mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
CCS injection: better handling of TLS alert protocols
In certain situations while testting for CCS injection it could have happened that an error code was sent which was not interpreted properly by testssl.sh. (https://tools.ietf.org/html/rfc5246#section-7.2) This has now been fixed and thus addresses #906. Also it has been made sure that other error codes are reported appropiately. The case where this test failed before was a non-patched Ubuntu 12.04 with openssl/postfix on port 25.
This commit is contained in:
parent
39647d1703
commit
8149c2d5cf
25
testssl.sh
25
testssl.sh
@ -12156,17 +12156,34 @@ run_ccs_injection(){
|
|||||||
else
|
else
|
||||||
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
|
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
|
||||||
fi
|
fi
|
||||||
elif [[ "$byte6" == "15" ]] && [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
|
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
|
||||||
|
if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
|
||||||
|
pr_warning "test failed "
|
||||||
|
out "no proper TLS repy (debug info: protocol sent: 1503${tlshexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
|
||||||
|
fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
|
||||||
|
ret=1
|
||||||
|
elif [[ "$byte6" == "15" ]]; then
|
||||||
# decryption failed received
|
# decryption failed received
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
|
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
|
||||||
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
|
elif [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
|
||||||
if [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
|
|
||||||
# Unexpected message / Handshake failure received
|
# Unexpected message / Handshake failure received
|
||||||
pr_warning "likely "
|
pr_warning "likely "
|
||||||
out "not vulnerable (OK)"
|
out "not vulnerable (OK)"
|
||||||
out " - alert description type: $byte6"
|
out " - alert description type: $byte6"
|
||||||
fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
|
fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
|
||||||
|
elif [[ "$byte6" == "14" ]]; then
|
||||||
|
# bad_record_mac -- this is not "not vulnerable"
|
||||||
|
out "likely "
|
||||||
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
|
out ", suspicious \"bad_record_mac\" ($byte6)"
|
||||||
|
fileout "$jsonID" "CRITICAL" "likely VULNERABLE" "$cve" "$cwe" "$hint"
|
||||||
|
else
|
||||||
|
# other errors, see https://tools.ietf.org/html/rfc5246#section-7.2
|
||||||
|
out "likely "
|
||||||
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
|
out ", suspicious error code \"$byte6\" returned. Please report"
|
||||||
|
fileout "$jsonID" "CRITICAL" "likely VULNERABLE with $byte6" "$cve" "$cwe" "$hint"
|
||||||
fi
|
fi
|
||||||
elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then
|
elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then
|
||||||
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
|
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
|
||||||
@ -12187,7 +12204,7 @@ run_ccs_injection(){
|
|||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE
|
tmpfile_handle ${FUNCNAME[0]}.dd $SOCK_REPLY_FILE
|
||||||
close_socket
|
close_socket
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user