Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

- if a record is local host it is shown now

Browse Source 
- also look in etc hosts for MSYS2
- cosmetic improvements
This commit is contained in:
Dirk 2015-08-12 00:17:28 +02:00
parent 81b158431f
commit 5bc6e5fda9
1 changed files with 53 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
testssl.sh
View File

@ -121,7 +121,7 @@ USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
FNAME=${FNAME:=""} # file name to read commands from FNAME=${FNAME:-""} # file name to read commands from
IKNOW_FNAME=false IKNOW_FNAME=false
readonly HSTS_MIN=179 # >179 days is ok for HSTS readonly HSTS_MIN=179 # >179 days is ok for HSTS
readonly HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints? readonly HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints?
@ -575,7 +575,7 @@ run_http_date() {
else else
out "Got no HTTP time, maybe try different URL?"; out "Got no HTTP time, maybe try different URL?";
fi fi
debugme out "$HTTP_TIME" debugme out " epoch: $HTTP_TIME"
fi fi
outln outln
detect_ipv4 detect_ipv4
@ -3923,16 +3923,36 @@ filter_ip4_address() {
done done
} }
get_local_aaaa() {
local ip6=""
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
ip6=$(grep -wh "$NODE" $etchosts 2>/dev/null | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
if is_ipv6addr "$ip6"; then
echo "$ip6"
else
echo ""
fi
}
get_local_a() {
local ip4=""
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
ip4=$(grep -wh "$1" $etchosts 2>/dev/null | egrep -v ':|^#' | egrep "[[:space:]]$1" | awk '{ print $1 }')
if is_ipv4addr "$ip4"; then
echo "$ip4"
else
echo ""
fi
}
# arg1: a host name. Returned will be 0-n IPv4 addresses # arg1: a host name. Returned will be 0-n IPv4 addresses
get_a_record() { get_a_record() {
local ip4="" local ip4=""
local saved_openssl_conf="$OPENSSL_CONF" local saved_openssl_conf="$OPENSSL_CONF"
local etchosts="/etc/hosts"
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
ip4=$(is_ipv4addr $(grep -w "$1" "$etchosts" | egrep -v ':|^#' | egrep "[[:space:]]$1" | awk '{ print $1 }'))
[[ -n $"ip4" ]] && LOCAL_A=true
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134 OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
if [[ -z "$ip4" ]]; then if [[ -z "$ip4" ]]; then
@ -3957,11 +3977,6 @@ get_a_record() {
get_aaaa_record() { get_aaaa_record() {
local ip6="" local ip6=""
local saved_openssl_conf="$OPENSSL_CONF" local saved_openssl_conf="$OPENSSL_CONF"
local etchosts="/etc/hosts"
ip6=$(grep -w "$NODE" "$etchosts" | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
[[ -n $"ip6" ]] && LOCAL_AAAA=true
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134 OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
if [[ -z "$ip6" ]]; then if [[ -z "$ip6" ]]; then
@ -3988,12 +4003,24 @@ determine_ip_addresses() {
ip4="$NODE" # only an IPv4 address was supplied as an argument, no hostname ip4="$NODE" # only an IPv4 address was supplied as an argument, no hostname
SNI="" # override Server Name Indication as we test the IP only SNI="" # override Server Name Indication as we test the IP only
else else
ip4=$(get_a_record $NODE) ip4=$(get_local_a $NODE) # is there a local host entry?
ip6=$(get_aaaa_record $NODE) if [ -z $ip4 ]; then # empty: no (LOCAL_A is predefined as false)
ip4=$(get_a_record $NODE)
else
LOCAL_A=true # we have the ip4 from local host entry and need to set this
fi
