mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-23 08:59:31 +01:00
Merge branch '2.9dev' into openssl_location
This commit is contained in:
commit
7747d965d4
131
testssl.sh
131
testssl.sh
@ -2471,6 +2471,7 @@ run_cipher_match(){
|
|||||||
local -i nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0
|
local -i nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0
|
||||||
local -i num_bundles mod_check bundle_size bundle end_of_bundle
|
local -i num_bundles mod_check bundle_size bundle end_of_bundle
|
||||||
local addcmd dhlen has_dh_bits="$HAS_DH_BITS"
|
local addcmd dhlen has_dh_bits="$HAS_DH_BITS"
|
||||||
|
local available
|
||||||
local -i sclient_success
|
local -i sclient_success
|
||||||
local re='^[0-9A-Fa-f]+$'
|
local re='^[0-9A-Fa-f]+$'
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
@ -2710,16 +2711,21 @@ run_cipher_match(){
|
|||||||
done
|
done
|
||||||
|
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
|
"${ciphers_found[i]}" || "$SHOW_EACH_C" || continue
|
||||||
export="${export2[i]}"
|
export="${export2[i]}"
|
||||||
neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${ciphers_found[i]}"
|
neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}" "${ciphers_found[i]}"
|
||||||
|
available=""
|
||||||
|
if "$SHOW_EACH_C"; then
|
||||||
if "${ciphers_found[i]}"; then
|
if "${ciphers_found[i]}"; then
|
||||||
pr_cyan " available"
|
available="available"
|
||||||
fileout "cipher_${normalized_hexcode[i]}" "INFO" "$(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}") available"
|
pr_cyan "available"
|
||||||
else
|
else
|
||||||
pr_deemphasize " not a/v"
|
available="not a/v"
|
||||||
fileout "cipher_${normalized_hexcode[i]}" "INFO" "$(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}") not a/v"
|
pr_deemphasize "not a/v"
|
||||||
fi
|
fi
|
||||||
outln
|
fi
|
||||||
|
outln "${sigalg[i]}"
|
||||||
|
fileout "cipher_${normalized_hexcode[i]}" "INFO" "$(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}") $available"
|
||||||
done
|
done
|
||||||
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
||||||
exit
|
exit
|
||||||
@ -3016,9 +3022,12 @@ run_cipher_per_proto() {
|
|||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
neat_header
|
neat_header
|
||||||
tm_out " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n" | while read proto proto_hex proto_text; do
|
echo -e " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2" | while read proto proto_hex proto_text; do
|
||||||
"$using_sockets" || locally_supported "$proto" "$proto_text" || continue
|
pr_underline "$(printf "%s" "$proto_text")"
|
||||||
"$using_sockets" && out "$proto_text "
|
out " "; # for local problem if it happens
|
||||||
|
if ! "$using_sockets" && ! locally_supported "$proto"; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
outln
|
outln
|
||||||
has_server_protocol "${proto:1}" || continue
|
has_server_protocol "${proto:1}" || continue
|
||||||
|
|
||||||
@ -3066,7 +3075,7 @@ run_cipher_per_proto() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else # no sockets, openssl!
