mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
- FIX of output whene there's no CBC cipher in BEAST
- FIX: 2 occurrances of OPENSSL calls had a hostname instead of an IP address - FIX: starttls protocol correctly displayed - NEW added duplicate detection for header flags - NEW: added four GOST cipher to standard socket handshake - recommends if openssl 1.0.2 is used and results were strange and IIS6 --> run wqith openssl 1.0.1 - declared some global vars as readonly
This commit is contained in:
parent
7741d99cc8
commit
6e74b3bd5c
192
testssl.sh
192
testssl.sh
@ -52,8 +52,11 @@ SWCONTACT="dirk aet testssl dot sh"
|
|||||||
# Don't worry if feature X is not available you'll get a warning about this missing feature!
|
# Don't worry if feature X is not available you'll get a warning about this missing feature!
|
||||||
|
|
||||||
|
|
||||||
|
readonly PROG_NAME=$(basename "$0")
|
||||||
|
PROG_DIR=$(readlink "$BASH_SOURCE") 2>/dev/null
|
||||||
|
readonly RUN_DIR=$(dirname $0)
|
||||||
|
|
||||||
# following variables make useA of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
|
# following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
|
||||||
# 0 means (normally) true here. Some of the variables are also accessible with a command line switch
|
# 0 means (normally) true here. Some of the variables are also accessible with a command line switch
|
||||||
|
|
||||||
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
||||||
@ -77,20 +80,19 @@ USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
|
|||||||
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
|
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
|
||||||
|
|
||||||
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
||||||
HSTS_MIN=179 # >179 days is ok for HSTS
|
readonly HSTS_MIN=179 # >179 days is ok for HSTS
|
||||||
HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints?
|
readonly HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints?
|
||||||
CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
||||||
DAYS2WARN1=60 # days to warn before cert expires, threshold 1
|
readonly DAYS2WARN1=60 # days to warn before cert expires, threshold 1
|
||||||
DAYS2WARN2=30 # days to warn before cert expires, threshold 2
|
readonly DAYS2WARN2=30 # days to warn before cert expires, threshold 2
|
||||||
|
|
||||||
# more global vars, here just declared
|
# more global vars, here just declared
|
||||||
ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
|
readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
|
||||||
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future costum line wrapping
|
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future costum line wrapping
|
||||||
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
|
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
|
||||||
SYSTEM=$(uname -s) # OS
|
readonly SYSTEM=$(uname -s) # OS
|
||||||
|
|
||||||
NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
||||||
RUN_DIR=$(dirname $0)
|
|
||||||
TEMPDIR=""
|
TEMPDIR=""
|
||||||
TLS_PROTO_OFFERED=""
|
TLS_PROTO_OFFERED=""
|
||||||
DETECTED_TLS_VERSION=""
|
DETECTED_TLS_VERSION=""
|
||||||
@ -108,7 +110,7 @@ OSSL_VER_MINOR=0
|
|||||||
OSSL_VER_APPENDIX="none"
|
OSSL_VER_APPENDIX="none"
|
||||||
NODEIP=""
|
NODEIP=""
|
||||||
VULN_COUNT=0
|
VULN_COUNT=0
|
||||||
VULN_THRESHLD=1 # if bigger than this no we show a separate header in blue
|
readonly VULN_THRESHLD=1 # if bigger than this no we show a separate header in blue
|
||||||
IPS=""
|
IPS=""
|
||||||
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
|
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
|
||||||
URI=""
|
URI=""
|
||||||
@ -117,20 +119,20 @@ OPTIMAL_PROTO="" # we need this for IIS6 (sigh) and OpenSSL 1.02, otherwise som
|
|||||||
|
|
||||||
TLS_TIME=""
|
TLS_TIME=""
|
||||||
TLS_NOW=""
|
TLS_NOW=""
|
||||||
|
HTTP_TIME=""
|
||||||
GET_REQ11=""
|
GET_REQ11=""
|
||||||
HEAD_REQ10=""
|
HEAD_REQ10=""
|
||||||
UA_SNEAKY="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
|
readonly UA_SNEAKY="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
|
||||||
UA_STD="Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0"
|
readonly UA_STD="Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0"
|
||||||
HTTP_TIME=""
|
|
||||||
# Devel stuff, see -q below
|
# Devel stuff, see -q below
|
||||||
TLS_LOW_BYTE=""
|
TLS_LOW_BYTE=""
|
||||||
HEX_CIPHER=""
|
HEX_CIPHER=""
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# debugging help:
