mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-09 18:20:59 +01:00
color codes for protocols and default ciphers reflect better a rating
- fix: heartbleed function needed a $TMPFILE for determining the TLS protocol - version bumped to 2.1rc2
This commit is contained in:
parent
db17669b99
commit
80079edf41
33
testssl.sh
33
testssl.sh
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
# Program for spotting weak SSL encryption, ciphers, version and some vulnerablities or features
|
# Program for spotting weak SSL encryption, ciphers, version and some vulnerablities or features
|
||||||
|
|
||||||
VERSION="2.1rc1"
|
VERSION="2.1rc2"
|
||||||
SWURL="https://testssl.sh"
|
SWURL="https://testssl.sh"
|
||||||
SWCONTACT="dirk aet testssl dot sh"
|
SWCONTACT="dirk aet testssl dot sh"
|
||||||
|
|
||||||
@ -217,11 +217,12 @@ ok(){
|
|||||||
esac
|
esac
|
||||||
else
|
else
|
||||||
case $1 in
|
case $1 in
|
||||||
|
7) brownln "not offered" ;; # 7 0
|
||||||
6) literedln "offered (NOT ok)" ;; # 6 0
|
6) literedln "offered (NOT ok)" ;; # 6 0
|
||||||
5) litered "supported but couldn't detect a cipher"; outln "(check manually)" ;; # 5 5
|
5) litered "supported but couldn't detect a cipher"; outln "(check manually)" ;; # 5 5
|
||||||
4) litegreenln "offered (OK)" ;; # 4 0
|
4) litegreenln "offered (OK)" ;; # 4 0
|
||||||
3) brownln "offered" ;; # 3 0
|
3) brownln "offered" ;; # 3 0
|
||||||
2) boldln "offered" ;; # 2 0
|
2) outln "offered" ;; # 2 0
|
||||||
1) greenln "offered (OK)" ;; # 1 0
|
1) greenln "offered (OK)" ;; # 1 0
|
||||||
0) boldln "not offered" ;; # 0 0
|
0) boldln "not offered" ;; # 0 0
|
||||||
esac
|
esac
|
||||||
@ -740,7 +741,7 @@ runprotocols() {
|
|||||||
|
|
||||||
testprotohelper "-tls1" " TLSv1 "
|
testprotohelper "-tls1" " TLSv1 "
|
||||||
case $? in
|
case $? in
|
||||||
0) ok 4 0 ;; # no GCM, thus in litegreen
|
0) ok 4 0 ;; # no GCM, thus only in litegreen
|
||||||
1) ok 0 0 ;;
|
1) ok 0 0 ;;
|
||||||
5) ok 5 5 ;; # protocol ok, but no cipher
|
5) ok 5 5 ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
@ -749,7 +750,7 @@ runprotocols() {
|
|||||||
testprotohelper "-tls1_1" " TLSv1.1 "
|
testprotohelper "-tls1_1" " TLSv1.1 "
|
||||||
case $? in
|
case $? in
|
||||||
0) ok 1 0 ;;
|
0) ok 1 0 ;;
|
||||||
1) ok 0 0 ;;
|
1) ok 7 0 ;; # no GCM, penalty
|
||||||
5) ok 5 5 ;; # protocol ok, but no cipher
|
5) ok 5 5 ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
esac
|
esac
|
||||||
@ -757,7 +758,7 @@ runprotocols() {
|
|||||||
testprotohelper "-tls1_2" " TLSv1.2 "
|
testprotohelper "-tls1_2" " TLSv1.2 "
|
||||||
case $? in
|
case $? in
|
||||||
0) ok 1 0 ;;
|
0) ok 1 0 ;;
|
||||||
1) ok 0 0 ;;
|
1) ok 7 0 ;; # no GCM, penalty
|
||||||
5) ok 5 5 ;; # protocol ok, but no cipher
|
5) ok 5 5 ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
esac
|
esac
|
||||||
@ -794,7 +795,7 @@ simple_preference() {
|
|||||||
ret=6
|
ret=6
|
||||||
else
|
else
|
||||||
out " Negotiated protocol "
|
out " Negotiated protocol "
|
||||||
TLS_PROTO_OFFERED=`grep -w "Protocol" $TMPFILE | sed -e 's/^ \+Protocol \+://' -e 's/ //g'`
|
TLS_PROTO_OFFERED=`grep -w "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g'`
|
||||||
case "$TLS_PROTO_OFFERED" in
|
case "$TLS_PROTO_OFFERED" in
|
||||||
*TLSv1.2) greenln $TLS_PROTO_OFFERED ;;
|
*TLSv1.2) greenln $TLS_PROTO_OFFERED ;;
|
||||||
*TLSv1.1) litegreenln $TLS_PROTO_OFFERED ;;
|
*TLSv1.1) litegreenln $TLS_PROTO_OFFERED ;;
|
||||||
@ -805,12 +806,13 @@ simple_preference() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
out " Negotiated cipher "
|
out " Negotiated cipher "
|
||||||
