mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-09 10:10:57 +01:00
Merge branch 'master' of github.com:feld/testssl.sh
This commit is contained in:
commit
69dfc1f322
106
testssl.sh
106
testssl.sh
@ -270,11 +270,11 @@ wait_kill(){
|
|||||||
pid=$1
|
pid=$1
|
||||||
maxsleep=$2
|
maxsleep=$2
|
||||||
while true; do
|
while true; do
|
||||||
if ! ps $pid >/dev/null 2>&1; then
|
if ! ps $pid 2>&1 >/dev/null ; then
|
||||||
return 0 # didn't reach maxsleep yet
|
return 0 # didn't reach maxsleep yet
|
||||||
fi
|
fi
|
||||||
sleep 1
|
sleep 1
|
||||||
maxsleep=$(expr $maxsleep - 1)
|
maxsleep=$(($maxsleep - 1))
|
||||||
test $maxsleep -eq 0 && break
|
test $maxsleep -eq 0 && break
|
||||||
done # needs to be killed:
|
done # needs to be killed:
|
||||||
kill $pid >&2 2>/dev/null
|
kill $pid >&2 2>/dev/null
|
||||||
@ -686,7 +686,7 @@ std_cipherlists() {
|
|||||||
# ARG2: sleep
|
# ARG2: sleep
|
||||||
socksend() {
|
socksend() {
|
||||||
# the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do
|
# the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do
|
||||||
data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\\/g' | tr -d '\n')
|
data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n')
|
||||||
[[ $DEBUG -ge 4 ]] && echo "\"$data\""
|
[[ $DEBUG -ge 4 ]] && echo "\"$data\""
|
||||||
printf -- "$data" >&5 2>/dev/null &
|
printf -- "$data" >&5 2>/dev/null &
|
||||||
sleep $2
|
sleep $2
|
||||||
@ -702,17 +702,17 @@ sockread() {
|
|||||||
pid=$!
|
pid=$!
|
||||||
|
|
||||||
while true; do
|
while true; do
|
||||||
if ! ps $pid >/dev/null 2>&1; then
|
if ! ps $pid 2>&1 >/dev/null ; then
|
||||||
break # didn't reach maxsleep yet
|
break # didn't reach maxsleep yet
|
||||||
kill $pid >&2 2>/dev/null
|
kill $pid >&2 2>/dev/null
|
||||||
fi
|
fi
|
||||||
sleep 1
|
sleep 1
|
||||||
maxsleep=$(expr $maxsleep - 1)
|
maxsleep=$(($maxsleep - 1))
|
||||||
test $maxsleep -eq 0 && break
|
test $maxsleep -eq 0 && break
|
||||||
done
|
done
|
||||||
#FIXME: cleanup, we have extra function for this now
|
#FIXME: cleanup, we have extra function for this now
|
||||||
|
|
||||||
if ps $pid >/dev/null 2&>1; then
|
if ps $pid 2&>1 >/dev/null ; then
|
||||||
# time's up and dd is still alive --> timeout
|
# time's up and dd is still alive --> timeout
|
||||||
kill $pid
|
kill $pid
|
||||||
wait $pid 2>/dev/null
|
wait $pid 2>/dev/null
|
||||||
@ -1024,7 +1024,7 @@ server_preference() {
|
|||||||
proto[i]=""
|
proto[i]=""
|
||||||
cipher[i]=""
|
cipher[i]=""
|
||||||
fi
|
fi
|
||||||
i=$(expr $i + 1)
|
i=$(($i + 1))
|
||||||
done
|
done
|
||||||
|
|
||||||
if spdy_pre ; then # is NPN/SPDY supported and is this no STARTTLS?
|
if spdy_pre ; then # is NPN/SPDY supported and is this no STARTTLS?