|
# debugging help:
|
||||||
#PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
#PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
||||||
PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
||||||
|
|
||||||
# make sure that temporary files are cleaned up after use
|
# make sure that temporary files are cleaned up after use
|
||||||
trap "cleanup" QUIT EXIT
|
trap "cleanup" QUIT EXIT
|
||||||
@ -144,12 +146,11 @@ HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:pr
|
|||||||
|
|
||||||
###### some hexbytes for bash network sockets ######
|
###### some hexbytes for bash network sockets ######
|
||||||
|
|
||||||
#FIME: GOST cipher x80-x83
|
# 133 standard cipher + 4x GOST for TLS 1.2 and SPDY/NPN
|
||||||
# 133 standard cipher for TLS 1.2 and SPDY/NPN
|
readonly TLS12_CIPHER="
|
||||||
TLS12_CIPHER="
|
|
||||||
cc,14, cc,13, cc,15, c0,30, c0,2c, c0,28, c0,24, c0,14,
|
cc,14, cc,13, cc,15, c0,30, c0,2c, c0,28, c0,24, c0,14,
|
||||||
c0,0a, c0,22, c0,21, c0,20, 00,a5, 00,a3, 00,a1, 00,9f,
|
c0,0a, c0,22, c0,21, c0,20, 00,a5, 00,a3, 00,a1, 00,9f,
|
||||||
00, 6b, 00, 6a, 00, 69, 00, 68, 00, 39, 00, 38, 00, 37, 00, 36,
|
00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, 00,80, 00,81, 00,82, 00,83,
|
||||||
c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87,
|
c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87,
|
||||||
00,86, 00,85, c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05,
|
00,86, 00,85, c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05,
|
||||||
c0,79, c0,75, 00,9d, 00,3d, 00,35, 00,c0, 00,84, c0,2f,
|
c0,79, c0,75, 00,9d, 00,3d, 00,35, 00,c0, 00,84, c0,2f,
|
||||||
@ -165,11 +166,11 @@ c0, 12, c0, 08, c0, 1c, c0, 1b, c0, 1a, 00, 16, 00, 13, 00, 10,
|
|||||||
00,0c, 00,62, 00,09, 00,65, 00,64, 00,14, 00,11, 00,0e,
|
00,0c, 00,62, 00,09, 00,65, 00,64, 00,14, 00,11, 00,0e,
|
||||||
00,0b, 00,08, 00,06, 00,03, 00,ff"
|
00,0b, 00,08, 00,06, 00,03, 00,ff"
|
||||||
|
|
||||||
# 76 standard cipher for SSLv3, TLS 1, TLS 1.1
|
# 76 standard cipher +4x GOST for SSLv3, TLS 1, TLS 1.1
|
||||||
TLS_CIPHER="
|
readonly TLS_CIPHER="
|
||||||
c0,14, c0,0a, c0,22, c0,21, c0,20, 00,39, 00,38, 00,37,
|
c0,14, c0,0a, c0,22, c0,21, c0,20, 00,39, 00,38, 00,37,
|
||||||
00,36, 00,88, 00,87, 00,86, 00,85, c0,0f, c0,05, 00,35,
|
00,36, 00,88, 00,87, 00,86, 00,85, c0,0f, c0,05, 00,35,
|
||||||
00, 84, c0, 13, c0, 09, c0, 1f, c0, 1e, c0, 1d, 00, 33, 00, 32,
|
00,84, c0,13, c0,09, c0,1f, c0,1e, c0,1d, 00,33, 00,32, 00,80, 00,81, 00,82, 00,83,
|
||||||
00,31, 00,30, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44,
|
00,31, 00,30, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44,
|
||||||
00,43, 00,42, c0,0e, c0,04, 00,2f, 00,96, 00,41, 00,07,
|
00,43, 00,42, c0,0e, c0,04, 00,2f, 00,96, 00,41, 00,07,
|
||||||
c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, c0,12,
|
c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, c0,12,
|
||||||
@ -178,7 +179,7 @@ c0, 0d, c0, 03, 00, 0a, 00, 63, 00, 15, 00, 12, 00, 0f, 00, 0c,
|
|||||||
00,62, 00,09, 00,65, 00,64, 00,14, 00,11, 00,0e, 00,0b,
|
00,62, 00,09, 00,65, 00,64, 00,14, 00,11, 00,0e, 00,0b,
|
||||||
00,08, 00,06, 00,03, 00,ff"
|
00,08, 00,06, 00,03, 00,ff"
|
||||||
|
|
||||||
SSLv2_CLIENT_HELLO="
|
readonly SSLv2_CLIENT_HELLO="
|
||||||
,80,34 # length (here: 52)
|
,80,34 # length (here: 52)
|
||||||
,01 # Client Hello
|
,01 # Client Hello
|
||||||
,00,02 # SSLv2
|
,00,02 # SSLv2
|
||||||
@ -396,7 +397,7 @@ wait_kill(){
|
|||||||
# arg1 could be the protocol determined as "working". IIS6 needs that
|
# arg1 could be the protocol determined as "working". IIS6 needs that
|
||||||
runs_HTTP() {
|
runs_HTTP() {
|
||||||
# SNI is nonsense for !HTTPS but fortunately other protocols don't seem to care
|
# SNI is nonsense for !HTTPS but fortunately other protocols don't seem to care
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $1 -quiet -connect $NODE:$PORT $SNI &>$TMPFILE &
|
printf "$GET_REQ11" | $OPENSSL s_client $1 -quiet -connect $NODEIP:$PORT $SNI &>$TMPFILE &
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
head $TMPFILE | grep -aq ^HTTP && SERVICE=HTTP
|
head $TMPFILE | grep -aq ^HTTP && SERVICE=HTTP
|
||||||
head $TMPFILE | grep -aq SMTP && SERVICE=SMTP
|
head $TMPFILE | grep -aq SMTP && SERVICE=SMTP
|
||||||
@ -702,11 +703,17 @@ moreflags() {
|
|||||||
for f2t in $good_flags2test; do
|
for f2t in $good_flags2test; do
|
||||||
result_str=$(grep -i "^$f2t" $TMPFILE)
|
