pretty json format + severity levels filter
This commit is contained in:
parent
ef78aec50b
commit
694e4c7b6e
@ -28,7 +28,7 @@ foreach my $f ( @$json ) {
|
|||||||
if ( $f->{id} eq "expiration" ) {
|
if ( $f->{id} eq "expiration" ) {
|
||||||
$found = 1;
|
$found = 1;
|
||||||
like($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding reads expired."); $tests++;
|
like($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding reads expired."); $tests++;
|
||||||
is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++;
|
is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
|
||||||
last;
|
last;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -56,7 +56,7 @@ foreach my $f ( @$json ) {
|
|||||||
if ( $f->{id} eq "chain_of_trust" ) {
|
if ( $f->{id} eq "chain_of_trust" ) {
|
||||||
$found = 1;
|
$found = 1;
|
||||||
like($f->{finding},qr/^All certificate trust checks failed/,"Finding says certificate cannot be trusted."); $tests++;
|
like($f->{finding},qr/^All certificate trust checks failed/,"Finding says certificate cannot be trusted."); $tests++;
|
||||||
is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++;
|
is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
|
||||||
last;
|
last;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -100,7 +100,7 @@ foreach my $f ( @$json ) {
|
|||||||
if ( $f->{id} eq "chain_of_trust" ) {
|
if ( $f->{id} eq "chain_of_trust" ) {
|
||||||
$found = 1;
|
$found = 1;
|
||||||
like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++;
|
like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++;
|
||||||
is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++;
|
is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
|
||||||
last;
|
last;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -118,7 +118,7 @@ is($found,1,"We had a finding for this in the JSON output"); $tests++;
|
|||||||
# if ( $f->{id} eq "chain_of_trust" ) {
|
# if ( $f->{id} eq "chain_of_trust" ) {
|
||||||
# $found = 1;
|
# $found = 1;
|
||||||
# like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++;
|
# like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++;
|
||||||
# is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++;
|
# is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
|
||||||
# last;
|
# last;
|
||||||
# }
|
# }
|
||||||
#}
|
#}
|
||||||
|
360
testssl.sh
360
testssl.sh
@ -252,6 +252,8 @@ HEAD_REQ10=""
|
|||||||
readonly UA_STD="TLS tester from $SWURL"
|
readonly UA_STD="TLS tester from $SWURL"
|
||||||
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
|
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
|
||||||
FIRST_FINDING=true # Is this the first finding we are outputting to file?
|
FIRST_FINDING=true # Is this the first finding we are outputting to file?
|
||||||
|
START_TIME=0
|
||||||
|
END_TIME=0
|
||||||
|
|
||||||
# Devel stuff, see -q below
|
# Devel stuff, see -q below
|
||||||
TLS_LOW_BYTE=""
|
TLS_LOW_BYTE=""
|
||||||
@ -261,6 +263,45 @@ HEX_CIPHER=""
|
|||||||
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyze the reply
|
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyze the reply
|
||||||
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
|
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
|
||||||
|
|
||||||
|
#################### SEVERITY ####################
|
||||||
|
INFO=0
|
||||||
|
OK=0
|
||||||
|
LOW=1
|
||||||
|
MEDIUM=2
|
||||||
|
HIGH=3
|
||||||
|
CRITICAL=4
|
||||||
|
|
||||||
|
SEVERITY_LEVEL=0
|
||||||
|
|
||||||
|
set_severity_level() {
|
||||||
|
local severity=$1
|
||||||
|
|
||||||
|
if [[ "$severity" == "LOW" ]]; then
|
||||||
|
SEVERITY_LEVEL=$LOW
|
||||||
|
elif [[ "$severity" == "MEDIUM" ]]; then
|
||||||
|
SEVERITY_LEVEL=$MEDIUM
|
||||||
|
elif [[ "$severity" == "HIGH" ]]; then
|
||||||
|
SEVERITY_LEVEL=$HIGH
|
||||||
|
elif [[ "$severity" == "CRITICAL" ]]; then
|
||||||
|
SEVERITY_LEVEL=$CRITICAL
|
||||||
|
else
|
||||||
|
echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL!"
|
||||||
|
help
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
show_finding() {
|
||||||
|
local severity=$1
|
||||||
|
|
||||||
|
([[ "$severity" == "DEBUG" ]]) ||
|
||||||
|
([[ "$severity" == "WARN" ]]) ||
|
||||||
|
([[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]]) ||
|
||||||
|
([[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]]) ||
|
||||||
|
([[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]]) ||
|
||||||
|
([[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]]) ||
|
||||||
|
([[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]]) ||
|
||||||
|
([[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]])
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
###### some hexbytes for bash network sockets follow ######
|
###### some hexbytes for bash network sockets follow ######
|
||||||
@ -456,12 +497,117 @@ strip_quote() {
|
|||||||
-e 's/ *$//g' <<< "$1"
|
-e 's/ *$//g' <<< "$1"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#################### JSON FILE FORMATING ####################
|
||||||
|
fileout_pretty_json_header() {
|
||||||
|
START_TIME=$(date +%s)
|
||||||
|
|
||||||
|
echo -e " \"host\" : \"$NODE\",
|
||||||
|
\"port\" : \"$PORT\",
|
||||||
|
\"startTime\" : \"$START_TIME\",
|
||||||
|
\"version\" : \"$VERSION\",
|
||||||
|
\"scanResult\" : {
|
||||||
|
"
|
||||||
|
}
|
||||||
|
|
||||||
|
fileout_pretty_json_footer() {
|
||||||
|
local scan_time=$((END_TIME - START_TIME))
|
||||||
|
echo -e " },
|
||||||
|
\"ip\" : \"$NODEIP\",
|
||||||
|
\"scanTime\" : \"$scan_time\"\n}"
|
||||||
|
}
|
||||||
|
|
||||||
|
fileout_json_header() {
|
||||||
|
"$do_json" && printf "[\n" > "$JSONFILE"
|
||||||
|
"$do_pretty_json" && (printf "{\n%s" "$(fileout_pretty_json_header)") > "$JSONFILE"
|
||||||
|
}
|
||||||
|
|
||||||
|
fileout_json_footer() {
|
||||||
|
"$do_json" && printf "]\n" >> "$JSONFILE"
|
||||||
|
"$do_pretty_json" && (printf "\n%s" "$(fileout_pretty_json_footer)") >> "$JSONFILE"
|
||||||
|
}
|
||||||
|
|
||||||
|
fileout_json_section() {
|
||||||
|
case $1 in
|
||||||
|
1)
|
||||||
|
echo -e " \"service\" : ["
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
echo -e ",\n \"protocols\" : ["
|
||||||
|
;;
|
||||||
|
3)
|
||||||
|
echo -e ",\n \"ciphers\" : ["
|
||||||
|
;;
|
||||||
|
4)
|
||||||
|
echo -e ",\n \"pfs\" : ["
|
||||||
|
;;
|
||||||
|
5)
|
||||||
|
echo -e ",\n \"serverPreferences\" : ["
|
||||||
|
;;
|
||||||
|
6)
|
||||||
|
echo -e ",\n \"serverDefaults\" : ["
|
||||||
|
;;
|
||||||
|
7)
|
||||||
|
echo -e ",\n \"headerResponse\" : ["
|
||||||
|
;;
|
||||||
|
8)
|
||||||
|
echo -e ",\n \"vulnerabilities\" : ["
|
||||||
|
;;
|
||||||
|
9)
|
||||||
|
echo -e ",\n \"cipherTests\" : ["
|
||||||
|
;;
|
||||||
|
10)
|
||||||
|
echo -e ",\n \"browserSimulations\": ["
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "invalid section"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
fileout_section_header(){
