From 43d5ad50714a10672fd4976c63b88f3358edbb1f Mon Sep 17 00:00:00 2001 From: David Cooper Date: Mon, 25 Jul 2016 16:42:04 -0400 Subject: [PATCH 1/2] SSLv2 fixes for run_rc4() This PR changes run_rc4() to correctly handle SSLv2 ciphers. It addresses the problem in which servers that do not implement SSLv2, but that implement SSLv3 ciphers that share an OpenSSL name with an SSLv2 cipher (RC4-MD5 and EXP-RC4-MD5), are not incorrectly shown as having implemented the SSLv2 cipher. It also addresses the problem that if a server does implement SSLv2 with an RC4 SSLv2-cipher suite, then that cipher suite it not shown as being implemented. --- testssl.sh | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index a2ee4c3..bb5f972 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6876,6 +6876,7 @@ run_rc4() { local -i sclient_success local hexcode dash rc4_cipher sslvers kx auth enc mac export local rc4_ciphers_list="ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:DHE-DSS-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:RSA-PSK-RC4-SHA:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP-ADH-RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5" + local rc4_ssl2_ciphers_list="RC4-MD5:RC4-64-MD5:EXP-RC4-MD5" local rc4_detected="" local available="" @@ -6889,7 +6890,14 @@ run_rc4() { pr_bold " RC4"; out " (CVE-2013-2566, CVE-2015-2808) " $OPENSSL s_client -cipher $rc4_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE + if [[ "$sslvers" == "SSLv2" ]]; then + $OPENSSL s_client -cipher $rc4_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 $TMPFILE 2>$ERRFILE + else + $OPENSSL s_client -cipher $rc4_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $TMPFILE 2>$ERRFILE + fi sclient_connect_successful $? $TMPFILE sclient_success=$? # here we may have a fp with openssl < 1.0, TBC if [[ $sclient_success -ne 0 ]] && ! "$SHOW_EACH_C"; then From add75caf82addf19b4a5f7166971c3a3dcfae54b Mon Sep 17 00:00:00 2001 From: David Cooper Date: Mon, 25 Jul 2016 17:00:49 -0400 Subject: [PATCH 2/2] SSLv2 fixes for test_just_one() This PR changes test_just_one() to correctly handle SSLv2 ciphers. As with PR #424, this PR addresses the problem in which servers that do not implement SSLv2, but that implement RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5, or NULL-MD5 are shown as implementing both the SSLv2 and SSLv3 versions of the ciphers, and that any SSLv2 ciphers that a server does implement are not shown as being implemented. --- testssl.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index a2ee4c3..99d68ec 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1591,7 +1591,11 @@ test_just_one(){ neat_list $HEXC $ciph $kx $enc | grep -qwai "$arg" fi if [[ $? -eq 0 ]]; then # string matches, so we can ssl to it: - $OPENSSL s_client -cipher $ciph $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>$ERRFILE >$TMPFILE $ERRFILE >$TMPFILE $ERRFILE >$TMPFILE