FIX: experiration threshold < 30 days
This commit is contained in:
parent
e84a5efd8f
commit
67b68d1d10
25
testssl.sh
25
testssl.sh
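--- a/testssl.sh
+++ b/testssl.sh
@@ -2,7 +2,7 @@
 #
 # bash is needed for some distros which use dash as /bin/sh and for tcp sockets which
 # this program uses a couple of times. Also some expressions are bashisms as I expect
-# them to be faster. Idea is to not overdo it though
+# them to be faster. Idea is to not overdo it though.
 
 # testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some
 # vulnerablities or features
@@ -27,14 +27,17 @@ SWCONTACT="dirk aet testssl dot sh"
 # your OWN RISK
 
 # HISTORY: I know reading this shell script is sometimes neither nice nor is it rocket science
-# As openssl is a such a good swiss army knife (e.g. wiki.openssl.org/index.php/Command_Line_Utilities)
-# it was difficult to resist wrapping it with some shell commandos. That's how everything
-# started
+# (well ok, maybe the bash sockets are kind of cool).
+# It all started with a few openssl commands. It is a such a good swiss army knife (see e.g.
+# wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist wrapping
+# with some shell commandos around it. This is how everything started
+# Probably you can achieve the same result with my favorite zsh (zmodload zsh/net/socket b4
+# -- checkout zsh/net/tcp too! -- but bash is way more often used, within Linux and: cross-platform!
 
 # Q: So what's the difference between https://www.ssllabs.com/ssltest or
 # https://sslcheck.globalsign.com/?
 # A: As of now ssllabs only check webservers on standard ports, reachable from
-# the internet. And the two above are 3rd parties. If those restrictions are fine
+# the internet. And the examples above are 3rd parties. If those restrictions are fine
 # with you, they might tell you more than this tool -- as of now.
 
 # Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities)
@@ -349,7 +352,7 @@ poodle() {
 ret=$?
 [ "$VERBERR" -eq 0 ] && cat $TMPFILE | egrep "error|failure" | egrep -v "unable to get local|verify error"
 if [ $ret -eq 0 ]; then
-pr_litered "VULNERABLE"; out ", uses SSLv3 (no TLS_FALLBACK_SCSV tested)"
+pr_litered "VULNERABLE"; out ", uses SSLv3 (no TLS_FALLBACK_SCSV mitigation tested)"
 else
 pr_green "not vulnerable (OK)"
 fi
@@ -1123,7 +1126,7 @@ server_defaults() {
 if ! echo $expire | grep -qw not; then
 pr_red "expired!"
 else
-SECS2WARN=`expr 24 \* 60 \* 60 \* $DAYS2WARN1` # pr_red threshold first
+SECS2WARN=`expr 24 \* 60 \* 60 \* $DAYS2WARN2` # low threshold first
 expire=`$OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN`
 if echo "$expire" | grep -qw not; then
 SECS2WARN=`expr 24 \* 60 \* 60 \* $DAYS2WARN2`
@@ -1131,10 +1134,10 @@ server_defaults() {
 if echo "$expire" | grep -qw not; then
 pr_litegreen ">= $DAYS2WARN1 days"
 else
-pr_litered "expires < $DAYS2WARN2 days"
+pr_brown "expires < $DAYS2WARN1 days"
 fi
 else
-pr_brown "expires < $DAYS2WARN1 days"
+pr_litered "expires < $DAYS2WARN2 days!"
 fi
 fi
 enddate=`date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate | cut -d= -f 2)" +"%F %H:%M %z"`
@@ -2050,7 +2053,7 @@ $PRG <options> URI
 <-E|-ee|--cipher-per-proto> check those per protocol
 <-f|--ciphers> check cipher suites
 <-p|--protocols> check TLS/SSL protocols only
-<-S|--server_defaults> displays the servers default picks and cert info
+<-S|--server_defaults> displays the servers default picks and certificate info
 <-P|--preference> displays the servers picks: protocol+cipher
 <-y|--spdy> checks for SPDY/NPN
 <-x|--single-ciphers-test> <pattern> tests matched <pattern> of cipher
@@ -2548,6 +2551,6 @@ case "$1" in
 exit $ret ;;
 esac
 
-# $Id: testssl.sh,v 1.177 2015/01/29 22:24:48 dirkw Exp $
+# $Id: testssl.sh,v 1.178 2015/01/30 15:26:54 dirkw Exp $
 # vim:ts=5:sw=5
 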
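Review bot: The nested threshold on the last context line of the @@ -1123 hunk still multiplies by `$DAYS2WARN2`, the same value the changed line four lines above now feeds the outer `-checkend`, so if the line hidden between the two hunks re-runs `-checkend $SECS2WARN` as the first check does, the inner test can only repeat the outer result: a certificate that clears the DAYS2WARN2 window is always reported as `>= $DAYS2WARN1 days` and the new `pr_brown "expires < $DAYS2WARN1 days"` branch in the @@ -1131 hunk is unreachable. That unchanged line should become ``SECS2WARN=`expr 24 \* 60 \* 60 \* $DAYS2WARN1` `` so the checks walk from the low threshold to the high one as the new `# low threshold first` comment intends (this assumes DAYS2WARN2 < DAYS2WARN1, which the comment implies but the hunk does not show). A smaller point: both `grep -qw not` tests treat empty openssl output, i.e. a failed `x509` run on an unreadable $HOSTCERT, as a soon-expiring certificate because the word `not` is absent, so checking the exit status of the `x509 -checkend` call before grepping would keep a tooling error from being printed as `expires < $DAYS2WARN2 days!`. server_defaults() starts before these hunks and continues past them.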