|
||||||
# The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
|
# The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
|
||||||
if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || \
|
if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || \
|
||||||
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then
|
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then
|
||||||
@ -3096,7 +3105,8 @@ run_cipher_per_proto() {
|
|||||||
done < <($OPENSSL ciphers $ossl_ciphers_proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
|
done < <($OPENSSL ciphers $ossl_ciphers_proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$proto" == "-ssl2" ]] && "$using_sockets"; then
|
if [[ "$proto" == "-ssl2" ]]; then
|
||||||
|
if "$using_sockets"; then
|
||||||
sslv2_sockets "${sslv2_ciphers:2}" "true"
|
sslv2_sockets "${sslv2_ciphers:2}" "true"
|
||||||
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
|
||||||
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
||||||
@ -3108,7 +3118,7 @@ run_cipher_per_proto() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
elif [[ "$proto" == "-ssl2" ]]; then
|
else
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful "$?" "$TMPFILE"
|
sclient_connect_successful "$?" "$TMPFILE"
|
||||||
if [[ "$?" -eq 0 ]]; then
|
if [[ "$?" -eq 0 ]]; then
|
||||||
@ -3121,7 +3131,8 @@ run_cipher_per_proto() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
else
|
fi
|
||||||
|
else # no SSLv2
|
||||||
nr_ossl_ciphers=0
|
nr_ossl_ciphers=0
|
||||||
for (( i=0; i < nr_ciphers; i++ )); do
|
for (( i=0; i < nr_ciphers; i++ )); do
|
||||||
if "${ossl_supported[i]}"; then
|
if "${ossl_supported[i]}"; then
|
||||||
@ -3131,7 +3142,6 @@ run_cipher_per_proto() {
|
|||||||
nr_ossl_ciphers+=1
|
nr_ossl_ciphers+=1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [[ $nr_ossl_ciphers -eq 0 ]]; then
|
if [[ $nr_ossl_ciphers -eq 0 ]]; then
|
||||||
num_bundles=0
|
num_bundles=0
|
||||||
else
|
else
|
||||||
@ -3174,7 +3184,7 @@ run_cipher_per_proto() {
|
|||||||
kx[i]="${kx[i]} $dhlen"
|
kx[i]="${kx[i]} $dhlen"
|
||||||
fi
|
fi
|
||||||
"$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
|
"$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
|
||||||
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
sigalg[i]="$(read_sigalg_from_file "$HOSTCERT")"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -3240,7 +3250,7 @@ run_cipher_per_proto() {
|
|||||||
kx[i]="${kx[i]} $dhlen"
|
kx[i]="${kx[i]} $dhlen"
|
||||||
fi
|
fi
|
||||||
"$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && \
|
"$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && \
|
||||||
sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
sigalg[i]="$(read_sigalg_from_file "$HOSTCERT")"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -4149,6 +4159,12 @@ pr_cipher_quality() {
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# arg1: certificate file
|
||||||
|
read_sigalg_from_file() {
|
||||||
|
$OPENSSL x509 -noout -text -in "$1" | awk -F':' '/Signature Algorithm/ { print $2; exit; }'
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# arg1: file with input for grepping the bit length for ECDH/DHE
|
# arg1: file with input for grepping the bit length for ECDH/DHE
|
||||||
# arg2: whether to print warning "old fart" or not (empty: no)
|
# arg2: whether to print warning "old fart" or not (empty: no)
|
||||||
read_dhbits_from_file() {
|
read_dhbits_from_file() {
|
||||||
@ -4223,14 +4239,14 @@ read_dhbits_from_file() {
|
|||||||
run_server_preference() {
|
run_server_preference() {
|
||||||
local cipher1 cipher2 prev_cipher=""
|
local cipher1 cipher2 prev_cipher=""
|
||||||
local default_cipher default_cipher_ossl default_proto
|
local default_cipher default_cipher_ossl default_proto
|
||||||
local remark4default_cipher supported_sslv2_ciphers
|
local limitedsense supported_sslv2_ciphers
|
||||||
local -a cipher proto
|
local -a cipher proto
|
||||||
local p i
|
local proto i
|
||||||
