CCS injection: better handling of TLS alert protocols
In certain situations while testting for CCS injection it could have happened that an error code was sent which was not interpreted properly by testssl.sh. (https://tools.ietf.org/html/rfc5246#section-7.2) This has now been fixed and thus addresses #906. Also it has been made sure that other error codes are reported appropiately. The case where this test failed before was a non-patched Ubuntu 12.04 with openssl/postfix on port 25.
This commit is contained in:
parent
39647d1703
commit
8149c2d5cf
29
testssl.sh
29
testssl.sh
|
@ -12156,17 +12156,34 @@ run_ccs_injection(){
|
|||
else
|
||||
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
|
||||
fi
|
||||
elif [[ "$byte6" == "15" ]] && [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
|
||||
# decryption failed received
|
||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
|
||||
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
|
||||
if [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
|
||||
if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
|
||||
pr_warning "test failed "
|
||||
out "no proper TLS repy (debug info: protocol sent: 1503${tlshexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
|
||||
fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
|
||||
ret=1
|
||||
elif [[ "$byte6" == "15" ]]; then
|
||||
# decryption failed received
|
||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
|
||||
elif [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
|
||||
# Unexpected message / Handshake failure received
|
||||
pr_warning "likely "
|
||||
out "not vulnerable (OK)"
|
||||
out " - alert description type: $byte6"
|
||||
fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
|
||||
elif [[ "$byte6" == "14" ]]; then
|
||||
# bad_record_mac -- this is not "not vulnerable"
|
||||
out "likely "
|
||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||
out ", suspicious \"bad_record_mac\" ($byte6)"
|
||||
fileout "$jsonID" "CRITICAL" "likely VULNERABLE" "$cve" "$cwe" "$hint"
|
||||
else
|
||||
# other errors, see https://tools.ietf.org/html/rfc5246#section-7.2
|
||||
out "likely "
|
||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||
out ", suspicious error code \"$byte6\" returned. Please report"
|
||||
fileout "$jsonID" "CRITICAL" "likely VULNERABLE with $byte6" "$cve" "$cwe" "$hint"
|
||||
fi
|
||||
elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then
|
||||
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
|
||||
|
@ -12187,7 +12204,7 @@ run_ccs_injection(){
|
|||
fi
|
||||
outln
|
||||
|
||||
tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE
|
||||
tmpfile_handle ${FUNCNAME[0]}.dd $SOCK_REPLY_FILE
|
||||
close_socket
|
||||
return $ret
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue