- centralized some HAS_* vars from s_client
This commit is contained in:
parent
9afbba1e04
commit
802a6da92c
60
testssl.sh
60
testssl.sh
@ -218,6 +218,9 @@ HAS_SSL3=false
|
|||||||
HAS_NO_SSL2=false
|
HAS_NO_SSL2=false
|
||||||
HAS_ALPN=false
|
HAS_ALPN=false
|
||||||
HAS_SPDY=false
|
HAS_SPDY=false
|
||||||
|
HAS_FALLBACK_SCSV=false
|
||||||
|
HAS_PROXY=false
|
||||||
|
HAS_XMPP=false
|
||||||
ADD_RFC_STR="rfc" # display RFC ciphernames
|
ADD_RFC_STR="rfc" # display RFC ciphernames
|
||||||
PORT=443 # unless otherwise auto-determined, see below
|
PORT=443 # unless otherwise auto-determined, see below
|
||||||
NODE=""
|
NODE=""
|
||||||
@ -1800,7 +1803,8 @@ run_cipher_per_proto() {
|
|||||||
has_server_protocol "${proto:1}" || continue
|
has_server_protocol "${proto:1}" || continue
|
||||||
|
|
||||||
# The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
|
# The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
|
||||||
if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]]; then
|
if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || \
|
||||||
|
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then
|
||||||
ossl_ciphers_proto="$proto"
|
ossl_ciphers_proto="$proto"
|
||||||
else
|
else
|
||||||
ossl_ciphers_proto="-tls1"
|
ossl_ciphers_proto="-tls1"
|
||||||
@ -3823,7 +3827,9 @@ determine_trust() {
|
|||||||
# and the output should should be indented by two more spaces.
|
# and the output should should be indented by two more spaces.
|
||||||
[[ -n $json_prefix ]] && spaces=" "
|
[[ -n $json_prefix ]] && spaces=" "
|
||||||
|
|
||||||
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]]; then
|
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && \
|
||||||
|
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]] && \
|
||||||
|
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1" ]]; then
|
||||||
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
|
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
|
||||||
fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning"
|
fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning"
|
||||||
fi
|
fi
|
||||||
@ -6499,8 +6505,7 @@ run_crime() {
|
|||||||
# return $ret
|
# return $ret
|
||||||
# esac
|
# esac
|
||||||
|
|
||||||
# $OPENSSL s_client -help 2>&1 | grep -qw nextprotoneg
|
# if "$HAS_NPN"; then
|
||||||
# if [[ $? -eq 0 ]]; then
|
|
||||||
# $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE
|
# $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE
|
||||||
# if [[ $? -eq 0 ]]; then
|
# if [[ $? -eq 0 ]]; then
|
||||||
# echo
|
# echo
|
||||||
@ -6629,7 +6634,7 @@ run_tls_fallback_scsv() {
|
|||||||
# the countermeasure to protect against protocol downgrade attacks.
|
# the countermeasure to protect against protocol downgrade attacks.
|
||||||
|
|
||||||
# First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
|
# First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
|
||||||
if ! $OPENSSL s_client -help 2>&1 | grep -q "\-fallback_scsv"; then
|
if ! "$HAS_FALLBACK_SCSV"; then
|
||||||
local_problem_ln "$OPENSSL lacks TLS_FALLBACK_SCSV support"
|
local_problem_ln "$OPENSSL lacks TLS_FALLBACK_SCSV support"
|
||||||
return 4
|
return 4
|
||||||
fi
|
fi
|
||||||
@ -7195,6 +7200,8 @@ test_openssl_suffix() {
|
|||||||
|
|
||||||
|
|
||||||
find_openssl_binary() {
|
find_openssl_binary() {
|
||||||
|
local s_client_has=$TEMPDIR/s_client_has.txt
|
||||||
|
|
||||||
# 0. check environment variable whether it's executable
|
# 0. check environment variable whether it's executable
|
||||||
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
|
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
|
||||||
pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary."
|
pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary."
|
||||||
@ -7226,7 +7233,7 @@ find_openssl_binary() {
|
|||||||
|
|
||||||
# see #190, reverting logic: unless otherwise proved openssl has no dh bits
|
# see #190, reverting logic: unless otherwise proved openssl has no dh bits
|
||||||
case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in
|
case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in
|
||||||
1.0.2|1.1.0) HAS_DH_BITS=true ;;
|
1.0.2|1.1.0|1.1.1) HAS_DH_BITS=true ;;
|
||||||
esac
|
esac
|
||||||
# libressl does not have "Server Temp Key" (SSL_get_server_tmp_key)
|
# libressl does not have "Server Temp Key" (SSL_get_server_tmp_key)
|
||||||
|
|
||||||
@ -7235,6 +7242,8 @@ find_openssl_binary() {
|
|||||||
pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!"
|
pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
initialize_engine
|
||||||
|
|
||||||
OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
|
OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
|
||||||
|
|
||||||
$OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \
|
||||||
@ -7246,12 +7255,23 @@ find_openssl_binary() {
|
|||||||
$OPENSSL s_client -no_ssl2 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL s_client -no_ssl2 2>&1 | grep -aq "unknown option" || \
|
||||||
HAS_NO_SSL2=true
|
HAS_NO_SSL2=true
|
||||||
|
|
||||||
$OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \
|
$OPENSSL s_client -help 2>$s_client_has
|
||||||
|
|
||||||
|
grep -qw '\-alpn' $s_client_has && \
|
||||||
HAS_ALPN=true
|
HAS_ALPN=true
|
||||||
|
|
||||||
$OPENSSL s_client -help 2>&1 | grep -qw '\-nextprotoneg' && \
|
grep -qw '\-nextprotoneg' $s_client_has && \
|
||||||
HAS_SPDY=true
|
HAS_SPDY=true
|
||||||
|
|
||||||
|
grep -qw '\-fallback_scsv' $s_client_has && \
|
||||||
|
HAS_FALLBACK_SCSV=true
|
||||||
|
|
||||||
|
grep -q '\-proxy' $s_client_has && \
|
||||||
|
HAS_PROXY=true
|
||||||
|
|
||||||
|
grep -q '\-xmpp' $s_client_has && \
|
||||||
|
HAS_XMPP=true
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -7401,10 +7421,13 @@ maketempf() {
|
|||||||
ERRFILE=$TEMPDIR/errorfile.txt || exit -6
|
ERRFILE=$TEMPDIR/errorfile.txt || exit -6
|
||||||
fi
|
fi
|
||||||
HOSTCERT=$TEMPDIR/host_certificate.txt
|
HOSTCERT=$TEMPDIR/host_certificate.txt
|
||||||
initialize_engine
|
}
|
||||||
|
|
||||||
|
prepare_debug() {
|
||||||
if [[ $DEBUG -ne 0 ]]; then
|
if [[ $DEBUG -ne 0 ]]; then
|
||||||
cat >$TEMPDIR/environment.txt << EOF
|
cat >$TEMPDIR/environment.txt << EOF
|
||||||
|
|
||||||
|
|
||||||
CVS_REL: $CVS_REL
|
CVS_REL: $CVS_REL
|
||||||
GIT_REL: $GIT_REL
|
GIT_REL: $GIT_REL
|
||||||
|
|
||||||
@ -7432,6 +7455,9 @@ HAS_SSL3: $HAS_SSL3
|
|||||||
HAS_NO_SSL2: $HAS_NO_SSL2
|
HAS_NO_SSL2: $HAS_NO_SSL2
|
||||||
HAS_SPDY: $HAS_SPDY
|
HAS_SPDY: $HAS_SPDY
|
||||||
HAS_ALPN: $HAS_ALPN
|
HAS_ALPN: $HAS_ALPN
|
||||||
|
HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
|
||||||
|
HAS_PROXY: $HAS_PROXY
|
||||||
|
HAS_XMPP: $HAS_XMPP
|
||||||
|
|
||||||
PATH: $PATH
|
PATH: $PATH
|
||||||
PROG_NAME: $PROG_NAME
|
PROG_NAME: $PROG_NAME
|
||||||
@ -7468,11 +7494,11 @@ CCS_MAX_WAITSOCK: $CCS_MAX_WAITSOCK
|
|||||||
USLEEP_SND $USLEEP_SND
|
USLEEP_SND $USLEEP_SND
|
||||||
USLEEP_REC $USLEEP_REC
|
USLEEP_REC $USLEEP_REC
|
||||||
|
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
which locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt
|
which locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt
|
||||||
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' &>$TEMPDIR/all_local_ciphers.txt
|
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' &>$TEMPDIR/all_local_ciphers.txt
|
||||||
fi
|
fi
|
||||||
|
# see also $TEMPDIR/s_client_has.txt from find_openssl_binary
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -7920,8 +7946,8 @@ get_mx_record() {
|
|||||||
#
|
#
|
||||||
check_proxy() {
|
check_proxy() {
|
||||||
if [[ -n "$PROXY" ]]; then
|
if [[ -n "$PROXY" ]]; then
|
||||||
if ! $OPENSSL s_client -help 2>&1 | grep -qw proxy; then
|
if ! "$HAS_PROXY"; then
|
||||||
fatal "Your $OPENSSL is too old to support the \"--proxy\" option" -5
|
fatal "Your $OPENSSL is too old to support the \"-proxy\" option" -5
|
||||||
fi
|
fi
|
||||||
PROXYNODE=${PROXY%:*}
|
PROXYNODE=${PROXY%:*}
|
||||||
PROXYPORT=${PROXY#*:}
|
PROXYPORT=${PROXY#*:}
|
||||||
@ -8064,7 +8090,7 @@ determine_service() {
|
|||||||
# for XMPP, openssl has a problem using -connect $NODEIP:$PORT. thus we use -connect $NODE:$PORT instead!
|
# for XMPP, openssl has a problem using -connect $NODEIP:$PORT. thus we use -connect $NODE:$PORT instead!
|
||||||
NODEIP="$NODE"
|
NODEIP="$NODE"
|
||||||
if [[ -n "$XMPP_HOST" ]]; then
|
if [[ -n "$XMPP_HOST" ]]; then
|
||||||
if ! $OPENSSL s_client --help 2>&1 | grep -q xmpphost; then
|
if ! "$HAS_XMPP"; then
|
||||||
fatal "Your $OPENSSL does not support the \"-xmpphost\" option" -5
|
fatal "Your $OPENSSL does not support the \"-xmpphost\" option" -5
|
||||||
fi
|
fi
|
||||||
STARTTLS="$STARTTLS -xmpphost $XMPP_HOST" # it's a hack -- instead of changing calls all over the place
|
STARTTLS="$STARTTLS -xmpphost $XMPP_HOST" # it's a hack -- instead of changing calls all over the place
|
||||||
@ -8350,8 +8376,9 @@ parse_cmd_line() {
|
|||||||
help 0
|
help 0
|
||||||
;;
|
;;
|
||||||
-b|--banner|-v|--version)
|
-b|--banner|-v|--version)
|
||||||
find_openssl_binary
|
|
||||||
maketempf
|
maketempf
|
||||||
|
find_openssl_binary
|
||||||
|
prepare_debug
|
||||||
mybanner
|
mybanner
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
@ -8754,8 +8781,9 @@ get_install_dir
|
|||||||
initialize_globals
|
initialize_globals
|
||||||
parse_cmd_line "$@"
|
parse_cmd_line "$@"
|
||||||
set_color_functions
|
set_color_functions
|
||||||
find_openssl_binary
|
|
||||||
maketempf
|
maketempf
|
||||||
|
find_openssl_binary
|
||||||
|
prepare_debug
|
||||||
mybanner
|
mybanner
|
||||||
check_proxy
|
check_proxy
|
||||||
check4openssl_oldfarts
|
check4openssl_oldfarts
|
||||||
@ -8817,4 +8845,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.543 2016/09/10 17:37:58 dirkw Exp $
|
# $Id: testssl.sh,v 1.545 2016/09/21 19:42:44 dirkw Exp $
|
||||||
|
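Review bot: The help-text capture in find_openssl_binary (`$OPENSSL s_client -help 2>$s_client_has`) redirects only stderr, whereas the lines it replaces piped `2>&1` into grep; should a build emit its usage on stdout, every later `grep … $s_client_has` test silently leaves HAS_ALPN, HAS_SPDY, HAS_FALLBACK_SCSV, HAS_PROXY and HAS_XMPP at their `false` defaults, and run_tls_fallback_scsv, check_proxy and determine_service then refuse a capability the binary actually has. `$OPENSSL s_client -help >"$s_client_has" 2>&1` keeps the previous behaviour, and quoting `"$s_client_has"` in that redirection and in the six grep calls protects against a TEMPDIR path containing whitespace. The same hunk also loosens the XMPP probe from the old `xmpphost` match to `grep -q '\-xmpp'`, which is worth a comment such as `# -xmpp matches -xmpphost in the help text; see determine_service` so a reader does not mistake it for a -starttls check. find_openssl_binary's body begins outside the hunk.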