|
||||||
|
local str=""
|
||||||
|
$2 && str="$(fileout_section_footer)"
|
||||||
|
"$do_pretty_json" && FIRST_FINDING=true && (printf "%s%s\n" "$str" "$(fileout_json_section "$1")") >> "$JSONFILE"
|
||||||
|
}
|
||||||
|
|
||||||
|
fileout_section_footer() {
|
||||||
|
"$do_pretty_json" && printf "\n ]" >> "$JSONFILE"
|
||||||
|
}
|
||||||
|
|
||||||
|
fileout_json_finding() {
|
||||||
|
if "$do_json"; then
|
||||||
|
"$FIRST_FINDING" || echo -n "," >> "$JSONFILE"
|
||||||
|
echo -e " {
|
||||||
|
\"id\" : \"$1\",
|
||||||
|
\"ip\" : \"$NODE/$NODEIP\",
|
||||||
|
\"port\" : \"$PORT\",
|
||||||
|
\"severity\" : \"$2\",
|
||||||
|
\"finding\" : \"$finding\"
|
||||||
|
}" >> "$JSONFILE"
|
||||||
|
fi
|
||||||
|
if "$do_pretty_json"; then
|
||||||
|
("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE"
|
||||||
|
echo -e -n "
|
||||||
|
\"id\" : \"$1\",
|
||||||
|
\"severity\" : \"$2\",
|
||||||
|
\"finding\" : \"$finding\"
|
||||||
|
}" >> "$JSONFILE"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
is_json_format() {
|
||||||
|
([[ -f "$JSONFILE" ]] && ("$do_json" || "$do_pretty_json"))
|
||||||
|
}
|
||||||
|
|
||||||
|
################# JSON FILE FORMATING END ####################
|
||||||
|
|
||||||
|
##################### FILE FORMATING #########################
|
||||||
fileout_header() {
|
fileout_header() {
|
||||||
if "$APPEND"; then
|
if "$APPEND"; then
|
||||||
if [[ -f "$JSONFILE" ]]; then
|
if [[ -f "$JSONFILE" ]]; then
|
||||||
FIRST_FINDING=false # We need to insert a comma, because there is file content already
|
FIRST_FINDING=false # We need to insert a comma, because there is file content already
|
||||||
else
|
else
|
||||||
"$do_json" && printf "[\n" > "$JSONFILE"
|
fileout_json_header
|
||||||
fi
|
fi
|
||||||
if "$do_csv"; then
|
if "$do_csv"; then
|
||||||
if [[ -f "$CSVFILE" ]]; then
|
if [[ -f "$CSVFILE" ]]; then
|
||||||
@ -473,34 +619,31 @@ fileout_header() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
"$do_json" && printf "[\n" > "$JSONFILE"
|
fileout_json_header
|
||||||
"$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE"
|
"$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_footer() {
|
fileout_footer() {
|
||||||
"$do_json" && [[ -f "$JSONFILE" ]] && printf "]\n" >> "$JSONFILE"
|
is_json_format && fileout_json_footer
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout() { # ID, SEVERITY, FINDING
|
fileout() { # ID, SEVERITY, FINDING
|
||||||
|
local severity="$2"
|
||||||
|
|
||||||
|
if show_finding "$severity"; then
|
||||||
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
|
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
|
||||||
|
|
||||||
if "$do_json"; then
|
is_json_format && (fileout_json_finding "$1" "$severity" "$finding")
|
||||||
"$FIRST_FINDING" || echo -n "," >> $JSONFILE
|
|
||||||
echo -e " {
|
|
||||||
\"id\" : \"$1\",
|
|
||||||
\"ip\" : \"$NODE/$NODEIP\",
|
|
||||||
\"port\" : \"$PORT\",
|
|
||||||
\"severity\" : \"$2\",
|
|
||||||
\"finding\" : \"$finding\"
|
|
||||||
}" >> $JSONFILE
|
|
||||||
fi
|
|
||||||
# does the following do any sanitization?
|
# does the following do any sanitization?
|
||||||
if "$do_csv"; then
|
if "$do_csv"; then
|
||||||
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$2"\",\""$finding"\"" >>$CSVFILE
|
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$severity"\",\""$finding"\"" >> "$CSVFILE"
|
||||||
fi
|
fi
|
||||||
"$FIRST_FINDING" && FIRST_FINDING=false
|
"$FIRST_FINDING" && FIRST_FINDING=false
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
################### FILE FORMATING END #########################
|
||||||
|
|
||||||
###### helper function definitions ######
|
###### helper function definitions ######
|
||||||
|
|
||||||
@ -801,7 +944,7 @@ run_http_header() {
|
|||||||
out ", redirecting to \"$redirect\""
|
out ", redirecting to \"$redirect\""
|
||||||
if [[ $redirect == "http://"* ]]; then
|
if [[ $redirect == "http://"* ]]; then
|
||||||
pr_svrty_high " -- Redirect to insecure URL (NOT ok)"
|
pr_svrty_high " -- Redirect to insecure URL (NOT ok)"
|
||||||
fileout "HTTP_STATUS_CODE" "NOT ok" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\""
|
fileout "HTTP_STATUS_CODE" "HIGH" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\""
|
||||||
fi
|
fi
|
||||||
fileout "HTTP_STATUS_CODE" "INFO" \
|
fileout "HTTP_STATUS_CODE" "INFO" \
|
||||||
"Testing HTTP header response @ \"$URL_PATH\", $HTTP_STATUS_CODE$msg_thereafter, redirecting to \"$redirect\""
|
"Testing HTTP header response @ \"$URL_PATH\", $HTTP_STATUS_CODE$msg_thereafter, redirecting to \"$redirect\""
|
||||||
@ -885,7 +1028,7 @@ detect_ipv4() {
|
|||||||
fi
|
fi
|
||||||
pr_svrty_high "$result"
|
pr_svrty_high "$result"
|
||||||
outln "\n$spaces$your_ip_msg"
|
outln "\n$spaces$your_ip_msg"
|
||||||
fileout "ip_in_header_$count" "NOT ok" "IPv4 address in header $result $your_ip_msg"
|
fileout "ip_in_header_$count" "HIGH" "IPv4 address in header $result $your_ip_msg"
|
||||||
fi
|
fi
|
||||||
count=$count+1
|
count=$count+1
|
||||||
done < $HEADERFILE
|
done < $HEADERFILE
|
||||||
@ -988,7 +1131,7 @@ run_hsts() {
|
|||||||
# and https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json
|
# and https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json
|
||||||
else
|
else
|
||||||
out "--"
|
out "--"
|
||||||
fileout "hsts" "NOT ok" "No support for HTTP Strict Transport Security"
|
fileout "hsts" "HIGH" "No support for HTTP Strict Transport Security"
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
|
|
||||||
@ -1044,7 +1187,7 @@ run_hpkp() {
|
|||||||
out "# of keys: "
|
out "# of keys: "
|
||||||
if [[ $hpkp_nr_keys -eq 1 ]]; then
|
if [[ $hpkp_nr_keys -eq 1 ]]; then
|
||||||
pr_svrty_high "1 (NOT ok), "
|
pr_svrty_high "1 (NOT ok), "
|
||||||
fileout "hpkp_keys" "NOT ok" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked"
|
fileout "hpkp_keys" "HIGH" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked"
|
||||||
else
|
else
|
||||||
out "$hpkp_nr_keys, "
|
out "$hpkp_nr_keys, "
|
||||||
fileout "hpkp_keys" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked"
|
fileout "hpkp_keys" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked"
|
||||||
@ -1473,7 +1616,7 @@ std_cipherlists() {
|
|||||||
1) # the ugly ones
|
1) # the ugly ones
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_svrty_critical "offered (NOT ok)"
|
pr_svrty_critical "offered (NOT ok)"
|
||||||
fileout "std_$4" "NOT ok" "$2 offered (NOT ok) - ugly"
|
fileout "std_$4" "CRITICAL" "$2 offered (NOT ok) - ugly"
|
||||||
else
|
else
|
||||||
pr_done_best "not offered (OK)"
|
pr_done_best "not offered (OK)"
|
||||||
fileout "std_$4" "OK" "$2 not offered (OK)"
|
fileout "std_$4" "OK" "$2 not offered (OK)"
|
||||||
@ -1482,7 +1625,7 @@ std_cipherlists() {
|
|||||||
2) # bad but not worst
|
2) # bad but not worst
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_svrty_high "offered (NOT ok)"
