Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2
This commit is contained in:
commit
6730ed8340
108
testssl.sh
108
testssl.sh
|
@ -3836,7 +3836,7 @@ compare_server_name_to_cert()
|
||||||
|
|
||||||
# Check whether any of the DNS names in the certificate match the servername
|
# Check whether any of the DNS names in the certificate match the servername
|
||||||
dns_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
dns_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
||||||
tr '.' '\n' grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
|
tr ',' '\n' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
|
||||||
for san in $dns_sans; do
|
for san in $dns_sans; do
|
||||||
[[ "$san" == "$servername" ]] && return 0
|
[[ "$san" == "$servername" ]] && return 0
|
||||||
# If $san is a wildcard name, then do a wildcard match
|
# If $san is a wildcard name, then do a wildcard match
|
||||||
|
@ -3864,7 +3864,8 @@ certificate_info() {
|
||||||
local ocsp_response=$5
|
local ocsp_response=$5
|
||||||
local ocsp_response_status=$6
|
local ocsp_response_status=$6
|
||||||
local cert_sig_algo cert_sig_hash_algo cert_key_algo
|
local cert_sig_algo cert_sig_hash_algo cert_key_algo
|
||||||
local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_C issuer_O issuer sans san cn cn_nosni
|
local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer sans san cn
|
||||||
|
local cn_nosni=""
|
||||||
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
|
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
|
||||||
local policy_oid
|
local policy_oid
|
||||||
local spaces=""
|
local spaces=""
|
||||||
|
@ -4104,8 +4105,10 @@ certificate_info() {
|
||||||
|
|
||||||
# no cipher suites specified here. We just want the default vhost subject
|
# no cipher suites specified here. We just want the default vhost subject
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
||||||
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
|
if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
|
||||||
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
|
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
|
||||||
|
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
|
||||||
|
fi
|
||||||
|
|
||||||
#FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite)
|
#FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite)
|
||||||
|
|
||||||
|
@ -4170,7 +4173,7 @@ certificate_info() {
|
||||||
issuer="$($OPENSSL x509 -in $HOSTCERT -noout -issuer -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)"
|
issuer="$($OPENSSL x509 -in $HOSTCERT -noout -issuer -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)"
|
||||||
issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")"
|
issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")"
|
||||||
issuer_O="$(awk -F'=' '/O=/ { print $2 }' <<< "$issuer")"
|
issuer_O="$(awk -F'=' '/O=/ { print $2 }' <<< "$issuer")"
|
||||||
issuer_C="$(awk -F'=' '/C=/ { print $2 }' <<< "$issuer")"
|
issuer_C="$(awk -F'=' '/ C=/ { print $2 }' <<< "$issuer")"
|
||||||
|
|
||||||
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
|
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
|
||||||
pr_svrty_criticalln "self-signed (NOT ok)"
|
pr_svrty_criticalln "self-signed (NOT ok)"
|
||||||
|
@ -4182,9 +4185,9 @@ certificate_info() {
|
||||||
if [[ -n "$issuer_C" ]]; then
|
if [[ -n "$issuer_C" ]]; then
|
||||||
out " from "
|
out " from "
|
||||||
pr_dquoted "$issuer_C"
|
pr_dquoted "$issuer_C"
|
||||||
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")"
|
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer_CN\" ( \"$issuer_O\" from \"$issuer_C\")"
|
||||||
else
|
else
|
||||||
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" )"
|
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer_CN\" ( \"$issuer_O\" )"
|
||||||
fi
|
fi
|
||||||
outln ")"
|
outln ")"
|
||||||
fi
|
fi
|
||||||
|
@ -4514,13 +4517,18 @@ run_server_defaults() {
|
||||||
|
|
||||||
run_pfs() {
|
run_pfs() {
|
||||||
local -i sclient_success
|
local -i sclient_success
|
||||||
local pfs_offered=false
|
local pfs_offered=false ecdhe_offered=false
|
||||||
local tmpfile
|
local tmpfile
|
||||||
local dhlen
|
local dhlen
|
||||||
local hexcode dash pfs_cipher sslvers kx auth enc mac
