From 59299ce9e1f775596f3a22938ac3d9e5272f865b Mon Sep 17 00:00:00 2001
From: Dirk
Date: Wed, 17 Jun 2015 11:33:29 +0200
Subject: [PATCH] - FIX #119 (sed -E fails for old sed versions) - std_cipherlists tuned - fix for selfsigned certs (missed sometimes because of trailing space)
---
 testssl.sh | 83 +++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 57 insertions(+), 26 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 97cd61e..86f579a 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -79,6 +79,9 @@ readonly SYSTEM=$(uname -s)
 date --help >/dev/null 2>&1 && \
 readonly HAS_GNUDATE=true || \
 readonly HAS_GNUDATE=false
+echo A | sed -E 's/A//' >/dev/null 2>&1 && \
+ readonly HAS_SED_E=true || \
+ readonly HAS_SED_E=false
 readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
 TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping
 TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
@@ -592,7 +595,7 @@ hsts() {
 pr_litegreen "$hsts_age_days days" ; out "=$hsts_age_sec s"
 else
 out "$hsts_age_sec s = "
- pr_brown "$hsts_age_days days, <$HSTS_MIN is not good enough"
+ pr_brown "$hsts_age_days days, <$HSTS_MIN days is too short"
 fi
 includeSubDomains "$TMPFILE"
 preload "$TMPFILE"
@@ -907,19 +910,26 @@ std_cipherlists() {
 $OPENSSL s_client -cipher "$1" $STARTTLS -connect $NODEIP:$PORT $SNI 2>$TMPFILE >/dev/null &5 2>/dev/null & sleep $2
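Review bot: The new `HAS_SED_E` probe in the @@ -79 hunk records only that `sed` accepts `-E`, and nothing in the hunk states what code is expected to do when the flag is false, so the contract lives only in the commit subject (#119). A one-line comment above the probe would carry it, e.g. `# old sed versions reject -E (ERE), see #119; callers must fall back (e.g. GNU -r or a BRE) when HAS_SED_E is false`. The `a && b || c` shape also runs the `||` arm when the `readonly` in the `&&` arm itself fails (for instance when the variable is already readonly), the same latent quirk the `HAS_GNUDATE` lines just above have; an `if/else` would be the unambiguous form, though keeping the existing pattern for consistency is defensible.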
@@ -1240,21 +1254,22 @@ runprotocols() {
 return 0
 }
+#TODO: work with a fixed list here
 run_std_cipherlists() {
 outln
- pr_blue "--> Testing standard cipher lists"; outln "\n"
+ pr_blue "--> Testing ~standard cipher lists"; outln "\n"
 # see ciphers(1ssl)
- std_cipherlists NULL:eNULL " Null Ciphers " 1
- std_cipherlists aNULL " Anonymous NULL Ciphers " 1
- std_cipherlists ADH " Anonymous DH Ciphers " 1
- std_cipherlists EXPORT40 " 40 Bit encryption " 1
- std_cipherlists EXPORT56 " 56 Bit encryption " 1
- std_cipherlists EXPORT " Export Ciphers (general) " 1
- std_cipherlists LOW " Low (<=64 Bit) " 1
- std_cipherlists DES " DES Ciphers " 1
- std_cipherlists 3DES " Triple DES Ciphers " 2
- std_cipherlists "MEDIUM:!NULL:!aNULL:!SSLv2" " Medium grade encryption " 2
- std_cipherlists "HIGH:!NULL:!aNULL" " High grade encryption " 0
+ std_cipherlists NULL:eNULL " Null Ciphers " 1
+ std_cipherlists aNULL " Anonymous NULL Ciphers " 1
+ std_cipherlists ADH " Anonymous DH Ciphers " 1
+ std_cipherlists EXPORT40 " 40 Bit encryption " 1
+ std_cipherlists EXPORT56 " 56 Bit encryption " 1
+ std_cipherlists EXPORT " Export Ciphers (general) " 1
+ std_cipherlists 'LOW:!ADH' " Low (<=64 Bit) " 1
+ std_cipherlists 'DES:!ADH:!EXPORT:!aNULL' " DES Ciphers " 1
+ std_cipherlists 'MEDIUM:!NULL:!aNULL:!SSLv2' " Medium grade encryption " 2
+ std_cipherlists '3DES:!ADH:!aNULL' " Triple DES Ciphers " 3
+ std_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES:' " High grade encryption " 0
 return 0
 }
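Review bot: The last list in the @@ -1240 hunk, `'HIGH:!NULL:!aNULL:!DES:!3DES:'`, ends with a stray `:` that none of the other lists have; OpenSSL's cipher-string parser appears to tolerate an empty element, but it reads as a typo and should be `'HIGH:!NULL:!aNULL:!DES:!3DES'`. The Triple DES line now passes `3` as the numeric last argument where the old code passed `2`; whether `std_cipherlists` handles a third level is not visible here because its own hunk (@@ -907) is cut off in this view, so that should be confirmed together with this change. The meaning of that numeric argument is undocumented at the call site; a comment next to `# see ciphers(1ssl)` such as `# args: openssl cipher list, display label, rating used when the list is offered (see std_cipherlists)` would help the next reader. The `#TODO: work with a fixed list here` note would be more actionable if it said what "fixed list" means, presumably an explicit set of cipher suites instead of OpenSSL's keyword groups.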
@@ -1661,11 +1676,11 @@ server_defaults() {
 else
 issuer_c="" # CACert would have 'issuer= ' here otherwise
 fi
- if [ "$issuer_o" == "issuer=" ] || [ "$issuer" == "$CN" ] ; then
+ if [ "$issuer_o" == "issuer=" ] || [ "$issuer_o" == "issuer= " ] || [ "$issuer" == "$CN" ] ; then
 pr_redln "selfsigned (not OK)"
 else
 [ "$issuer_c" == "" ] && \
- outln "$underline$issuer$off ($underline$issuer_o$off" || \
+ outln "$underline$issuer$off ($underline$issuer_o$off)" || \
 outln "$underline$issuer$off ($underline$issuer_o$off from $underline$issuer_c$off)"
 fi
@@ -2283,7 +2298,11 @@ heartbleed(){
 # determine TLS versions available: $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE $TMPFILE
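Review bot: The added `[ "$issuer_o" == "issuer= " ]` in the @@ -1661 hunk special-cases exactly one trailing space, so the same miss recurs with a tab or two spaces; normalising once is more robust, e.g. `if [[ "$issuer_o" =~ ^issuer=[[:space:]]*$ ]] || [ "$issuer" == "$CN" ]; then`, which is safe if the script already requires bash (the `==` inside `[ ]` and `&>` elsewhere in this patch suggest it does). More fundamentally, "selfsigned" is decided here from an empty issuer O or an issuer string equal to `$CN`; a self-signed certificate is one whose issuer DN equals its subject DN, so comparing the full `-issuer` and `-subject` output would likely avoid both false positives on certificates with an empty issuer O (the CACert case the context comment notes) and misses when only the CN happens to differ. Where `issuer_o`, `issuer` and `CN` are assigned is outside this hunk, as is the start of server_defaults.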