FIX #648 (retrieve cipher and protocol from ServerHello) --> saves ~1 second and makes code better to read

other readabilty improvements
This commit is contained in:
Dirk 2017-03-18 22:24:35 +01:00
parent 8be47e484b
commit 73a094fcc7

View File

@ -818,37 +818,17 @@ fileout_json_footer() {
fileout_json_section() { fileout_json_section() {
case $1 in case $1 in
1) 1) echo -e " \"protocols\" : [" ;;
echo -e " \"protocols\" : [" 2) echo -e ",\n \"ciphers\" : [" ;;
;; 3) echo -e ",\n \"pfs\" : [" ;;
2) 4) echo -e ",\n \"serverPreferences\" : [" ;;
echo -e ",\n \"ciphers\" : [" 5) echo -e ",\n \"serverDefaults\" : [" ;;
;; 6) echo -e ",\n \"headerResponse\" : [" ;;
3) 7) echo -e ",\n \"vulnerabilities\" : [" ;;
echo -e ",\n \"pfs\" : [" 8) echo -e ",\n \"cipherTests\" : [" ;;
;; 9) echo -e ",\n \"browserSimulations\": [" ;;
4) *) echo "invalid section" ;;
echo -e ",\n \"serverPreferences\" : [" esac
;;
5)
echo -e ",\n \"serverDefaults\" : ["
;;
6)
echo -e ",\n \"headerResponse\" : ["
;;
7)
echo -e ",\n \"vulnerabilities\" : ["
;;
8)
echo -e ",\n \"cipherTests\" : ["
;;
9)
echo -e ",\n \"browserSimulations\": ["
;;
*)
echo "invalid section"
;;
esac
} }
fileout_section_header(){ fileout_section_header(){
@ -923,9 +903,8 @@ is_json_format() {
( [[ -f "$JSONFILE" ]] && ("$do_json" || "$do_pretty_json") ) ( [[ -f "$JSONFILE" ]] && ("$do_json" || "$do_pretty_json") )
} }
################# JSON FILE FORMATING END ####################
##################### FILE FORMATING ######################### ##################### FILE FORMATING #########################
fileout_header() { fileout_header() {
if "$APPEND"; then if "$APPEND"; then
if [[ -f "$JSONFILE" ]]; then if [[ -f "$JSONFILE" ]]; then
@ -969,7 +948,8 @@ fileout() { # ID, SEVERITY, FINDING, CVE, CWE, HINT
"$FIRST_FINDING" && FIRST_FINDING=false "$FIRST_FINDING" && FIRST_FINDING=false
fi fi
} }
################### FILE FORMATING END #########################
################# JSON FILE FORMATING END. HTML START ####################
html_header() { html_header() {
local fname_prefix local fname_prefix
@ -1034,6 +1014,10 @@ html_footer() {
return 0 return 0
} }
################# HTML FILE FORMATING END ####################
################### FILE FORMATING END #########################
###### helper function definitions ###### ###### helper function definitions ######
if [[ $(uname) == "Linux" ]] ; then if [[ $(uname) == "Linux" ]] ; then
@ -1115,8 +1099,7 @@ out_row_aligned() {
} }
# prints text over multiple lines, trying to make no line longer than $max_width. # prints text over multiple lines, trying to make no line longer than $max_width.
# Each line is indented with $spaces and each word in $text is printed using # Each line is indented with $spaces and each word in $text is printed using $print_function.