local -i ret=0 j
|
local -i ret=0 j
|
||||||
local list_fwd="DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256"
|
local list_fwd="DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256"
|
||||||
# now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 :
|
# now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 :
|
||||||
local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA"
|
local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA"
|
||||||
local has_cipher_order=true
|
local has_cipher_order=false
|
||||||
local addcmd="" addcmd2="" sni=""
|
local addcmd="" addcmd2="" sni=""
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
|
|
||||||
@ -4255,8 +4271,8 @@ run_server_preference() {
|
|||||||
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
|
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
|
||||||
pr_warning "no matching cipher in this list found (pls report this): "
|
pr_warning "no matching cipher in this list found (pls report this): "
|
||||||
outln "$list_fwd . "
|
outln "$list_fwd . "
|
||||||
has_cipher_order=false
|
tmpfile_handle $FUNCNAME.txt
|
||||||
ret=6
|
return 6
|
||||||
fileout "order_bug" "WARN" "Could not determine server cipher order, no matching cipher in this list found (pls report this): $list_fwd"
|
fileout "order_bug" "WARN" "Could not determine server cipher order, no matching cipher in this list found (pls report this): $list_fwd"
|
||||||
elif [[ -n "$STARTTLS_PROTOCOL" ]]; then
|
elif [[ -n "$STARTTLS_PROTOCOL" ]]; then
|
||||||
# now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188
|
# now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188
|
||||||
@ -4267,14 +4283,13 @@ run_server_preference() {
|
|||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
pr_warning "no matching cipher in this list found (pls report this): "
|
pr_warning "no matching cipher in this list found (pls report this): "
|
||||||
outln "$list_fwd . "
|
outln "$list_fwd . "
|
||||||
has_cipher_order=false
|
|
||||||
ret=6
|
|
||||||
fileout "order_bug" "WARN" "Could not determine server cipher order, no matching cipher in this list found (pls report this): $list_fwd"
|
fileout "order_bug" "WARN" "Could not determine server cipher order, no matching cipher in this list found (pls report this): $list_fwd"
|
||||||
|
tmpfile_handle $FUNCNAME.txt
|
||||||
|
return 6
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if "$has_cipher_order"; then
|
cipher1=$(get_cipher $TMPFILE) # cipher1 from 1st serverhello
|
||||||
cipher1=$(get_cipher $TMPFILE)
|
|
||||||
addcmd2=""
|
addcmd2=""
|
||||||
if [[ -n "$STARTTLS_OPTIMAL_PROTO" ]]; then
|
if [[ -n "$STARTTLS_OPTIMAL_PROTO" ]]; then
|
||||||
addcmd2="$STARTTLS_OPTIMAL_PROTO"
|
addcmd2="$STARTTLS_OPTIMAL_PROTO"
|
||||||
@ -4287,17 +4302,21 @@ run_server_preference() {
|
|||||||
fi
|
fi
|
||||||
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
|
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# second client hello with reverse list
|
||||||
$OPENSSL s_client $STARTTLS -cipher $list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS -cipher $list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
# that worked above so no error handling here
|
# first handshake worked above so no error handling here
|
||||||
cipher2=$(get_cipher $TMPFILE)
|
cipher2=$(get_cipher $TMPFILE) # cipher2 from 2nd serverhello
|
||||||
|
|
||||||
if [[ "$cipher1" != "$cipher2" ]]; then
|
if [[ "$cipher1" != "$cipher2" ]]; then
|
||||||
|
# server used the different ends (ciphers) from the client hello
|
||||||
pr_svrty_high "nope (NOT ok)"
|
pr_svrty_high "nope (NOT ok)"
|
||||||
remark4default_cipher=" (limited sense as client will pick)"
|
limitedsense=" (limited sense as client will pick)"
|
||||||
fileout "order" "HIGH" "Server does NOT set a cipher order"
|
fileout "order" "HIGH" "Server does NOT set a cipher order"
|
||||||
else
|
else
|
||||||
pr_done_best "yes (OK)"
|
pr_done_best "yes (OK)"
|
||||||
remark4default_cipher=""
|
