- FIX #119 (sed -E fails for old sed versions)
- std_cipherlists tuned - fix for self-signed certs (sometimes missed because of a trailing space)
This commit is contained in:
parent
06899f3cbf
commit
59299ce9e1
83
testssl.sh
83
testssl.sh
@ -79,6 +79,9 @@ readonly SYSTEM=$(uname -s)
|
|||||||
date --help >/dev/null 2>&1 && \
|
date --help >/dev/null 2>&1 && \
|
||||||
readonly HAS_GNUDATE=true || \
|
readonly HAS_GNUDATE=true || \
|
||||||
readonly HAS_GNUDATE=false
|
readonly HAS_GNUDATE=false
|
||||||
|
echo A | sed -E 's/A//' >/dev/null 2>&1 && \
|
||||||
|
readonly HAS_SED_E=true || \
|
||||||
|
readonly HAS_SED_E=false
|
||||||
readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
|
readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
|
||||||
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping
|
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping
|
||||||
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
|
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
|
||||||
@ -592,7 +595,7 @@ hsts() {
|
|||||||
pr_litegreen "$hsts_age_days days" ; out "=$hsts_age_sec s"
|
pr_litegreen "$hsts_age_days days" ; out "=$hsts_age_sec s"
|
||||||
else
|
else
|
||||||
out "$hsts_age_sec s = "
|
out "$hsts_age_sec s = "
|
||||||
pr_brown "$hsts_age_days days, <$HSTS_MIN is not good enough"
|
pr_brown "$hsts_age_days days, <$HSTS_MIN days is too short"
|
||||||
fi
|
fi
|
||||||
includeSubDomains "$TMPFILE"
|
includeSubDomains "$TMPFILE"
|
||||||
preload "$TMPFILE"
|
preload "$TMPFILE"
|
||||||
@ -907,19 +910,26 @@ std_cipherlists() {
|
|||||||
$OPENSSL s_client -cipher "$1" $STARTTLS -connect $NODEIP:$PORT $SNI 2>$TMPFILE >/dev/null </dev/null
|
$OPENSSL s_client -cipher "$1" $STARTTLS -connect $NODEIP:$PORT $SNI 2>$TMPFILE >/dev/null </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
[[ $DEBUG -ge 2 ]] && cat $TMPFILE
|
[[ $DEBUG -ge 2 ]] && cat $TMPFILE
|
||||||
|
out " " # in order to be in the same row as server preferences
|
||||||
case $3 in
|
case $3 in
|
||||||
0) # ok to offer
|
0) # ok to offer
|
||||||
[[ $ret -eq 0 ]] && \
|
[[ $ret -eq 0 ]] && \
|
||||||
pr_greenln "offered (OK)" || \
|
pr_greenln "offered (OK)" || \
|
||||||
pr_boldln "not offered" ;;
|
pr_brownln "not offered (NOT ok)" ;;
|
||||||
2) # not really bad
|
1) # the ugly ones
|
||||||
[[ $ret -eq 0 ]] && \
|
|
||||||
outln "offered" || \
|
|
||||||
pr_greenln "not offered (OK)" ;;
|
|
||||||
*) # the ugly rest
|
|
||||||
[[ $ret -eq 0 ]] && \
|
[[ $ret -eq 0 ]] && \
|
||||||
pr_redln "offered (NOT ok)" || \
|
pr_redln "offered (NOT ok)" || \
|
||||||
pr_greenln "not offered (OK)" ;;
|
pr_greenln "not offered (OK)" ;;
|
||||||
|
2) # bad but not worst
|
||||||
|
[[ $ret -eq 0 ]] && \
|
||||||
|
pr_literedln "offered (NOT ok)" || \
|
||||||
|
pr_litegreenln "not offered (OK)" ;;
|
||||||
|
3) # not totally bad
|
||||||
|
[[ $ret -eq 0 ]] && \
|
||||||
|
pr_brownln "offered (NOT ok)" || \
|
||||||
|
outln "not offered (OK)" ;;
|
||||||
|
*) # we shouldn't reach this
|
||||||
|
pr_litemagenta "? (please report this)" ;;
|
||||||
esac
|
esac
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
else
|
else
|
||||||
@ -936,7 +946,11 @@ std_cipherlists() {
|
|||||||
# ARG2: sleep
|
# ARG2: sleep
|
||||||
socksend() {
|
socksend() {
|
||||||
# the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do
|
# the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do
|
||||||
data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n')
|
if $HAS_SED_E; then
|
||||||
|
data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n')
|
||||||
|
else
|
||||||
|
data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -r 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n')
|
||||||
|
fi
|
||||||
[[ $DEBUG -ge 4 ]] && echo "\"$data\""
|
[[ $DEBUG -ge 4 ]] && echo "\"$data\""
|
||||||
printf -- "$data" >&5 2>/dev/null &
|
printf -- "$data" >&5 2>/dev/null &
|
||||||
sleep $2
|
sleep $2
|
||||||
@ -1240,21 +1254,22 @@ runprotocols() {
|
|||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#TODO: work with a fixed list here
|
||||||
run_std_cipherlists() {
|
run_std_cipherlists() {
|
||||||
outln
|
outln
|
||||||
pr_blue "--> Testing standard cipher lists"; outln "\n"
|
pr_blue "--> Testing ~standard cipher lists"; outln "\n"
|
||||||
# see ciphers(1ssl)
|
# see ciphers(1ssl)
|
||||||
std_cipherlists NULL:eNULL " Null Ciphers " 1
|
std_cipherlists NULL:eNULL " Null Ciphers " 1
|
||||||
std_cipherlists aNULL " Anonymous NULL Ciphers " 1
|
std_cipherlists aNULL " Anonymous NULL Ciphers " 1
|
||||||
std_cipherlists ADH " Anonymous DH Ciphers " 1
|
std_cipherlists ADH " Anonymous DH Ciphers " 1
|
||||||
std_cipherlists EXPORT40 " 40 Bit encryption " 1
|
std_cipherlists EXPORT40 " 40 Bit encryption " 1
|
||||||
std_cipherlists EXPORT56 " 56 Bit encryption " 1
|
std_cipherlists EXPORT56 " 56 Bit encryption " 1
|
||||||
std_cipherlists EXPORT " Export Ciphers (general) " 1
|
std_cipherlists EXPORT " Export Ciphers (general) " 1
|
||||||
std_cipherlists LOW " Low (<=64 Bit) " 1
|
std_cipherlists 'LOW:!ADH' " Low (<=64 Bit) " 1
|
||||||
std_cipherlists DES " DES Ciphers " 1
|
std_cipherlists 'DES:!ADH:!EXPORT:!aNULL' " DES Ciphers " 1
|
||||||
std_cipherlists 3DES " Triple DES Ciphers " 2
|
std_cipherlists 'MEDIUM:!NULL:!aNULL:!SSLv2' " Medium grade encryption " 2
|
||||||
std_cipherlists "MEDIUM:!NULL:!aNULL:!SSLv2" " Medium grade encryption " 2
|
std_cipherlists '3DES:!ADH:!aNULL' " Triple DES Ciphers " 3
|
||||||
std_cipherlists "HIGH:!NULL:!aNULL" " High grade encryption " 0
|
std_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES:' " High grade encryption " 0
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1661,11 +1676,11 @@ server_defaults() {
|
|||||||
else
|
else
|
||||||
issuer_c="" # CACert would have 'issuer= ' here otherwise
|
issuer_c="" # CACert would have 'issuer= ' here otherwise
|
||||||
fi
|
fi
|
||||||
if [ "$issuer_o" == "issuer=" ] || [ "$issuer" == "$CN" ] ; then
|
if [ "$issuer_o" == "issuer=" ] || [ "$issuer_o" == "issuer= " ] || [ "$issuer" == "$CN" ] ; then
|
||||||
pr_redln "selfsigned (not OK)"
|
pr_redln "selfsigned (not OK)"
|
||||||
else
|
else
|
||||||
[ "$issuer_c" == "" ] && \
|
[ "$issuer_c" == "" ] && \
|
||||||
outln "$underline$issuer$off ($underline$issuer_o$off" || \
|
outln "$underline$issuer$off ($underline$issuer_o$off)" || \
|
||||||
outln "$underline$issuer$off ($underline$issuer_o$off from $underline$issuer_c$off)"
|
outln "$underline$issuer$off ($underline$issuer_o$off from $underline$issuer_c$off)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -2283,7 +2298,11 @@ heartbleed(){
|
|||||||
# determine TLS versions available:
|
# determine TLS versions available:
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null
|
||||||
|
|
||||||
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
if $HAS_SED_E; then
|
||||||
|
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
||||||
|
else
|
||||||
|
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -r 's/[^[:digit:]]//g')
|
||||||
|
fi
|
||||||
case $tls_proto_offered in
|
case $tls_proto_offered in
|
||||||
12) tls_hexcode="x03, x03" ;;
|
12) tls_hexcode="x03, x03" ;;
|
||||||
11) tls_hexcode="x03, x02" ;;
|
11) tls_hexcode="x03, x02" ;;
|
||||||
@ -2397,8 +2416,11 @@ ccs_injection(){
|
|||||||
fi
|
fi
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT &>$TMPFILE </dev/null
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT &>$TMPFILE </dev/null
|
||||||
|
|
||||||
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
if $HAS_SED_E; then
|
||||||
#tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed 's/^.*Protocol//')
|
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
||||||
|
else
|
||||||
|
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -r 's/[^[:digit:]]//g')
|
||||||
|
fi
|
||||||
case $tls_proto_offered in
|
case $tls_proto_offered in
|
||||||
12) tls_hexcode="x03, x03" ;;
|
12) tls_hexcode="x03, x03" ;;
|
||||||
11) tls_hexcode="x03, x02" ;;
|
11) tls_hexcode="x03, x02" ;;
|
||||||
@ -2681,6 +2703,14 @@ EOF
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# trim spaces for BSD and old sed
|
||||||
|
count_lines() {
|
||||||
|
echo "$1" | wc -l | sed 's/ //g'
|
||||||
|
}
|
||||||
|
count_words() {
|
||||||
|
echo "$1" | wc -w | sed 's/ //g'
|
||||||
|
}
|
||||||
|
|
||||||
### two helper functions for vulnerabilities follow
|
### two helper functions for vulnerabilities follow
|
||||||
count_ciphers() {
|
count_ciphers() {
|
||||||
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g'
|
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g'
|
||||||
@ -3274,6 +3304,7 @@ ECHO: $ECHO
|
|||||||
COLOR: $COLOR
|
COLOR: $COLOR
|
||||||
TERM_DWITH: $TERM_DWITH
|
TERM_DWITH: $TERM_DWITH
|
||||||
HAS_GNUDATE: $HAS_GNUDATE
|
HAS_GNUDATE: $HAS_GNUDATE
|
||||||
|
HAS_SED_E: $HAS_SED_E
|
||||||
|
|
||||||
SHOW_LOC_CIPH: $SHOW_LOC_CIPH
|
SHOW_LOC_CIPH: $SHOW_LOC_CIPH
|
||||||
SHOW_EACH_C: $SHOW_EACH_C
|
SHOW_EACH_C: $SHOW_EACH_C
|
||||||
@ -4029,6 +4060,6 @@ fi
|
|||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.278 2015/06/16 21:00:46 dirkw Exp $
|
# $Id: testssl.sh,v 1.279 2015/06/17 09:33:28 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
||||||
|
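Review bot: The `if $HAS_SED_E; then … sed -E … else … sed -r … fi` blocks added in heartbleed and ccs_injection (and the matching one in socksend) duplicate the whole pipeline only to switch the ERE flag, and the `-r` fallback is a GNU sed spelling, so a sed that has neither `-E` nor `-r` (older BSD) leaves `tls_proto_offered` empty and the following `case` can only cope if it has a default arm outside the hunk. None of these expressions actually needs ERE: `[^[:digit:]]` is valid in a basic regular expression, so both branches collapse to the single line `tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed 's/[^[:digit:]]//g')`, and in socksend `s/^[[:space:]]+//; s/[[:space:]]+$//` can become `s/^[[:space:]]*//; s/[[:space:]]*$//` since deleting an empty match is a no-op. That would make the new HAS_SED_E probe at the top of the file unnecessary, though keeping it for future use is harmless. Separately, the new HIGH list `'HIGH:!NULL:!aNULL:!DES:!3DES:'` in run_std_cipherlists ends with a stray colon unlike the other lists; worth dropping for consistency. The enclosing functions start and end outside these hunks.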