ run_client_simulation() {
|
|||||||
#FIXME: awk
|
#FIXME: awk
|
||||||
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
||||||
[[ "$proto" == TLSv1 ]] && proto="TLSv1.0"
|
[[ "$proto" == TLSv1 ]] && proto="TLSv1.0"
|
||||||
if [[ "$proto" == TLSv1.2 ]] && ( ! $using_sockets || [[ -z "${handshakebytes[i]}" ]] ); then
|
if [[ "$proto" == TLSv1.2 ]] && ( ! "$using_sockets" || [[ -z "${handshakebytes[i]}" ]] ); then
|
||||||
# OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
|
# OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
|
||||||
for tls in ${tlsvers[i]}; do
|
for tls in ${tlsvers[i]}; do
|
||||||
$OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
|
$OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
|
||||||
@ -2807,7 +2807,7 @@ run_client_simulation() {
|
|||||||
fi
|
fi
|
||||||
#FiXME: awk
|
#FiXME: awk
|
||||||
cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://')
|
cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://')
|
||||||
$using_sockets && [[ -n "${handshakebytes[i]}" ]] && [[ -n "$MAPPING_FILE_RFC" ]] && cipher="$(rfc2openssl "$cipher")"
|
"$using_sockets" && [[ -n "${handshakebytes[i]}" ]] && [[ -n "$MAPPING_FILE_RFC" ]] && cipher="$(rfc2openssl "$cipher")"
|
||||||
outln "$proto $cipher"
|
outln "$proto $cipher"
|
||||||
if [[ -n "${warning[i]}" ]]; then
|
if [[ -n "${warning[i]}" ]]; then
|
||||||
out " "
|
out " "
|
||||||
@ -2893,11 +2893,11 @@ run_protocols() {
|
|||||||
local supported_no_ciph2="supported but couldn't detect a cipher"
|
local supported_no_ciph2="supported but couldn't detect a cipher"
|
||||||
local latest_supported="" # version.major and version.minor of highest version supported by the server.
|
local latest_supported="" # version.major and version.minor of highest version supported by the server.
|
||||||
local detected_version_string latest_supported_string
|
local detected_version_string latest_supported_string
|
||||||
local extra_spaces=""
|
local extra_spaces=" "
|
||||||
|
|
||||||
outln; pr_headline " Testing protocols "
|
outln; pr_headline " Testing protocols "
|
||||||
|
|
||||||
if $SSL_NATIVE; then
|
if "$SSL_NATIVE"; then
|
||||||
using_sockets=false
|
using_sockets=false
|
||||||
pr_headlineln "(via native openssl)"
|
pr_headlineln "(via native openssl)"
|
||||||
else
|
else
|
||||||
@ -2906,9 +2906,8 @@ run_protocols() {
|
|||||||
using_sockets=false
|
using_sockets=false
|
||||||
else
|
else
|
||||||
using_sockets=true
|
using_sockets=true
|
||||||
if $EXPERIMENTAL; then
|
if "$EXPERIMENTAL"; then
|
||||||
pr_headlineln "(via sockets except SPDY+HTTP2) "
|
pr_headlineln "(via sockets except SPDY+HTTP2) "
|
||||||
extra_spaces=" "
|
|
||||||
else
|
else
|
||||||
pr_headlineln "(via sockets except TLS 1.2, SPDY+HTTP2) "
|
pr_headlineln "(via sockets except TLS 1.2, SPDY+HTTP2) "
|
||||||
fi
|
fi
|
||||||
@ -2917,7 +2916,7 @@ run_protocols() {
|
|||||||
outln
|
outln
|
||||||
|
|
||||||
pr_bold " SSLv2 $extra_spaces";
|
pr_bold " SSLv2 $extra_spaces";
|
||||||
if ! $SSL_NATIVE; then
|
if ! "$SSL_NATIVE"; then
|
||||||
sslv2_sockets #FIXME: messages/output need to be moved to this (higher) level
|
sslv2_sockets #FIXME: messages/output need to be moved to this (higher) level
|
||||||
else
|
else
|
||||||
run_prototest_openssl "-ssl2"
|
run_prototest_openssl "-ssl2"
|
||||||
@ -2943,7 +2942,7 @@ run_protocols() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
pr_bold " SSLv3 $extra_spaces";
|
pr_bold " SSLv3 $extra_spaces";
|
||||||
if $using_sockets; then
|
if "$using_sockets"; then
|
||||||
tls_sockets "00" "$TLS_CIPHER"
|
tls_sockets "00" "$TLS_CIPHER"
|
||||||
else
|
else
|
||||||
run_prototest_openssl "-ssl3"
|
run_prototest_openssl "-ssl3"
|
||||||
@ -2982,7 +2981,7 @@ run_protocols() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
pr_bold " TLS 1 $extra_spaces";
|
pr_bold " TLS 1 $extra_spaces";
|
||||||
if $using_sockets; then
|
if "$using_sockets"; then
|
||||||
tls_sockets "01" "$TLS_CIPHER"
|
tls_sockets "01" "$TLS_CIPHER"
|
||||||
else
|
else
|
||||||
run_prototest_openssl "-tls1"
|
run_prototest_openssl "-tls1"
|
||||||
@ -2997,7 +2996,7 @@ run_protocols() {
|
|||||||
;; # nothing wrong with it -- per se
|
;; # nothing wrong with it -- per se
|
||||||
1)
|
1)
|
||||||
out "not offered"
|
out "not offered"
|
||||||
if ! $using_sockets || [[ -z $latest_supported ]]; then
|
if ! "$using_sockets" || [[ -z $latest_supported ]]; then
|
||||||
outln
|
outln
|
||||||
fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad
|
fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad
|
||||||
else
|
else
|
||||||
@ -3031,7 +3030,7 @@ run_protocols() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
pr_bold " TLS 1.1 $extra_spaces";
|
pr_bold " TLS 1.1 $extra_spaces";
|
||||||
if $using_sockets; then
|
if "$using_sockets"; then
|
||||||
tls_sockets "02" "$TLS_CIPHER"
|
tls_sockets "02" "$TLS_CIPHER"
|
||||||
else
|
else
|
||||||
run_prototest_openssl "-tls1_1"
|
run_prototest_openssl "-tls1_1"
|
||||||
@ -3046,7 +3045,7 @@ run_protocols() {
|
|||||||
;; # nothing wrong with it
|
;; # nothing wrong with it
|
||||||
1)
|
1)
|
||||||
out "not offered"
|
out "not offered"
|
||||||
if ! $using_sockets || [[ -z $latest_supported ]]; then
|
if ! "$using_sockets" || [[ -z $latest_supported ]]; then
|
||||||
outln
|
outln
|
||||||
fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad
|
fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad
|
||||||
else
|
else
|
||||||
@ -3083,7 +3082,7 @@ run_protocols() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
pr_bold " TLS 1.2 $extra_spaces";
|
pr_bold " TLS 1.2 $extra_spaces";
|
||||||
if $using_sockets && $EXPERIMENTAL; then #TODO: IIS servers do have a problem here with our handshake
|
if "$using_sockets" && "$EXPERIMENTAL"; then #TODO: IIS servers do have a problem here with our handshake
|
||||||
tls_sockets "03" "$TLS12_CIPHER"
|
tls_sockets "03" "$TLS12_CIPHER"
|
||||||
else
|
else
|
||||||
run_prototest_openssl "-tls1_2"
|
run_prototest_openssl "-tls1_2"
|
||||||
@ -3098,7 +3097,7 @@ run_protocols() {
|
|||||||
;; # GCM cipher in TLS 1.2: very good!
|
;; # GCM cipher in TLS 1.2: very good!
|
||||||
1)
|
1)
|
||||||
pr_svrty_mediumln "not offered"
|
pr_svrty_mediumln "not offered"
|
||||||
if ! $using_sockets || ! $EXPERIMENTAL || [[ -z $latest_supported ]]; then
|
if ! "$using_sockets" || ! "$EXPERIMENTAL" || [[ -z $latest_supported ]]; then
|
||||||
outln
|
outln
|
||||||
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
|
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
|
||||||
else
|
else
|
||||||
@ -3143,8 +3142,8 @@ run_protocols() {
|
|||||||
# If a TLS server receives a ClientHello containing a version number
|
# If a TLS server receives a ClientHello containing a version number
|
||||||
# greater than the highest version supported by the server, it MUST
|
# greater than the highest version supported by the server, it MUST
|
||||||
# reply according to the highest version supported by the server.
|
# reply according to the highest version supported by the server.
|
||||||
if [[ -n $latest_supported ]] && $using_sockets && $EXPERIMENTAL; then
|
if [[ -n $latest_supported ]] && "$using_sockets"; then
|
||||||
pr_bold " Version Negotiation ";
|
pr_bold " Version tolerance "
|
||||||
tls_sockets "05" "$TLS12_CIPHER"
|
tls_sockets "05" "$TLS12_CIPHER"
|
||||||
case $? in
|
case $? in
|
||||||
0)
|
0)
|
||||||
@ -4971,9 +4970,7 @@ http2_pre(){
|
|||||||
run_spdy() {
|
run_spdy() {
|
||||||
local tmpstr
|
local tmpstr
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
extra_spaces=""
|
local extra_spaces=" "
|
||||||
|
|
||||||
! $SSL_NATIVE && [[ -z "$STARTTLS" ]] && $EXPERIMENTAL && extra_spaces=" "
|
|
||||||
|
|
||||||
pr_bold " SPDY/NPN $extra_spaces"
|
pr_bold " SPDY/NPN $extra_spaces"
|
||||||
if ! spdy_pre ; then
|
if ! spdy_pre ; then
|
||||||
@ -5012,9 +5009,7 @@ run_http2() {
|
|||||||
local -i ret=0
|
local -i ret=0
|
||||||
local had_alpn_proto=false
|
local had_alpn_proto=false
|
||||||
local alpn_finding=""
|
local alpn_finding=""
|
||||||
extra_spaces=""
|
local extra_spaces=" "
|
||||||
|
|
||||||
! $SSL_NATIVE && [[ -z "$STARTTLS" ]] && $EXPERIMENTAL && extra_spaces=" "
|
|
||||||
|
|
||||||
pr_bold " HTTP2/ALPN $extra_spaces"
|
pr_bold " HTTP2/ALPN $extra_spaces"
|
||||||
if ! http2_pre ; then
|
if ! http2_pre ; then
|
||||||
@ -8613,4 +8608,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.530 2016/07/23 12:52:24 dirkw Exp $
|
# $Id: testssl.sh,v 1.531 2016/07/23 13:12:12 dirkw Exp $
|
||||||
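Review bot: The version-tolerance check in run_protocols now runs whenever `"$using_sockets"` is true, but the TLS 1.2 probe it depends on is still gated on `"$EXPERIMENTAL"` (`if "$using_sockets" && "$EXPERIMENTAL"; then tls_sockets "03" "$TLS12_CIPHER"`, otherwise `run_prototest_openssl "-tls1_2"`), and the TLS 1.2 "not offered" branch still tests `! "$EXPERIMENTAL"` before falling back to `$latest_supported`. If `latest_supported` is populated by `tls_sockets` (its writer is outside this hunk, so this is inferred from the comment on its declaration), then in a default non-experimental run the tolerance probe `tls_sockets "05" "$TLS12_CIPHER"` compares against a baseline that at most reflects TLS 1.1, and a server whose highest version is TLS 1.2 may be judged against the wrong expected version. Either lift the gate on the TLS 1.2 socket probe in the same commit, or keep the two consistent with `if [[ -n $latest_supported ]] && "$using_sockets" && "$EXPERIMENTAL"; then`; at minimum add a comment above the tolerance test stating what `latest_supported` holds when TLS 1.2 was tested via openssl. Note also that quoting `"$SSL_NATIVE"` changes the empty-variable failure mode from a syntax error to a silently false test (empty command name), which is fine if the variable is always initialised but is not a speed-up as the commit message suggests. run_protocols begins and ends outside this hunk.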