|
local hexcode dash pfs_cipher sslvers kx auth enc mac curve
|
||||||
local pfs_cipher_list="$ROBUST_PFS_CIPHERS"
|
local pfs_cipher_list="$ROBUST_PFS_CIPHERS"
|
||||||
local -i nr_supported_ciphers=0
|
local ecdhe_cipher_list=""
|
||||||
local pfs_ciphers
|
local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
|
||||||
|
local -a curves_ossl_output=("K-163" "sect163r1" "B-163" "sect193r1" "sect193r2" "K-233" "B-233" "sect239k1" "K-283" "B-283" "K-409" "B-409" "K-571" "B-571" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "P-192" "secp224k1" "P-224" "secp256k1" "P-256" "P-384" "P-521" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
|
||||||
|
local -a supported_curves=()
|
||||||
|
local -i nr_supported_ciphers=0 nr_curves=0 i j low high
|
||||||
|
local pfs_ciphers curves_offered curves_to_test temp
|
||||||
|
local curve_found curve_used
|
||||||
|
|
||||||
outln
|
outln
|
||||||
pr_headlineln " Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here "
|
pr_headlineln " Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here "
|
||||||
|
@ -4542,7 +4550,7 @@ run_pfs() {
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
if [[ $? -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then
|
if [[ $? -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then
|
||||||
outln
|
outln
|
||||||
pr_svrty_mediumln "No ciphers supporting Forward Secrecy offered"
|
pr_svrty_mediumln " No ciphers supporting Forward Secrecy offered"
|
||||||
fileout "pfs" "MEDIUM" "(Perfect) Forward Secrecy : No ciphers supporting Forward Secrecy offered"
|
fileout "pfs" "MEDIUM" "(Perfect) Forward Secrecy : No ciphers supporting Forward Secrecy offered"
|
||||||
else
|
else
|
||||||
outln
|
outln
|
||||||
|
@ -4554,7 +4562,7 @@ run_pfs() {
|
||||||
outln ", ciphers follow (client/browser support is important here) \n"
|
outln ", ciphers follow (client/browser support is important here) \n"
|
||||||
neat_header
|
neat_header
|
||||||
else
|
else
|
||||||
out " "
|
out " "
|
||||||
fi
|
fi
|
||||||
while read hexcode dash pfs_cipher sslvers kx auth enc mac; do
|
while read hexcode dash pfs_cipher sslvers kx auth enc mac; do
|
||||||
tmpfile=$TMPFILE.$hexcode
|
tmpfile=$TMPFILE.$hexcode
|
||||||
|
@ -4564,6 +4572,7 @@ run_pfs() {
|
||||||
if [[ "$sclient_success" -ne 0 ]] && ! "$SHOW_EACH_C"; then
|
if [[ "$sclient_success" -ne 0 ]] && ! "$SHOW_EACH_C"; then
|
||||||
continue # no successful connect AND not verbose displaying each cipher
|
continue # no successful connect AND not verbose displaying each cipher
|
||||||
fi
|
fi
|
||||||
|
[[ "$sclient_success" -eq 0 ]] && [[ $pfs_cipher == "ECDHE-"* ]] && ecdhe_offered=true && ecdhe_cipher_list+=":$pfs_cipher"
|
||||||
|
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
normalize_ciphercode $hexcode
|
normalize_ciphercode $hexcode
|
||||||
|
@ -4600,6 +4609,63 @@ run_pfs() {
|
||||||
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
|
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if "$ecdhe_offered"; then
|
||||||
|
# find out what elliptic curves are supported.
|
||||||
|
curves_offered=""
|
||||||
|
for curve in "${curves_ossl[@]}"; do
|
||||||
|
$OPENSSL ecparam -list_curves | grep -q $curve
|
||||||
|
[[ $? -eq 0 ]] && nr_curves+=1 && supported_curves+=("$curve")
|
||||||
|
done
|
||||||
|
|
||||||
|
# OpenSSL limits the number of curves that can be specified in the
|
||||||
|
# "-curves" option to 28. So, the list is broken in two since there
|
||||||
|
# are currently 30 curves defined.
|
||||||
|
for i in 1 2; do
|
||||||
|
case $i in
|
||||||
|
1) low=0; high=$nr_curves/2 ;;
|
||||||
|
2) low=$nr_curves/2; high=$nr_curves ;;
|
||||||
|
esac
|
||||||
|
sclient_success=0
|
||||||
|
while [[ "$sclient_success" -eq 0 ]]; do
|
||||||
|
curves_to_test=""
|
||||||
|
for (( j=low; j < high; j++ )); do
|
||||||
|
[[ ! " $curves_offered " =~ " ${supported_curves[j]} " ]] && curves_to_test+=":${supported_curves[j]}"
|
||||||
|
done
|
||||||
|
if [[ -n "$curves_to_test" ]]; then
|
||||||
|
$OPENSSL s_client -cipher "${ecdhe_cipher_list:1}" -curves "${curves_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI &>$tmpfile </dev/null
|
||||||
|
sclient_connect_successful $? $tmpfile
|
||||||
|
sclient_success=$?