result_str=$(grep -i "^$f2t" $TMPFILE)
|
||||||
[ -z "$result_str" ] && continue
|
[ -z "$result_str" ] && continue
|
||||||
if $first; then
|
if ! $first; then
|
||||||
pr_litegreenln "$result_str"
|
out "$blanks" # output leading spaces if the first header
|
||||||
first=false
|
|
||||||
else
|
else
|
||||||
out "$blanks"; pr_litegreenln "$result_str"
|
first=false
|
||||||
|
fi
|
||||||
|
if [ $(echo "$result_str" | wc -l | sed 's/ //g') -eq 1 ]; then
|
||||||
|
pr_litegreenln "$result_str"
|
||||||
|
else # for the case we hace two times the same header:
|
||||||
|
# exchange the linefeeds between the two lines only:
|
||||||
|
pr_litecyan "double -->" ; echo "$result_str" | tr '\n\r' ' | ' | sed 's/| $//g'
|
||||||
|
pr_litecyanln "<-- double"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# now the same with other flags
|
# now the same with other flags
|
||||||
@ -913,7 +920,7 @@ test_just_one(){
|
|||||||
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad
|
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad
|
||||||
allciphers(){
|
allciphers(){
|
||||||
nr_ciphers=$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' | sed 's/:/ /g' | wc -w)
|
nr_ciphers=$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' | sed 's/:/ /g' | wc -w)
|
||||||
pr_blue "--> Testing all locally available $nr_ciphers ciphers against the server"; outln "\n"
|
pr_blue "--> Testing all locally available $nr_ciphers ciphers against the server"; outln "(ordered by encryption strength)\n"
|
||||||
neat_header
|
neat_header
|
||||||
|
|
||||||
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode n ciph sslvers kx auth enc mac export; do
|
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode n ciph sslvers kx auth enc mac export; do
|
||||||
@ -944,7 +951,7 @@ cipher_per_proto(){
|
|||||||
local hexcode n ciph sslvers kx auth enc mac export
|
local hexcode n ciph sslvers kx auth enc mac export
|
||||||
local ret
|
local ret
|
||||||
|
|
||||||
pr_blue "--> Testing all locally available ciphers per protocol against the server"; outln "\n"
|
pr_blue "--> Testing all locally available ciphers per protocol against the server"; outln "(ordered by encryption strength)\n"
|
||||||
neat_header
|
neat_header
|
||||||
outln " -ssl2 SSLv2\n -ssl3 SSLv3\n -tls1 TLS 1\n -tls1_1 TLS 1.1\n -tls1_2 TLS 1.2"| while read proto proto_text; do
|
outln " -ssl2 SSLv2\n -ssl3 SSLv3\n -tls1 TLS 1\n -tls1_1 TLS 1.1\n -tls1_2 TLS 1.2"| while read proto proto_text; do
|
||||||
locally_supported "$proto" "$proto_text" || continue
|
locally_supported "$proto" "$proto_text" || continue
|
||||||
@ -1142,7 +1149,7 @@ server_preference() {
|
|||||||
*TLSv1) outln $default_proto ;;
|
*TLSv1) outln $default_proto ;;
|
||||||
*SSLv2) pr_redln $default_proto ;;
|
*SSLv2) pr_redln $default_proto ;;
|
||||||
*SSLv3) pr_redln $default_proto ;;
|
*SSLv3) pr_redln $default_proto ;;
|
||||||
"") pr_litemagentaln "default proto empty, IIS6+openssl 1.02??" ;; # maybe you can try to use openssl 1.01 here
|
"") pr_litemagenta "default proto empty"; [[ $OSSL_VER == 1.0.2* ]] && outln "(IIS6+OpenSSL 1.02?)" ;; # maybe you can try to use openssl 1.01 here
|
||||||
*) outln "$default_proto" ;;
|
*) outln "$default_proto" ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -1155,7 +1162,7 @@ server_preference() {
|
|||||||
*GCM*) pr_green "$default_cipher" ;; # best ones
|
*GCM*) pr_green "$default_cipher" ;; # best ones
|
||||||
*CHACHA20*) pr_green "$default_cipher" ;; # best ones
|
*CHACHA20*) pr_green "$default_cipher" ;; # best ones
|
||||||
ECDHE*AES*) pr_yellow "$default_cipher" ;; # it's CBC. --> lucky13
|
ECDHE*AES*) pr_yellow "$default_cipher" ;; # it's CBC. --> lucky13
|
||||||
"") pr_litemagenta "default cipher empty, IIS6+openssl 1.02?" ;; # maybe you can try to use openssl 1.01 here
|
"") pr_litemagenta "default cipher empty" ; [[ $OSSL_VER == 1.0.2* ]] && out "(IIS6+OpenSSL 1.02?)" ;; # maybe you can try to use openssl 1.01 here
|
||||||
*) out "$default_cipher" ;;
|
*) out "$default_cipher" ;;
|
||||||
esac
|
esac
|
||||||
outln "$remark4default_cipher"
|
outln "$remark4default_cipher"
|
||||||
@ -1192,16 +1199,16 @@ server_preference() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
for i in 1 2 3 4 5 6; do
|
for i in 1 2 3 4 5 6; do
|
||||||
if [[ -n "${cipher[i]}" ]]; then # cipher nicht leer
|
if [[ -n "${cipher[i]}" ]]; then # cipher not empty
|
||||||
if [[ -z "${cipher[i-1]}" ]]; then # der davor leer
|
