mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
* couple of checks for new proxy option from John Newbigin #124
* minor cleanups for #124
This commit is contained in:
parent
ddd680ac93
commit
5acfc93d79
56
testssl.sh
56
testssl.sh
@ -1499,8 +1499,10 @@ server_preference() {
|
|||||||
i=$(($i + 1))
|
i=$(($i + 1))
|
||||||
done
|
done
|
||||||
|
|
||||||
if spdy_pre ; then # is NPN/SPDY supported and is this no STARTTLS?
|
[ -n "$PROXY" ] && arg=" SPDY/NPN is"
|
||||||
$OPENSSL s_client -host $NODE -port $PORT $PROXY -nextprotoneg "$NPN_PROTOs" </dev/null 2>/dev/null >$TMPFILE
|
[ -n "$STARTTLS" ] && arg=" "
|
||||||
|
if spdy_pre " $arg"; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY
|
||||||
|
$OPENSSL s_client -host $NODE -port $PORT -nextprotoneg "$NPN_PROTOs" </dev/null 2>/dev/null >$TMPFILE
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g')
|
proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g')
|
||||||
if [ -z "${proto[i]}" ]; then
|
if [ -z "${proto[i]}" ]; then
|
||||||
@ -1567,10 +1569,10 @@ cipher_pref_check() {
|
|||||||
done
|
done
|
||||||
outln
|
outln
|
||||||
|
|
||||||
if ! spdy_pre ; then # is NPN/SPDY supported and is this no STARTTLS?
|
if ! spdy_pre " SPDY/NPN: " ; then # is NPN/SPDY supported and is this no STARTTLS?
|
||||||
outln
|
outln
|
||||||
else
|
else
|
||||||
protos=$($OPENSSL s_client -host $NODE -port $PORT -nextprotoneg \"\" $PROXY </dev/null 2>/dev/null | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
protos=$($OPENSSL s_client -host $NODE -port $PORT -nextprotoneg \"\" </dev/null 2>/dev/null | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
||||||
for p in $protos; do
|
for p in $protos; do
|
||||||
$OPENSSL s_client -host $NODE -port $PORT -nextprotoneg "$p" $PROXY </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client -host $NODE -port $PORT -nextprotoneg "$p" $PROXY </dev/null 2>/dev/null >$TMPFILE
|
||||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||||
@ -1927,11 +1929,18 @@ pfs() {
|
|||||||
# good source for configuration and bugs: https://wiki.mozilla.org/Security/Server_Side_TLS
|
# good source for configuration and bugs: https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||||
# good start to read: http://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS.2FSSL
|
# good start to read: http://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS.2FSSL
|
||||||
|
|
||||||
|
|
||||||
spdy_pre(){
|
spdy_pre(){
|
||||||
if [ ! -z "$STARTTLS" ]; then
|
if [ ! -z "$STARTTLS" ]; then
|
||||||
|
[ -n "$1" ] && out "$1"
|
||||||
out "(SPDY is a HTTP protocol and thus not tested here)"
|
out "(SPDY is a HTTP protocol and thus not tested here)"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
if [ ! -z "$PROXY" ]; then
|
||||||
|
[ -n "$1" ] && pr_litemagenta "$1 "
|
||||||
|
pr_litemagenta "not being tested as proxies do not support it"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
# first, does the current openssl support it?
|
# first, does the current openssl support it?
|
||||||
$OPENSSL s_client help 2>&1 | grep -qw nextprotoneg
|
$OPENSSL s_client help 2>&1 | grep -qw nextprotoneg
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
@ -1941,13 +1950,13 @@ spdy_pre(){
|
|||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
spdy() {
|
run_spdy() {
|
||||||
pr_bold " SPDY/NPN "
|
pr_bold " SPDY/NPN "
|
||||||
if ! spdy_pre ; then
|
if ! spdy_pre ; then
|
||||||
echo
|
echo
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client -host $NODE -port $PORT $PROXY -nextprotoneg $NPN_PROTOs </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs </dev/null 2>/dev/null >$TMPFILE
|
||||||
tmpstr=$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')
|
tmpstr=$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')
|
||||||
if [ -z "$tmpstr" -o "$tmpstr" == " " ] ; then
|
if [ -z "$tmpstr" -o "$tmpstr" == " " ] ; then
|
||||||
out "not offered"
|
out "not offered"
|
||||||
@ -1971,33 +1980,32 @@ spdy() {
|
|||||||
|
|
||||||
# arg for a fd doesn't work here
|
# arg for a fd doesn't work here
|
||||||
fd_socket() {
|
fd_socket() {
|
||||||
if [ "$PROXY" ] ; then
|
if [[ -n "$PROXY" ]]; then
|
||||||
if ! exec 5<> /dev/tcp/${PROXYIP}/${PROXYPORT}; then
|
if ! exec 5<> /dev/tcp/${PROXYIP}/${PROXYPORT}; then
|
||||||
outln
|
outln
|
||||||
pr_magenta "$(basename "$0"): unable to open a socket to proxy $PROXYIP:$PROXYPORT"
|
pr_magenta "$PROG_NAME: unable to open a socket to proxy $PROXYIP:$PROXYPORT"
|
||||||
return 6
|
return 6
|
||||||
fi
|
fi
|
||||||
echo "CONNECT $NODEIP:$PORT" >&5
|
echo "CONNECT $NODEIP:$PORT" >&5
|
||||||
while true ; do
|
while true ; do
|
||||||
read x <&5
|
read x <&5
|
||||||
if [ "${x%/*}" = "HTTP" ] ; then
|
if [[ "${x%/*}" == "HTTP" ]]; then
|
||||||
x=${x#* }
|
x=${x#* }
|
||||||
if [ "${x%% *}" != "200" ] ; then
|
if [[ "${x%% *}" != "200" ]] ; then
|
||||||
pr_magenta "Unable to CONNECT via proxy"
|
[[ "$PORT" != 443 ]] && outln "Check whether your proxy supports port $PORT and the underlying protocol."