|
pr_svrty_high "offered (NOT ok)"
|
||||||
fileout "std_$4" "NOT ok" "$2 offered (NOT ok) - bad"
|
fileout "std_$4" "HIGH" "$2 offered (NOT ok) - bad"
|
||||||
else
|
else
|
||||||
pr_done_good "not offered (OK)"
|
pr_done_good "not offered (OK)"
|
||||||
fileout "std_$4" "OK" "$2 not offered (OK)"
|
fileout "std_$4" "OK" "$2 not offered (OK)"
|
||||||
@ -3034,11 +3177,11 @@ run_protocols() {
|
|||||||
add_tls_offered "ssl2"
|
add_tls_offered "ssl2"
|
||||||
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
||||||
pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
|
pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
|
||||||
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197"
|
fileout "sslv2" "HIGH" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197"
|
||||||
else
|
else
|
||||||
pr_svrty_critical "offered (NOT ok), also VULNERABLE to DROWN attack";
|
pr_svrty_critical "offered (NOT ok), also VULNERABLE to DROWN attack";
|
||||||
outln " -- $nr_ciphers_detected ciphers"
|
outln " -- $nr_ciphers_detected ciphers"
|
||||||
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to DROWN attack. Detected ciphers: $nr_ciphers_detected"
|
fileout "sslv2" "CRITICAL" "SSLv2 offered (NOT ok), vulnerable to DROWN attack. Detected ciphers: $nr_ciphers_detected"
|
||||||
fi
|
fi
|
||||||
fi ;;
|
fi ;;
|
||||||
esac
|
esac
|
||||||
@ -3049,7 +3192,7 @@ run_protocols() {
|
|||||||
case $? in
|
case $? in
|
||||||
0)
|
0)
|
||||||
pr_svrty_criticalln "offered (NOT ok)"
|
pr_svrty_criticalln "offered (NOT ok)"
|
||||||
fileout "sslv2" "NOT ok" "SSLv2 is offered (NOT ok)"
|
fileout "sslv2" "CRITICAL" "SSLv2 is offered (NOT ok)"
|
||||||
add_tls_offered "ssl2"
|
add_tls_offered "ssl2"
|
||||||
;;
|
;;
|
||||||
1)
|
1)
|
||||||
@ -3058,7 +3201,7 @@ run_protocols() {
|
|||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
pr_svrty_high "CVE-2015-3197: $supported_no_ciph2";
|
pr_svrty_high "CVE-2015-3197: $supported_no_ciph2";
|
||||||
fileout "sslv2" "WARN" "CVE-2015-3197: SSLv2 is $supported_no_ciph2"
|
fileout "sslv2" "HIGH" "CVE-2015-3197: SSLv2 is $supported_no_ciph2"
|
||||||
add_tls_offered "ssl2"
|
add_tls_offered "ssl2"
|
||||||
;;
|
;;
|
||||||
7)
|
7)
|
||||||
@ -3076,7 +3219,7 @@ run_protocols() {
|
|||||||
case $? in
|
case $? in
|
||||||
0)
|
0)
|
||||||
pr_svrty_highln "offered (NOT ok)"
|
pr_svrty_highln "offered (NOT ok)"
|
||||||
fileout "sslv3" "NOT ok" "SSLv3 is offered (NOT ok)"
|
fileout "sslv3" "HIGH" "SSLv3 is offered (NOT ok)"
|
||||||
latest_supported="0300"
|
latest_supported="0300"
|
||||||
latest_supported_string="SSLv3"
|
latest_supported_string="SSLv3"
|
||||||
add_tls_offered "ssl3"
|
add_tls_offered "ssl3"
|
||||||
@ -3089,15 +3232,15 @@ run_protocols() {
|
|||||||
if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
|
if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
|
||||||
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
|
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
|
||||||
pr_svrty_criticalln "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
pr_svrty_criticalln "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
||||||
fileout "sslv3" "NOT ok" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
fileout "sslv3" "CRITICAL" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
pr_svrty_criticalln "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
||||||
fileout "sslv3" "NOT ok" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
fileout "sslv3" "CRITICAL" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1"
|
|
||||||
pr_svrty_high "$supported_no_ciph2"
|
pr_svrty_high "$supported_no_ciph2"
|
||||||
|
fileout "sslv3" "HIGH" "SSLv3 is $supported_no_ciph1"
|
||||||
outln "(may need debugging)"
|
outln "(may need debugging)"
|
||||||
add_tls_offered "ssl3"
|
add_tls_offered "ssl3"
|
||||||
;;
|
;;
|
||||||
@ -3127,7 +3270,7 @@ run_protocols() {
|
|||||||
fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad
|
fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
||||||
fileout "tls1" "NOT ok" "TLSv1.0: connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
fileout "tls1" "CRITICAL" "TLSv1.0: connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
@ -3139,10 +3282,10 @@ run_protocols() {
|
|||||||
elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
|
elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
|
||||||
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
|
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
|
||||||
pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client"
|
pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client"
|
||||||
fileout "tls1" "NOT ok" "TLSv1.0: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
fileout "tls1" "CRITICAL" "TLSv1.0: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
|
pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
|
||||||
fileout "tls1" "NOT ok" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
fileout "tls1" "CRITICAL" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
@ -3176,7 +3319,7 @@ run_protocols() {
|
|||||||
fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad
|
fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
|
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
|
||||||
fileout "tls1_1" "NOT ok" "TLSv1.1: connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
fileout "tls1_1" "CRITICAL" "TLSv1.1: connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
@ -3184,17 +3327,17 @@ run_protocols() {
|
|||||||
if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
|
if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
|
||||||
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
||||||
outln
|
outln
|
||||||
fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, and downgraded to a weaker protocol (NOT ok)"
|
fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, and downgraded to a weaker protocol (NOT ok)"
|
||||||
elif [[ "$DETECTED_TLS_VERSION" == "0300" ]] && [[ "$latest_supported" == "0301" ]]; then
|
elif [[ "$DETECTED_TLS_VERSION" == "0300" ]] && [[ "$latest_supported" == "0301" ]]; then
|
||||||
pr_svrty_criticalln " -- server supports TLSv1.0, but downgraded to SSLv3 (NOT ok)"
|
pr_svrty_criticalln " -- server supports TLSv1.0, but downgraded to SSLv3 (NOT ok)"
|
||||||
fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, and downgraded to SSLv3 rather than TLSv1.0 (NOT ok)"
|
fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, and downgraded to SSLv3 rather than TLSv1.0 (NOT ok)"
|
||||||
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0302 ]]; then
|
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0302 ]]; then
|
||||||
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
|
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
|
||||||
pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
||||||
fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
