Merge pull request #689 from dcooper16/run_server_defaults_cleanup

Clean up variable definitions in run_server_defaults()
Dirk Wetter 2017-03-31 12:53:46 +02:00 committed by GitHub
commit 75c794546d


@ -6123,18 +6123,16 @@ certificate_info() {
run_server_defaults() { run_server_defaults() {
local ciph match_found newhostcert sni local ciph newhostcert sni
local sessticket_str="" local match_found
local lifetime unit local sessticket_str="" lifetime unit
local line
local -i i n local -i i n
local -i certs_found=0 local -i certs_found=0
local -a previous_hostcert previous_intermediates keysize cipher local -a previous_hostcert previous_intermediates keysize cipher
local -a ocsp_response ocsp_response_status sni_used local -a ocsp_response ocsp_response_status sni_used
local -a ciphers_to_test success local -a ciphers_to_test
local -a -i success
local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions
local alpn_proto alpn="" alpn_list_len_hex alpn_extn_len_hex success
local -i alpn_list_len alpn_extn_len
# Try each public key type once: # Try each public key type once:
# ciphers_to_test[1]: cipher suites using certificates with RSA signature public keys # ciphers_to_test[1]: cipher suites using certificates with RSA signature public keys
@ -6147,11 +6145,11 @@ run_server_defaults() {
ciphers_to_test[1]="" ciphers_to_test[1]=""
ciphers_to_test[2]="" ciphers_to_test[2]=""
for ciph in $(colon_to_spaces $($OPENSSL ciphers "aRSA")); do for ciph in $(colon_to_spaces $($OPENSSL ciphers "aRSA")); do
if grep -q "\-RSA\-" <<<$ciph; then if grep -q "\-RSA\-" <<<$ciph; then
ciphers_to_test[1]="${ciphers_to_test[1]}:$ciph" ciphers_to_test[1]="${ciphers_to_test[1]}:$ciph"
else else
ciphers_to_test[2]="${ciphers_to_test[2]}:$ciph" ciphers_to_test[2]="${ciphers_to_test[2]}:$ciph"
fi fi
done done
[[ -n "${ciphers_to_test[1]}" ]] && ciphers_to_test[1]="${ciphers_to_test[1]:1}" [[ -n "${ciphers_to_test[1]}" ]] && ciphers_to_test[1]="${ciphers_to_test[1]:1}"
[[ -n "${ciphers_to_test[2]}" ]] && ciphers_to_test[2]="${ciphers_to_test[2]:1}" [[ -n "${ciphers_to_test[2]}" ]] && ciphers_to_test[2]="${ciphers_to_test[2]:1}"
@ -6162,94 +6160,96 @@ run_server_defaults() {
ciphers_to_test[7]="aGOST" ciphers_to_test[7]="aGOST"
for (( n=1; n <= 14 ; n++ )); do for (( n=1; n <= 14 ; n++ )); do
# Some servers use a different certificate if the ClientHello # Some servers use a different certificate if the ClientHello
# specifies TLSv1.1 and doesn't include a server name extension. # specifies TLSv1.1 and doesn't include a server name extension.
# So, for each public key type for which a certificate was found, # So, for each public key type for which a certificate was found,
# try again, but only with TLSv1.1 and without SNI. # try again, but only with TLSv1.1 and without SNI.
if [[ $n -ge 8 ]]; then if [[ $n -ge 8 ]]; then
ciphers_to_test[n]="" ciphers_to_test[n]=""
[[ ${success[n-7]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-7]}" [[ ${success[n-7]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-7]}"
fi fi
if [[ -n "${ciphers_to_test[n]}" ]] && [[ $(count_ciphers $($OPENSSL ciphers "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]]; then if [[ -n "${ciphers_to_test[n]}" ]] && [[ $(count_ciphers $($OPENSSL ciphers "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]]; then
if [[ $n -ge 8 ]]; then if [[ $n -ge 8 ]]; then
sni="$SNI" sni="$SNI"
SNI="" SNI=""
get_server_certificate "-cipher ${ciphers_to_test[n]}" "tls1_1" get_server_certificate "-cipher ${ciphers_to_test[n]}" "tls1_1"
success[n]=$? success[n]=$?
SNI="$sni" SNI="$sni"
else else
get_server_certificate "-cipher ${ciphers_to_test[n]}" get_server_certificate "-cipher ${ciphers_to_test[n]}"
success[n]=$? success[n]=$?
fi fi
if [[ ${success[n]} -eq 0 ]]; then if [[ ${success[n]} -eq 0 ]]; then
cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE
>$ERRFILE >$ERRFILE
if [[ -z "$sessticket_str" ]]; then if [[ -z "$sessticket_str" ]]; then
sessticket_str=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime) sessticket_str=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime)
fi fi
# check whether the host's certificate has been seen before # check whether the host's certificate has been seen before
match_found=false match_found=false
i=1 i=1
newhostcert=$(cat $HOSTCERT) newhostcert=$(cat $HOSTCERT)
while [[ $i -le $certs_found ]]; do while [[ $i -le $certs_found ]]; do
if [[ "$newhostcert" == "${previous_hostcert[i]}" ]]; then if [[ "$newhostcert" == "${previous_hostcert[i]}" ]]; then
match_found=true match_found=true
break; break;
fi fi
i=$((i + 1)) i=$((i + 1))
done done
if ! "$match_found" && [[ $n -ge 8 ]] && [[ $certs_found -ne 0 ]]; then if ! "$match_found" && [[ $n -ge 8 ]] && [[ $certs_found -ne 0 ]]; then
# A new certificate was found using TLSv1.1 without SNI. # A new certificate was found using TLSv1.1 without SNI.
# Check to see if the new certificate should be displayed. # Check to see if the new certificate should be displayed.
# It should be displayed if it is either a match for the # It should be displayed if it is either a match for the
# $NODE being tested or if it has the same subject # $NODE being tested or if it has the same subject
# (CN and SAN) as other certificates for this host. # (CN and SAN) as other certificates for this host.
compare_server_name_to_cert "$NODE" "$HOSTCERT" compare_server_name_to_cert "$NODE" "$HOSTCERT"
[[ $? -ne 0 ]] && success[n]=0 || success[n]=1 [[ $? -ne 0 ]] && success[n]=0 || success[n]=1
if [[ ${success[n]} -ne 0 ]]; then if [[ ${success[n]} -ne 0 ]]; then
cn_nosni="$(toupper "$(get_cn_from_cert $HOSTCERT)")" cn_nosni="$(toupper "$(get_cn_from_cert $HOSTCERT)")"
sans_nosni="$(toupper "$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ sans_nosni="$(toupper "$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
tr ',' '\n' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')")" grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')")"
echo "${previous_hostcert[1]}" > $HOSTCERT echo "${previous_hostcert[1]}" > $HOSTCERT
cn_sni="$(toupper "$(get_cn_from_cert $HOSTCERT)")" cn_sni="$(toupper "$(get_cn_from_cert $HOSTCERT)")"
# FIXME: Not sure what the matching rule should be. At # FIXME: Not sure what the matching rule should be. At
# the moment, the no SNI certificate is considered a # the moment, the no SNI certificate is considered a
# match if the CNs are the same and the SANs (if # match if the CNs are the same and the SANs (if
# present) contain at least one DNS name in common. # present) contain at least one DNS name in common.
if [[ "$cn_nosni" == "$cn_sni" ]]; then if [[ "$cn_nosni" == "$cn_sni" ]]; then
sans_sni="$(toupper "$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ sans_sni="$(toupper "$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
tr ',' '\n' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')")" grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \
if [[ "$sans_nosni" == "$sans_sni" ]]; then sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')")"
success[n]=0 if [[ "$sans_nosni" == "$sans_sni" ]]; then
else success[n]=0
for san in $sans_nosni; do else
[[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break for san in $sans_nosni; do
done [[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break
done
fi
fi fi
fi fi
fi # If the certificate found for TLSv1.1 w/o SNI appears to
# If the certificate found for TLSv1.1 w/o SNI appears to # be for a different host, then set match_found to true so
# be for a different host, then set match_found to true so # that the new certificate will not be included in the output.
# that the new certificate will not be included in the output. [[ ${success[n]} -ne 0 ]] && match_found=true
[[ ${success[n]} -ne 0 ]] && match_found=true fi
fi if ! "$match_found"; then
if ! "$match_found"; then certs_found=$(($certs_found + 1))
certs_found=$(($certs_found + 1)) cipher[certs_found]=${ciphers_to_test[n]}
cipher[certs_found]=${ciphers_to_test[n]} keysize[certs_found]=$(grep -aw "^Server public key is" $TMPFILE | sed -e 's/^Server public key is //' -e 's/bit//' -e 's/ //')
keysize[certs_found]=$(grep -aw "^Server public key is" $TMPFILE | sed -e 's/^Server public key is //' -e 's/bit//' -e 's/ //') ocsp_response[certs_found]=$(grep -aA 20 "OCSP response" $TMPFILE)
ocsp_response[certs_found]=$(grep -aA 20 "OCSP response" $TMPFILE) ocsp_response_status[certs_found]=$(grep -a "OCSP Response Status" $TMPFILE)
ocsp_response_status[certs_found]=$(grep -a "OCSP Response Status" $TMPFILE) previous_hostcert[certs_found]=$newhostcert
previous_hostcert[certs_found]=$newhostcert previous_intermediates[certs_found]=$(cat $TEMPDIR/intermediatecerts.pem)
previous_intermediates[certs_found]=$(cat $TEMPDIR/intermediatecerts.pem) [[ $n -ge 8 ]] && sni_used[certs_found]="" || sni_used[certs_found]="$SNI"
[[ $n -ge 8 ]] && sni_used[certs_found]="" || sni_used[certs_found]="$SNI" fi
fi fi
fi fi
fi
done done
determine_tls_extensions determine_tls_extensions
@ -6292,7 +6292,7 @@ run_server_defaults() {
unit=$(grep -a lifetime <<< "$sessticket_str" | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g') unit=$(grep -a lifetime <<< "$sessticket_str" | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g')
out "$lifetime $unit " out "$lifetime $unit "
prln_svrty_low "(PFS requires session ticket keys to be rotated <= daily)" prln_svrty_low "(PFS requires session ticket keys to be rotated <= daily)"
fileout "session_ticket" "LOW" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)" fileout "session_ticket" "LOW" "TLS session ticket RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)"
fi fi
pr_bold " SSL Session ID support " pr_bold " SSL Session ID support "
@ -6308,10 +6308,10 @@ run_server_defaults() {
i=1 i=1
while [[ $i -le $certs_found ]]; do while [[ $i -le $certs_found ]]; do
echo "${previous_hostcert[i]}" > $HOSTCERT echo "${previous_hostcert[i]}" > $HOSTCERT
echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem
certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}" "${sni_used[i]}" certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}" "${sni_used[i]}"
i=$((i + 1)) i=$((i + 1))
done done
} }
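Review bot: The guard near the top of the loop body in the third hunk, `[[ ${success[n-7]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-7]}"`, reads an element of `success` that is only ever assigned inside the `if [[ -n "${ciphers_to_test[n]}" ]] && ...` branch, so for a key type whose cipher list came back empty it compares against an element that was never set; with the new `local -a -i success` declaration that expands to an empty string, which `[[ ... -eq 0 ]]` happens to evaluate as 0, and the copy is harmless only because `ciphers_to_test[n-7]` is empty in exactly that case. Making the default explicit removes the reliance on that coincidence: add `success[n]=1` as the first statement of the loop body, before the `if [[ $n -ge 8 ]]; then` block, so every slot records "no certificate retrieved" unless `get_server_certificate` overwrites it. I have not verified whether `success` is read after the loop, since most of the function between and after the hunks is not shown. A smaller point of style: `if ! "$match_found"; then` (used twice) executes the variable's value as a command, and `if [[ "$match_found" != true ]]; then` expresses the same test without depending on `true`/`false` resolving as commands. run_server_defaults() opens in the first hunk and its closing brace is in the last; only the for-loop is shown in full in the third hunk.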