# $print_function.
out_row_aligned_max_width() { out_row_aligned_max_width() {
local text="$1" local text="$1"
local spaces="$2" local spaces="$2"
@ -1173,6 +1156,17 @@ out_row_aligned_max_width() {
return 0 return 0
} }
# retrieve cipher from ServerHello (via openssl)
get_cipher() {
awk '/Cipher *:/ { print $3 }' "$1"
#awk '/\<Cipher\>/ && !/Cipher is/ && !/^New/ { print $3 }' "$1"
}
# retrieve protocol from ServerHello (via openssl)
get_protocol() {
awk '/Protocol *:/ { print $3 }' "$1"
}
is_number() { is_number() {
[[ "$1" =~ ^[1-9][0-9]*$ ]] && \ [[ "$1" =~ ^[1-9][0-9]*$ ]] && \
return 0 || \ return 0 || \
@ -1354,11 +1348,13 @@ service_detection() {
HTTP) HTTP)
out " $SERVICE" out " $SERVICE"
fileout "service" "INFO" "Service detected: $SERVICE" fileout "service" "INFO" "Service detected: $SERVICE"
ret=0 ;; ret=0
;;
IMAP|POP|SMTP|NNTP) IMAP|POP|SMTP|NNTP)
out " $SERVICE, thus skipping HTTP specific checks" out " $SERVICE, thus skipping HTTP specific checks"
fileout "service" "INFO" "Service detected: $SERVICE, thus skipping HTTP specific checks" fileout "service" "INFO" "Service detected: $SERVICE, thus skipping HTTP specific checks"
ret=0 ;; ret=0
;;
*) if $CLIENT_AUTH; then *) if $CLIENT_AUTH; then
out "certificate based authentication => skipping all HTTP checks" out "certificate based authentication => skipping all HTTP checks"
echo "certificate based authentication => skipping all HTTP checks" >$TMPFILE echo "certificate based authentication => skipping all HTTP checks" >$TMPFILE
@ -3576,9 +3572,9 @@ run_client_simulation() {
outln outln
if "$using_sockets"; then if "$using_sockets"; then
pr_headlineln " Running browser simulations via sockets (experimental) " pr_headlineln " Running browser simulations via sockets "
else else
pr_headline " Running browser simulations via openssl (experimental) " pr_headline " Running browser simulations via openssl "
fi fi
outln outln
@ -3619,9 +3615,10 @@ run_client_simulation() {
outln "No connection" outln "No connection"
fileout "client_${short[i]}" "INFO" "$(strip_spaces "${names[i]}") client simulation: No connection" fileout "client_${short[i]}" "INFO" "$(strip_spaces "${names[i]}") client simulation: No connection"
else else
#FIXME: awk proto=$(get_protocol $TMPFILE)
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') # hack:
[[ "$proto" == TLSv1 ]] && proto="TLSv1.0" [[ "$proto" == TLSv1 ]] && proto="TLSv1.0"
[[ "$proto" == SSLv3 ]] && proto="SSLv3 "
if [[ "$proto" == TLSv1.2 ]] && ( ! "$using_sockets" || [[ -z "${handshakebytes[i]}" ]] ); then if [[ "$proto" == TLSv1.2 ]] && ( ! "$using_sockets" || [[ -z "${handshakebytes[i]}" ]] ); then
# OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is... # OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
for tls in ${tlsvers[i]}; do for tls in ${tlsvers[i]}; do
@ -3646,14 +3643,13 @@ run_client_simulation() {
fi fi
done done
fi fi
#FiXME: awk cipher=$(get_cipher $TMPFILE)
cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://')
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && ( [[ "$cipher" == TLS_* ]] || [[ "$cipher" == SSL_* ]] ); then if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && ( [[ "$cipher" == TLS_* ]] || [[ "$cipher" == SSL_* ]] ); then
cipher="$(rfc2openssl "$cipher")" cipher="$(rfc2openssl "$cipher")"
[[ -z "$cipher" ]] && cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://') [[ -z "$cipher" ]] && cipher=$(get_cipher $TMPFILE)
elif [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then elif [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then
cipher="$(openssl2rfc "$cipher")" cipher="$(openssl2rfc "$cipher")"
