Add prototype for STARTTLS+ LDAP via sockets
See #1258 To do: * more robustness. At least the success value from the response needs to be retrieved and checked via starttls_io(). * double check the pre-handshake before the OID whether it's correct for every case * documentation * inline help It seems to work though against db.debian.org
parent
06890d4506
commit
601ff16a0a
31
testssl.sh
31
testssl.sh
@ -11094,6 +11094,29 @@ starttls_postgres_dialog() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# RFC 2830
|
||||||
|
starttls_ldap_dialog() {
|
||||||
|
local debugpad=" > "
|
||||||
|
local -i ret=0
|
||||||
|
local starttls_init=",
|
||||||
|
x30, x1d, x02, x01, # LDAP extendedReq
|
||||||
|
x01, # messageID: 1
|
||||||
|
x77, x18, x80, x16, x31, x2e, x33, x2e, x36, x2e, # ProtocolOP: extendedReq
|
||||||
|
x31, x2e, x34, x2e, x31, x2e, x31, x34, x36, x36, x2e, x32, x30, x30, x33, x37" # OID for STATRTTLS = "1.3.6.1.4.1.1466.20037"
|
||||||
|
|
||||||
|
debugme echo "=== starting LDAP STARTTLS dialog ==="
|
||||||
|
socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" &&
|
||||||
|
starttls_just_read 1 "read succeeded"
|
||||||
|
|
||||||
|
# response is typically 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
|
||||||
|
# ^^ == success! That [9] should be checked also!
|
||||||
|
|
||||||
|
ret=$?
|
||||||
|
debugme echo "=== finished LDAP STARTTLS dialog with ${ret} ==="
|
||||||
|
return $ret
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
starttls_mysql_dialog() {
|
starttls_mysql_dialog() {
|
||||||
local debugpad=" > "
|
local debugpad=" > "
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
@ -11214,8 +11237,10 @@ fd_socket() {
|
|||||||
irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html
|
irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html
|
||||||
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
|
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
|
||||||
;;
|
;;
|
||||||
ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
|
ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830#section-2.1, https://tools.ietf.org/html/rfc4511
|
||||||
fatal "FIXME: LDAP+STARTTLS over sockets not supported yet (try \"--ssl-native\")" $ERR_NOSUPPORT
|
# https://ldap.com/ldapv3-wire-protocol-reference-extended/
|
||||||
|
#fatal "FIXME: LDAP+STARTTLS over sockets not supported yet (try \"--ssl-native\")" $ERR_NOSUPPORT
|
||||||
|
starttls_ldap_dialog
|
||||||
;;
|
;;
|
||||||
acap|acaps) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595
|
acap|acaps) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595
|
||||||
fatal "ACAP Easteregg: not implemented -- probably never will" $ERR_NOSUPPORT
|
fatal "ACAP Easteregg: not implemented -- probably never will" $ERR_NOSUPPORT
|
||||||
@ -11231,7 +11256,7 @@ fd_socket() {
|
|||||||
starttls_mysql_dialog
|
starttls_mysql_dialog
|
||||||
;;
|
;;
|
||||||
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
|
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
|
||||||
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not yet supported" $ERR_NOSUPPORT
|
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not supported yet" $ERR_NOSUPPORT
|
||||||
esac
|
esac
|
||||||
ret=$?
|
ret=$?
|
||||||
case $ret in
|
case $ret in
|
||||||
|
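Review bot: starttls_ldap_dialog (first hunk, fully inside it) treats any reply to the extendedReq as success, because `ret=$?` only reflects whether `starttls_just_read 1` obtained a byte, while the resultCode of the extendedResponse (the `0a 01 00` that the sample-reply comment points at with "[9]") is never inspected; a server that answers with a non-zero resultCode would presumably still be handed to the TLS handshake on a not-yet-protected socket and the scan would report misleading results. The commit message lists this as a to-do, and I would close it before the second hunk routes `ldap|ldaps)` in fd_socket() to this dialog: read the reply via starttls_io() with the expected `78 .. 0a 01 00` pattern (or compare the captured reply bytes yourself) and set `ret` non-zero on any other outcome, so a refused StartTLS is reported rather than silently ignored. The trailing comment on the last byte line has a typo; it should read `# OID for STARTTLS = "1.3.6.1.4.1.1466.20037"`. In the second hunk the commented-out `#fatal "FIXME: LDAP+STARTTLS over sockets not supported yet ..."` line is dead code next to the live call and should be dropped rather than left behind.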