||||||
fileout "tls1" "NOT ok" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
fileout "tls1" "CRITICAL" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
@ -3227,7 +3370,7 @@ run_protocols() {
|
|||||||
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
|
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
|
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
|
||||||
fileout "tls1_1" "NOT ok" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string"
|
fileout "tls1_1" "CRITICAL" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
@ -3243,13 +3386,13 @@ run_protocols() {
|
|||||||
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered and downgraded to a weaker protocol"
|
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered and downgraded to a weaker protocol"
|
||||||
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then
|
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then
|
||||||
pr_svrty_criticalln " -- server supports $latest_supported_string, but downgraded to $detected_version_string"
|
pr_svrty_criticalln " -- server supports $latest_supported_string, but downgraded to $detected_version_string"
|
||||||
fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered, and downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)"
|
fileout "tls1_2" "CRITICAL" "TLSv1.2 is not offered, and downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)"
|
||||||
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0303 ]]; then
|
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0303 ]]; then
|
||||||
pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client"
|
pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client"
|
||||||
fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
fileout "tls1_2" "CRITICAL" "TLSv1.2 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
|
pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
|
||||||
fileout "tls1" "NOT ok" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
fileout "tls1" "CRITICAL" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
@ -3273,17 +3416,17 @@ run_protocols() {
|
|||||||
case $? in
|
case $? in
|
||||||
0)
|
0)
|
||||||
pr_svrty_criticalln "server claims support for non-existent TLSv1.4"
|
pr_svrty_criticalln "server claims support for non-existent TLSv1.4"
|
||||||
fileout "TLS Version Negotiation" "NOT ok" "Server claims support for non-existent TLSv1.4 (NOT ok)"
|
fileout "TLS Version Negotiation" "CRITICAL" "Server claims support for non-existent TLSv1.4 (NOT ok)"
|
||||||
;;
|
;;
|
||||||
1)
|
1)
|
||||||
pr_svrty_criticalln "version negotiation did not work -- connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
pr_svrty_criticalln "version negotiation did not work -- connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
||||||
fileout "TLS Version Negotiation" "NOT ok" "Version negotiation did not work -- connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
fileout "TLS Version Negotiation" "CRITICAL" "Version negotiation did not work -- connection failed rather than downgrading to $latest_supported_string (NOT ok)"
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
case $DETECTED_TLS_VERSION in
|
case $DETECTED_TLS_VERSION in
|
||||||
0304)
|
0304)
|
||||||
pr_svrty_criticalln "server claims support for TLSv1.3, which is still a working draft (NOT ok)"
|
pr_svrty_criticalln "server claims support for TLSv1.3, which is still a working draft (NOT ok)"
|
||||||
fileout "TLS Version Negotiation" "NOT ok" "Server claims support for TLSv1.3, which is still a working draft (NOT ok)"
|
fileout "TLS Version Negotiation" "CRITICAL" "Server claims support for TLSv1.3, which is still a working draft (NOT ok)"
|
||||||
;;
|
;;
|
||||||
0303|0302|0301|0300)
|
0303|0302|0301|0300)
|
||||||
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
|
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
|
||||||
@ -3293,7 +3436,7 @@ run_protocols() {
|
|||||||
fi
|
fi
|
||||||
if [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then
|
if [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then
|
||||||
pr_svrty_criticalln "server supports $latest_supported_string, but downgraded to $detected_version_string (NOT ok)"
|
pr_svrty_criticalln "server supports $latest_supported_string, but downgraded to $detected_version_string (NOT ok)"
|
||||||
fileout "TLS Version Negotiation" "NOT ok" "Downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)"
|
fileout "TLS Version Negotiation" "CRITICAL" "Downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_done_bestln "downgraded to $detected_version_string (OK)"
|
pr_done_bestln "downgraded to $detected_version_string (OK)"
|
||||||
fileout "TLS Version Negotiation" "OK" "Downgraded to $detected_version_string"
|
fileout "TLS Version Negotiation" "OK" "Downgraded to $detected_version_string"
|
||||||
@ -3301,12 +3444,12 @@ run_protocols() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
pr_svrty_criticalln "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
pr_svrty_criticalln "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
||||||
fileout "TLS Version Negotiation" "NOT ok" "TLSv1.4: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
fileout "TLS Version Negotiation" "CRITICAL" "TLSv1.4: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
|
||||||
;;
|
;;
|
||||||
esac ;;
|
esac ;;
|
||||||
5)
|
5)
|
||||||
pr_svrty_criticalln "server claims support for non-existent TLSv1.4 (NOT ok)"
|
pr_svrty_criticalln "server claims support for non-existent TLSv1.4 (NOT ok)"
|
||||||
fileout "TLS Version Negotiation" "NOT ok" "Server claims support for non-existent TLSv1.4 (NOT ok)"
|
fileout "TLS Version Negotiation" "CRITICAL" "Server claims support for non-existent TLSv1.4 (NOT ok)"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
@ -3468,7 +3611,7 @@ run_server_preference() {
|
|||||||
if [[ "$cipher1" != "$cipher2" ]]; then
|
if [[ "$cipher1" != "$cipher2" ]]; then
|
||||||
pr_svrty_high "nope (NOT ok)"
|
pr_svrty_high "nope (NOT ok)"
|
||||||
remark4default_cipher=" (limited sense as client will pick)"
|
remark4default_cipher=" (limited sense as client will pick)"
|
||||||
fileout "order" "NOT ok" "Server does NOT set a cipher order (NOT ok)"
|
fileout "order" "HIGH" "Server does NOT set a cipher order (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_done_best "yes (OK)"
|
pr_done_best "yes (OK)"
|
||||||
remark4default_cipher=""
|
remark4default_cipher=""
|
||||||
@ -3500,11 +3643,11 @@ run_server_preference() {
|
|||||||
;;
|
;;
|
||||||
*SSLv2)
|
*SSLv2)
|
||||||
pr_svrty_criticalln $default_proto
|
pr_svrty_criticalln $default_proto
|
||||||
fileout "order_proto" "NOT ok" "Default protocol SSLv2"
|
fileout "order_proto" "CRITICAL" "Default protocol SSLv2"
|
||||||
;;
|
;;
|
||||||
*SSLv3)
|
*SSLv3)
|
||||||
pr_svrty_criticalln $default_proto
|
pr_svrty_criticalln $default_proto
|
