Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-07 17:20:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

- centralized some HAS_* vars from s_client

Browse Source
This commit is contained in:
Dirk Wetter 2016-09-21 21:42:45 +02:00
parent 9afbba1e04
commit 802a6da92c
1 changed files with 44 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
testssl.sh
View File

@ -218,6 +218,9 @@ HAS_SSL3=false
HAS_NO_SSL2=false HAS_NO_SSL2=false
HAS_ALPN=false HAS_ALPN=false
HAS_SPDY=false HAS_SPDY=false
HAS_FALLBACK_SCSV=false
HAS_PROXY=false
HAS_XMPP=false
ADD_RFC_STR="rfc" # display RFC ciphernames ADD_RFC_STR="rfc" # display RFC ciphernames
PORT=443 # unless otherwise auto-determined, see below PORT=443 # unless otherwise auto-determined, see below
NODE="" NODE=""
@ -1800,7 +1803,8 @@ run_cipher_per_proto() {
has_server_protocol "${proto:1}" || continue has_server_protocol "${proto:1}" || continue
# The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1. # The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]]; then if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || \
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then
ossl_ciphers_proto="$proto" ossl_ciphers_proto="$proto"
else else
ossl_ciphers_proto="-tls1" ossl_ciphers_proto="-tls1"
@ -3823,7 +3827,9 @@ determine_trust() {
# and the output should should be indented by two more spaces. # and the output should should be indented by two more spaces.
[[ -n $json_prefix ]] && spaces=" " [[ -n $json_prefix ]] && spaces=" "
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]]; then if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && \
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]] && \
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1" ]]; then
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)" addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning" fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning"
fi fi
@ -6499,8 +6505,7 @@ run_crime() {
# return $ret # return $ret
# esac # esac
# $OPENSSL s_client -help 2>&1 | grep -qw nextprotoneg # if "$HAS_NPN"; then
# if [[ $? -eq 0 ]]; then
# $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE # $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE
# if [[ $? -eq 0 ]]; then # if [[ $? -eq 0 ]]; then
# echo # echo
@ -6629,7 +6634,7 @@ run_tls_fallback_scsv() {
# the countermeasure to protect against protocol downgrade attacks. # the countermeasure to protect against protocol downgrade attacks.
# First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL # First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
if ! $OPENSSL s_client -help 2>&1 | grep -q "\-fallback_scsv"; then if ! "$HAS_FALLBACK_SCSV"; then
local_problem_ln "$OPENSSL lacks TLS_FALLBACK_SCSV support" local_problem_ln "$OPENSSL lacks TLS_FALLBACK_SCSV support"
return 4 return 4
fi fi
@ -7195,6 +7200,8 @@ test_openssl_suffix() {
find_openssl_binary() { find_openssl_binary() {
local s_client_has=$TEMPDIR/s_client_has.txt
# 0. check environment variable whether it's executable # 0. check environment variable whether it's executable
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary." pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary."
@ -7226,7 +7233,7 @@ find_openssl_binary() {
# see #190, reverting logic: unless otherwise proved openssl has no dh bits # see #190, reverting logic: unless otherwise proved openssl has no dh bits
case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in
1.0.2|1.1.0) HAS_DH_BITS=true ;; 1.0.2|1.1.0|1.1.1) HAS_DH_BITS=true ;;
esac esac
# libressl does not have "Server Temp Key" (SSL_get_server_tmp_key) # libressl does not have "Server Temp Key" (SSL_get_server_tmp_key)
@ -7235,6 +7242,8 @@ find_openssl_binary() {
pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!" pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!"
fi fi
initialize_engine
OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)") OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
$OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \
@ -7246,12 +7255,23 @@ find_openssl_binary() {
$OPENSSL s_client -no_ssl2 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -no_ssl2 2>&1 | grep -aq "unknown option" || \
HAS_NO_SSL2=true HAS_NO_SSL2=true
$OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \ $OPENSSL s_client -help 2>$s_client_has
grep -qw '\-alpn' $s_client_has && \
HAS_ALPN=true HAS_ALPN=true
$OPENSSL s_client -help 2>&1 | grep -qw '\-nextprotoneg' && \ grep -qw '\-nextprotoneg' $s_client_has && \
HAS_SPDY=true HAS_SPDY=true
grep -qw '\-fallback_scsv' $s_client_has && \
HAS_FALLBACK_SCSV=true
grep -q '\-proxy' $s_client_has && \
HAS_PROXY=true
grep -q '\-xmpp' $s_client_has && \
HAS_XMPP=true
return 0 return 0
} }
@ -7401,10 +7421,13 @@ maketempf() {
ERRFILE=$TEMPDIR/errorfile.txt || exit -6 ERRFILE=$TEMPDIR/errorfile.txt || exit -6
fi fi
HOSTCERT=$TEMPDIR/host_certificate.txt HOSTCERT=$TEMPDIR/host_certificate.txt
initialize_engine }
prepare_debug() {
if [[ $DEBUG -ne 0 ]]; then if [[ $DEBUG -ne 0 ]]; then
cat >$TEMPDIR/environment.txt << EOF cat >$TEMPDIR/environment.txt << EOF
CVS_REL: $CVS_REL CVS_REL: $CVS_REL
GIT_REL: $GIT_REL GIT_REL: $GIT_REL
@ -7432,6 +7455,9 @@ HAS_SSL3: $HAS_SSL3
HAS_NO_SSL2: $HAS_NO_SSL2 HAS_NO_SSL2: $HAS_NO_SSL2
HAS_SPDY: $HAS_SPDY HAS_SPDY: $HAS_SPDY
HAS_ALPN: $HAS_ALPN HAS_ALPN: $HAS_ALPN
HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
HAS_PROXY: $HAS_PROXY
HAS_XMPP: $HAS_XMPP
PATH: $PATH PATH: $PATH
PROG_NAME: $PROG_NAME PROG_NAME: $PROG_NAME
@ -7468,11 +7494,11 @@ CCS_MAX_WAITSOCK: $CCS_MAX_WAITSOCK
USLEEP_SND $USLEEP_SND USLEEP_SND $USLEEP_SND
USLEEP_REC $USLEEP_REC USLEEP_REC $USLEEP_REC
EOF EOF
which locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt which locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' &>$TEMPDIR/all_local_ciphers.txt $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' &>$TEMPDIR/all_local_ciphers.txt
fi fi
# see also $TEMPDIR/s_client_has.txt from find_openssl_binary
} }
@ -7920,8 +7946,8 @@ get_mx_record() {
# #
check_proxy() { check_proxy() {
if [[ -n "$PROXY" ]]; then if [[ -n "$PROXY" ]]; then
if ! $OPENSSL s_client -help 2>&1 | grep -qw proxy; then if ! "$HAS_PROXY"; then
fatal "Your $OPENSSL is too old to support the \"--proxy\" option" -5 fatal "Your $OPENSSL is too old to support the \"-proxy\" option" -5
fi fi
PROXYNODE=${PROXY%:*} PROXYNODE=${PROXY%:*}
PROXYPORT=${PROXY#*:} PROXYPORT=${PROXY#*:}
@ -8064,7 +8090,7 @@ determine_service() {
# for XMPP, openssl has a problem using -connect $NODEIP:$PORT. thus we use -connect $NODE:$PORT instead! # for XMPP, openssl has a problem using -connect $NODEIP:$PORT. thus we use -connect $NODE:$PORT instead!
NODEIP="$NODE" NODEIP="$NODE"
if [[ -n "$XMPP_HOST" ]]; then if [[ -n "$XMPP_HOST" ]]; then
if ! $OPENSSL s_client --help 2>&1 | grep -q xmpphost; then if ! "$HAS_XMPP"; then
fatal "Your $OPENSSL does not support the \"-xmpphost\" option" -5 fatal "Your $OPENSSL does not support the \"-xmpphost\" option" -5
fi fi
STARTTLS="$STARTTLS -xmpphost $XMPP_HOST" # it's a hack -- instead of changing calls all over the place STARTTLS="$STARTTLS -xmpphost $XMPP_HOST" # it's a hack -- instead of changing calls all over the place
@ -8350,8 +8376,9 @@ parse_cmd_line() {
help 0 help 0
;; ;;
-b|--banner|-v|--version) -b|--banner|-v|--version)
find_openssl_binary
maketempf maketempf
find_openssl_binary
prepare_debug
mybanner mybanner
exit 0 exit 0
;; ;;
@ -8754,8 +8781,9 @@ get_install_dir
initialize_globals initialize_globals
parse_cmd_line "$@" parse_cmd_line "$@"
set_color_functions set_color_functions
find_openssl_binary
maketempf maketempf
find_openssl_binary
prepare_debug
mybanner mybanner
check_proxy check_proxy
check4openssl_oldfarts check4openssl_oldfarts
@ -8817,4 +8845,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.543 2016/09/10 17:37:58 dirkw Exp $ # $Id: testssl.sh,v 1.545 2016/09/21 19:42:44 dirkw Exp $