# same now for ipv6 (though not supported) <-- can't do this yet as it shows up under "further IP addresses"
# and we didn't bother to show the fact that it is local there
ip6=$(get_local_aaaa $NODE)
#if [ -z $ip6 ]; then
ip6=$(get_aaaa_record $NODE)
#else
# LOCAL_AAAA=true # we have the ip4 from local host entry and need to set this
#fi
fi fi
IPADDRs=$(newline_to_spaces "$ip4") IPADDRs=$(newline_to_spaces "$ip4")
if [[ -z "$IPADDRs" ]] && [[ -z "$CMDLINE_IP" ]] ; then if [[ -z "$IPADDRs" ]] && [[ -z "$CMDLINE_IP" ]] ; then
pr_magenta "Can't proceed: No IP address for \"$NODE\" available" pr_magenta "Can't proceed: No IPv4 address for \"$NODE\" available"
outln "\n" outln "\n"
exit -1 exit -1
fi fi
@ -4041,7 +4068,8 @@ get_mx_record() {
# We need to get the IP address of the proxy so we can use it in fd_socket # We need to get the IP address of the proxy so we can use it in fd_socket
check_proxy(){ check_proxy(){
local save_LOCAL_A="$LOCAL_A" local save_LOCAL_A=$LOCAL_A
local save_LOCAL_AAAA=$LOCAL_AAAA
if [[ -n "$PROXY" ]]; then if [[ -n "$PROXY" ]]; then
if ! $OPENSSL s_client help 2>&1 | grep -qw proxy; then if ! $OPENSSL s_client help 2>&1 | grep -qw proxy; then
@ -4052,7 +4080,8 @@ check_proxy(){
PROXYPORT=${PROXY#*:} PROXYPORT=${PROXY#*:}
PROXYIP=$(get_a_record $PROXYNODE 2>/dev/null | grep -v alias | sed 's/^.*address //') PROXYIP=$(get_a_record $PROXYNODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
LOCAL_A="$save_LOCAL_A" LOCAL_A=$save_LOCAL_A
LOCAL_AAAA=$save_LOCAL_AAAA
# no RFC 1918: # no RFC 1918:
#if ! is_ipv4addr $PROXYIP ; then #if ! is_ipv4addr $PROXYIP ; then
if [[ -z "$PROXYIP" ]]; then if [[ -z "$PROXYIP" ]]; then
@ -4079,7 +4108,7 @@ determine_service() {
datebanner "Testing" datebanner "Testing"
if [[ -z "$1" ]] ; then # for starttls we want another check if [[ -z "$1" ]]; then # for starttls we want another check
# determine protocol which works (needed for IIS6). If we don't have IIS6, 1st try will succeed --> better because we use the variable # determine protocol which works (needed for IIS6). If we don't have IIS6, 1st try will succeed --> better because we use the variable
# all over the place. Stupid thing that we need to do that stuff for IIS<=6 # all over the place. Stupid thing that we need to do that stuff for IIS<=6
for OPTIMAL_PROTO in "" "-tls1_2" "-tls1" "-ssl3" "-tls1_1" "-ssl2" ""; do for OPTIMAL_PROTO in "" "-tls1_2" "-tls1" "-ssl3" "-tls1_1" "-ssl2" ""; do
@ -4154,8 +4183,9 @@ display_rdns_etc() {
done done
outln outln
fi fi
if [ -n "$rDNS" ] ; then [[ -n "$rDNS" ]] && printf " %-23s %s" "rDNS ($NODEIP):" "$rDNS"
printf " %-23s %s" "rDNS ($NODEIP):" "$rDNS" if "$LOCAL_A"; then
out " (A record via /etc/hosts) "
fi fi
} }
@ -4188,6 +4218,7 @@ mx_all_ips() {
if [ -n "$mxs" ] && [ "$mxs" != ' ' ] ; then if [ -n "$mxs" ] && [ "$mxs" != ' ' ] ; then
[[ $mxport == "465" ]] && \ [[ $mxport == "465" ]] && \
starttls_proto="" # no starttls for Port 465, on all other ports we speak starttls starttls_proto="" # no starttls for Port 465, on all other ports we speak starttls
outln
pr_bold "Testing now all MX records (on port $mxport): "; outln "$mxs" pr_bold "Testing now all MX records (on port $mxport): "; outln "$mxs"
for mx in $mxs; do for mx in $mxs; do
draw_dotted_line "-" $(($TERM_DWITH * 2 / 3)) draw_dotted_line "-" $(($TERM_DWITH * 2 / 3))
@ -4677,4 +4708,4 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.340 2015/08/10 13:58:55 dirkw Exp $ # $Id: testssl.sh,v 1.342 2015/08/11 22:17:27 dirkw Exp $