|
||||||
@ -1139,7 +1139,7 @@ server_defaults() {
|
|||||||
SAN=$($OPENSSL x509 -in $HOSTCERT -noout -text | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
|
SAN=$($OPENSSL x509 -in $HOSTCERT -noout -text | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
|
||||||
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g' -e 's/othername:<unsupported>//g')
|
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g' -e 's/othername:<unsupported>//g')
|
||||||
# ^^^ CACert
|
# ^^^ CACert
|
||||||
[ x"$SAN" != "x" ] && SAN=$(echo "$SAN" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g) && outln " subjectAltName (SAN) $SAN"
|
[ x"$SAN" != "x" ] && SAN=$(echo "$SAN" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') && outln " subjectAltName (SAN) $SAN"
|
||||||
# replace line feed by " "
|
# replace line feed by " "
|
||||||
|
|
||||||
out " Issuer "
|
out " Issuer "
|
||||||
@ -1163,10 +1163,10 @@ server_defaults() {
|
|||||||
if ! echo $expire | grep -qw not; then
|
if ! echo $expire | grep -qw not; then
|
||||||
pr_red "expired!"
|
pr_red "expired!"
|
||||||
else
|
else
|
||||||
SECS2WARN=$(expr 24 \* 60 \* 60 \* $DAYS2WARN2) # low threshold first
|
SECS2WARN=$((24 * 60 * 60 * $DAYS2WARN2)) # low threshold first
|
||||||
expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN)
|
expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN)
|
||||||
if echo "$expire" | grep -qw not; then
|
if echo "$expire" | grep -qw not; then
|
||||||
SECS2WARN=$(expr 24 \* 60 \* 60 \* $DAYS2WARN2)
|
SECS2WARN=$((24 * 60 * 60 * $DAYS2WARN2))
|
||||||
expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN)
|
expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN)
|
||||||
if echo "$expire" | grep -qw not; then
|
if echo "$expire" | grep -qw not; then
|
||||||
pr_litegreen ">= $DAYS2WARN1 days"
|
pr_litegreen ">= $DAYS2WARN1 days"
|
||||||
@ -1216,7 +1216,7 @@ server_defaults() {
|
|||||||
#remotetime=$(grep -w "Start Time" $TMPFILE | sed 's/[A-Za-z:() ]//g')
|
#remotetime=$(grep -w "Start Time" $TMPFILE | sed 's/[A-Za-z:() ]//g')
