- do not run the HTTP/2 and SPDY checks when the service is not STARTTLS but also not HTTP

- ASSUMING_HTTP --> ASSUME_HTTP
- minor cleanups
This commit is contained in:
Dirk 2016-10-11 22:30:30 +02:00
parent d59c581700
commit 6723622024


@ -143,7 +143,7 @@ SHOW_SIGALGO=${SHOW_SIGALGO:-false} # "secret" switch whether testssl.sh sho
SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual? SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual?
QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native" SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
ASSUMING_HTTP=${ASSUMING_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks ASSUME_HTTP=${ASSUME_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks
BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5 BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5
DEBUG=${DEBUG:-0} # 1: normal putput the files in /tmp/ are kept for further debugging purposes DEBUG=${DEBUG:-0} # 1: normal putput the files in /tmp/ are kept for further debugging purposes
# 2: list more what's going on , also lists some errors of connections # 2: list more what's going on , also lists some errors of connections
@ -251,7 +251,6 @@ TLS_NOW=""
NOW_TIME="" NOW_TIME=""
HTTP_TIME="" HTTP_TIME=""
GET_REQ11="" GET_REQ11=""
HEAD_REQ10=""
readonly UA_STD="TLS tester from $SWURL" readonly UA_STD="TLS tester from $SWURL"
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0" readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
FIRST_FINDING=true # Is this the first finding we are outputting to file? FIRST_FINDING=true # Is this the first finding we are outputting to file?
@ -657,7 +656,7 @@ fi
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS) # determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
# arg1 could be the protocol determined as "working". IIS6 needs that # arg1 could be the protocol determined as "working". IIS6 needs that
runs_HTTP() { service_detection() {
local -i ret=0 local -i ret=0
local -i was_killed local -i was_killed
local addcmd="" local addcmd=""
@ -693,10 +692,10 @@ runs_HTTP() {
fileout "client_auth" "INFO" "certificate based authentication => skipping all HTTP checks" fileout "client_auth" "INFO" "certificate based authentication => skipping all HTTP checks"
else else
out " Couldn't determine what's running on port $PORT" out " Couldn't determine what's running on port $PORT"
if $ASSUMING_HTTP; then if "$ASSUME_HTTP"; then
SERVICE=HTTP SERVICE=HTTP
out " -- ASSUMING_HTTP set though" out " -- ASSUME_HTTP set though"
fileout "service" "DEBUG" "Couldn't determine service, --ASSUMING_HTTP set" fileout "service" "DEBUG" "Couldn't determine service, --ASSUME_HTTP set"
ret=0 ret=0
else else
out ", assuming no HTTP service => skipping all HTTP checks" out ", assuming no HTTP service => skipping all HTTP checks"
@ -5128,7 +5127,7 @@ run_pfs() {
spdy_pre(){ spdy_pre(){
if [[ -n "$STARTTLS" ]]; then if [[ -n "$STARTTLS" ]] || [[ "$SERVICE" != HTTP ]]; then
[[ -n "$1" ]] && out "$1" [[ -n "$1" ]] && out "$1"
out "(SPDY is an HTTP protocol and thus not tested here)" out "(SPDY is an HTTP protocol and thus not tested here)"
fileout "spdy_npn" "INFO" "SPDY/NPN : (SPY is an HTTP protocol and thus not tested here)" fileout "spdy_npn" "INFO" "SPDY/NPN : (SPY is an HTTP protocol and thus not tested here)"
@ -5149,7 +5148,7 @@ spdy_pre(){
} }
http2_pre(){ http2_pre(){
if [[ -n "$STARTTLS" ]]; then if [[ -n "$STARTTLS" ]] || [[ "$SERVICE" != HTTP ]]; then
[[ -n "$1" ]] && out "$1" [[ -n "$1" ]] && out "$1"
outln "(HTTP/2 is a HTTP protocol and thus not tested here)" outln "(HTTP/2 is a HTTP protocol and thus not tested here)"
fileout "https_alpn" "INFO" "HTTP2/ALPN : HTTP/2 is and HTTP protocol and thus not tested" fileout "https_alpn" "INFO" "HTTP2/ALPN : HTTP/2 is and HTTP protocol and thus not tested"
@ -7418,7 +7417,7 @@ partly mandatory parameters:
tuning options (can also be preset via environment variables): tuning options (can also be preset via environment variables):
--bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s --bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s
--assuming-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks --assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
--ssl-native fallback to checks with OpenSSL where sockets are normally used --ssl-native fallback to checks with OpenSSL where sockets are normally used
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME) --openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME)
--proxy <host>:<port> connect via the specified HTTP proxy --proxy <host>:<port> connect via the specified HTTP proxy
@ -7520,7 +7519,7 @@ HAS_SED_E: $HAS_SED_E
SHOW_EACH_C: $SHOW_EACH_C SHOW_EACH_C: $SHOW_EACH_C
SSL_NATIVE: $SSL_NATIVE SSL_NATIVE: $SSL_NATIVE
ASSUMING_HTTP $ASSUMING_HTTP ASSUME_HTTP $ASSUME_HTTP
SNEAKY: $SNEAKY SNEAKY: $SNEAKY
DEBUG: $DEBUG DEBUG: $DEBUG
@ -8126,10 +8125,10 @@ determine_service() {
ua="$UA_SNEAKY" || \ ua="$UA_SNEAKY" || \
ua="$UA_STD" ua="$UA_STD"
GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n" GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n"
HEAD_REQ11="HEAD $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n" #HEAD_REQ11="HEAD $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n"
GET_REQ10="GET $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n" #GET_REQ10="GET $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n"
HEAD_REQ10="HEAD $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n" #HEAD_REQ10="HEAD $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n"
runs_HTTP $OPTIMAL_PROTO service_detection $OPTIMAL_PROTO
else else
# STARTTLS # STARTTLS
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
@ -8599,7 +8598,7 @@ parse_cmd_line() {
WIDE=true WIDE=true
;; ;;
--assuming[_-]http|--assume[-_]http) --assuming[_-]http|--assume[-_]http)
ASSUMING_HTTP=true ASSUME_HTTP=true
;; ;;
--sneaky) --sneaky)
SNEAKY=true SNEAKY=true
@ -8896,4 +8895,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.557 2016/10/10 21:27:33 dirkw Exp $ # $Id: testssl.sh,v 1.558 2016/10/11 20:30:29 dirkw Exp $
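Review bot: In the `service_detection` hunk (`@ -693`), `if "$ASSUME_HTTP"; then` still executes the variable's value as a command instead of comparing it, and that value comes from the environment (`ASSUME_HTTP=${ASSUME_HTTP:-false}` in the `@ -143` hunk), so a value such as `yes` fails with "command not found" and is silently treated as false, while any other string is run as a program. Quoting the expansion, as this commit does, does not change that; an explicit string test, `if [[ "$ASSUME_HTTP" == true ]]; then`, keeps the setting a flag rather than a command. The enclosing function `service_detection` begins and continues outside this hunk. In the `determine_service` hunk (`@ -8126`) the commented-out `HEAD_REQ11`/`GET_REQ10`/`HEAD_REQ10` assignments would be better deleted than kept as comments, given that the matching `HEAD_REQ10=""` global is already removed in the `@ -251` hunk.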