From 80e26a75ef62885d9fd187ad3ffe2df259580ff1 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 2 Jul 2015 16:39:41 +0200 Subject: [PATCH] * Warning if LibreSSL is used #126 * FIX for screwed up output for fixed ciphers (FREAK, LOGJAM), see also #126 * GOST support now doesn't complain if MY confif file aleady exists (minor fix) --- testssl.sh | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/testssl.sh b/testssl.sh index 69f178a..ce0de4e 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1482,7 +1482,7 @@ server_preference() { outln "$remark4default_cipher" if [ ! -z "$remark4default_cipher" ]; then - pr_bold " Negotiated cipher per proto"; out " $remark4default_cipher" + pr_bold " Negotiated cipher per proto"; outln " $remark4default_cipher" i=1 for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do locally_supported -"$p" || continue @@ -1490,7 +1490,7 @@ server_preference() { if [ $? -eq 0 ]; then proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') - [[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack! + [[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack! [[ $DEBUG -ge 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}" else proto[i]="" @@ -1501,7 +1501,7 @@ server_preference() { [ -n "$PROXY" ] && arg=" SPDY/NPN is" [ -n "$STARTTLS" ] && arg=" " - if spdy_pre " $arg"; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY + if spdy_pre " $arg"; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg "$NPN_PROTOs" /dev/null >$TMPFILE if [ $? -eq 0 ]; then proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g') 
@@ -1517,7 +1517,7 @@ server_preference() { for i in 1 2 3 4 5 6; do if [[ -n "${cipher[i]}" ]]; then # cipher not empty if [[ -z "${cipher[i-1]}" ]]; then # previous one empty - outln + #outln printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both else # previous NOT empty if [[ "${cipher[i-1]}" == "${cipher[i]}" ]]; then # and previous protocol same cipher @@ -2877,11 +2877,11 @@ EOF ### two helper functions for vulnerabilities follow count_ciphers() { - echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g' + printf "$1" | sed 's/:/ /g' | wc -w | sed 's/ //g' } actually_supported_ciphers() { - $OPENSSL ciphers "$1" + $OPENSSL ciphers "$1" 2>/dev/null || echo "" } # Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3 @@ -2967,6 +2967,7 @@ freak() { pr_bold " FREAK"; out " (CVE-2015-0204), experimental " no_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportrsa_cipher_list)) + #echo "========= ${PIPESTATUS[*]} case $no_supported_ciphers in 0) pr_magentaln "Local problem: your $OPENSSL doesn't have any EXPORT RSA ciphers configured" @@ -3532,6 +3533,10 @@ cleanup () { # for now only GOST engine initialize_engine(){ + if $OPENSSL version | grep -qi LibreSSL; then + outln + pr_litemagenta "Please note: LibreSSL is not a good choice for testing insecure features!" + fi if ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then outln pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln @@ -3542,8 +3547,10 @@ initialize_engine(){ return 1 elif echo $osslver | grep -q LibreSSL; then return 1 + elif grep -q '^# testssl config file' "$OPENSSL_CONF"; then + return 0 else - if [ ! -z "$OPENSSL_CONF" ]; then + if [ -n "$OPENSSL_CONF" ]; then pr_litemagenta "For now I am providing the config file in to have GOST support"; outln else [ -z "$TEMPDIR" ] && maketempf 
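Review bot: In count_ciphers the new `printf "$1"` uses the cipher list as the format string, so any `%` or backslash in the argument is interpreted instead of printed, and a leading `-` is parsed as an option. Writing it as `printf '%s' "$1" | sed 's/:/ /g' | wc -w | sed 's/ //g'` keeps the data out of the format. In actually_supported_ciphers, `2>/dev/null || echo ""` turns every failure of `$OPENSSL ciphers` into an empty list, so freak() prints "doesn't have any EXPORT RSA ciphers configured" even when the binary could not run at all. A comment such as `# empty output: no matching cipher, or $OPENSSL itself failed` would at least document that ambiguity.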
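Review bot: The added LibreSSL test in initialize_engine runs `$OPENSSL version | grep -qi LibreSSL`, while the existing branch lower in the same function tests `echo $osslver | grep -q LibreSSL`, which is case-sensitive and uses a cached string. The two checks should share one source and one matching rule, for example `if echo "$osslver" | grep -qi LibreSSL; then`, assuming `osslver` is already set at that point, which the hunk does not show. The new warning also lacks the `; outln` that follows the neighbouring `pr_litemagenta` calls, so later output may continue on the same line. initialize_engine starts and ends outside the hunk.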
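Review bot: The new `elif grep -q '^# testssl config file' "$OPENSSL_CONF"` runs before the emptiness test in the `else` branch, so when `OPENSSL_CONF` is unset grep gets an empty file name and writes an error to stderr. Guard and silence it with `elif [ -n "$OPENSSL_CONF" ] && grep -qs '^# testssl config file' "$OPENSSL_CONF"; then`. The marker line is also the only thing checked before `return 0`: any file named by the environment that contains this comment is accepted as a working GOST configuration, without verifying that it holds the engine section written by the here-document in the next hunk. A comment on the branch should state that assumption, e.g. `# marker present: assume this is the config written by an earlier run`. initialize_engine starts and ends outside the hunk.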
@@ -3552,6 +3559,8 @@ initialize_engine(){ cat >$OPENSSL_CONF << EOF openssl_conf = openssl_def +# testssl config file + [ openssl_def ] engines = engine_section @@ -4247,4 +4256,4 @@ fi exit $ret -# $Id: testssl.sh,v 1.298 2015/06/29 21:28:36 dirkw Exp $ +# $Id: testssl.sh,v 1.299 2015/07/02 14:39:40 dirkw Exp $