[[ -z "$cipher" ]] && cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://') [[ -z "$cipher" ]] && cipher=$(get_cipher $TMPFILE)
fi fi
out "$proto $cipher" out "$proto $cipher"
"$using_sockets" && [[ -n "${handshakebytes[i]}" ]] && has_dh_bits=$HAS_DH_BITS && HAS_DH_BITS=true "$using_sockets" && [[ -n "${handshakebytes[i]}" ]] && has_dh_bits=$HAS_DH_BITS && HAS_DH_BITS=true
@ -3800,22 +3796,18 @@ run_protocols() {
else else
run_prototest_openssl "-ssl2" run_prototest_openssl "-ssl2"
case $? in case $? in
0) 0) prln_svrty_critical "offered (NOT ok)"
prln_svrty_critical "offered (NOT ok)"
fileout "sslv2" "CRITICAL" "SSLv2 is offered" fileout "sslv2" "CRITICAL" "SSLv2 is offered"
add_tls_offered "ssl2" add_tls_offered "ssl2"
;; ;;
1) 1) prln_done_best "not offered (OK)"
prln_done_best "not offered (OK)"
fileout "sslv2" "OK" "SSLv2 is not offered" fileout "sslv2" "OK" "SSLv2 is not offered"
;; ;;
5) 5) pr_svrty_high "CVE-2015-3197: $supported_no_ciph2";
pr_svrty_high "CVE-2015-3197: $supported_no_ciph2";
fileout "sslv2" "HIGH" "CVE-2015-3197: SSLv2 is $supported_no_ciph2" fileout "sslv2" "HIGH" "CVE-2015-3197: SSLv2 is $supported_no_ciph2"
add_tls_offered "ssl2" add_tls_offered "ssl2"
;; ;;
7) 7) fileout "sslv2" "INFO" "SSLv2 is not tested due to lack of local support"
fileout "sslv2" "INFO" "SSLv2 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
fi fi
@ -3827,19 +3819,16 @@ run_protocols() {
run_prototest_openssl "-ssl3" run_prototest_openssl "-ssl3"
fi fi
case $? in case $? in
0) 0) prln_svrty_high "offered (NOT ok)"
prln_svrty_high "offered (NOT ok)"
fileout "sslv3" "HIGH" "SSLv3 is offered" fileout "sslv3" "HIGH" "SSLv3 is offered"
latest_supported="0300" latest_supported="0300"
latest_supported_string="SSLv3" latest_supported_string="SSLv3"
add_tls_offered "ssl3" add_tls_offered "ssl3"
;; ;;
1) 1) prln_done_best "not offered (OK)"
prln_done_best "not offered (OK)"
fileout "sslv3" "OK" "SSLv3 is not offered" fileout "sslv3" "OK" "SSLv3 is not offered"
;; ;;
2) 2) if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
prln_svrty_critical "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" prln_svrty_critical "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
fileout "sslv3" "CRITICAL" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client" fileout "sslv3" "CRITICAL" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client"
@ -3848,14 +3837,12 @@ run_protocols() {
fileout "sslv3" "CRITICAL" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "sslv3" "CRITICAL" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fi fi
;; ;;
5) 5) pr_svrty_high "$supported_no_ciph2"
pr_svrty_high "$supported_no_ciph2"
fileout "sslv3" "HIGH" "SSLv3 is $supported_no_ciph1" fileout "sslv3" "HIGH" "SSLv3 is $supported_no_ciph1"
outln "(may need debugging)" outln "(may need debugging)"
add_tls_offered "ssl3" add_tls_offered "ssl3"
;; ;;
7) 7) fileout "sslv3" "INFO" "SSLv3 is not tested due to lack of local support"
fileout "sslv3" "INFO" "SSLv3 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
@ -3866,15 +3853,13 @@ run_protocols() {
run_prototest_openssl "-tls1" run_prototest_openssl "-tls1"
fi fi
case $? in case $? in
0) 0) outln "offered"
outln "offered"
fileout "tls1" "INFO" "TLSv1.0 is offered" fileout "tls1" "INFO" "TLSv1.0 is offered"
latest_supported="0301" latest_supported="0301"
latest_supported_string="TLSv1.0" latest_supported_string="TLSv1.0"
add_tls_offered "tls1" add_tls_offered "tls1"
;; # nothing wrong with it -- per se ;; # nothing wrong with it -- per se
1) 1) out "not offered"
out "not offered"
