Merge branch 'master' of github.com:feld/testssl.sh

This commit is contained in:
Mark Felder 2015-03-13 15:12:45 -05:00
commit 69dfc1f322


@ -270,11 +270,11 @@ wait_kill(){
pid=$1 pid=$1
maxsleep=$2 maxsleep=$2
while true; do while true; do
if ! ps $pid >/dev/null 2>&1; then if ! ps $pid 2>&1 >/dev/null ; then
return 0 # didn't reach maxsleep yet return 0 # didn't reach maxsleep yet
fi fi
sleep 1 sleep 1
maxsleep=$(expr $maxsleep - 1) maxsleep=$(($maxsleep - 1))
test $maxsleep -eq 0 && break test $maxsleep -eq 0 && break
done # needs to be killed: done # needs to be killed:
kill $pid >&2 2>/dev/null kill $pid >&2 2>/dev/null
@ -686,7 +686,7 @@ std_cipherlists() {
# ARG2: sleep # ARG2: sleep
socksend() { socksend() {
# the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do # the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do
data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\\/g' | tr -d '\n') data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n')
[[ $DEBUG -ge 4 ]] && echo "\"$data\"" [[ $DEBUG -ge 4 ]] && echo "\"$data\""
printf -- "$data" >&5 2>/dev/null & printf -- "$data" >&5 2>/dev/null &
sleep $2 sleep $2
@ -702,17 +702,17 @@ sockread() {
pid=$! pid=$!
while true; do while true; do
if ! ps $pid >/dev/null 2>&1; then if ! ps $pid 2>&1 >/dev/null ; then
break # didn't reach maxsleep yet break # didn't reach maxsleep yet
kill $pid >&2 2>/dev/null kill $pid >&2 2>/dev/null
fi fi
sleep 1 sleep 1
maxsleep=$(expr $maxsleep - 1) maxsleep=$(($maxsleep - 1))
test $maxsleep -eq 0 && break test $maxsleep -eq 0 && break
done done
#FIXME: cleanup, we have extra function for this now #FIXME: cleanup, we have extra function for this now
if ps $pid >/dev/null 2&>1; then if ps $pid 2&>1 >/dev/null ; then
# time's up and dd is still alive --> timeout # time's up and dd is still alive --> timeout
kill $pid kill $pid
wait $pid 2>/dev/null wait $pid 2>/dev/null
@ -1024,7 +1024,7 @@ server_preference() {
proto[i]="" proto[i]=""
cipher[i]="" cipher[i]=""
fi fi
i=$(expr $i + 1) i=$(($i + 1))
done done
if spdy_pre ; then # is NPN/SPDY supported and is this no STARTTLS? if spdy_pre ; then # is NPN/SPDY supported and is this no STARTTLS?
@ -1139,7 +1139,7 @@ server_defaults() {
SAN=$($OPENSSL x509 -in $HOSTCERT -noout -text | grep -A3 "Subject Alternative Name" | grep "DNS:" | \ SAN=$($OPENSSL x509 -in $HOSTCERT -noout -text | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g' -e 's/othername:<unsupported>//g') sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g' -e 's/othername:<unsupported>//g')
# ^^^ CACert # ^^^ CACert
[ x"$SAN" != "x" ] && SAN=$(echo "$SAN" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g) && outln " subjectAltName (SAN) $SAN" [ x"$SAN" != "x" ] && SAN=$(echo "$SAN" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') && outln " subjectAltName (SAN) $SAN"
# replace line feed by " " # replace line feed by " "
out " Issuer " out " Issuer "
@ -1163,10 +1163,10 @@ server_defaults() {
if ! echo $expire | grep -qw not; then if ! echo $expire | grep -qw not; then
pr_red "expired!" pr_red "expired!"
else else
SECS2WARN=$(expr 24 \* 60 \* 60 \* $DAYS2WARN2) # low threshold first SECS2WARN=$((24 * 60 * 60 * $DAYS2WARN2)) # low threshold first
expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN) expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN)
if echo "$expire" | grep -qw not; then if echo "$expire" | grep -qw not; then
SECS2WARN=$(expr 24 \* 60 \* 60 \* $DAYS2WARN2) SECS2WARN=$((24 * 60 * 60 * $DAYS2WARN2))
expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN) expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN)
if echo "$expire" | grep -qw not; then if echo "$expire" | grep -qw not; then
pr_litegreen ">= $DAYS2WARN1 days" pr_litegreen ">= $DAYS2WARN1 days"
@ -1216,7 +1216,7 @@ server_defaults() {
#remotetime=$(grep -w "Start Time" $TMPFILE | sed 's/[A-Za-z:() ]//g') #remotetime=$(grep -w "Start Time" $TMPFILE | sed 's/[A-Za-z:() ]//g')
#if [ ! -z "$remotetime" ]; then #if [ ! -z "$remotetime" ]; then
# remotetime_stdformat=$(date --date="@$remotetime" "+%Y-%m-%d %r") # remotetime_stdformat=$(date --date="@$remotetime" "+%Y-%m-%d %r")
# difftime=$(expr $localtime - $remotetime) # difftime=$(($localtime - $remotetime))
# [ $difftime -gt 0 ] && difftime="+"$difftime # [ $difftime -gt 0 ] && difftime="+"$difftime
# difftime=$difftime" s" # difftime=$difftime" s"
# outln " remotetime? : $remotetime ($difftime) = $remotetime_stdformat" # outln " remotetime? : $remotetime ($difftime) = $remotetime_stdformat"
@ -1460,7 +1460,7 @@ sockread_serverhello() {
[[ $maxsleep -le 0 ]] && break [[ $maxsleep -le 0 ]] && break
done done
if ps $pid >/dev/null 2>&1; then if ps $pid 2>&1 >/dev/null ; then
# time's up and dd is still alive --> timeout # time's up and dd is still alive --> timeout
kill $pid >&2 2>/dev/null kill $pid >&2 2>/dev/null
wait $pid 2>/dev/null wait $pid 2>/dev/null
@ -2171,10 +2171,10 @@ crime() {
# STR=$(grep Compression $TMPFILE ) # STR=$(grep Compression $TMPFILE )
# if echo $STR | grep -q NONE >/dev/null; then # if echo $STR | grep -q NONE >/dev/null; then
# pr_green "not vulnerable (OK)" # pr_green "not vulnerable (OK)"
# ret=$(expr $ret + 0) # ret=$(($ret + 0))
# else # else
# pr_red "VULNERABLE (NOT ok)" # pr_red "VULNERABLE (NOT ok)"
# ret=$(expr $ret + 1) # ret=$(($ret + 1))
# fi # fi
# fi # fi
# fi # fi
@ -2393,27 +2393,27 @@ starttls() {
# of the cmdline e.g. with getopts. # of the cmdline e.g. with getopts.
STARTTLS="-starttls $protocol" STARTTLS="-starttls $protocol"
export STARTTLS export STARTTLS
runprotocols ; ret=$(expr $? + $ret) runprotocols ; ret=$(($? + $ret))
run_std_cipherlists ; ret=$(expr $? + $ret) run_std_cipherlists ; ret=$(($? + $ret))
server_preference ; ret=$(expr $? + $ret) server_preference ; ret=$(($? + $ret))
server_defaults ; ret=$(expr $? + $ret) server_defaults ; ret=$(($? + $ret))
outln; pr_blue "--> Testing specific vulnerabilities" ; outln "\n" outln; pr_blue "--> Testing specific vulnerabilities" ; outln "\n"
#FIXME: heartbleed + CCS won't work this way yet #FIXME: heartbleed + CCS won't work this way yet
# heartbleed ; ret=$(expr $? + $ret) # heartbleed ; ret=$(($? + $ret))
# ccs_injection ; ret=$(expr $? + $ret) # ccs_injection ; ret=$(($? + $ret))
renego ; ret=$(expr $? + $ret) renego ; ret=$(($? + $ret))
crime ; ret=$(expr $? + $ret) crime ; ret=$(($? + $ret))
ssl_poodle ; ret=$(expr $? + $ret) ssl_poodle ; ret=$(($? + $ret))
freak ; ret=$(expr $? + $ret) freak ; ret=$(($? + $ret))
beast ; ret=$(expr $? + $ret) beast ; ret=$(($? + $ret))
rc4 ; ret=$(expr $? + $ret) rc4 ; ret=$(($? + $ret))
pfs ; ret=$(expr $? + $ret) pfs ; ret=$(($? + $ret))
outln outln
#cipher_per_proto ; ret=$(expr $? + $ret) #cipher_per_proto ; ret=$(($? + $ret))
allciphers ; ret=$(expr $? + $ret) allciphers ; ret=$(($? + $ret))
fi fi
;; ;;
*) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2 *) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2
@ -2846,7 +2846,7 @@ case "$1" in
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
runprotocols ; ret=$? runprotocols ; ret=$?
spdy ; ret=$(expr $? + $ret) spdy ; ret=$(($? + $ret))
exit $ret ;; exit $ret ;;
-f|--ciphers) -f|--ciphers)
maketempf maketempf
@ -2903,7 +2903,7 @@ case "$1" in
breach "$URL_PATH" breach "$URL_PATH"
ret=$? ret=$?
fi fi
ret=$(expr $? + $ret) ret=$(($? + $ret))
exit $ret ;; exit $ret ;;
-O|--ssl_poodle|poodle) -O|--ssl_poodle|poodle)
maketempf maketempf
@ -2941,11 +2941,11 @@ case "$1" in
hpkp "$URL_PATH" hpkp "$URL_PATH"
ret=$? ret=$?
serverbanner "$URL_PATH" serverbanner "$URL_PATH"
ret=$(expr $? + $ret) ret=$(($? + $ret))
applicationbanner "$URL_PATH" applicationbanner "$URL_PATH"
ret=$(expr $? + $ret) ret=$(($? + $ret))
cookieflags "$URL_PATH" cookieflags "$URL_PATH"
ret=$(expr $? + $ret) ret=$(($? + $ret))
else else
pr_litemagentaln " Wrong usage: You're not targetting a HTTP service" pr_litemagentaln " Wrong usage: You're not targetting a HTTP service"
ret=2 ret=2
@ -2958,34 +2958,34 @@ case "$1" in
outln outln
runprotocols ; ret=$? runprotocols ; ret=$?
spdy ; ret=$(expr $? + $ret) spdy ; ret=$(($? + $ret))
run_std_cipherlists ; ret=$(expr $? + $ret) run_std_cipherlists ; ret=$(($? + $ret))
server_preference ; ret=$(expr $? + $ret) server_preference ; ret=$(($? + $ret))
server_defaults ; ret=$(expr $? + $ret) server_defaults ; ret=$(($? + $ret))
if [[ $SERVICE == "HTTP" ]]; then if [[ $SERVICE == "HTTP" ]]; then
outln; pr_blue "--> Testing HTTP Header response" outln; pr_blue "--> Testing HTTP Header response"
outln "\n" outln "\n"
hsts "$URL_PATH" ; ret=$(expr $? + $ret) hsts "$URL_PATH" ; ret=$(($? + $ret))
hpkp "$URL_PATH" ; ret=$(expr $? + $ret) hpkp "$URL_PATH" ; ret=$(($? + $ret))
serverbanner "$URL_PATH" ; ret=$(expr $? + $ret) serverbanner "$URL_PATH" ; ret=$(($? + $ret))
applicationbanner "$URL_PATH" ; ret=$(expr $? + $ret) applicationbanner "$URL_PATH" ; ret=$(($? + $ret))
cookieflags "$URL_PATH" ; ret=$(expr $? + $ret) cookieflags "$URL_PATH" ; ret=$(($? + $ret))
fi fi
outln; pr_blue "--> Testing specific vulnerabilities" outln; pr_blue "--> Testing specific vulnerabilities"
outln "\n" outln "\n"
heartbleed ; ret=$(expr $? + $ret) heartbleed ; ret=$(($? + $ret))
ccs_injection ; ret=$(expr $? + $ret) ccs_injection ; ret=$(($? + $ret))
renego ; ret=$(expr $? + $ret) renego ; ret=$(($? + $ret))
crime ; ret=$(expr $? + $ret) crime ; ret=$(($? + $ret))
[[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=$(expr $? + $ret) [[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=$(($? + $ret))
ssl_poodle ; ret=$(expr $? + $ret) ssl_poodle ; ret=$(($? + $ret))
freak ; ret=$(expr $? + $ret) freak ; ret=$(($? + $ret))
beast ; ret=$(expr $? + $ret) beast ; ret=$(($? + $ret))
rc4 ; ret=$(expr $? + $ret) rc4 ; ret=$(($? + $ret))
pfs ; ret=$(expr $? + $ret) pfs ; ret=$(($? + $ret))
exit $ret ;; exit $ret ;;
esac esac
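Review bot: Reordering the redirections to `ps $pid 2>&1 >/dev/null` in the wait_kill hunk, and likewise in the sockread and sockread_serverhello hunks, changes behaviour rather than just style: `2>&1` is applied first, so stderr is duplicated onto the script's stdout before stdout is sent to /dev/null, and any `ps` diagnostics (e.g. when the pid has already exited) now land in the tool's output instead of being discarded. The original order `if ! ps $pid >/dev/null 2>&1; then` silences both streams and should be kept at those sites. The second `ps` test in sockread still reads `2&>1 >/dev/null`, which bash parses as an extra argument `2` followed by an `&>1` redirection, creating a file named `1` in the working directory; it should read `if ps $pid >/dev/null 2>&1; then`. While touching these lines, quoting the expansion as `"$pid"` would keep an empty or unset pid from turning the test into a bare `ps` call. The enclosing wait_kill, sockread and sockread_serverhello bodies extend outside the hunks.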