mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-20 23:49:30 +01:00
- FIX #283 (regression from 1a8ed3d70a
)
- minor output fixes for BEAST - >4096 bit RSA keys labled in litemangenta now as it could have compatibility probs - -V 0x.. or -V 0X.. gives at least a warning
This commit is contained in:
parent
b8f2540541
commit
70cd658447
57
testssl.sh
57
testssl.sh
@ -1284,8 +1284,13 @@ prettyprint_local() {
|
|||||||
local hexcode dash ciph sslvers kx auth enc mac export
|
local hexcode dash ciph sslvers kx auth enc mac export
|
||||||
local re='^[0-9A-Fa-f]+$'
|
local re='^[0-9A-Fa-f]+$'
|
||||||
|
|
||||||
|
if [[ "$1" == 0x* ]] || [[ "$1" == 0X* ]]; then
|
||||||
|
fatal "pls supply x<number> instead" 2
|
||||||
|
fi
|
||||||
|
|
||||||
pr_headline " Displaying all local ciphers ";
|
pr_headline " Displaying all local ciphers ";
|
||||||
if [[ -n "$1" ]]; then
|
if [[ -n "$1" ]]; then
|
||||||
|
# pattern provided; which one?
|
||||||
[[ $1 =~ $re ]] && \
|
[[ $1 =~ $re ]] && \
|
||||||
pr_headline "matching number pattern \"$1\" " || \
|
pr_headline "matching number pattern \"$1\" " || \
|
||||||
pr_headline "matching word pattern "\"$1\"" (ignore case) "
|
pr_headline "matching word pattern "\"$1\"" (ignore case) "
|
||||||
@ -2973,24 +2978,27 @@ certificate_info() {
|
|||||||
elif [[ $sig_algo = *RSA* ]]; then
|
elif [[ $sig_algo = *RSA* ]]; then
|
||||||
if [[ "$keysize" -le 512 ]]; then
|
if [[ "$keysize" -le 512 ]]; then
|
||||||
pr_red "$keysize"
|
pr_red "$keysize"
|
||||||
|
outln " bits"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 768 ]]; then
|
elif [[ "$keysize" -le 768 ]]; then
|
||||||
pr_litered "$keysize"
|
pr_litered "$keysize"
|
||||||
|
outln " bits"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 1024 ]]; then
|
elif [[ "$keysize" -le 1024 ]]; then
|
||||||
pr_brown "$keysize"
|
pr_brown "$keysize"
|
||||||
|
outln " bits"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 2048 ]]; then
|
elif [[ "$keysize" -le 2048 ]]; then
|
||||||
out "$keysize"
|
outln "$keysize bits"
|
||||||
fileout "$heading key_size" "INFO" "Server keys $keysize bits"
|
fileout "$heading key_size" "INFO" "Server keys $keysize bits"
|
||||||
elif [[ "$keysize" -le 4096 ]]; then
|
elif [[ "$keysize" -le 4096 ]]; then
|
||||||
pr_litegreen "$keysize"
|
pr_litegreen "$keysize"
|
||||||
fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)"
|
fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)"
|
||||||
|
outln " bits"
|
||||||
else
|
else
|
||||||
out "weird keysize: $keysize (compatibility problems)"
|
pr_magenta "weird keysize: $keysize bits"; outln " (could cause compatibility problems)"
|
||||||
fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)"
|
fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)"
|
||||||
fi
|
fi
|
||||||
outln " bit"
|
|
||||||
else
|
else
|
||||||
out "$keysize bits ("
|
out "$keysize bits ("
|
||||||
pr_litemagenta "can't tell whether $keysize bits is good or not"
|
pr_litemagenta "can't tell whether $keysize bits is good or not"
|
||||||
@ -4650,7 +4658,7 @@ run_breach() {
|
|||||||
local url
|
local url
|
||||||
local spaces=" "
|
local spaces=" "
|
||||||
local disclaimer=""
|
local disclaimer=""
|
||||||
local when_makesense="Can be ignored for static pages or if no secrets in the page"
|
local when_makesense=" Can be ignored for static pages or if no secrets in the page"
|
||||||
|
|
||||||
[[ $SERVICE != "HTTP" ]] && return 7
|
[[ $SERVICE != "HTTP" ]] && return 7
|
||||||
|
|
||||||
@ -4923,7 +4931,6 @@ run_beast(){
|
|||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
||||||
"$WIDE" && outln
|
|
||||||
# output in wide mode if cipher doesn't exist is not ok
|
# output in wide mode if cipher doesn't exist is not ok
|
||||||
|
|
||||||
>$ERRFILE
|
>$ERRFILE
|
||||||
@ -4938,24 +4945,26 @@ run_beast(){
|
|||||||
|
|
||||||
for proto in ssl3 tls1; do
|
for proto in ssl3 tls1; do
|
||||||
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
|
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
|
||||||
if "$continued"; then # second round: we hit TLS1:
|
if "$continued"; then # second round: we hit TLS1
|
||||||
pr_litegreenln "no SSL3 or TLS1"
|
pr_litegreenln "no SSL3 or TLS1 (OK)"
|
||||||
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
|
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
|
||||||
return 0
|
return 0
|
||||||
else # protocol not succeeded but it's the first time
|
else # protocol not succeeded but it's the first time
|
||||||
continued=true
|
continued=true
|
||||||
continue # protocol not supported, so we do not need to check each cipher with that protocol
|
continue # protocol not supported, so we do not need to check each cipher with that protocol
|
||||||
|
"$WIDE" && outln
|
||||||
fi
|
fi
|
||||||
fi # protocol succeeded
