Catch MySQL (yaSSL) server bug when testing standard cipher categories
Unfortunately, most categories were passing incorrectly, since a tls_socket() error was interpreted as a success for many of the cases. Now we explicitly check for the known yaSSL failure and raise a warning that the test is inconclusive. New output against --starttls=mysql looks like: Testing ~standard cipher categories ----------------------------------- NULL ciphers (no encryption) SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug. Anonymous NULL Ciphers (no authentication) SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug. Export ciphers (w/o ADH+NULL) SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug. LOW: 64 Bit + DES encryption (w/o export) offered (NOT ok) Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug. Triple DES Ciphers (Medium) offered High encryption (AES+Camellia, no AEAD) offered (OK) Strong encryption (AEAD ciphers) SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug. Partial workaround for #793
parent
ad1dd01466
commit
72851c7e3f
117
testssl.sh
117
testssl.sh
@ -2294,59 +2294,72 @@ std_cipherlists() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
case $3 in
|
if [[ $sclient_success -ne 0 ]] && $BAD_SERVER_HELLO_CIPHER; then
|
||||||
2) if [[ $sclient_success -eq 0 ]]; then
|
# If server failed with a known error, raise it to the user.
|
||||||
# Strong is excellent to offer
|
if [[ $STARTTLS_PROTOCOL == "mysql" ]]; then
|
||||||
pr_done_best "offered (OK)"
|
pr_warning "SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug."
|
||||||
fileout "std_$4" "OK" "$2 offered"
|
fileout "std_$4" "WARN" "SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug."
|
||||||
else
|
else
|
||||||
pr_svrty_medium "not offered"
|
pr_warning "SERVER_ERROR: test inconclusive."
|
||||||
fileout "std_$4" "MEDIUM" "$2 not offered"
|
fileout "std_$4" "WARN" "SERVER_ERROR: test inconclusive."
|
||||||
fi
|
fi
|
||||||
;;
|
else
|
||||||
|
# Otherwise the error means the server doesn't support that cipher list.
|
||||||
|
case $3 in
|
||||||
|
2) if [[ $sclient_success -eq 0 ]]; then
|
||||||
|
# Strong is excellent to offer
|
||||||
|
pr_done_best "offered (OK)"
|
||||||
|
fileout "std_$4" "OK" "$2 offered"
|
||||||
|
else
|
||||||
|
pr_svrty_medium "not offered"
|
||||||
|
fileout "std_$4" "MEDIUM" "$2 not offered"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
|
||||||
1) if [[ $sclient_success -eq 0 ]]; then
|
1) if [[ $sclient_success -eq 0 ]]; then
|
||||||
# High is good to offer
|
# High is good to offer
|
||||||
pr_done_good "offered (OK)"
|
pr_done_good "offered (OK)"
|
||||||
fileout "std_$4" "OK" "$2 offered"
|
fileout "std_$4" "OK" "$2 offered"
|
||||||
else
|
else
|
||||||
# FIXME: the rating could be readjusted if we knew the result of STRONG before
|
# FIXME: the rating could be readjusted if we knew the result of STRONG before
|
||||||
pr_svrty_medium "not offered"
|
pr_svrty_medium "not offered"
|
||||||
fileout "std_$4" "MEDIUM" "$2 not offered"
|
fileout "std_$4" "MEDIUM" "$2 not offered"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
0) if [[ $sclient_success -eq 0 ]]; then
|
0) if [[ $sclient_success -eq 0 ]]; then
|
||||||
# medium is not that bad
|
# medium is not that bad
|
||||||
pr_svrty_medium "offered"
|
pr_svrty_medium "offered"
|
||||||
fileout "std_$4" "MEDIUM" "$2 offered - not too bad"
|
fileout "std_$4" "MEDIUM" "$2 offered - not too bad"
|
||||||
else
|
else
|
||||||
out "not offered (OK)"
|
out "not offered (OK)"
|
||||||
fileout "std_$4" "OK" "$2 not offered"
|
fileout "std_$4" "OK" "$2 not offered"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
-1) if [[ $sclient_success -eq 0 ]]; then
|
-1) if [[ $sclient_success -eq 0 ]]; then
|
||||||
# bad but there is worse
|
# bad but there is worse
|
||||||
pr_svrty_high "offered (NOT ok)"
|
pr_svrty_high "offered (NOT ok)"
|
||||||
fileout "std_$4" "HIGH" "$2 offered - bad"
|
fileout "std_$4" "HIGH" "$2 offered - bad"
|
||||||
else
|
else
|
||||||
pr_done_good "not offered (OK)"
|
# need a check for -eq 1 here
|
||||||
fileout "std_$4" "OK" "$2 not offered"
|
pr_done_good "not offered (OK)"
|
||||||
fi
|
fileout "std_$4" "OK" "$2 not offered"
|
||||||
;;
|
fi
|
||||||
-2) if [[ $sclient_success -eq 0 ]]; then
|
;;
|
||||||
# the ugly ones
|
-2) if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_svrty_critical "offered (NOT ok)"
|
# the ugly ones
|
||||||
fileout "std_$4" "CRITICAL" "$2 offered - ugly"
|
pr_svrty_critical "offered (NOT ok)"
|
||||||
else
|
fileout "std_$4" "CRITICAL" "$2 offered - ugly"
|
||||||
pr_done_best "not offered (OK)"
|
else
|
||||||
fileout "std_$4" "OK" "$2 not offered"
|
pr_done_best "not offered (OK)"
|
||||||
fi
|
fileout "std_$4" "OK" "$2 not offered"
|
||||||
;;
|
fi
|
||||||
*) # we shouldn't reach this
|
;;
|
||||||
pr_warning "?: $3 (please report this)"
|
*) # we shouldn't reach this
|
||||||
fileout "std_$4" "WARN" "return condition $3 unclear"
|
pr_warning "?: $3 (please report this)"
|
||||||
;;
|
fileout "std_$4" "WARN" "return condition $3 unclear"
|
||||||
esac
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
tmpfile_handle $FUNCNAME.$debugname.txt
|
tmpfile_handle $FUNCNAME.$debugname.txt
|
||||||
[[ $DEBUG -ge 1 ]] && tm_out " -- $1"
|
[[ $DEBUG -ge 1 ]] && tm_out " -- $1"
|
||||||
outln
|
outln
|
||||||
|
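Review bot: The new guard `if [[ $sclient_success -ne 0 ]] && $BAD_SERVER_HELLO_CIPHER; then` evaluates the variable as a bare command, so if BAD_SERVER_HELLO_CIPHER is ever unset or empty in this code path (not visible in the hunk), the empty command succeeds and every handshake failure would be reported as SERVER_ERROR rather than as the cipher list being unsupported; testing the value instead, `if [[ $sclient_success -ne 0 ]] && [[ "$BAD_SERVER_HELLO_CIPHER" == true ]]; then`, makes the unset case read as false. The `-1)` branch also leaves the comment `# need a check for -eq 1 here` above `pr_done_good "not offered (OK)"` without any such check, so a non-zero, non-1 status that is not the known yaSSL failure is still reported as "not offered (OK)"; either add the check or reword it as an explicit TODO naming the expected return value. The enclosing std_cipherlists() begins before the hunk, so where BAD_SERVER_HELLO_CIPHER is set cannot be confirmed from here.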