default=`grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g'`
|
default=`grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g'`
|
||||||
case "$default" in
|
case "$default" in
|
||||||
*NULL*|*EXP*) redln "$default" ;;
|
*NULL*|*EXP*) redln "$default" ;;
|
||||||
*RC4*) literedln "$default" ;;
|
*RC4*) literedln "$default" ;;
|
||||||
*CBC*) literedln "$default" ;; #FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
|
*CBC*) literedln "$default" ;; #FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
|
||||||
*GCM*) litegreenln "$default" ;; # best ones
|
*GCM*) greenln "$default" ;; # best ones
|
||||||
|
*CHACHA20*) greenln "$default" ;; # best ones
|
||||||
ECDHE*AES*) brownln "$default" ;; # it's CBC. so lucky13
|
ECDHE*AES*) brownln "$default" ;; # it's CBC. so lucky13
|
||||||
*) outln "$default" ;;
|
*) outln "$default" ;;
|
||||||
esac
|
esac
|
||||||
@ -983,7 +985,7 @@ rc4() {
|
|||||||
# https://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
|
# https://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
|
||||||
# http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
|
# http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
|
||||||
outln
|
outln
|
||||||
outln "RC4 is kind of broken, for e.g. IE6 consider 0x13 or 0x0a"
|
outln "RC4 is broken, for legacy support (IE6) rather consider x13 or x0a"
|
||||||
else
|
else
|
||||||
outln
|
outln
|
||||||
litegreenln "no RC4 ciphers detected (OK)"
|
litegreenln "no RC4 ciphers detected (OK)"
|
||||||
@ -1166,7 +1168,7 @@ ccs_injection(){
|
|||||||
red "VULNERABLE"
|
red "VULNERABLE"
|
||||||
ret=1
|
ret=1
|
||||||
fi
|
fi
|
||||||
[ $retval -eq 3 ] && out ", timed out"
|
[ $retval -eq 3 ] && out "(timed out)"
|
||||||
outln
|
outln
|
||||||
|
|
||||||
close_socket
|
close_socket
|
||||||
@ -1180,6 +1182,9 @@ heartbleed(){
|
|||||||
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
||||||
heartbleed_payload="\x18\x03\tls_version\x00\x03\x01\x40\x00"
|
heartbleed_payload="\x18\x03\tls_version\x00\x03\x01\x40\x00"
|
||||||
|
|
||||||
|
# determine TLS versions available:
|
||||||
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null
|
||||||
|
|
||||||
tls_hexcode=x01
|
tls_hexcode=x01
|
||||||
proto_offered=`grep -w Protocol $TMPFILE | sed -e 's/^ \+Protocol \+://'`
|
proto_offered=`grep -w Protocol $TMPFILE | sed -e 's/^ \+Protocol \+://'`
|
||||||
case $tls_proto_offered in
|
case $tls_proto_offered in
|
||||||
@ -1269,11 +1274,11 @@ heartbleed(){
|
|||||||
green "not vulnerable (OK)"
|
green "not vulnerable (OK)"
|
||||||
ret=0
|
ret=0
|
||||||
fi
|
fi
|
||||||
[ $retval -eq 3 ] && green ", timed out"
|
[ $retval -eq 3 ] && out "(timed out)"
|
||||||
outln
|
outln
|
||||||
|
|
||||||
close_socket
|
close_socket
|
||||||
# rm $TMPFILE
|
rm $TMPFILE
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1341,7 +1346,7 @@ crime() {
|
|||||||
# first we need to test whether OpenSSL binary has zlib support
|
# first we need to test whether OpenSSL binary has zlib support
|
||||||
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
|
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
magentaln "Seems your $OPENSSL hasn't zlib support, so you cannot test for CRIME"; echo
|
magentaln "Local Problem: Your $OPENSSL lacks zlib support"
|
||||||
return 0 #FIXME
|
return 0 #FIXME
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -1966,7 +1971,7 @@ case "$1" in
|
|||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.145 2014/11/19 21:23:12 dirkw Exp $
|
# $Id: testssl.sh,v 1.146 2014/11/20 09:46:54 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user