|
||||||
#if [ ! -z "$remotetime" ]; then
|
#if [ ! -z "$remotetime" ]; then
|
||||||
# remotetime_stdformat=$(date --date="@$remotetime" "+%Y-%m-%d %r")
|
# remotetime_stdformat=$(date --date="@$remotetime" "+%Y-%m-%d %r")
|
||||||
# difftime=$(expr $localtime - $remotetime)
|
# difftime=$(($localtime - $remotetime))
|
||||||
# [ $difftime -gt 0 ] && difftime="+"$difftime
|
# [ $difftime -gt 0 ] && difftime="+"$difftime
|
||||||
# difftime=$difftime" s"
|
# difftime=$difftime" s"
|
||||||
# outln " remotetime? : $remotetime ($difftime) = $remotetime_stdformat"
|
# outln " remotetime? : $remotetime ($difftime) = $remotetime_stdformat"
|
||||||
@ -1460,7 +1460,7 @@ sockread_serverhello() {
|
|||||||
[[ $maxsleep -le 0 ]] && break
|
[[ $maxsleep -le 0 ]] && break
|
||||||
done
|
done
|
||||||
|
|
||||||
if ps $pid >/dev/null 2>&1; then
|
if ps $pid 2>&1 >/dev/null ; then
|
||||||
# time's up and dd is still alive --> timeout
|
# time's up and dd is still alive --> timeout
|
||||||
kill $pid >&2 2>/dev/null
|
kill $pid >&2 2>/dev/null
|
||||||
wait $pid 2>/dev/null
|
wait $pid 2>/dev/null
|
||||||
@ -2171,10 +2171,10 @@ crime() {
|
|||||||
# STR=$(grep Compression $TMPFILE )
|
# STR=$(grep Compression $TMPFILE )
|
||||||
# if echo $STR | grep -q NONE >/dev/null; then
|
# if echo $STR | grep -q NONE >/dev/null; then
|
||||||
# pr_green "not vulnerable (OK)"
|
# pr_green "not vulnerable (OK)"
|
||||||
# ret=$(expr $ret + 0)
|
# ret=$(($ret + 0))
|
||||||
# else
|
# else
|
||||||
# pr_red "VULNERABLE (NOT ok)"
|
# pr_red "VULNERABLE (NOT ok)"
|
||||||
# ret=$(expr $ret + 1)
|
# ret=$(($ret + 1))
|
||||||
# fi
|
# fi
|
||||||
# fi
|
# fi
|
||||||
# fi
|
# fi
|
||||||
@ -2393,27 +2393,27 @@ starttls() {
|
|||||||
# of the cmdline e.g. with getopts.
|
# of the cmdline e.g. with getopts.
|
||||||
STARTTLS="-starttls $protocol"
|
STARTTLS="-starttls $protocol"
|
||||||
export STARTTLS
|
export STARTTLS
|
||||||
runprotocols ; ret=$(expr $? + $ret)
|
runprotocols ; ret=$(($? + $ret))
|
||||||
run_std_cipherlists ; ret=$(expr $? + $ret)
|
run_std_cipherlists ; ret=$(($? + $ret))
|
||||||
server_preference ; ret=$(expr $? + $ret)
|
server_preference ; ret=$(($? + $ret))
|
||||||
server_defaults ; ret=$(expr $? + $ret)
|
server_defaults ; ret=$(($? + $ret))
|
||||||
|
|
||||||
outln; pr_blue "--> Testing specific vulnerabilities" ; outln "\n"
|
outln; pr_blue "--> Testing specific vulnerabilities" ; outln "\n"
|
||||||
#FIXME: heartbleed + CCS won't work this way yet
|
#FIXME: heartbleed + CCS won't work this way yet
|
||||||
# heartbleed ; ret=$(expr $? + $ret)
|
# heartbleed ; ret=$(($? + $ret))
|
||||||
# ccs_injection ; ret=$(expr $? + $ret)
|
# ccs_injection ; ret=$(($? + $ret))
|
||||||
renego ; ret=$(expr $? + $ret)
|
renego ; ret=$(($? + $ret))
|
||||||
crime ; ret=$(expr $? + $ret)
|
crime ; ret=$(($? + $ret))
|
||||||
ssl_poodle ; ret=$(expr $? + $ret)
|
ssl_poodle ; ret=$(($? + $ret))
|
||||||
freak ; ret=$(expr $? + $ret)
|
freak ; ret=$(($? + $ret))
|
||||||
beast ; ret=$(expr $? + $ret)
|
beast ; ret=$(($? + $ret))
|
||||||
|
|
||||||
rc4 ; ret=$(expr $? + $ret)
|
rc4 ; ret=$(($? + $ret))
|
||||||
pfs ; ret=$(expr $? + $ret)
|
pfs ; ret=$(($? + $ret))
|
||||||
|
|
||||||
outln
|
outln
|
||||||
#cipher_per_proto ; ret=$(expr $? + $ret)
|
#cipher_per_proto ; ret=$(($? + $ret))
|
||||||
allciphers ; ret=$(expr $? + $ret)
|
allciphers ; ret=$(($? + $ret))
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2
|
*) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2
|
||||||
@ -2846,7 +2846,7 @@ case "$1" in
|
|||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
runprotocols ; ret=$?
|
runprotocols ; ret=$?
|
||||||
spdy ; ret=$(expr $? + $ret)
|
spdy ; ret=$(($? + $ret))
|
||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
-f|--ciphers)
|
-f|--ciphers)
|
||||||
maketempf
|
maketempf
|
||||||
@ -2903,7 +2903,7 @@ case "$1" in
|
|||||||
breach "$URL_PATH"
|
breach "$URL_PATH"
|
||||||
ret=$?
|
ret=$?
|
||||||
fi
|
fi
|
||||||
ret=$(expr $? + $ret)
|
ret=$(($? + $ret))
|
||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
-O|--ssl_poodle|poodle)
|
-O|--ssl_poodle|poodle)
|
||||||
maketempf
|
maketempf
|
||||||
@ -2941,11 +2941,11 @@ case "$1" in
|
|||||||
hpkp "$URL_PATH"
|
hpkp "$URL_PATH"
|
||||||
ret=$?
