From 26ec80e76423d6cc7d7f91d7f2a02740be948f5a Mon Sep 17 00:00:00 2001 From: David Cooper Date: Mon, 3 Jul 2017 14:28:21 -0400 Subject: [PATCH 1/3] run_hpkp() bug fix In `run_hpkp()` there is a call to `$OPENSSL s_client` that uses `${sni[i]}` as one of the command line options, but `sni` is not defined. My guess is that this was a copy/paste error from `run_client_simulation()`, which is the only function where an `sni` array is defined. I am guessing that the intention was to use `$SNI` in `run_hpkp()`. --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index fc74e03..8e2fa28 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1725,7 +1725,7 @@ run_hpkp() { hpkp_ca="$($OPENSSL x509 -in $HOSTCERT -issuer -noout|sed 's/^.*CN=//' | sed 's/\/.*$//')" # Get keys/hashes from intermediate certificates - $OPENSSL s_client $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE + $OPENSSL s_client $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT $SNI $TMPFILE 2>$ERRFILE # Place the server's certificate in $HOSTCERT and any intermediate # certificates that were provided in $TEMPDIR/intermediatecerts.pem # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ From a8ae90137def4555a6edcccd593a174a412b4ee1 Mon Sep 17 00:00:00 2001 From: Steven Danneman Date: Fri, 30 Jun 2017 11:15:13 -0700 Subject: [PATCH 2/3] fd_socket now also modifies NW_STR Assign to local variable sooner. --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 84db326..ad1a9f1 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3447,8 +3447,8 @@ client_simulation_sockets() { done debugme echo "sending client hello..." code2network "${data}" - fd_socket 5 || return 6 data="$NW_STR" + fd_socket 5 || return 6 [[ "$DEBUG" -ge 4 ]] && echo "\"$data\"" printf -- "$data" >&5 2>/dev/null & sleep $USLEEP_SND From 8be69e9789376b78d0d56e8b93ff0b556e665f8d Mon Sep 17 00:00:00 2001 From: Steven Danneman Date: Fri, 30 Jun 2017 15:54:39 -0700 Subject: [PATCH 3/3] Add sockets implementation of mysql starttls This is the simplest direct socket implementation of the MySQL STARTTLS protocol. This is a binary protocol, so it requires a new stream based send (instead of the current line based send). --- testssl.sh | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index ad1a9f1..fc2295a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6883,11 +6883,18 @@ starttls_line() { return 0 } +# Line based send with newline characters appended starttls_just_send(){ debugme echo -e "C: $1" echo -ne "$1\r\n" >&5 } +# Stream based send +starttls_just_send2(){ + debugme echo -e "C: $1" + echo -ne "$1" >&5 +} + starttls_just_read(){ debugme echo "=== just read banner ===" if [[ "$DEBUG" -ge 2 ]]; then @@ -7015,9 +7022,20 @@ starttls_postgres_dialog() { starttls_mysql_dialog() { debugme echo "=== starting mysql STARTTLS dialog ===" - - debugme echo "mysql socket dialog not yet implemented" - + local login_request=" + , 20, 00, 00, 01, # payload_length, sequence_id + 85, ae, ff, 00, # capability flags, CLIENT_SSL always set + 00, 00, 00, 01, # max-packet size + 21, # character set + 00, 00, 00, 00, 00, 00, 00, 00, # string[23] reserved (all [0]) + 00, 00, 00, 00, 00, 00, 00, 00, + 00, 00, 00, 00, 00, 00, 00" + code2network "${login_request}" + starttls_just_read && debugme echo -e "\nreceived server greeting" && + starttls_just_send2 "$NW_STR" && debugme echo "initiated STARTTLS" + # TODO: We could detect if the server supports STARTTLS via the "Server Capabilities" + # bit field, but we'd need to parse the binary stream, with greater precision than regex. + local ret=$? debugme echo "=== finished mysql STARTTLS dialog with ${ret} ===" return $ret }