* added ocsp stapling in server defaults test
* non-working prototype of testing a single cipher via hexcode
This commit is contained in:
parent
cb9c0b3b85
commit
6aeec03427
68
testssl.sh
68
testssl.sh
@ -491,6 +491,43 @@ neat_list(){
|
|||||||
[ -r $MAP_RFC_FNAME ] && show_rfc_style $HEXC 73
|
[ -r $MAP_RFC_FNAME ] && show_rfc_style $HEXC 73
|
||||||
}
|
}
|
||||||
|
|
||||||
|
test_just_one(){
|
||||||
|
|
||||||
|
ciph=""
|
||||||
|
for arg in $@; do
|
||||||
|
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph restofline; do
|
||||||
|
normalize_ciphercode $hexcode
|
||||||
|
grep arg
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
neat_header
|
||||||
|
|
||||||
|
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslversmin kx auth enc mac export; do
|
||||||
|
for ciph in $@; do
|
||||||
|
$OPENSSL s_client -cipher $ciph $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
||||||
|
ret=$?
|
||||||
|
if [ $ret -ne 0 ] && [ "$SHOW_EACH_C" -eq 0 ]; then
|
||||||
|
continue # no successful connect AND not verbose displaying each cipher
|
||||||
|
fi
|
||||||
|
normalize_ciphercode $hexcode
|
||||||
|
neat_list $HEXC $ciph $kx $enc
|
||||||
|
if [ "$SHOW_EACH_C" -ne 0 ]; then
|
||||||
|
[ -r $MAP_RFC_FNAME ] && go2_column 114
|
||||||
|
if [ $ret -eq 0 ]; then
|
||||||
|
cyan " available"
|
||||||
|
else
|
||||||
|
out " not a/v"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
outln
|
||||||
|
rm $TMPFILE
|
||||||
|
done
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad
|
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad
|
||||||
allciphers(){
|
allciphers(){
|
||||||
@ -641,7 +678,7 @@ simple_preference() {
|
|||||||
outln
|
outln
|
||||||
blue "--> Testing server defaults (Server Hello)"; outln "\n"
|
blue "--> Testing server defaults (Server Hello)"; outln "\n"
|
||||||
# throwing every cipher/protocol at the server and displaying its pick
|
# throwing every cipher/protocol at the server and displaying its pick
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI -tlsextdebug </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI -tlsextdebug -status </dev/null 2>/dev/null >$TMPFILE
|
||||||
localtime=`date "+%s"`
|
localtime=`date "+%s"`
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
magentaln "This shouldn't happen. "
|
magentaln "This shouldn't happen. "
|
||||||
@ -683,7 +720,7 @@ simple_preference() {
|
|||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
out " TLS server extensions: "
|
out " TLS server extensions "
|
||||||
extensions=`grep -w "^TLS server extension" $TMPFILE | sed -e 's/^TLS server extension \"//' -e 's/\".*$/,/g'`
|
extensions=`grep -w "^TLS server extension" $TMPFILE | sed -e 's/^TLS server extension \"//' -e 's/\".*$/,/g'`
|
||||||
if [ -z "$extensions" ]; then
|
if [ -z "$extensions" ]; then
|
||||||
outln "(none)"
|
outln "(none)"
|
||||||
@ -700,7 +737,22 @@ simple_preference() {
|
|||||||
unit=`echo $sessticket_str | grep lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g'`
|
unit=`echo $sessticket_str | grep lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g'`
|
||||||
outln "$lifetime $unit"
|
outln "$lifetime $unit"
|
||||||
fi
|
fi
|
||||||
ret=0
|
|
||||||
|
out " OCSP stapling "
|
||||||
|
if grep "OCSP response" $TMPFILE | grep -q "no response sent" ; then
|
||||||
|
out " not offered"
|
||||||
|
else
|
||||||
|
if grep "OCSP Response Status" $TMPFILE | grep -q successful; then
|
||||||
|
litegreen " OCSP stapling offered"
|
||||||
|
else
|
||||||
|
outln " not sure what's going on here, debug:"
|
||||||
|
grep -A 20 "OCSP response" $TMPFILE
|
||||||
|
ret=2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
outln
|
||||||
|
|
||||||
|
|
||||||
#gmt_unix_time, removed since 1.0.1f
|
#gmt_unix_time, removed since 1.0.1f
|
||||||
#
|
#
|
||||||
@ -715,7 +767,6 @@ simple_preference() {
|
|||||||
# outln " $localtime"
|
# outln " $localtime"
|
||||||
#fi
|
#fi
|
||||||
#http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
|
#http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
|
||||||
fi
|
|
||||||
|
|
||||||
rm $TMPFILE
|
rm $TMPFILE
|
||||||
return $ret
|
return $ret
|
||||||
@ -1641,6 +1692,13 @@ case "$1" in
|
|||||||
initialize_engine # GOST support
|
initialize_engine # GOST support
|
||||||
prettyprint_local "$2"
|
prettyprint_local "$2"
|
||||||
exit $? ;;
|
exit $? ;;
|
||||||
|
-x|--single-test)
|
||||||
|
parse_hn_port "$3"
|
||||||
|
maketempf
|
||||||
|
test_just_one $2
|
||||||
|
ret=$?
|
||||||
|
cleanup
|
||||||
|
exit $ret ;;
|
||||||
-t|--starttls)
|
-t|--starttls)
|
||||||
parse_hn_port "$2" "$3" # here comes hostname:port and protocol to signal starttls
|
parse_hn_port "$2" "$3" # here comes hostname:port and protocol to signal starttls
|
||||||
maketempf
|
maketempf
|
||||||
@ -1783,7 +1841,7 @@ case "$1" in
|
|||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.112 2014/07/16 16:54:10 dirkw Exp $
|
# $Id: testssl.sh,v 1.114 2014/08/29 12:56:35 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
|
||||||
|
|
||||||
|
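Review bot: The `ret=0` removed at the top of the OCSP hunk was the only assignment in view that initialises `ret` on the normal path, so `return $ret` at the end of simple_preference now reports whatever `ret` held earlier in the function, or the status of `rm $TMPFILE` if it is unset; only the `ret=2` debug branch sets it explicitly. Keep the initialisation, e.g. `ret=0` immediately before `out " OCSP stapling "`, so the `ret=2` case stays distinguishable for callers. In the test_just_one hunk the inner `for ciph in $@` overwrites the `ciph` value that `read` just produced, and `grep arg` searches for the literal word `arg` rather than `$arg`, so the hex-code lookup never matches (the commit message already calls it a non-working prototype); the `--single-test` dispatch and the `-cipher` argument should also quote the user-supplied value, `test_just_one "$2"` and `-cipher "$ciph"`. simple_preference's body starts before the first of these hunks and its closing brace lies outside them.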