||||||
fileout "order_proto" "NOT ok" "Default protocol SSLv3"
|
fileout "order_proto" "CRITICAL" "Default protocol SSLv3"
|
||||||
;;
|
;;
|
||||||
"")
|
"")
|
||||||
pr_warning "default proto empty"
|
pr_warning "default proto empty"
|
||||||
@ -3526,11 +3669,11 @@ run_server_preference() {
|
|||||||
case "$default_cipher" in
|
case "$default_cipher" in
|
||||||
*NULL*|*EXP*)
|
*NULL*|*EXP*)
|
||||||
pr_svrty_critical "$default_cipher"
|
pr_svrty_critical "$default_cipher"
|
||||||
fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
|
fileout "order_cipher" "CRITICAL" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
|
||||||
;;
|
;;
|
||||||
*RC4*)
|
*RC4*)
|
||||||
pr_svrty_high "$default_cipher"
|
pr_svrty_high "$default_cipher"
|
||||||
fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher"
|
fileout "order_cipher" "HIGH" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher"
|
||||||
;;
|
;;
|
||||||
*CBC*)
|
*CBC*)
|
||||||
pr_svrty_medium "$default_cipher"
|
pr_svrty_medium "$default_cipher"
|
||||||
@ -3542,7 +3685,7 @@ run_server_preference() {
|
|||||||
;; # best ones
|
;; # best ones
|
||||||
ECDHE*AES*)
|
ECDHE*AES*)
|
||||||
pr_svrty_minor "$default_cipher"
|
pr_svrty_minor "$default_cipher"
|
||||||
fileout "order_cipher" "WARN" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher"
|
fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher"
|
||||||
;; # it's CBC. --> lucky13
|
;; # it's CBC. --> lucky13
|
||||||
"")
|
"")
|
||||||
pr_warning "default cipher empty" ;
|
pr_warning "default cipher empty" ;
|
||||||
@ -3907,7 +4050,7 @@ determine_trust() {
|
|||||||
# all failed (we assume with the same issue), we're displaying the reason
|
# all failed (we assume with the same issue), we're displaying the reason
|
||||||
out " "
|
out " "
|
||||||
verify_retcode_helper "${verify_retcode[1]}"
|
verify_retcode_helper "${verify_retcode[1]}"
|
||||||
fileout "${json_prefix}chain_of_trust" "NOT ok" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[1]}"). $addtl_warning"
|
fileout "${json_prefix}chain_of_trust" "CRITICAL" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[1]}"). $addtl_warning"
|
||||||
else
|
else
|
||||||
# is one ok and the others not ==> display the culprit store
|
# is one ok and the others not ==> display the culprit store
|
||||||
if $some_ok ; then
|
if $some_ok ; then
|
||||||
@ -3930,7 +4073,7 @@ determine_trust() {
|
|||||||
[[ "$DEBUG" -eq 0 ]] && out "$spaces"
|
[[ "$DEBUG" -eq 0 ]] && out "$spaces"
|
||||||
pr_done_good "OK: $ok_was"
|
pr_done_good "OK: $ok_was"
|
||||||
fi
|
fi
|
||||||
fileout "${json_prefix}chain_of_trust" "NOT ok" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
|
fileout "${json_prefix}chain_of_trust" "CRITICAL" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
|
||||||
fi
|
fi
|
||||||
[[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_warning "$addtl_warning"
|
[[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_warning "$addtl_warning"
|
||||||
fi
|
fi
|
||||||
@ -4365,15 +4508,15 @@ certificate_info() {
|
|||||||
;;
|
;;
|
||||||
md2*)
|
md2*)
|
||||||
pr_svrty_criticalln "MD2"
|
pr_svrty_criticalln "MD2"
|
||||||
fileout "${json_prefix}algorithm" "NOT ok" "Signature Algorithm: MD2 (NOT ok)"
|
fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD2 (NOT ok)"
|
||||||
;;
|
;;
|
||||||
md4*)
|
md4*)
|
||||||
pr_svrty_criticalln "MD4"
|
pr_svrty_criticalln "MD4"
|
||||||
fileout "${json_prefix}algorithm" "NOT ok" "Signature Algorithm: MD4 (NOT ok)"
|
fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD4 (NOT ok)"
|
||||||
;;
|
;;
|
||||||
md5*)
|
md5*)
|
||||||
pr_svrty_criticalln "MD5"
|
pr_svrty_criticalln "MD5"
|
||||||
fileout "${json_prefix}algorithm" "NOT ok" "Signature Algorithm: MD5 (NOT ok)"
|
fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD5 (NOT ok)"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
out "$cert_sig_algo ("
|
out "$cert_sig_algo ("
|
||||||
@ -4404,10 +4547,10 @@ certificate_info() {
|
|||||||
if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey ]]; then
|
if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey ]]; then
|
||||||
if [[ "$cert_keysize" -le 110 ]]; then # a guess
|
if [[ "$cert_keysize" -le 110 ]]; then # a guess
|
||||||
pr_svrty_critical "$cert_keysize"
|
pr_svrty_critical "$cert_keysize"
|
||||||
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "CRITICAL" "Server keys $cert_keysize EC bits (NOT ok)"
|
||||||
elif [[ "$cert_keysize" -le 123 ]]; then # a guess
|
elif [[ "$cert_keysize" -le 123 ]]; then # a guess
|
||||||
pr_svrty_high "$cert_keysize"
|
pr_svrty_high "$cert_keysize"
|
||||||
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "HIGH" "Server keys $cert_keysize EC bits (NOT ok)"
|
||||||
elif [[ "$cert_keysize" -le 163 ]]; then
|
elif [[ "$cert_keysize" -le 163 ]]; then
|
||||||
pr_svrty_medium "$cert_keysize"
|
pr_svrty_medium "$cert_keysize"
|
||||||
fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize EC bits"
|
fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize EC bits"
|
||||||
@ -4427,11 +4570,11 @@ certificate_info() {
|
|||||||
if [[ "$cert_keysize" -le 512 ]]; then
|
if [[ "$cert_keysize" -le 512 ]]; then
|
||||||
pr_svrty_critical "$cert_keysize"
|
pr_svrty_critical "$cert_keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize bits (NOT ok)"
|
fileout "${json_prefix}key_size" "CRITICAL" "Server keys $cert_keysize bits (NOT ok)"
|
||||||
elif [[ "$cert_keysize" -le 768 ]]; then
|
elif [[ "$cert_keysize" -le 768 ]]; then
|
||||||
pr_svrty_high "$cert_keysize"
|
pr_svrty_high "$cert_keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize bits (NOT ok)"
|
fileout "${json_prefix}key_size" "HIGH" "Server keys $cert_keysize bits (NOT ok)"
|
||||||
elif [[ "$cert_keysize" -le 1024 ]]; then
|
elif [[ "$cert_keysize" -le 1024 ]]; then
|
||||||
pr_svrty_medium "$cert_keysize"
|
pr_svrty_medium "$cert_keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
@ -4541,7 +4684,7 @@ certificate_info() {
|
|||||||
|
|
||||||
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$cn" ]]; then
|
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$cn" ]]; then
|
||||||
pr_svrty_criticalln "self-signed (NOT ok)"
|
pr_svrty_criticalln "self-signed (NOT ok)"
|
||||||
fileout "${json_prefix}issuer" "NOT ok" "Issuer: selfsigned (NOT ok)"
|
fileout "${json_prefix}issuer" "CRITICAL" "Issuer: selfsigned (NOT ok)"
|
||||||
else
|
else
|
||||||
issuerfinding="$(pr_dquoted "$issuer_CN")"
|
issuerfinding="$(pr_dquoted "$issuer_CN")"
|
||||||
if [[ -z "$issuer_O" ]] && [[ -n "$issuer_DC" ]]; then
|
if [[ -z "$issuer_O" ]] && [[ -n "$issuer_DC" ]]; then
|
||||||
@ -4695,7 +4838,7 @@ certificate_info() {
|
|||||||
if ! echo $expire | grep -qw not; then
|
if ! echo $expire | grep -qw not; then
|
||||||
pr_svrty_critical "expired!"
|
pr_svrty_critical "expired!"
|
||||||
expfinding="expired!"
|
expfinding="expired!"