has_cipher_order=true
|
||||||
|
limitedsense=""
|
||||||
fileout "order" "OK" "Server sets a cipher order"
|
fileout "order" "OK" "Server sets a cipher order"
|
||||||
fi
|
fi
|
||||||
debugme tm_out " $cipher1 | $cipher2"
|
debugme tm_out " $cipher1 | $cipher2"
|
||||||
@ -4357,36 +4376,37 @@ run_server_preference() {
|
|||||||
fi
|
fi
|
||||||
pr_cipher_quality "$default_cipher"
|
pr_cipher_quality "$default_cipher"
|
||||||
case $? in
|
case $? in
|
||||||
1) fileout "order_cipher" "CRITICAL" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
|
1) fileout "order_cipher" "CRITICAL" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||||
;;
|
;;
|
||||||
2) fileout "order_cipher" "HIGH" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
|
2) fileout "order_cipher" "HIGH" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||||
;;
|
;;
|
||||||
3) fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
|
3) fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||||
;;
|
;;
|
||||||
6|7) fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
|
6|7) fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||||
;; # best ones
|
;; # best ones
|
||||||
4) fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") (cbc) $remark4default_cipher"
|
4) fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") (cbc) $limitedsense"
|
||||||
;; # it's CBC. --> lucky13
|
;; # it's CBC. --> lucky13
|
||||||
0) pr_warning "default cipher empty" ;
|
0) pr_warning "default cipher empty" ;
|
||||||
if [[ $OSSL_VER == 1.0.2* ]]; then
|
if [[ $OSSL_VER == 1.0.2* ]]; then
|
||||||
out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
||||||
fileout "order_cipher" "WARN" "Default cipher empty (Hint: if IIS6 give OpenSSL 1.0.1 a try) $remark4default_cipher"
|
fileout "order_cipher" "WARN" "Default cipher empty (Hint: if IIS6 give OpenSSL 1.0.1 a try) $limitedsense"
|
||||||
else
|
else
|
||||||
fileout "order_cipher" "WARN" "Default cipher empty $remark4default_cipher"
|
fileout "order_cipher" "WARN" "Default cipher empty $limitedsense"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*) fileout "order_cipher" "INFO" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $remark4default_cipher"
|
*) fileout "order_cipher" "INFO" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
read_dhbits_from_file "$TMPFILE"
|
read_dhbits_from_file "$TMPFILE"
|
||||||
outln "$remark4default_cipher"
|
outln "$limitedsense"
|
||||||
|
|
||||||
if [[ ! -z "$remark4default_cipher" ]]; then
|
if "$has_cipher_order"; then
|
||||||
# no cipher order
|
cipher_pref_check
|
||||||
pr_bold " Negotiated cipher per proto"; outln " $remark4default_cipher"
|
else
|
||||||
|
pr_bold " Negotiated cipher per proto"; outln " $limitedsense"
|
||||||
i=1
|
i=1
|
||||||
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
|
for proto in ssl2 ssl3 tls1 tls1_1 tls1_2; do
|
||||||
if [[ $p == ssl2 ]] && ! "$HAS_SSL2"; then
|
if [[ $proto == ssl2 ]] && ! "$HAS_SSL2"; then
|
||||||
if ! "$using_sockets" || [[ $TLS_NR_CIPHERS -eq 0 ]]; then
|
if ! "$using_sockets" || [[ $TLS_NR_CIPHERS -eq 0 ]]; then
|
||||||
out " (SSLv2: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""; outln ")";
|
out " (SSLv2: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""; outln ")";
|
||||||
continue
|
continue
|
||||||
@ -4416,7 +4436,7 @@ run_server_preference() {
|
|||||||
cipher[i]=""
|
cipher[i]=""
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
elif [[ $p == ssl3 ]] && ! "$HAS_SSL3"; then
|
elif [[ $proto == ssl3 ]] && ! "$HAS_SSL3"; then
|
||||||
if ! "$using_sockets"; then
|
if ! "$using_sockets"; then
|
||||||
out " (SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"" ; outln ")";
|
out " (SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"" ; outln ")";
|
||||||
continue
|
continue
|
||||||
@ -4425,7 +4445,7 @@ run_server_preference() {
|
|||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
proto[i]="SSLv3"
|
proto[i]="SSLv3"
|
||||||
cipher[i]=""
|
cipher[i]=""
