* Warning if LibreSSL is used #126
* FIX for screwed up output for fixed ciphers (FREAK, LOGJAM), see also #126 * GOST support now doesn't complain if MY config file already exists (minor fix)
This commit is contained in:
parent
1186bf4229
commit
80e26a75ef
21
testssl.sh
21
testssl.sh
@ -1482,7 +1482,7 @@ server_preference() {
|
||||
outln "$remark4default_cipher"
|
||||
|
||||
if [ ! -z "$remark4default_cipher" ]; then
|
||||
pr_bold " Negotiated cipher per proto"; out " $remark4default_cipher"
|
||||
pr_bold " Negotiated cipher per proto"; outln " $remark4default_cipher"
|
||||
i=1
|
||||
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
|
||||
locally_supported -"$p" || continue
|
||||
@ -1517,7 +1517,7 @@ server_preference() {
|
||||
for i in 1 2 3 4 5 6; do
|
||||
if [[ -n "${cipher[i]}" ]]; then # cipher not empty
|
||||
if [[ -z "${cipher[i-1]}" ]]; then # previous one empty
|
||||
outln
|
||||
#outln
|
||||
printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both
|
||||
else # previous NOT empty
|
||||
if [[ "${cipher[i-1]}" == "${cipher[i]}" ]]; then # and previous protocol same cipher
|
||||
@ -2877,11 +2877,11 @@ EOF
|
||||
|
||||
### two helper functions for vulnerabilities follow
|
||||
count_ciphers() {
|
||||
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g'
|
||||
printf "$1" | sed 's/:/ /g' | wc -w | sed 's/ //g'
|
||||
}
|
||||
|
||||
actually_supported_ciphers() {
|
||||
$OPENSSL ciphers "$1"
|
||||
$OPENSSL ciphers "$1" 2>/dev/null || echo ""
|
||||
}
|
||||
|
||||
# Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3
|
||||
@ -2967,6 +2967,7 @@ freak() {
|
||||
pr_bold " FREAK"; out " (CVE-2015-0204), experimental "
|
||||
|
||||
no_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportrsa_cipher_list))
|
||||
#echo "========= ${PIPESTATUS[*]}
|
||||
|
||||
case $no_supported_ciphers in
|
||||
0) pr_magentaln "Local problem: your $OPENSSL doesn't have any EXPORT RSA ciphers configured"
|
||||
@ -3532,6 +3533,10 @@ cleanup () {
|
||||
|
||||
# for now only GOST engine
|
||||
initialize_engine(){
|
||||
if $OPENSSL version | grep -qi LibreSSL; then
|
||||
outln
|
||||
pr_litemagenta "Please note: LibreSSL is not a good choice for testing insecure features!"
|
||||
fi
|
||||
if ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then
|
||||
outln
|
||||
pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln
|
||||
@ -3542,8 +3547,10 @@ initialize_engine(){
|
||||
return 1
|
||||
elif echo $osslver | grep -q LibreSSL; then
|
||||
return 1
|
||||
elif grep -q '^# testssl config file' "$OPENSSL_CONF"; then
|
||||
return 0
|
||||
else
|
||||
if [ ! -z "$OPENSSL_CONF" ]; then
|
||||
if [ -n "$OPENSSL_CONF" ]; then
|
||||
pr_litemagenta "For now I am providing the config file in to have GOST support"; outln
|
||||
else
|
||||
[ -z "$TEMPDIR" ] && maketempf
|
||||
@ -3552,6 +3559,8 @@ initialize_engine(){
|
||||
cat >$OPENSSL_CONF << EOF
|
||||
openssl_conf = openssl_def
|
||||
|
||||
# testssl config file
|
||||
|
||||
[ openssl_def ]
|
||||
engines = engine_section
|
||||
|
||||
@ -4247,4 +4256,4 @@ fi
|
||||
exit $ret
|
||||
|
||||
|
||||
# $Id: testssl.sh,v 1.298 2015/06/29 21:28:36 dirkw Exp $
|
||||
# $Id: testssl.sh,v 1.299 2015/07/02 14:39:40 dirkw Exp $
|
||||
|
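Review bot: In the rewritten count_ciphers (hunk at -2877), `printf "$1"` passes the cipher list as the printf format string, so any `%` or backslash sequence in the argument would be interpreted rather than counted; the form should be `printf '%s' "$1" | sed 's/:/ /g' | wc -w | sed 's/ //g'`. Current OpenSSL cipher names contain neither character, so this is a latent rather than an observed defect, but the function is a generic helper and the fix costs nothing. The `|| echo ""` added to actually_supported_ciphers makes an empty list reach count_ciphers, and the switch from `wc -l` to `wc -w` is what yields 0 in that case; a one-line comment above count_ciphers such as `# prints the number of ciphers in a colon-separated list; an empty list yields 0` would record that contract for the freak()/logjam() callers. Both helpers are contained entirely within the hunk.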