|
||||||
expok="NOT ok"
|
expok="CRITICAL"
|
||||||
else
|
else
|
||||||
secs2warn=$((24 * 60 * 60 * days2warn2)) # low threshold first
|
secs2warn=$((24 * 60 * 60 * days2warn2)) # low threshold first
|
||||||
expire=$($OPENSSL x509 -in $HOSTCERT -checkend $secs2warn 2>>$ERRFILE)
|
expire=$($OPENSSL x509 -in $HOSTCERT -checkend $secs2warn 2>>$ERRFILE)
|
||||||
@ -4708,12 +4851,12 @@ certificate_info() {
|
|||||||
else
|
else
|
||||||
pr_svrty_medium "expires < $days2warn1 days ($days2expire)"
|
pr_svrty_medium "expires < $days2warn1 days ($days2expire)"
|
||||||
expfinding+="expires < $days2warn1 days ($days2expire)"
|
expfinding+="expires < $days2warn1 days ($days2expire)"
|
||||||
expok="WARN"
|
expok="MEDIUM"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
pr_svrty_high "expires < $days2warn2 days ($days2expire) !"
|
pr_svrty_high "expires < $days2warn2 days ($days2expire) !"
|
||||||
expfinding+="expires < $days2warn2 days ($days2expire) !"
|
expfinding+="expires < $days2warn2 days ($days2expire) !"
|
||||||
expok="NOT ok"
|
expok="HIGH"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln " ($startdate --> $enddate)"
|
outln " ($startdate --> $enddate)"
|
||||||
@ -4727,7 +4870,7 @@ certificate_info() {
|
|||||||
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
|
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
|
||||||
if [[ -z "$crl" ]]; then
|
if [[ -z "$crl" ]]; then
|
||||||
pr_svrty_highln "--"
|
pr_svrty_highln "--"
|
||||||
fileout "${json_prefix}crl" "NOT ok" "No CRL provided (NOT ok)"
|
fileout "${json_prefix}crl" "HIGH" "No CRL provided (NOT ok)"
|
||||||
elif grep -q http <<< "$crl"; then
|
elif grep -q http <<< "$crl"; then
|
||||||
if [[ $(count_lines "$crl") -eq 1 ]]; then
|
if [[ $(count_lines "$crl") -eq 1 ]]; then
|
||||||
outln "$crl"
|
outln "$crl"
|
||||||
@ -4745,7 +4888,7 @@ certificate_info() {
|
|||||||
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
|
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
|
||||||
if [[ -z "$ocsp_uri" ]]; then
|
if [[ -z "$ocsp_uri" ]]; then
|
||||||
pr_svrty_highln "--"
|
pr_svrty_highln "--"
|
||||||
fileout "${json_prefix}ocsp_uri" "NOT ok" "OCSP URI : -- (NOT ok)"
|
fileout "${json_prefix}ocsp_uri" "HIGH" "OCSP URI : -- (NOT ok)"
|
||||||
else
|
else
|
||||||
outln "$ocsp_uri"
|
outln "$ocsp_uri"
|
||||||
fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
||||||
@ -4754,7 +4897,7 @@ certificate_info() {
|
|||||||
out "$indent"; pr_bold " OCSP stapling "
|
out "$indent"; pr_bold " OCSP stapling "
|
||||||
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
||||||
pr_svrty_minor "--"
|
pr_svrty_minor "--"
|
||||||
fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered"
|
fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered"
|
||||||
else
|
else
|
||||||
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
||||||
pr_done_good "offered"
|
pr_done_good "offered"
|
||||||
@ -4952,7 +5095,7 @@ run_server_defaults() {
|
|||||||
unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g')
|
unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g')
|
||||||
out "$lifetime $unit "
|
out "$lifetime $unit "
|
||||||
pr_svrty_minorln "(PFS requires session ticket keys to be rotated <= daily)"
|
pr_svrty_minorln "(PFS requires session ticket keys to be rotated <= daily)"
|
||||||
fileout "session_ticket" "INFO" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)"
|
fileout "session_ticket" "LOW" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pr_bold " SSL Session ID support "
|
pr_bold " SSL Session ID support "
|
||||||
@ -5064,7 +5207,7 @@ run_pfs() {
|
|||||||
|
|
||||||
if ! "$pfs_offered"; then
|
if ! "$pfs_offered"; then
|
||||||
pr_svrty_medium "WARN: no PFS ciphers found"
|
pr_svrty_medium "WARN: no PFS ciphers found"
|
||||||
fileout "pfs_ciphers" "NOT ok" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)"
|
fileout "pfs_ciphers" "MEDIUM" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)"
|
||||||
else
|
else
|
||||||
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
|
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
|
||||||
fi
|
fi
|
||||||
@ -6396,7 +6539,7 @@ run_heartbleed(){
|
|||||||
else
|
else
|
||||||
rm "$SOCK_REPLY_FILE"
|
rm "$SOCK_REPLY_FILE"
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)$append"
|
fileout "heartbleed" "CRITICAL" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)$append"
|
||||||
ret=1
|
ret=1
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
@ -6422,7 +6565,7 @@ run_heartbleed(){
|
|||||||
out "likely "
|
out "likely "
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
[[ $DEBUG -ge 1 ]] && out " use debug >=2 to confirm"
|
[[ $DEBUG -ge 1 ]] && out " use debug >=2 to confirm"
|
||||||
fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): likely VULNERABLE (NOT ok)$append"
|
fileout "heartbleed" "CRITICAL" "Heartbleed (CVE-2014-0160): likely VULNERABLE (NOT ok)$append"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# for the repeated tries we did that already
|
# for the repeated tries we did that already
|
||||||
@ -6557,9 +6700,9 @@ run_ccs_injection(){
|
|||||||
else
|
else
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
if [[ $retval -eq 3 ]]; then
|
if [[ $retval -eq 3 ]]; then
|
||||||
fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok) (timed out)"
|
fileout "ccs" "CRITICAL" "CCS (CVE-2014-0224): VULNERABLE (NOT ok) (timed out)"
|
||||||
else
|
else
|
||||||
fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok)"
|
fileout "ccs" "CRITICAL" "CCS (CVE-2014-0224): VULNERABLE (NOT ok)"
|
||||||
fi
|
fi
|
||||||
ret=1
|
ret=1
|
||||||
fi
|
fi
|
||||||
@ -6590,7 +6733,7 @@ run_renego() {
|
|||||||
case $sec_renego in
|
case $sec_renego in
|
||||||
0)
|
0)
|
||||||
pr_svrty_criticalln "VULNERABLE (NOT ok)"
|
pr_svrty_criticalln "VULNERABLE (NOT ok)"
|
||||||
fileout "secure_renego" "NOT ok" "Secure Renegotiation (CVE-2009-3555) : VULNERABLE (NOT ok)"
|
fileout "secure_renego" "CRITICAL" "Secure Renegotiation (CVE-2009-3555) : VULNERABLE (NOT ok)"
|
||||||
;;
|
;;
|
||||||
1)
|
1)
|
||||||
pr_done_bestln "not vulnerable (OK)"
|
pr_done_bestln "not vulnerable (OK)"
|
||||||
@ -6648,7 +6791,7 @@ run_renego() {
|
|||||||
case "$sec_client_renego" in
|
case "$sec_client_renego" in
|
||||||
0)
|
0)
|
||||||
pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat"
|
pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat"
|
||||||
fileout "sec_client_renego" "NOT ok" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat"
|
fileout "sec_client_renego" "HIGH" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat"
|
||||||
;;
|
;;
|
||||||
1)
|
1)
|
||||||
pr_done_goodln "not vulnerable (OK)"
|
pr_done_goodln "not vulnerable (OK)"
|
||||||
@ -6703,7 +6846,7 @@ run_crime() {
|
|||||||
else
|
else
|
||||||
if [[ $SERVICE == "HTTP" ]]; then
|
if [[ $SERVICE == "HTTP" ]]; then
|
||||||
pr_svrty_high "VULNERABLE (NOT ok)"
|
pr_svrty_high "VULNERABLE (NOT ok)"
|
||||||
fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)"
|
fileout "crime" "HIGH" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_svrty_medium "VULNERABLE but not using HTTP: probably no exploit known"
|
pr_svrty_medium "VULNERABLE but not using HTTP: probably no exploit known"
|
||||||
fileout "crime" "MEDIUM" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (WARN), but not using HTTP: probably no exploit known"
|
fileout "crime" "MEDIUM" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (WARN), but not using HTTP: probably no exploit known"
|
||||||
@ -6804,7 +6947,7 @@ run_breach() {
|
|||||||
pr_svrty_high "potentially NOT ok, uses $result HTTP compression."