if ! "$using_sockets" || [[ -z $latest_supported ]]; then if ! "$using_sockets" || [[ -z $latest_supported ]]; then
outln outln
fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad
@ -3883,8 +3868,7 @@ run_protocols() {
fileout "tls1" "CRITICAL" "TLSv1.0: connection failed rather than downgrading to $latest_supported_string" fileout "tls1" "CRITICAL" "TLSv1.0: connection failed rather than downgrading to $latest_supported_string"
fi fi
;; ;;
2) 2) pr_svrty_medium "not offered"
pr_svrty_medium "not offered"
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
[[ $DEBUG -eq 1 ]] && tm_out " -- downgraded" [[ $DEBUG -eq 1 ]] && tm_out " -- downgraded"
outln outln
@ -3898,13 +3882,11 @@ run_protocols() {
fileout "tls1" "CRITICAL" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "tls1" "CRITICAL" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fi fi
;; ;;
5) 5) outln "$supported_no_ciph1" # protocol ok, but no cipher
outln "$supported_no_ciph1" # protocol ok, but no cipher
fileout "tls1" "WARN" "TLSv1.0 is $supported_no_ciph1" fileout "tls1" "WARN" "TLSv1.0 is $supported_no_ciph1"
add_tls_offered "tls1" add_tls_offered "tls1"
;; ;;
7) 7) fileout "tlsv1" "INFO" "TLSv1.0 is not tested due to lack of local support"
fileout "tlsv1" "INFO" "TLSv1.0 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
@ -3915,15 +3897,13 @@ run_protocols() {
run_prototest_openssl "-tls1_1" run_prototest_openssl "-tls1_1"
fi fi
case $? in case $? in
0) 0) outln "offered"
outln "offered"
fileout "tls1_1" "INFO" "TLSv1.1 is offered" fileout "tls1_1" "INFO" "TLSv1.1 is offered"
latest_supported="0302" latest_supported="0302"
latest_supported_string="TLSv1.1" latest_supported_string="TLSv1.1"
add_tls_offered "tls1_1" add_tls_offered "tls1_1"
;; # nothing wrong with it ;; # nothing wrong with it
1) 1) out "not offered"
out "not offered"
if ! "$using_sockets" || [[ -z $latest_supported ]]; then if ! "$using_sockets" || [[ -z $latest_supported ]]; then
outln outln
fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad
@ -3932,8 +3912,7 @@ run_protocols() {
fileout "tls1_1" "CRITICAL" "TLSv1.1: connection failed rather than downgrading to $latest_supported_string" fileout "tls1_1" "CRITICAL" "TLSv1.1: connection failed rather than downgrading to $latest_supported_string"
fi fi
;; ;;
2) 2) out "not offered"
out "not offered"
if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
[[ $DEBUG -eq 1 ]] && tm_out " -- downgraded" [[ $DEBUG -eq 1 ]] && tm_out " -- downgraded"
outln outln
@ -3950,13 +3929,11 @@ run_protocols() {
fileout "tls1_1" "CRITICAL" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "tls1_1" "CRITICAL" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fi fi
;; ;;
5) 5) outln "$supported_no_ciph1"
outln "$supported_no_ciph1"
fileout "tls1_1" "WARN" "TLSv1.1 is $supported_no_ciph1" fileout "tls1_1" "WARN" "TLSv1.1 is $supported_no_ciph1"
add_tls_offered "tls1_1" add_tls_offered "tls1_1"
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) 7) fileout "tls1_1" "INFO" "TLSv1.1 is not tested due to lack of local support"
fileout "tls1_1" "INFO" "TLSv1.1 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
@ -3967,15 +3944,13 @@ run_protocols() {
run_prototest_openssl "-tls1_2" run_prototest_openssl "-tls1_2"
fi fi
case $? in case $? in
0) 0) prln_done_best "offered (OK)"
prln_done_best "offered (OK)"
fileout "tls1_2" "OK" "TLSv1.2 is offered" fileout "tls1_2" "OK" "TLSv1.2 is offered"
latest_supported="0303" latest_supported="0303"
latest_supported_string="TLSv1.2" latest_supported_string="TLSv1.2"
add_tls_offered "tls1_2" add_tls_offered "tls1_2"
;; # GCM cipher in TLS 1.2: very good! ;; # GCM cipher in TLS 1.2: very good!