|
||||||
|
else
|
||||||
|
sclient_success=1
|
||||||
|
fi
|
||||||
|
if [[ "$sclient_success" -eq 0 ]]; then
|
||||||
|
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$tmpfile")
|
||||||
|
curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
|
||||||
|
j=0; curve_used=""
|
||||||
|
for curve in "${curves_ossl[@]}"; do
|
||||||
|
[[ "${curves_ossl_output[j]}" == "$curve_found" ]] && curve_used="${curves_ossl[j]}" && break
|
||||||
|
j+=1
|
||||||
|
done
|
||||||
|
if [[ -n "$curve_used" ]]; then
|
||||||
|
curves_offered+="$curve "
|
||||||
|
else
|
||||||
|
sclient_success=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
done
|
||||||
|
# Reorder list of curves that were found to match their ordering in NamedCurve
|
||||||
|
curve_found=""
|
||||||
|
for curve in "${curves_ossl[@]}"; do
|
||||||
|
[[ " $curves_offered " =~ " $curve " ]] && curve_found+="$curve "
|
||||||
|
done
|
||||||
|
if [[ -n "$curves_offered" ]]; then
|
||||||
|
"$WIDE" && outln
|
||||||
|
pr_bold " Elliptic curves offered: "; outln "$curves_offered"
|
||||||
|
fileout "ecdhe_curves" "INFO" "Elliptic curves offered $curves_offered"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
outln
|
outln
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
|
@ -5421,10 +5487,10 @@ socksend_tls_clienthello() {
|
||||||
extensions_ecc="
|
extensions_ecc="
|
||||||
00, 0a, # Type: Supported Elliptic Curves , see RFC 4492
|
00, 0a, # Type: Supported Elliptic Curves , see RFC 4492
|
||||||
00, 3e, 00, 3c, # lengths
|
00, 3e, 00, 3c, # lengths
|
||||||
00, 01, 00, 02, 00, 03, 00, 04, 00, 05, 00, 06, 00, 07, 00, 08,
|
00, 0e, 00, 0d, 00, 19, 00, 1c, 00, 1e, 00, 0b, 00, 0c, 00, 1b,
|
||||||
00, 09, 00, 0a, 00, 0b, 00, 0c, 00, 0d, 00, 0e, 00, 0f, 00, 10,
|
00, 18, 00, 09, 00, 0a, 00, 1a, 00, 16, 00, 17, 00, 1d, 00, 08,
|
||||||
00, 11, 00, 12, 00, 13, 00, 14, 00, 15, 00, 16, 00, 17, 00, 18,
|
00, 06, 00, 07, 00, 14, 00, 15, 00, 04, 00, 05, 00, 12, 00, 13,
|
||||||
00, 19, 00, 1a, 00, 1b, 00, 1c, 00, 1d, 00, 1e,
|
00, 01, 00, 02, 00, 03, 00, 0f, 00, 10, 00, 11,
|
||||||
00, 0b, # Type: Supported Point Formats , see RFC 4492
|
00, 0b, # Type: Supported Point Formats , see RFC 4492
|
||||||
00, 02, # len
|
00, 02, # len
|
||||||
01, 00"
|
01, 00"
|
||||||
|
@ -6772,7 +6838,11 @@ check4openssl_oldfarts() {
|
||||||
# FreeBSD needs to have /dev/fd mounted. This is a friendly hint, see #258
|
# FreeBSD needs to have /dev/fd mounted. This is a friendly hint, see #258
|
||||||
check_bsd_mount() {
|
check_bsd_mount() {
|
||||||
if [[ "$(uname)" == FreeBSD ]]; then
|
if [[ "$(uname)" == FreeBSD ]]; then
|
||||||
if ! mount | grep '/dev/fd' | grep -q fdescfs; then
|
if ! mount | grep -q "^devfs"; then
|
||||||
|
outln "you seem to run $PROG_NAME= in a jail. Hopefully you're did \"mount -t fdescfs fdesc /dev/fd\""
|
||||||
|
elif mount | grep '/dev/fd' | grep -q fdescfs; then
|
||||||
|
:
|
||||||
|
else
|
||||||
fatal "You need to mount fdescfs on FreeBSD: \"mount -t fdescfs fdesc /dev/fd\"" -3
|
fatal "You need to mount fdescfs on FreeBSD: \"mount -t fdescfs fdesc /dev/fd\"" -3
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -8293,4 +8363,4 @@ fi
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.523 2016/07/11 14:20:35 dirkw Exp $
|
# $Id: testssl.sh,v 1.527 2016/07/20 15:36:50 dirkw Exp $
|
||||||
|
|
Loading…
Reference in New Issue