|
pr_svrty_high "potentially NOT ok, uses $result HTTP compression."
|
||||||
outln "$disclaimer"
|
outln "$disclaimer"
|
||||||
outln "$spaces$when_makesense"
|
outln "$spaces$when_makesense"
|
||||||
fileout "breach" "NOT ok" "BREACH (CVE-2013-3587) : potentially VULNERABLE, uses $result HTTP compression. $disclaimer ($when_makesense)"
|
fileout "breach" "HIGH" "BREACH (CVE-2013-3587) : potentially VULNERABLE, uses $result HTTP compression. $disclaimer ($when_makesense)"
|
||||||
ret=1
|
ret=1
|
||||||
fi
|
fi
|
||||||
# Any URL can be vulnerable. I am testing now only the given URL!
|
# Any URL can be vulnerable. I am testing now only the given URL!
|
||||||
@ -6830,7 +6973,7 @@ run_ssl_poodle() {
|
|||||||
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
|
pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
|
||||||
fileout "poodle_ssl" "NOT ok" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)"
|
fileout "poodle_ssl" "HIGH" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)"
|
||||||
else
|
else
|
||||||
pr_done_best "not vulnerable (OK)"
|
pr_done_best "not vulnerable (OK)"
|
||||||
fileout "poodle_ssl" "OK" "POODLE, SSL (CVE-2014-3566) : not vulnerable (OK)"
|
fileout "poodle_ssl" "OK" "POODLE, SSL (CVE-2014-3566) : not vulnerable (OK)"
|
||||||
@ -6951,7 +7094,7 @@ run_freak() {
|
|||||||
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers"
|
pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers"
|
||||||
fileout "freak" "NOT ok" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers"
|
fileout "freak" "CRITICAL" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers"
|
||||||
else
|
else
|
||||||
pr_done_best "not vulnerable (OK)"; out "$addtl_warning"
|
pr_done_best "not vulnerable (OK)"; out "$addtl_warning"
|
||||||
fileout "freak" "OK" "FREAK (CVE-2015-0204) : not vulnerable (OK) $addtl_warning"
|
fileout "freak" "OK" "FREAK (CVE-2015-0204) : not vulnerable (OK) $addtl_warning"
|
||||||
@ -7003,7 +7146,7 @@ run_logjam() {
|
|||||||
|
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked."
|
pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked."
|
||||||
fileout "logjam" "NOT ok" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked."
|
fileout "logjam" "CRITICAL" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked."
|
||||||
else
|
else
|
||||||
pr_done_best "not vulnerable (OK)"; out "$addtl_warning"
|
pr_done_best "not vulnerable (OK)"; out "$addtl_warning"
|
||||||
fileout "logjam" "OK" "LOGJAM (CVE-2015-4000) : not vulnerable (OK) $addtl_warning"
|
fileout "logjam" "OK" "LOGJAM (CVE-2015-4000) : not vulnerable (OK) $addtl_warning"
|
||||||
@ -7040,7 +7183,7 @@ run_drown() {
|
|||||||
outln " (rerun with DEBUG >=2)"
|
outln " (rerun with DEBUG >=2)"
|
||||||
[[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1
|
[[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1
|
||||||
ret=7
|
ret=7
|
||||||
fileout "drown" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
fileout "drown" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
||||||
;;
|
;;
|
||||||
3) # vulnerable
|
3) # vulnerable
|
||||||
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
||||||
@ -7049,10 +7192,10 @@ run_drown() {
|
|||||||
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
||||||
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
||||||
pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)";
|
pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)";
|
||||||
fileout "drown" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher"
|
fileout "drown" "HIGH" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher"
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers";
|
pr_svrty_criticalln "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers";
|
||||||
fileout "drown" "NOT ok" "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"
|
fileout "drown" "CRITICAL" "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
ret=1
|
ret=1
|
||||||
@ -7230,7 +7373,7 @@ run_beast(){
|
|||||||
pr_svrty_minor "VULNERABLE"
|
pr_svrty_minor "VULNERABLE"
|
||||||
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
fi
|
fi
|
||||||
fileout "beast" "MINOR" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
fileout "beast" "LOW" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
else
|
else
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln
|
outln
|
||||||
@ -7326,7 +7469,7 @@ run_rc4() {
|
|||||||
done < <($OPENSSL ciphers -V $rc4_ciphers_list:@STRENGTH)
|
done < <($OPENSSL ciphers -V $rc4_ciphers_list:@STRENGTH)
|
||||||
outln
|
outln
|
||||||
"$WIDE" && pr_svrty_high "VULNERABLE (NOT ok)"
|
"$WIDE" && pr_svrty_high "VULNERABLE (NOT ok)"
|
||||||
fileout "rc4" "NOT ok" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected"
|
fileout "rc4" "HIGH" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected"
|
||||||
else
|
else
|
||||||
pr_done_goodln "no RC4 ciphers detected (OK)"
|
pr_done_goodln "no RC4 ciphers detected (OK)"
|
||||||
fileout "rc4" "OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : not vulnerable (OK)"
|
fileout "rc4" "OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : not vulnerable (OK)"
|
||||||
@ -7357,7 +7500,7 @@ run_tls_truncation() {
|
|||||||
|
|
||||||
old_fart() {
|
old_fart() {
|
||||||
outln "Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
|
outln "Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
|
||||||
fileout "old_fart" "ERROR" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
|
fileout "old_fart" "WARN" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
|
||||||
fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -5
|
fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -5
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -7638,9 +7781,12 @@ file output options (can also be preset via environment variables):
|
|||||||
--logfile <logfile> logs stdout to <file/NODE-YYYYMMDD-HHMM.log> if file is a dir or to specified log file
|
--logfile <logfile> logs stdout to <file/NODE-YYYYMMDD-HHMM.log> if file is a dir or to specified log file
|
||||||
--json additional output of findings to JSON file <NODE-YYYYMMDD-HHMM.json> in cwd
|
--json additional output of findings to JSON file <NODE-YYYYMMDD-HHMM.json> in cwd
|
||||||
--jsonfile <jsonfile> additional output to JSON and output JSON to the specified file
|
--jsonfile <jsonfile> additional output to JSON and output JSON to the specified file
|
||||||
|
--json-pretty additional pretty structed output of findings to JSON file <NODE-YYYYMMDD-HHMM.json> in cwd
|
||||||
|
--jsonfile-pretty <jsonfile> additional pretty structed output to JSON and output JSON to the specified file
|
||||||
--csv additional output of findings to CSV file <NODE-YYYYMMDD-HHMM.csv> in cwd
|
--csv additional output of findings to CSV file <NODE-YYYYMMDD-HHMM.csv> in cwd
|
||||||
--csvfile <csvfile> set output to CSV and output CSV to the specified file
|
--csvfile <csvfile> set output to CSV and output CSV to the specified file
|
||||||
--append if <csvfile> or <jsonfile> exists rather append then overwrite
|
--append if <csvfile> or <jsonfile> exists rather append then overwrite
|
||||||
|
--severity <severity> severities with lower level will be filtered
|
||||||
|
|
||||||
All options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>.