1) 1) pr_svrty_medium "not offered"
pr_svrty_medium "not offered"
if ! "$using_sockets" || [[ -z $latest_supported ]]; then if ! "$using_sockets" || [[ -z $latest_supported ]]; then
outln outln
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
@ -3984,8 +3959,7 @@ run_protocols() {
fileout "tls1_2" "CRITICAL" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string" fileout "tls1_2" "CRITICAL" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string"
fi fi
;; ;;
2) 2) pr_svrty_medium "not offered"
pr_svrty_medium "not offered"
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
detected_version_string="SSLv3" detected_version_string="SSLv3"
elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
@ -4006,13 +3980,11 @@ run_protocols() {
fileout "tls1_2" "CRITICAL" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "tls1_2" "CRITICAL" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fi fi
;; ;;
5) 5) outln "$supported_no_ciph1"
outln "$supported_no_ciph1"
fileout "tls1_2" "WARN" "TLSv1.2 is $supported_no_ciph1" fileout "tls1_2" "WARN" "TLSv1.2 is $supported_no_ciph1"
add_tls_offered "tls1_2" add_tls_offered "tls1_2"
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) 7) fileout "tls1_2" "INFO" "TLSv1.2 is not tested due to lack of local support"
fileout "tls1_2" "INFO" "TLSv1.2 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
return 0 return 0
@ -4351,7 +4323,7 @@ run_server_preference() {
fi fi
if "$has_cipher_order"; then if "$has_cipher_order"; then
cipher1=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g') cipher1=$(get_cipher $TMPFILE)
addcmd2="" addcmd2=""
if [[ -n "$STARTTLS_OPTIMAL_PROTO" ]]; then if [[ -n "$STARTTLS_OPTIMAL_PROTO" ]]; then
addcmd2="$STARTTLS_OPTIMAL_PROTO" addcmd2="$STARTTLS_OPTIMAL_PROTO"
@ -4366,7 +4338,7 @@ run_server_preference() {
fi fi
$OPENSSL s_client $STARTTLS -cipher $list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS -cipher $list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>>$ERRFILE >$TMPFILE
# that worked above so no error handling here # that worked above so no error handling here
cipher2=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g') cipher2=$(get_cipher $TMPFILE)
if [[ "$cipher1" != "$cipher2" ]]; then if [[ "$cipher1" != "$cipher2" ]]; then
pr_svrty_high "nope (NOT ok)" pr_svrty_high "nope (NOT ok)"
@ -4387,7 +4359,7 @@ run_server_preference() {
$OPENSSL s_client $STARTTLS $OPTIMAL_PROTO $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS $OPTIMAL_PROTO $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE || pr_warning "Handshake error!" sclient_connect_successful $? $TMPFILE || pr_warning "Handshake error!"
fi fi
default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') default_proto=$(get_protocol $TMPFILE)
case "$default_proto" in case "$default_proto" in
*TLSv1.2) *TLSv1.2)
prln_done_best $default_proto prln_done_best $default_proto
@ -4425,7 +4397,7 @@ run_server_preference() {
esac esac
pr_bold " Negotiated cipher " pr_bold " Negotiated cipher "
default_cipher_ossl=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') default_cipher_ossl=$(get_cipher $TMPFILE)
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then
default_cipher="$default_cipher_ossl" default_cipher="$default_cipher_ossl"
else else
@ -4434,23 +4406,17 @@ run_server_preference() {
fi fi
pr_cipher_quality "$default_cipher" pr_cipher_quality "$default_cipher"
case $? in case $? in
1) 1) fileout "order_cipher" "CRITICAL" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
fileout "order_cipher" "CRITICAL" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
;; ;;
2) 2) fileout "order_cipher" "HIGH" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
fileout "order_cipher" "HIGH" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
;; ;;
3) 3) fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
;; ;;
6|7) 6|7) fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
;; # best ones ;; # best ones
4) 4) fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") (cbc) $remark4default_cipher"
fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") (cbc) $remark4default_cipher"
;; # it's CBC. --> lucky13 ;; # it's CBC. --> lucky13
0) 0) pr_warning "default cipher empty" ;
pr_warning "default cipher empty" ;
if [[ $OSSL_VER == 1.0.2* ]]; then if [[ $OSSL_VER == 1.0.2* ]]; then
out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)" out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
fileout "order_cipher" "WARN" "Default cipher empty (Hint: if IIS6 give OpenSSL 1.0.1 a try) $remark4default_cipher" fileout "order_cipher" "WARN" "Default cipher empty (Hint: if IIS6 give OpenSSL 1.0.1 a try) $remark4default_cipher"
@ -4458,8 +4424,7 @@ run_server_preference() {
fileout "order_cipher" "WARN" "Default cipher empty $remark4default_cipher" fileout "order_cipher" "WARN" "Default cipher empty $remark4default_cipher"
fi fi
;; ;;
*) *) fileout "order_cipher" "INFO" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
fileout "order_cipher" "INFO" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
;; ;;
esac esac
read_dhbits_from_file "$TMPFILE" read_dhbits_from_file "$TMPFILE"
@ -4524,12 +4489,12 @@ run_server_preference() {
[[ "$p" =~ ssl ]] && sni="" || sni="$SNI" [[ "$p" =~ ssl ]] && sni="" || sni="$SNI"
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') proto[i]=$(get_protocol $TMPFILE)
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') cipher[i]=$(get_cipher $TMPFILE)
[[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack! [[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack!
