mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 17:20:57 +01:00
Added HAS_ZLIB in run_crime(), declaration of CERT_COMPRESSION fixed
CERT_COMPRESSION was declared always with fast in ... so that the variable was always false. This PR fixes that. In addition a informational line that the new TLS extension has been added (if $DEBUG >3). Also determine_optimal_proto() is not being run if devel mode ($do_tls_sockets) is enabled. Furthermore as David added HAS_ZLIB as a global run_crime() now makes use of it too.
This commit is contained in:
parent
53ecacfcbb
commit
7a1fb0b3b9
12
testssl.sh
12
testssl.sh
@ -299,7 +299,7 @@ ERRFILE=""
|
|||||||
CLIENT_AUTH=false
|
CLIENT_AUTH=false
|
||||||
TLS_TICKETS=false
|
TLS_TICKETS=false
|
||||||
NO_SSL_SESSIONID=false
|
NO_SSL_SESSIONID=false
|
||||||
CERT_COMPRESSION=false # secret flag to set in addition to --devel for certificate compression
|
CERT_COMPRESSION=${CERT_COMPRESSION:-false} # secret flag to set in addition to --devel for certificate compression
|
||||||
HOSTCERT="" # File with host certificate, without intermediate certificate
|
HOSTCERT="" # File with host certificate, without intermediate certificate
|
||||||
HEADERFILE=""
|
HEADERFILE=""
|
||||||
HEADERVALUE=""
|
HEADERVALUE=""
|
||||||
@ -14163,9 +14163,7 @@ run_crime() {
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln
|
||||||
pr_bold " CRIME, TLS " ; out "($cve) "
|
pr_bold " CRIME, TLS " ; out "($cve) "
|
||||||
|
|
||||||
# first we need to test whether OpenSSL binary has zlib support
|
if ! "$HAS_ZLIB"; then
|
||||||
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
|
|
||||||
if [[ $? -eq 0 ]]; then
|
|
||||||
if "$SSL_NATIVE"; then
|
if "$SSL_NATIVE"; then
|
||||||
prln_local_problem "$OPENSSL lacks zlib support"
|
prln_local_problem "$OPENSSL lacks zlib support"
|
||||||
fileout "CRIME_TLS" "WARN" "CRIME, TLS: Not tested. $OPENSSL lacks zlib support" "$cve" "$cwe"
|
fileout "CRIME_TLS" "WARN" "CRIME, TLS: Not tested. $OPENSSL lacks zlib support" "$cve" "$cwe"
|
||||||
@ -17730,6 +17728,8 @@ determine_optimal_proto() {
|
|||||||
local tmp=""
|
local tmp=""
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
|
|
||||||
|
"$do_tls_sockets" && return 0
|
||||||
|
|
||||||
>$ERRFILE
|
>$ERRFILE
|
||||||
"$SSL_NATIVE" && using_sockets=false
|
"$SSL_NATIVE" && using_sockets=false
|
||||||
|
|
||||||
@ -18999,6 +18999,7 @@ parse_cmd_line() {
|
|||||||
# arg2: list of cipher suites / hostname/ip
|
# arg2: list of cipher suites / hostname/ip
|
||||||
# arg3: hostname/ip
|
# arg3: hostname/ip
|
||||||
HEX_CIPHER="$TLS12_CIPHER"
|
HEX_CIPHER="$TLS12_CIPHER"
|
||||||
|
# DEBUG=3 ./testssl.sh --devel 04 "13,02, 13,01" google.com --> TLS 1.3
|
||||||
# DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY
|
# DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY
|
||||||
# DEBUG=3 ./testssl.sh --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com --> new CHACHA/POLY
|
# DEBUG=3 ./testssl.sh --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com --> new CHACHA/POLY
|
||||||
# DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0
|
# DEBUG=3 ./testssl.sh --devel 01 yandex.ru --> TLS 1.0
|
||||||
@ -19011,7 +19012,7 @@ parse_cmd_line() {
|
|||||||
fi
|
fi
|
||||||
shift
|
shift
|
||||||
do_tls_sockets=true
|
do_tls_sockets=true
|
||||||
outln "\nTLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}"
|
outln "\nTLS_LOW_BYTE, HEX_CIPHER: \"${TLS_LOW_BYTE}\", \"${HEX_CIPHER}\""
|
||||||
;;
|
;;
|
||||||
--wide)
|
--wide)
|
||||||
WIDE=true
|
WIDE=true
|
||||||
@ -19355,6 +19356,7 @@ lets_roll() {
|
|||||||
if [[ "$TLS_LOW_BYTE" == 04 ]]; then
|
if [[ "$TLS_LOW_BYTE" == 04 ]]; then
|
||||||
if "$CERT_COMPRESSION"; then
|
if "$CERT_COMPRESSION"; then
|
||||||
# See PR #1279
|
# See PR #1279
|
||||||
|
[[ $DEBUG -eq 3 ]] && tmln_out "including TLS extension certificate compression"
|
||||||
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01"
|
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01"
|
||||||
else
|
else
|
||||||
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"
|
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"
|
||||||
|
Loading…
Reference in New Issue
Block a user