|
All options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>.
|
||||||
|
|
||||||
@ -8308,7 +8454,7 @@ prepare_logging() {
|
|||||||
#exec 2> >(tee -a ${LOGFILE} >&2)
|
#exec 2> >(tee -a ${LOGFILE} >&2)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if "$do_json"; then
|
if "$do_json" || "$do_pretty_json"; then
|
||||||
if [[ -z "$JSONFILE" ]]; then
|
if [[ -z "$JSONFILE" ]]; then
|
||||||
JSONFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".json)
|
JSONFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".json)
|
||||||
elif [[ -d "$JSONFILE" ]]; then
|
elif [[ -d "$JSONFILE" ]]; then
|
||||||
@ -8896,6 +9042,7 @@ initialize_globals() {
|
|||||||
do_mass_testing=false
|
do_mass_testing=false
|
||||||
do_logging=false
|
do_logging=false
|
||||||
do_json=false
|
do_json=false
|
||||||
|
do_pretty_json=false
|
||||||
do_csv=false
|
do_csv=false
|
||||||
do_pfs=false
|
do_pfs=false
|
||||||
do_protocols=false
|
do_protocols=false
|
||||||
@ -9236,6 +9383,18 @@ parse_cmd_line() {
|
|||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
do_json=true
|
do_json=true
|
||||||
;;
|
;;
|
||||||
|
--json-pretty)
|
||||||
|
do_pretty_json=true
|
||||||
|
;;
|
||||||
|
--jsonfile-pretty|--jsonfile-pretty=*)
|
||||||
|
JSONFILE=$(parse_opt_equal_sign "$1" "$2")
|
||||||
|
[[ $? -eq 0 ]] && shift
|
||||||
|
do_pretty_json=true
|
||||||
|
;;
|
||||||
|
--severity|--severity=*)
|
||||||
|
set_severity_level "$(parse_opt_equal_sign "$1" "$2")"
|
||||||
|
[[ $? -eq 0 ]] && shift
|
||||||
|
;;
|
||||||
--csv)
|
--csv)
|
||||||
do_csv=true
|
do_csv=true
|
||||||
;; # DEFINITION of CSVFILE is not arg specified: automagically in parse_hn_port()
|
;; # DEFINITION of CSVFILE is not arg specified: automagically in parse_hn_port()
|
||||||
@ -9330,11 +9489,16 @@ reset_hostdepended_vars() {
|
|||||||
|
|
||||||
lets_roll() {
|
lets_roll() {
|
||||||
local ret
|
local ret
|
||||||
|
local section_number=1
|
||||||
|
|
||||||
[[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" 2
|
[[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" 2
|
||||||
nodeip_to_proper_ip6
|
nodeip_to_proper_ip6
|
||||||
reset_hostdepended_vars
|
reset_hostdepended_vars
|
||||||
determine_rdns
|
determine_rdns
|
||||||
|
|
||||||
|
START_TIME=$(date +%s)
|
||||||
|
|
||||||
|
fileout_section_header $section_number false && ((section_number++))
|
||||||
determine_service "$1" # any starttls service goes here
|
determine_service "$1" # any starttls service goes here
|
||||||
|
|
||||||
$do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets "" "true"; echo "$?" ; exit 0; }
|
$do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets "" "true"; echo "$?" ; exit 0; }
|
||||||
@ -9342,16 +9506,26 @@ lets_roll() {
|
|||||||
$do_test_just_one && test_just_one ${single_cipher}
|
$do_test_just_one && test_just_one ${single_cipher}
|
||||||
|
|
||||||
# all top level functions now following have the prefix "run_"
|
# all top level functions now following have the prefix "run_"
|
||||||
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
$do_protocols && { run_protocols; ret=$(($? + ret)); }
|
$do_protocols && { run_protocols; ret=$(($? + ret)); }
|
||||||
$do_spdy && { run_spdy; ret=$(($? + ret)); }
|
$do_spdy && { run_spdy; ret=$(($? + ret)); }
|
||||||
$do_http2 && { run_http2; ret=$(($? + ret)); }
|
$do_http2 && { run_http2; ret=$(($? + ret)); }
|
||||||
|
|
||||||
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
$do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); }
|
$do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); }
|
||||||
|
|
||||||
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
$do_pfs && { run_pfs; ret=$(($? + ret)); }
|
$do_pfs && { run_pfs; ret=$(($? + ret)); }
|
||||||
|
|
||||||
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
$do_server_preference && { run_server_preference; ret=$(($? + ret)); }
|
$do_server_preference && { run_server_preference; ret=$(($? + ret)); }
|
||||||
|
|
||||||
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
$do_server_defaults && { run_server_defaults; ret=$(($? + ret)); }
|
$do_server_defaults && { run_server_defaults; ret=$(($? + ret)); }
|
||||||
|
|
||||||
if $do_header; then
|
if $do_header; then
|
||||||
#TODO: refactor this into functions
|
#TODO: refactor this into functions
|
||||||
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
if [[ $SERVICE == "HTTP" ]]; then
|
if [[ $SERVICE == "HTTP" ]]; then
|
||||||
run_http_header "$URL_PATH"
|
run_http_header "$URL_PATH"
|
||||||
run_http_date "$URL_PATH"
|
run_http_date "$URL_PATH"
|
||||||
@ -9363,6 +9537,8 @@ lets_roll() {
|
|||||||
run_more_flags "$URL_PATH"
|
run_more_flags "$URL_PATH"
|
||||||
run_rp_banner "$URL_PATH"
|
run_rp_banner "$URL_PATH"
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
((section_number++))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# vulnerabilities
|
# vulnerabilities
|
||||||
@ -9370,6 +9546,8 @@ lets_roll() {
|
|||||||
outln; pr_headlineln " Testing vulnerabilities "
|
outln; pr_headlineln " Testing vulnerabilities "
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
$do_heartbleed && { run_heartbleed; ret=$(($? + ret)); }
|
$do_heartbleed && { run_heartbleed; ret=$(($? + ret)); }
|
||||||
$do_ccs_injection && { run_ccs_injection; ret=$(($? + ret)); }
|
$do_ccs_injection && { run_ccs_injection; ret=$(($? + ret)); }
|
||||||
$do_renego && { run_renego; ret=$(($? + ret)); }
|
$do_renego && { run_renego; ret=$(($? + ret)); }
|
||||||
@ -9383,11 +9561,17 @@ lets_roll() {
|
|||||||
$do_beast && { run_beast; ret=$(($? + ret)); }
|
$do_beast && { run_beast; ret=$(($? + ret)); }
|
||||||
$do_rc4 && { run_rc4; ret=$(($? + ret)); }
|
$do_rc4 && { run_rc4; ret=$(($? + ret)); }
|
||||||
|
|
||||||
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
$do_allciphers && { run_allciphers; ret=$(($? + ret)); }
|
$do_allciphers && { run_allciphers; ret=$(($? + ret)); }
|
||||||
$do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); }
|
$do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); }
|
||||||
|
|
||||||
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
$do_client_simulation && { run_client_simulation; ret=$(($? + ret)); }
|
$do_client_simulation && { run_client_simulation; ret=$(($? + ret)); }
|
||||||
|
|
||||||
|
fileout_section_footer
|
||||||
|
|
||||||
outln
|
outln
|
||||||
|
END_TIME=$(date +%s)
|
||||||
datebanner " Done"
|
datebanner " Done"
|
||||||
|
|
||||||
return $ret
|
return $ret
|
||||||
|