if [[ -z "${cipher[i-1]}" ]]; then # previous one empty
|
||||||
outln
|
outln
|
||||||
printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # beides ausgeben
|
printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both
|
||||||
else # davor nihct leer
|
else # previous NOT empty
|
||||||
if [[ "${cipher[i-1]}" == "${cipher[i]}" ]]; then # und bei vorigem Protokoll selber cipher
|
if [[ "${cipher[i-1]}" == "${cipher[i]}" ]]; then # and previous protocol same cipher
|
||||||
out ", ${proto[i]}" # selber Cipher --> Nur Protokoll dahinter
|
out ", ${proto[i]}" # same cipher --> only print out protocol behind it
|
||||||
else
|
else
|
||||||
outln
|
outln
|
||||||
printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # beides ausgeben
|
printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -1274,14 +1281,19 @@ cipher_pref_check() {
|
|||||||
|
|
||||||
server_defaults() {
|
server_defaults() {
|
||||||
local proto
|
local proto
|
||||||
|
local gost_status_problem=false
|
||||||
local now difftime
|
local now difftime
|
||||||
local extensions local sessticket_str lifetime unit keysize algo
|
local extensions
|
||||||
|
local sessticket_str lifetime unit keysize algo
|
||||||
local expire ocsp_uri crl savedir startdate enddate issuer_c issuer_o issuer sans san cn cn_nosni
|
local expire ocsp_uri crl savedir startdate enddate issuer_c issuer_o issuer sans san cn cn_nosni
|
||||||
|
|
||||||
outln
|
outln
|
||||||
pr_blue "--> Testing server defaults (Server Hello)"; outln "\n"
|
pr_blue "--> Testing server defaults (Server Hello)"; outln "\n"
|
||||||
|
|
||||||
# first TLS time:
|
# first TLS time:
|
||||||
|
if [ -n "$STARTTLS" ] ; then
|
||||||
|
outln " TLS timestamp: (not yet implemented for STARTTLS) "
|
||||||
|
else
|
||||||
tls_sockets "03" "$TLS12_CIPHER"
|
tls_sockets "03" "$TLS12_CIPHER"
|
||||||
[ -z "$TLS_TIME" ] && tls_sockets "02" "$TLS_CIPHER"
|
[ -z "$TLS_TIME" ] && tls_sockets "02" "$TLS_CIPHER"
|
||||||
[ -z "$TLS_TIME" ] && tls_sockets "01" "$TLS_CIPHER"
|
[ -z "$TLS_TIME" ] && tls_sockets "01" "$TLS_CIPHER"
|
||||||
@ -1290,7 +1302,7 @@ server_defaults() {
|
|||||||
if [ -n "$TLS_TIME" ]; then
|
if [ -n "$TLS_TIME" ]; then
|
||||||
difftime=$(($TLS_NOW - $TLS_TIME))
|
difftime=$(($TLS_NOW - $TLS_TIME))
|
||||||
if [[ "${#difftime}" -gt 4 ]]; then
|
if [[ "${#difftime}" -gt 4 ]]; then
|
||||||
# openssl >= 1.0.1f doesn't have this field anymore
|
# openssl >= 1.0.1f fills this field with random values
|
||||||
out " TLS timestamp: random values, no fingerprinting possible "
|
out " TLS timestamp: random values, no fingerprinting possible "
|
||||||
else
|
else
|
||||||
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
||||||
@ -1301,10 +1313,14 @@ server_defaults() {
|
|||||||
else
|
else
|
||||||
out " TLS timestamp: "; pr_litemagentaln "SSLv3 through TLS 1.2 didn't return a timestamp"
|
out " TLS timestamp: "; pr_litemagentaln "SSLv3 through TLS 1.2 didn't return a timestamp"
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# HTTP date:
|
# HTTP date:
|
||||||
out " HTTP clock skew: "
|
out " HTTP clock skew: "
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO -ign_eof -connect $NODE:$PORT $SNI &>$TMPFILE
|
if [[ $SERVICE != "HTTP" ]] ; then
|
||||||
|
out "not tested as we're not tagetting HTTP"
|
||||||
|
else
|
||||||
|
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO -ign_eof -connect $NODEIP:$PORT $SNI &>$TMPFILE
|
||||||
now=$(date "+%s")
|
now=$(date "+%s")
|
||||||
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $TMPFILE)
|
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $TMPFILE)
|
||||||
if [ -n "$HTTP_TIME" ] ; then
|
if [ -n "$HTTP_TIME" ] ; then
|
||||||
@ -1319,20 +1335,28 @@ server_defaults() {
|
|||||||
out "Got no HTTP time, maybe try different URL?";
|
out "Got no HTTP time, maybe try different URL?";
|
||||||
fi
|
fi
|
||||||
debugme out "$HTTP_TIME"
|
debugme out "$HTTP_TIME"
|
||||||
|
fi
|
||||||
outln
|
outln
|
||||||
|
|
||||||
#TLS extensions follow now
|
#TLS extensions follow now
|
||||||
# throwing 1st every cipher/protocol at the server to know what works
|
# throwing 1st every cipher/protocol at the server to know what works
|
||||||
for proto in tls1_2 tls1_1 tls1; do
|
for proto in tls1_2 tls1_1 tls1 ssl3; do
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI -$proto -tlsextdebug -status </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI -$proto -tlsextdebug -status </dev/null 2>/dev/null >$TMPFILE
|
||||||
ret=$?
|
ret=$?