|
||||||
|
pr_magenta "Unable to CONNECT via proxy. "
|
||||||
return 6
|
return 6
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$x" = $'\r' ] ; then
|
if [[ "$x" == $'\r' ]] ; then
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
elif ! exec 5<>/dev/tcp/$NODEIP/$PORT; then # 2>/dev/null removes an error message, but disables debugging
|
||||||
if ! exec 5<>/dev/tcp/$NODEIP/$PORT; then # 2>/dev/null removes an error message, but disables debugging
|
|
||||||
outln
|
outln
|
||||||
pr_magenta "Unable to open a socket to $NODEIP:$PORT. "
|
pr_magenta "Unable to open a socket to $NODEIP:$PORT. "
|
||||||
# It can last ~2 minutes but for for those rare occasions we don't do a timeout handler here, KISS
|
# It can last ~2 minutes but for for those rare occasions we don't do a timeout handler here, KISS
|
||||||
return 6
|
return 6
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
@ -3317,12 +3325,16 @@ openssl_age() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# We need to get the IP address of the proxy so we can use it in fs_socket
|
# We need to get the IP address of the proxy so we can use it in fd_socket
|
||||||
check_proxy()
|
check_proxy(){
|
||||||
{
|
if [ -n "$PROXY" ] ; then
|
||||||
if [ "$PROXY" ] ; then
|
if ! $OPENSSL s_client help 2>&1 | grep -qw proxy; then
|
||||||
|
pr_magentaln "Local problem: Your $OPENSSL is too old to support the \"--proxy\" option"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
PROXYNODE=${PROXY%:*}
|
PROXYNODE=${PROXY%:*}
|
||||||
PROXYPORT=${PROXY#*:}
|
PROXYPORT=${PROXY#*:}
|
||||||
|
#FIXME: dig. nslookup ==> central function
|
||||||
PROXYIP=$(host -t a $PROXYNODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
PROXYIP=$(host -t a $PROXYNODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
||||||
PROXY="-proxy $PROXYIP:$PROXYPORT"
|
PROXY="-proxy $PROXYIP:$PROXYPORT"
|
||||||
fi
|
fi
|
||||||
@ -4130,7 +4142,7 @@ lets_roll() {
|
|||||||
|
|
||||||
${do_test_just_one} && test_just_one ${single_cipher}
|
${do_test_just_one} && test_just_one ${single_cipher}
|
||||||
${do_protocols} && { run_protocols; ret=$(($? + ret)); }
|
${do_protocols} && { run_protocols; ret=$(($? + ret)); }
|
||||||
${do_spdy} && { spdy; ret=$(($? + ret)); }
|
${do_spdy} && { run_spdy; ret=$(($? + ret)); }
|
||||||
${do_run_std_cipherlists} && { run_std_cipherlists; ret=$(($? + ret)); }
|
${do_run_std_cipherlists} && { run_std_cipherlists; ret=$(($? + ret)); }
|
||||||
${do_pfs} && { pfs; ret=$(($? + ret)); }
|
${do_pfs} && { pfs; ret=$(($? + ret)); }
|
||||||
${do_server_preference} && { server_preference; ret=$(($? + ret)); }
|
${do_server_preference} && { server_preference; ret=$(($? + ret)); }
|
||||||
@ -4186,8 +4198,8 @@ initialize_globals
|
|||||||
parse_cmd_line "$@"
|
parse_cmd_line "$@"
|
||||||
set_color_functions
|
set_color_functions
|
||||||
find_openssl_binary
|
find_openssl_binary
|
||||||
check_proxy
|
|
||||||
mybanner
|
mybanner
|
||||||
|
check_proxy
|
||||||
openssl_age
|
openssl_age
|
||||||
maketempf
|
maketempf
|
||||||
|
|
||||||
@ -4235,4 +4247,4 @@ fi
|
|||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.296 2015/06/29 08:41:55 dirkw Exp $
|
# $Id: testssl.sh,v 1.298 2015/06/29 21:28:36 dirkw Exp $
|
||||||
|
Loading…
Reference in New Issue
Block a user