|
fi # protocol succeeded
|
||||||
|
|
||||||
|
|
||||||
# now we test in one shot with the precompiled ciphers
|
# now we test in one shot with the precompiled ciphers
|
||||||
$OPENSSL s_client -"$proto" -cipher "$cbc_cipher_list" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
$OPENSSL s_client -"$proto" -cipher "$cbc_cipher_list" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE || continue
|
sclient_connect_successful $? $TMPFILE || continue
|
||||||
|
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln "\n $(toupper $proto):";
|
outln "\n $(toupper $proto):";
|
||||||
neat_header # NOT_THAT_NICE: we display the header also if in the end no cbc cipher is available on the client side
|
neat_header # NOT_THAT_NICE: we display the header also if in the end no cbc cipher is available on the client side
|
||||||
fi
|
fi
|
||||||
for ciph in $(colon_to_spaces "$cbc_cipher_list"); do
|
for ciph in $(colon_to_spaces "$cbc_cipher_list"); do
|
||||||
read hexcode dash cbc_cipher sslvers kx auth enc mac < <($OPENSSL ciphers -V "$ciph" 2>>$ERRFILE) # -V doesn't work with openssl < 1.0
|
read hexcode dash cbc_cipher sslvers kx auth enc mac < <($OPENSSL ciphers -V "$ciph" 2>>$ERRFILE) # -V doesn't work with openssl < 1.0
|
||||||
@ -4987,25 +4996,27 @@ run_beast(){
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [[ -n "$detected_cbc_ciphers" ]]; then
|
if ! "$WIDE"; then
|
||||||
fileout "cbc_$proto" "NOT OK" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
|
if [[ -n "$detected_cbc_ciphers" ]]; then
|
||||||
if ! "$WIDE"; then
|
|
||||||
detected_cbc_ciphers=$(echo "$detected_cbc_ciphers" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
detected_cbc_ciphers=$(echo "$detected_cbc_ciphers" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
||||||
|
fileout "cbc_$proto" "NOT OK" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
|
||||||
! "$first" && out "$spaces"
|
! "$first" && out "$spaces"
|
||||||
out "$(toupper $proto):"
|
out "$(toupper $proto):"
|
||||||
[[ -n "$higher_proto_supported" ]] && \
|
[[ -n "$higher_proto_supported" ]] && \
|
||||||
pr_yellowln "$detected_cbc_ciphers" || \
|
pr_yellowln "$detected_cbc_ciphers" || \
|
||||||
pr_brownln "$detected_cbc_ciphers"
|
pr_brownln "$detected_cbc_ciphers"
|
||||||
detected_cbc_ciphers="" # empty for next round
|
detected_cbc_ciphers="" # empty for next round
|
||||||
|
first=false
|
||||||
|
else
|
||||||
|
[[ $proto == "tls1" ]] && ! $first && echo -n "$spaces "
|
||||||
|
pr_litegreenln "no CBC ciphers for $(toupper $proto) (OK)"
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
fileout "cbc_$proto" "OK" "BEAST (CVE-2011-3389) : No CBC ciphers for $(toupper $proto) (OK)"
|
if ! "$vuln_beast" ; then
|
||||||
if ! "$WIDE"; then
|
pr_litegreenln " no CBC ciphers for $(toupper $proto) (OK)"
|
||||||
[[ $proto == "tls1" ]] && ! $first && echo -n "$spaces "
|
fileout "cbc_$proto" "OK" "BEAST (CVE-2011-3389) : No CBC ciphers for $(toupper $proto) (OK)"
|
||||||
first=false
|
|
||||||
fi
|
fi
|
||||||
pr_litegreenln "no CBC ciphers for $(toupper $proto) (OK)"
|
|
||||||
fi
|
fi
|
||||||
done # for proto in ssl3 tls1
|
done # for proto in ssl3 tls1
|
||||||
|
|
||||||
@ -5013,11 +5024,11 @@ run_beast(){
|
|||||||
if [[ -n "$higher_proto_supported" ]]; then
|
if [[ -n "$higher_proto_supported" ]]; then
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln
|
outln
|
||||||
# BOT ok seems too harsh for me if we have TLS >1.0
|
# NOT ok seems too harsh for me if we have TLS >1.0
|
||||||
pr_yellow "VULNERABLE"
|
pr_yellow "VULNERABLE"
|
||||||
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
else
|
else
|
||||||
out "${spaces}"
|
out "$spaces"
|
||||||
pr_yellow "VULNERABLE"
|
pr_yellow "VULNERABLE"
|
||||||
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
fi
|
fi
|
||||||
@ -5026,14 +5037,14 @@ run_beast(){
|
|||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln
|
outln
|
||||||
else
|
else
|
||||||
out "${spaces}"
|
out "$spaces"
|
||||||
fi
|
fi
|
||||||
pr_brown "VULNERABLE (NOT ok)"
|
pr_brown "VULNERABLE (NOT ok)"
|
||||||
outln " -- and no higher protocols as mitigation supported"
|
outln " -- and no higher protocols as mitigation supported"
|
||||||
fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
|
fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
$first && pr_litegreenln "no CBC ciphers found for any protocol (OK)"
|
"$first" && ! "$vuln_beast" && pr_litegreenln "no CBC ciphers found for any protocol (OK)"
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return 0
|
return 0
|
||||||
@ -6744,4 +6755,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.462 2016/02/06 21:31:31 dirkw Exp $
|
# $Id: testssl.sh,v 1.464 2016/02/07 18:13:58 dirkw Exp $
|
||||||
|
Loading…
Reference in New Issue
Block a user