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI -$proto 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI -$proto 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT
|
||||||
[ $? -eq 0 ] && [ $ret -eq 0 ] && break
|
[ $? -eq 0 ] && [ $ret -eq 0 ] && break
|
||||||
ret=7
|
ret=7
|
||||||
done # this loop was need while testing a windows 2003 server
|
done # this loop is need for testing IIS/6
|
||||||
if [ $ret -eq 7 ]; then
|
if [ $ret -eq 7 ]; then
|
||||||
pr_magenta "$OPENSSL returned an error. This shouldn't happen. "
|
# "-status" kills GOST only servers, so we do another test without it and see whether that works then:
|
||||||
|
if ! $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI -$proto -tlsextdebug </dev/null 2>/dev/null >$TMPFILE; then
|
||||||
|
pr_magentaln "$OPENSSL returned an error around line $LINENO".
|
||||||
|
tmpfile_handle tlsextdebug+status.txt
|
||||||
|
return 7 # this is ugly, I know
|
||||||
else
|
else
|
||||||
|
gost_status_problem=true
|
||||||
|
fi
|
||||||
|
fi
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -$proto 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -$proto 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
||||||
out " TLS server extensions "
|
out " TLS server extensions "
|
||||||
extensions=$(grep -aw "^TLS server extension" $TMPFILE | sed -e 's/^TLS server extension \"//' -e 's/\".*$/,/g')
|
extensions=$(grep -aw "^TLS server extension" $TMPFILE | sed -e 's/^TLS server extension \"//' -e 's/\".*$/,/g')
|
||||||
@ -1387,7 +1411,7 @@ server_defaults() {
|
|||||||
|
|
||||||
cn_nosni=$($OPENSSL x509 -in $HOSTCERT.nosni -noout -subject | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//')
|
cn_nosni=$($OPENSSL x509 -in $HOSTCERT.nosni -noout -subject | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//')
|
||||||
[[ $DEBUG -ge 2 ]] && out "\'$NODE\' | \'$cn\' | \'$cn_nosni\'"
|
[[ $DEBUG -ge 2 ]] && out "\'$NODE\' | \'$cn\' | \'$cn_nosni\'"
|
||||||
if [[ $NODE == $CN_nosni ]]; then
|
if [[ $NODE == $cn_nosni ]]; then
|
||||||
if [[ $SERVICE != "HTTP" ]] ; then
|
if [[ $SERVICE != "HTTP" ]] ; then
|
||||||
outln " (matches certificate directly)"
|
outln " (matches certificate directly)"
|
||||||
else
|
else
|
||||||
@ -1482,6 +1506,10 @@ server_defaults() {
|
|||||||
else
|
else
|
||||||
if grep "OCSP Response Status" $TMPFILE | grep -q successful; then
|
if grep "OCSP Response Status" $TMPFILE | grep -q successful; then
|
||||||
pr_litegreen " OCSP stapling offered"
|
pr_litegreen " OCSP stapling offered"
|
||||||
|
else
|
||||||
|
if [ $gost_status_problem = "true" ]; then
|
||||||
|
outln " (GOST servers make problems here, sorry)"
|
||||||
|
ret=0
|
||||||
else
|
else
|
||||||
outln " not sure what's going on here, debug:"
|
outln " not sure what's going on here, debug:"
|
||||||
grep -A 20 "OCSP response" $TMPFILE
|
grep -A 20 "OCSP response" $TMPFILE
|
||||||
@ -1577,7 +1605,7 @@ pfs() {
|
|||||||
|
|
||||||
spdy_pre(){
|
spdy_pre(){
|
||||||
if [ ! -z "$STARTTLS" ]; then
|
if [ ! -z "$STARTTLS" ]; then
|
||||||
outln "(is a HTTP protocol thus not tested)"
|
out "\n (SPDY is a HTTP protocol and thus not tested here)"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
# first, does the current openssl support it?
|
# first, does the current openssl support it?
|
||||||
@ -1945,21 +1973,22 @@ tls_sockets() {
|
|||||||
local ret save
|
local ret save
|
||||||
local lines
|
local lines
|
||||||
local tls_low_byte
|
local tls_low_byte
|
||||||
|
local cipher_list_2send
|
||||||
|
|
||||||
tls_low_byte="$1"
|
tls_low_byte="$1"
|
||||||
if [ ! -z "$2" ] ; then # use std ciphers then
|
if [ -n "$2" ]; then # use supplied arg2 if there
|
||||||
TLS_CIPHER="$2"
|
cipher_list_2send="$2"
|
||||||
TLS12_CIPHER="$2"
|
else # otherwise use std ciphers then
|
||||||
|
if [ "$tls_low_byte" = "03" ]; then
|
||||||
|
cipher_list_2send="$TLS12_CIPHER"
|
||||||
|
else
|
||||||
|
cipher_list_2send="$TLS_CIPHER"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[[ "$DEBUG" -ge 2 ]] && echo "sending client hello..."
|
[[ "$DEBUG" -ge 2 ]] && echo "sending client hello..."
