* Warning if LibreSSL is used #126

* FIX for screwed up output for fixed ciphers (FREAK, LOGJAM), see also #126
* GOST support now doesn't complain if MY config file already exists (minor fix)
Dirk 2015-07-02 16:39:41 +02:00
parent 1186bf4229
commit 80e26a75ef


@ -1482,7 +1482,7 @@ server_preference() {
outln "$remark4default_cipher" outln "$remark4default_cipher"
if [ ! -z "$remark4default_cipher" ]; then if [ ! -z "$remark4default_cipher" ]; then
pr_bold " Negotiated cipher per proto"; out " $remark4default_cipher" pr_bold " Negotiated cipher per proto"; outln " $remark4default_cipher"
i=1 i=1
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
locally_supported -"$p" || continue locally_supported -"$p" || continue
@ -1490,7 +1490,7 @@ server_preference() {
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
[[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack! [[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack!
[[ $DEBUG -ge 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}" [[ $DEBUG -ge 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}"
else else
proto[i]="" proto[i]=""
@ -1501,7 +1501,7 @@ server_preference() {
[ -n "$PROXY" ] && arg=" SPDY/NPN is" [ -n "$PROXY" ] && arg=" SPDY/NPN is"
[ -n "$STARTTLS" ] && arg=" " [ -n "$STARTTLS" ] && arg=" "
if spdy_pre " $arg"; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY if spdy_pre " $arg"; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY
$OPENSSL s_client -host $NODE -port $PORT -nextprotoneg "$NPN_PROTOs" </dev/null 2>/dev/null >$TMPFILE $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg "$NPN_PROTOs" </dev/null 2>/dev/null >$TMPFILE
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g') proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g')
@ -1517,7 +1517,7 @@ server_preference() {
for i in 1 2 3 4 5 6; do for i in 1 2 3 4 5 6; do
if [[ -n "${cipher[i]}" ]]; then # cipher not empty if [[ -n "${cipher[i]}" ]]; then # cipher not empty
if [[ -z "${cipher[i-1]}" ]]; then # previous one empty if [[ -z "${cipher[i-1]}" ]]; then # previous one empty
outln #outln
printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both
else # previous NOT empty else # previous NOT empty
if [[ "${cipher[i-1]}" == "${cipher[i]}" ]]; then # and previous protocol same cipher if [[ "${cipher[i-1]}" == "${cipher[i]}" ]]; then # and previous protocol same cipher
@ -2877,11 +2877,11 @@ EOF
### two helper functions for vulnerabilities follow ### two helper functions for vulnerabilities follow
count_ciphers() { count_ciphers() {
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g' printf "$1" | sed 's/:/ /g' | wc -w | sed 's/ //g'
} }
actually_supported_ciphers() { actually_supported_ciphers() {
$OPENSSL ciphers "$1" $OPENSSL ciphers "$1" 2>/dev/null || echo ""
} }
# Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3 # Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3
@ -2967,6 +2967,7 @@ freak() {
pr_bold " FREAK"; out " (CVE-2015-0204), experimental " pr_bold " FREAK"; out " (CVE-2015-0204), experimental "
no_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportrsa_cipher_list)) no_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportrsa_cipher_list))
#echo "========= ${PIPESTATUS[*]}
case $no_supported_ciphers in case $no_supported_ciphers in
0) pr_magentaln "Local problem: your $OPENSSL doesn't have any EXPORT RSA ciphers configured" 0) pr_magentaln "Local problem: your $OPENSSL doesn't have any EXPORT RSA ciphers configured"
@ -3532,6 +3533,10 @@ cleanup () {
# for now only GOST engine # for now only GOST engine
initialize_engine(){ initialize_engine(){
if $OPENSSL version | grep -qi LibreSSL; then
outln
pr_litemagenta "Please note: LibreSSL is not a good choice for testing insecure features!"
fi
if ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then if ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then
outln outln
pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln
@ -3542,8 +3547,10 @@ initialize_engine(){
return 1 return 1
elif echo $osslver | grep -q LibreSSL; then elif echo $osslver | grep -q LibreSSL; then
return 1 return 1
elif grep -q '^# testssl config file' "$OPENSSL_CONF"; then
return 0
else else
if [ ! -z "$OPENSSL_CONF" ]; then if [ -n "$OPENSSL_CONF" ]; then
pr_litemagenta "For now I am providing the config file in to have GOST support"; outln pr_litemagenta "For now I am providing the config file in to have GOST support"; outln
else else
[ -z "$TEMPDIR" ] && maketempf [ -z "$TEMPDIR" ] && maketempf
@ -3552,6 +3559,8 @@ initialize_engine(){
cat >$OPENSSL_CONF << EOF cat >$OPENSSL_CONF << EOF
openssl_conf = openssl_def openssl_conf = openssl_def
# testssl config file
[ openssl_def ] [ openssl_def ]
engines = engine_section engines = engine_section
@ -4247,4 +4256,4 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.298 2015/06/29 21:28:36 dirkw Exp $ # $Id: testssl.sh,v 1.299 2015/07/02 14:39:40 dirkw Exp $
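Review bot: In initialize_engine, the added `elif grep -q '^# testssl config file' "$OPENSSL_CONF"; then` runs before the emptiness test on `$OPENSSL_CONF` in the following `else` branch, so when the variable is unset or empty, grep is handed an empty file name, prints an error to stderr, and the branch falls through only because of the non-zero exit. Guarding it as `elif [ -n "$OPENSSL_CONF" ] && grep -q '^# testssl config file' "$OPENSSL_CONF" 2>/dev/null; then` keeps the early return for the script's own file and stays quiet otherwise. The marker comment is the only thing checked, so any config file carrying that line is accepted without further inspection; a one-line comment stating that assumption would help the next reader. The function's body starts and ends outside the visible hunks.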