|
||||||
cipher1=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
|
cipher1=$(awk '/Cipher *:/ { print $3 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
|
||||||
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && [[ $TLS_NR_CIPHERS -ne 0 ]]; then
|
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && [[ $TLS_NR_CIPHERS -ne 0 ]]; then
|
||||||
cipher[i]="$(rfc2openssl "$cipher1")"
|
cipher[i]="$(rfc2openssl "$cipher1")"
|
||||||
[[ -z "${cipher[i]}" ]] && cipher[i]="$cipher1"
|
[[ -z "${cipher[i]}" ]] && cipher[i]="$cipher1"
|
||||||
@ -4437,8 +4457,8 @@ run_server_preference() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
[[ "$p" =~ ssl ]] && sni="" || sni="$SNI"
|
[[ "$proto" =~ ssl ]] && sni="" || sni="$SNI"
|
||||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS -"$proto" $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
proto[i]=$(get_protocol $TMPFILE)
|
proto[i]=$(get_protocol $TMPFILE)
|
||||||
cipher[i]=$(get_cipher $TMPFILE)
|
cipher[i]=$(get_cipher $TMPFILE)
|
||||||
@ -4472,19 +4492,12 @@ run_server_preference() {
|
|||||||
fi
|
fi
|
||||||
prev_cipher="${cipher[i]}"
|
prev_cipher="${cipher[i]}"
|
||||||
fi
|
fi
|
||||||
fileout "order_${proto[i]}_cipher" "INFO" "Default cipher on ${proto[i]}: ${cipher[i]} $remark4default_cipher"
|
fileout "order_${proto[i]}_cipher" "INFO" "Default cipher on ${proto[i]}: ${cipher[i]} $limitedsense"
|
||||||
done
|
done
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
|
||||||
if [[ -z "$remark4default_cipher" ]]; then
|
|
||||||
cipher_pref_check
|
|
||||||
else
|
|
||||||
outln "\n No further cipher order check has been done as order is determined by the client"
|
outln "\n No further cipher order check has been done as order is determined by the client"
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
return 0
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
check_tls12_pref() {
|
check_tls12_pref() {
|
||||||
@ -6270,7 +6283,7 @@ run_pfs() {
|
|||||||
kx[i]="${kx[i]} $dhlen"
|
kx[i]="${kx[i]} $dhlen"
|
||||||
fi
|
fi
|
||||||
"$WIDE" && "$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
|
"$WIDE" && "$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
|
||||||
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
sigalg[i]="$(read_sigalg_from_file "$TMPFILE")"
|
||||||
done
|
done
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
while true; do
|
while true; do
|
||||||
@ -6296,7 +6309,7 @@ run_pfs() {
|
|||||||
kx[i]="${kx[i]} $dhlen"
|
kx[i]="${kx[i]} $dhlen"
|
||||||
fi
|
fi
|
||||||
"$WIDE" && "$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && \
|
"$WIDE" && "$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && \
|
||||||
sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
|
sigalg[i]="$(read_sigalg_from_file "$HOSTCERT")"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
for (( i=0; i < nr_supported_ciphers; i++ )); do
|
for (( i=0; i < nr_supported_ciphers; i++ )); do
|
||||||
@ -8186,7 +8199,7 @@ sslv2_sockets() {
|
|||||||
debugme tmln_out "reading server hello... "
|
debugme tmln_out "reading server hello... "
|
||||||
if [[ "$DEBUG" -ge 4 ]]; then
|
if [[ "$DEBUG" -ge 4 ]]; then
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -6
|
hexdump -C "$SOCK_REPLY_FILE" | head -6
|
||||||
outln
|
tmln_out
|
||||||
fi
|
fi
|
||||||
|
|
||||||
parse_sslv2_serverhello "$SOCK_REPLY_FILE" "$parse_complete"
|
parse_sslv2_serverhello "$SOCK_REPLY_FILE" "$parse_complete"
|
||||||
@ -8733,7 +8746,7 @@ run_heartbleed(){
|
|||||||
else
|
else
|
||||||
out "likely "
|
out "likely "
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
[[ $DEBUG -lt 3 ]] && out ", use debug >=3 to confirm"
|
[[ $DEBUG -lt 3 ]] && tm_out ", use debug >=3 to confirm"
|
||||||
fileout "heartbleed" "CRITICAL" "Heartbleed: VULNERABLE $cve" "$cwe" "$hint"
|
fileout "heartbleed" "CRITICAL" "Heartbleed: VULNERABLE $cve" "$cwe" "$hint"
|
||||||
ret=1
|
ret=1
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user