|
||||||
if [ "$tls_low_byte" = "03" ] ; then
|
socksend_tls_clienthello "$tls_low_byte" "$cipher_list_2send"
|
||||||
socksend_tls_clienthello "$tls_low_byte" "$TLS12_CIPHER"
|
|
||||||
ret=$? # 6 means opening socket didn't succeed, e.g. timeout
|
ret=$? # 6 means opening socket didn't succeed, e.g. timeout
|
||||||
else
|
|
||||||
socksend_tls_clienthello "$tls_low_byte" "$TLS_CIPHER"
|
|
||||||
ret=$? # 6 means opening socket didn't succeed, e.g. timeout
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
# if sending didn't succeed we don't bother
|
# if sending didn't succeed we don't bother
|
||||||
@ -2501,6 +2530,7 @@ beast(){
|
|||||||
local -i ret=0
|
local -i ret=0
|
||||||
local spaces=" "
|
local spaces=" "
|
||||||
local cr=$'\n'
|
local cr=$'\n'
|
||||||
|
local first=true
|
||||||
|
|
||||||
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for BEAST vulnerability" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for BEAST vulnerability" && outln "\n"
|
||||||
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
||||||
@ -2511,7 +2541,6 @@ beast(){
|
|||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
continue # protocol no supported, so we do not need to check each cipher with that protocol
|
continue # protocol no supported, so we do not need to check each cipher with that protocol
|
||||||
fi
|
fi
|
||||||
#FIXME: doesn't work on with openssl 0.98, we won't fix though
|
|
||||||
while read hexcode dash cbc_cipher sslvers kx auth enc mac export ; do
|
while read hexcode dash cbc_cipher sslvers kx auth enc mac export ; do
|
||||||
$OPENSSL s_client -cipher "$cbc_cipher" -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI >$TMPFILE 2>/dev/null </dev/null
|
$OPENSSL s_client -cipher "$cbc_cipher" -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI >$TMPFILE 2>/dev/null </dev/null
|
||||||
#normalize_ciphercode $hexcode
|
#normalize_ciphercode $hexcode
|
||||||
@ -2524,14 +2553,16 @@ beast(){
|
|||||||
|
|
||||||
#detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g')
|
#detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g')
|
||||||
if [ -z "$detected_cbc_cipher" ]; then
|
if [ -z "$detected_cbc_cipher" ]; then
|
||||||
[[ $proto == "tls1" ]] && printf "$spaces"
|
[[ $proto == "tls1" ]] && ! $first && printf "$spaces"
|
||||||
pr_litegreenln "no CBC ciphers for $(echo $proto | tr '[a-z]' '[A-Z]') (OK)"
|
pr_litegreenln "no CBC ciphers for $(echo $proto | tr '[a-z]' '[A-Z]') (OK)"
|
||||||
|
first=false
|
||||||
else
|
else
|
||||||
detected_cbc_cipher=$(echo "$detected_cbc_cipher" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
detected_cbc_cipher=$(echo "$detected_cbc_cipher" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
||||||
[ $ret -eq 1 ] && out "$spaces"
|
[ $ret -eq 1 ] && out "$spaces"
|
||||||
out "$(echo $proto | tr '[a-z]' '[A-Z]'):"; pr_brownln "$detected_cbc_cipher"
|
out "$(echo $proto | tr '[a-z]' '[A-Z]'):"; pr_brownln "$detected_cbc_cipher"
|
||||||
ret=1
|
ret=1
|
||||||
detected_cbc_cipher=""
|
detected_cbc_cipher=""
|
||||||
|
first=false
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -2670,7 +2701,7 @@ find_openssl_binary() {
|
|||||||
# http://www.openssl.org/news/openssl-notes.html
|
# http://www.openssl.org/news/openssl-notes.html
|
||||||
OSSL_VER=$($OPENSSL version | awk -F' ' '{ print $2 }')
|
OSSL_VER=$($OPENSSL version | awk -F' ' '{ print $2 }')
|
||||||
OSSL_VER_MAJOR=$(echo "$OSSL_VER" | sed 's/\..*$//')
|
OSSL_VER_MAJOR=$(echo "$OSSL_VER" | sed 's/\..*$//')
|
||||||
OSSL_VER_MINOR=$(echo "$OSSL_VER" | sed -e 's/^.\.//' | tr -d i'[a-zA-Z]')
|
OSSL_VER_MINOR=$(echo "$OSSL_VER" | sed -e 's/^.\.//' | tr -d '[a-zA-Z]')
|
||||||
OSSL_VER_APPENDIX=$(echo "$OSSL_VER" | tr -d '[0-9.]')
|
OSSL_VER_APPENDIX=$(echo "$OSSL_VER" | tr -d '[0-9.]')
|
||||||
OSSL_VER_PLATFORM=$($OPENSSL version -p | sed 's/^platform: //')
|
OSSL_VER_PLATFORM=$($OPENSSL version -p | sed 's/^platform: //')
|
||||||
OSSL_BUILD_DATE=$($OPENSSL version -a | grep '^built' | sed -e 's/built on//' -e 's/: ... //' -e 's/: //' -e 's/ UTC//' -e 's/ +0000//' -e 's/.000000000//')
|
OSSL_BUILD_DATE=$($OPENSSL version -a | grep '^built' | sed -e 's/built on//' -e 's/: ... //' -e 's/: //' -e 's/ UTC//' -e 's/ +0000//' -e 's/.000000000//')
|
||||||
@ -2687,7 +2718,7 @@ openssl_age() {
|
|||||||
0.9.8)
|
0.9.8)
|
||||||
case $OSSL_VER_APPENDIX in
|
case $OSSL_VER_APPENDIX in
|
||||||
a|b|c|d|e) old_fart;; # no SNI!
|
a|b|c|d|e) old_fart;; # no SNI!
|
||||||
# other than that we leave this for MacOSX and FREEBSD but it's a pain and likely gives false negatives/positives
|
# other than that we leave this for MacOSX and FreeBSD but it's a pain and likely gives false negatives/positives
|
||||||
esac
|
esac
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -2707,18 +2738,17 @@ openssl_age() {
|
|||||||
|
|
||||||
|
|
||||||
help() {
|
help() {
|
||||||
PRG=$(basename "$0")
|
|
||||||
cat << EOF
|
cat << EOF
|
||||||
|
|
||||||
$PRG <options>
|
$PROG_NAME <options>
|
||||||
|
|
||||||
<-h|--help> what you're looking at
|
<-h|--help> what you're looking at
|
||||||
<-b|--banner> displays banner + version of $PRG
|
<-b|--banner> displays banner + version of $PROG_NAME
|
||||||
<-v|--version> same as previous
|
<-v|--version> same as previous
|
||||||
<-V|--local> pretty print all local ciphers
|
<-V|--local> pretty print all local ciphers
|
||||||
<-V|--local> <pattern> what local cipher with <pattern> is a/v?
|
<-V|--local> <pattern> what local cipher with <pattern> is a/v?
|
||||||
|
|
||||||
$PRG <options> URI ("$PRG URI" does everything except ciphers per proto)
|
$PROG_NAME <options> URI ("$PROG_NAME URI" does everything except ciphers per proto/each cipher)
|
||||||
|
|
||||||
<-e|--each-cipher> checks each local cipher remotely
|
<-e|--each-cipher> checks each local cipher remotely
|
||||||
<-E|--cipher-per-proto> checks those per protocol
|
<-E|--cipher-per-proto> checks those per protocol
|
||||||
@ -2739,10 +2769,12 @@ $PRG <options> URI ("$PRG URI" does everything except ciphers per proto)
|
|||||||
<-A|--beast> tests BEAST vulnerability
|
<-A|--beast> tests BEAST vulnerability
|
||||||
<-s|--pfs|--fs|--nsa> checks (perfect) forward secrecy settings
|
<-s|--pfs|--fs|--nsa> checks (perfect) forward secrecy settings
|
||||||
<-4|--rc4|--appelbaum> which RC4 ciphers are being offered?
|
<-4|--rc4|--appelbaum> which RC4 ciphers are being offered?
|
||||||
<-H|--header|--headers> checks HSTS, HPKP and server/application banner string
|
<-H|--header|--headers> tests HSTS, HPKP, server/app banner, security headers, cookie
|
||||||
|
|
||||||
|
special invocations:
|
||||||
|
|
||||||
<-t|--starttls> protocol does a default run against a STARTTLS enabled service
|
<-t|--starttls> protocol does a default run against a STARTTLS enabled service
|
||||||
<--mx> tests MX records from high to low priority (STARTTLS, port 25)
|
<--mx> domain/host tests MX records from high to low priority (STARTTLS, port 25)
|
||||||
|
|
||||||
|
|
||||||
partly mandatory parameters:
|
partly mandatory parameters:
|
||||||
@ -2764,7 +2796,7 @@ tuning options:
|
|||||||
|
|
||||||
Need HTML output? Just pipe through "aha" (Ansi HTML Adapter: github.com/theZiz/aha) like
|
Need HTML output? Just pipe through "aha" (Ansi HTML Adapter: github.com/theZiz/aha) like
|
||||||
|
|
||||||
"$PRG <options> <URI> | aha >output.html"
|
"$PROG_NAME <options> <URI> | aha >output.html"
|
||||||
EOF
|
EOF
|
||||||
exit $1
|
exit $1
|
||||||
}
|
}
|
||||||
@ -2805,7 +2837,7 @@ outln " Using \"$osslver\" [~$nr_ciphers ciphers] on
|
|||||||
maketempf() {
|
maketempf() {
|
||||||
TEMPDIR=$(mktemp -d /tmp/ssltester.XXXXXX) || exit 6
|
TEMPDIR=$(mktemp -d /tmp/ssltester.XXXXXX) || exit 6
|
||||||
TMPFILE=$TEMPDIR/tempfile.txt || exit 6
|
TMPFILE=$TEMPDIR/tempfile.txt || exit 6
|
||||||
HOSTCERT=$TEMPDIR/host_cerificate.txt
|
HOSTCERT=$TEMPDIR/host_certificate.txt
|
||||||
HEADERFILE=$TEMPDIR/http_header.txt
|
HEADERFILE=$TEMPDIR/http_header.txt
|
||||||
HEADERFILE_BREACH=$TEMPDIR/http_header_breach.txt
|
HEADERFILE_BREACH=$TEMPDIR/http_header_breach.txt
|
||||||
LOGFILE=$TEMPDIR/logfile.txt
|
LOGFILE=$TEMPDIR/logfile.txt
|
||||||
@ -2824,6 +2856,8 @@ built: "$OSSL_BUILD_DATE", platform: "$OSSL_VER_PLATFORM"
|
|||||||
$idtag
|
$idtag
|
||||||
|
|
||||||
PATH: $PATH
|
PATH: $PATH
|
||||||
|
PROG_NAME: $PROG_NAME
|
||||||
|
PROG_DIR: $PROG_DIR
|
||||||
RUN_DIR: $RUN_DIR
|
RUN_DIR: $RUN_DIR
|
||||||
|
|
||||||
CAPATH: $CAPATH
|
CAPATH: $CAPATH
|
||||||
@ -2977,13 +3011,13 @@ parse_hn_port() {
|
|||||||