if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ -n "${cipher[i]}" ]]; then if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ -n "${cipher[i]}" ]]; then
cipher[i]="$(openssl2rfc "${cipher[i]}")" cipher[i]="$(openssl2rfc "${cipher[i]}")"
[[ -z "${cipher[i]}" ]] && cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') [[ -z "${cipher[i]}" ]] && cipher[i]=$(get_cipher $TMPFILE)
fi fi
[[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}" [[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}"
else else
@ -4550,10 +4515,10 @@ run_server_preference() {
if [[ -z "${proto[i]}" ]]; then if [[ -z "${proto[i]}" ]]; then
cipher[i]="" cipher[i]=""
else else
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') cipher[i]=$(get_cipher $TMPFILE)
if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ -n "${cipher[i]}" ]]; then if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ -n "${cipher[i]}" ]]; then
cipher[i]="$(openssl2rfc "${cipher[i]}")" cipher[i]="$(openssl2rfc "${cipher[i]}")"
[[ -z "${cipher[i]}" ]] && cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') [[ -z "${cipher[i]}" ]] && cipher[i]=$(get_cipher $TMPFILE)
fi fi
[[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}" [[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}"
fi fi
@ -8757,11 +8722,7 @@ run_heartbleed(){
# determine TLS versions offered <-- needs to come from another place # determine TLS versions offered <-- needs to come from another place
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -tlsextdebug >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -tlsextdebug >$TMPFILE 2>$ERRFILE </dev/null
if "$HAS_SED_E"; then tls_proto_offered=$(get_protocol $TMPFILE)
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
else
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -r 's/[^[:digit:]]//g')
fi
#FIXME: for SSLv3 only we need to set tls_hexcode and the record layer TLS version correctly #FIXME: for SSLv3 only we need to set tls_hexcode and the record layer TLS version correctly
case $tls_proto_offered in case $tls_proto_offered in
12) tls_hexcode="x03, x03" ;; 12) tls_hexcode="x03, x03" ;;
@ -8913,11 +8874,7 @@ run_ccs_injection(){
# determine TLS versions offered <-- needs to come from another place # determine TLS versions offered <-- needs to come from another place
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
if "$HAS_SED_E"; then tls_proto_offered=$(get_protocol $TMPFILE)
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
else
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -r 's/[^[:digit:]]//g')
fi
case "$tls_proto_offered" in case "$tls_proto_offered" in
12) tls_hexcode="x03, x03" ;; 12) tls_hexcode="x03, x03" ;;
11) tls_hexcode="x03, x02" ;; 11) tls_hexcode="x03, x02" ;;
@ -9067,16 +9024,13 @@ run_renego() {
sec_renego=$? # 0= Secure Renegotiation IS NOT supported sec_renego=$? # 0= Secure Renegotiation IS NOT supported
#FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported" #FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported"
case $sec_renego in case $sec_renego in
0) 0) prln_svrty_critical "VULNERABLE (NOT ok)"
prln_svrty_critical "VULNERABLE (NOT ok)"
fileout "secure_renego" "CRITICAL" "Secure Renegotiation: VULNERABLE" "$cve" "$cwe" "$hint" fileout "secure_renego" "CRITICAL" "Secure Renegotiation: VULNERABLE" "$cve" "$cwe" "$hint"
;; ;;
1) 1) prln_done_best "not vulnerable (OK)"
prln_done_best "not vulnerable (OK)"
fileout "secure_renego" "OK" "Secure Renegotiation: not vulnerable" "$cve" "$cwe" fileout "secure_renego" "OK" "Secure Renegotiation: not vulnerable" "$cve" "$cwe"
;; ;;
*) *) prln_warning "FIXME (bug): $sec_renego"
prln_warning "FIXME (bug): $sec_renego"
fileout "secure_renego" "WARN" "Secure Renegotiation: FIXME (bug) $sec_renego" "$cve" "$cwe" fileout "secure_renego" "WARN" "Secure Renegotiation: FIXME (bug) $sec_renego" "$cve" "$cwe"
;; ;;
esac esac
@ -9965,7 +9919,7 @@ run_beast(){
for proto in tls1_1 tls1_2; do for proto in tls1_1 tls1_2; do
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null $OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
higher_proto_supported="$higher_proto_supported ""$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol .*://' -e 's/ //g')" higher_proto_supported="$higher_proto_supported $(get_protocol $TMPFILE)"
fi fi
done done