|
ret=$?
|
||||||
serverbanner "$URL_PATH"
|
serverbanner "$URL_PATH"
|
||||||
ret=$(expr $? + $ret)
|
ret=$(($? + $ret))
|
||||||
applicationbanner "$URL_PATH"
|
applicationbanner "$URL_PATH"
|
||||||
ret=$(expr $? + $ret)
|
ret=$(($? + $ret))
|
||||||
cookieflags "$URL_PATH"
|
cookieflags "$URL_PATH"
|
||||||
ret=$(expr $? + $ret)
|
ret=$(($? + $ret))
|
||||||
else
|
else
|
||||||
pr_litemagentaln " Wrong usage: You're not targetting a HTTP service"
|
pr_litemagentaln " Wrong usage: You're not targetting a HTTP service"
|
||||||
ret=2
|
ret=2
|
||||||
@ -2958,34 +2958,34 @@ case "$1" in
|
|||||||
|
|
||||||
outln
|
outln
|
||||||
runprotocols ; ret=$?
|
runprotocols ; ret=$?
|
||||||
spdy ; ret=$(expr $? + $ret)
|
spdy ; ret=$(($? + $ret))
|
||||||
run_std_cipherlists ; ret=$(expr $? + $ret)
|
run_std_cipherlists ; ret=$(($? + $ret))
|
||||||
server_preference ; ret=$(expr $? + $ret)
|
server_preference ; ret=$(($? + $ret))
|
||||||
server_defaults ; ret=$(expr $? + $ret)
|
server_defaults ; ret=$(($? + $ret))
|
||||||
|
|
||||||
if [[ $SERVICE == "HTTP" ]]; then
|
if [[ $SERVICE == "HTTP" ]]; then
|
||||||
outln; pr_blue "--> Testing HTTP Header response"
|
outln; pr_blue "--> Testing HTTP Header response"
|
||||||
outln "\n"
|
outln "\n"
|
||||||
hsts "$URL_PATH" ; ret=$(expr $? + $ret)
|
hsts "$URL_PATH" ; ret=$(($? + $ret))
|
||||||
hpkp "$URL_PATH" ; ret=$(expr $? + $ret)
|
hpkp "$URL_PATH" ; ret=$(($? + $ret))
|
||||||
serverbanner "$URL_PATH" ; ret=$(expr $? + $ret)
|
serverbanner "$URL_PATH" ; ret=$(($? + $ret))
|
||||||
applicationbanner "$URL_PATH" ; ret=$(expr $? + $ret)
|
applicationbanner "$URL_PATH" ; ret=$(($? + $ret))
|
||||||
cookieflags "$URL_PATH" ; ret=$(expr $? + $ret)
|
cookieflags "$URL_PATH" ; ret=$(($? + $ret))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
outln; pr_blue "--> Testing specific vulnerabilities"
|
outln; pr_blue "--> Testing specific vulnerabilities"
|
||||||
outln "\n"
|
outln "\n"
|
||||||
heartbleed ; ret=$(expr $? + $ret)
|
heartbleed ; ret=$(($? + $ret))
|
||||||
ccs_injection ; ret=$(expr $? + $ret)
|
ccs_injection ; ret=$(($? + $ret))
|
||||||
renego ; ret=$(expr $? + $ret)
|
renego ; ret=$(($? + $ret))
|
||||||
crime ; ret=$(expr $? + $ret)
|
crime ; ret=$(($? + $ret))
|
||||||
[[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=$(expr $? + $ret)
|
[[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=$(($? + $ret))
|
||||||
ssl_poodle ; ret=$(expr $? + $ret)
|
ssl_poodle ; ret=$(($? + $ret))
|
||||||
freak ; ret=$(expr $? + $ret)
|
freak ; ret=$(($? + $ret))
|
||||||
beast ; ret=$(expr $? + $ret)
|
beast ; ret=$(($? + $ret))
|
||||||
|
|
||||||
rc4 ; ret=$(expr $? + $ret)
|
rc4 ; ret=$(($? + $ret))
|
||||||
pfs ; ret=$(expr $? + $ret)
|
pfs ; ret=$(($? + $ret))
|
||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user