# determine protocol which works (needed for IIS6). If we don't have IIS6, 1st try will succeed --> better because we use the variable
|
# determine protocol which works (needed for IIS6). If we don't have IIS6, 1st try will succeed --> better because we use the variable
|
||||||
# all over the place. Stupid thing that we need to do that stuff for IIS<=6
|
# all over the place. Stupid thing that we need to do that stuff for IIS<=6
|
||||||
for OPTIMAL_PROTO in "" "-tls1_2" "-tls1" "-ssl3" "-tls1_1" "-ssl2" ""; do
|
for OPTIMAL_PROTO in "" "-tls1_2" "-tls1" "-ssl3" "-tls1_1" "-ssl2" ""; do
|
||||||
$OPENSSL s_client $OPTIMAL_PROTO -connect "$NODE:$PORT" $SNI </dev/null &>/dev/null && all_failed=1 && break
|
$OPENSSL s_client $OPTIMAL_PROTO -connect "$NODEIP:$PORT" $SNI </dev/null &>/dev/null && all_failed=1 && break
|
||||||
all_failed=0
|
all_failed=0
|
||||||
done
|
done
|
||||||
debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
|
debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
|
||||||
if [ $all_failed -eq 0 ]; then
|
if [ $all_failed -eq 0 ]; then
|
||||||
outln
|
outln
|
||||||
pr_boldln " $NODE:$PORT doesn't seem a TLS/SSL enabled server or it requires a certificate";
|
pr_boldln " $NODEIP:$PORT doesn't seem a TLS/SSL enabled server or it requires a certificate";
|
||||||
ignore_no_or_lame " Note that the results might look ok but they are nonsense. Proceed ? "
|
ignore_no_or_lame " Note that the results might look ok but they are nonsense. Proceed ? "
|
||||||
[ $? -ne 0 ] && exit 3
|
[ $? -ne 0 ] && exit 3
|
||||||
fi
|
fi
|
||||||
@ -3006,7 +3040,8 @@ parse_hn_port() {
|
|||||||
debugme cat $TMPFILE
|
debugme cat $TMPFILE
|
||||||
exit 3
|
exit 3
|
||||||
fi
|
fi
|
||||||
outln " Service set: STARTTLS via " $(echo $protocol| tr '[a-z]' '[A-Z]')
|
out " Service set: STARTTLS via "
|
||||||
|
echo $protocol | tr '[a-z]' '[A-Z]'
|
||||||
;;
|
;;
|
||||||
*) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2
|
*) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2
|
||||||
exit 1
|
exit 1
|
||||||
@ -3106,10 +3141,10 @@ mx_allentries() {
|
|||||||
local mxs mx
|
local mxs mx
|
||||||
local mxport
|
local mxport
|
||||||
|
|
||||||
if which dig &> /dev/null; then
|
if which host &> /dev/null; then
|
||||||
mxs=$(dig +short -t MX "$1")
|
|
||||||
elif which host &> /dev/null; then
|
|
||||||
mxs=$(host -t MX "$1" | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//')
|
mxs=$(host -t MX "$1" | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//')
|
||||||
|
elif which dig &> /dev/null; then
|
||||||
|
mxs=$(dig +short -t MX "$1")
|
||||||
elif which nslookup &> /dev/null; then
|
elif which nslookup &> /dev/null; then
|
||||||
mxs=$(nslookup -type=MX "$1" 2> /dev/null | grep 'mail exchanger = ' | sed 's/^.*mail exchanger = //g')
|
mxs=$(nslookup -type=MX "$1" 2> /dev/null | grep 'mail exchanger = ' | sed 's/^.*mail exchanger = //g')
|
||||||
else
|
else
|
||||||
@ -3410,12 +3445,11 @@ lets_roll() {
|
|||||||
find_openssl_binary
|
find_openssl_binary
|
||||||
mybanner
|
mybanner
|
||||||
|
|
||||||
PATH_TO_TESTSSL=$(readlink "$BASH_SOURCE") 2>/dev/null
|
[ -z "$PROG_DIR" ] && PROG_DIR="."
|
||||||
[ -z "$PATH_TO_TESTSSL" ] && PATH_TO_TESTSSL="."
|
|
||||||
|
|
||||||
# mapping file provides a pair "keycode/ RFC style name", see the RFCs, cipher(1) and
|
# mapping file provides a pair "keycode/ RFC style name", see the RFCs, cipher(1) and
|
||||||
# www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_simple_table_all.htm
|
# www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_simple_table_all.htm
|
||||||
[ -r "$(dirname $PATH_TO_TESTSSL)/mapping-rfc.txt" ] && MAP_RFC_FNAME=$(dirname $PATH_TO_TESTSSL)"/mapping-rfc.txt"
|
[ -r "$(dirname $PROG_DIR)/mapping-rfc.txt" ] && MAP_RFC_FNAME=$(dirname $PROG_DIR)"/mapping-rfc.txt"
|
||||||
|
|
||||||
initialize_globals
|
initialize_globals
|
||||||
|
|
||||||
@ -3438,6 +3472,6 @@ fi
|
|||||||
|
|
||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.248 2015/05/12 11:37:38 dirkw Exp $
|
# $Id: testssl.sh,v 1.249 2015/05/15 19:32:10 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
||||||
|
Loading…
Reference in New Issue
Block a user