Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2024-12-29 04:49:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Finalizing proxy support for OCSP checks

Browse Source 
As mentioned in #1106 proxying ocsp protocol doesn't work (yet)
This commit notifies the user that it is not possible. One
can ignore that and try by supplying IGN_OCSP_PROXY=true.

It also fixes a typo I probably introduced (pVULN_THRESHLD).
This commit is contained in:
Dirk 2018-08-24 15:43:25 +02:00
parent 3fdcd034f3
commit 8d7dd663f9
4 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/testssl.1
View File

@ -131,7 +131,7 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
\fB\-\-ip <ip>\fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB<URI>\fR\. IPv6 addresses needs to be in square brackets\. \fB\-\-ip=one\fR means: just test the first DNS returns (useful for multiple IPs)\. If \fB\-6\fR was supplied too, an IPv6 address is being picked if available and supported by the openssl binary\. It might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\.
.
.P
\fB\-\-proxy <host>:<port>\fR does the whole check via the specified HTTP proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. Proxying via IPv6 addresses is not possible\. The hostname supplied will only be resolved to the first A record\. Authentication to the proxy is not supported\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\.
\fB\-\-proxy <host>:<port>\fR does ANY check via the specified proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported\. The hostname supplied will be resolved to the first A record\. Authentication to the proxy is not supported\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\. OCSP revocation checking (\fB\-S \-\-phone\-out\fR) is not supported by OpenSSL via proxy\. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won\'t be performed\. However if \fBIGN_OCSP_PROXY=true\fR has been supplied it will be tried directly\.
.
.P
\fB\-6\fR does (also) IPv6 checks\. Please note if a supplied URI resolves (also) to an IPv6 address that testssl\.sh doesn\'t do checks on an IPv6 address automatically\. This is because testssl\.sh does no connectivity checks for IPv6\. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fB\-6\fR assumes both is the case\. If both conditions are met and you want in general enable IPv6 tests you might as well add \fBHAS_IPv6\fR to your shell environment\.

2
doc/testssl.1.html
View File

@ -183,7 +183,7 @@ host.example.com:631
<p><code>--ip &lt;ip></code> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <code>&lt;URI></code>. IPv6 addresses needs to be in square brackets.
<code>--ip=one</code> means: just test the first DNS returns (useful for multiple IPs). If <code>-6</code> was supplied too, an IPv6 address is being picked if available and supported by the openssl binary. It might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit <code>/etc/hosts</code> or <code>/c/Windows/System32/drivers/etc/hosts</code>. <code>--ip=proxy</code> tries a DNS resolution via proxy.</p>
<p><code>--proxy &lt;host>:&lt;port></code> does the whole check via the specified HTTP proxy. <code>--proxy=auto</code> inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify <code>DNS_VIA_PROXY=true</code>.</p>
<p><code>--proxy &lt;host>:&lt;port></code> does ANY check via the specified proxy. <code>--proxy=auto</code> inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported. The hostname supplied will be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify <code>DNS_VIA_PROXY=true</code>. OCSP revocation checking (<code>-S --phone-out</code>) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won't be performed. However if <code>IGN_OCSP_PROXY=true</code> has been supplied it will be tried directly.</p>
<p><code>-6</code> does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. <code>-6</code> assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add <code>HAS_IPv6</code> to your shell environment.</p>

2
doc/testssl.1.md
View File

@ -106,7 +106,7 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r
`--ip <ip>` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in `<URI>`. IPv6 addresses needs to be in square brackets.
`--ip=one` means: just test the first DNS returns (useful for multiple IPs). If `-6` was supplied too, an IPv6 address is being picked if available and supported by the openssl binary. It might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy.
`--proxy <host>:<port>` does the whole check via the specified HTTP proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`.
`--proxy <host>:<port>` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported. The hostname supplied will be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly.
`-6` does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `-6` assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add `HAS_IPv6` to your shell environment.

12
testssl.sh
View File

@ -226,6 +226,8 @@ OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulne
#
EXPERIMENTAL=${EXPERIMENTAL:-false}
PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy
DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip=proxy reverses this
IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
MAX_OSSL_FAIL=${MAX_OSSL_FAIL:-2} # If this many failures for s_client connects are reached we terminate
@ -243,8 +245,7 @@ HPKP_MIN=${HPKP_MIN:-30} # >=30 days should be ok for HPKP_MIN, p
HPKP_MIN=$((HPKP_MIN * 86400)) # correct to seconds
DAYS2WARN1=${DAYS2WARN1:-60} # days to warn before cert expires, threshold 1
DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2
pVULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check
DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip=proxy reverses this
VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
NO_ENGINE=${NO_ENGINE:-false} # if there are problems finding the (external) openssl engine set this to true
declare -r CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
@ -1573,6 +1574,13 @@ check_revocation_ocsp() {
"$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
[[ -n "$GOOD_CA_BUNDLE" ]] || return 0
if [[ -n "$PROXY" ]] && ! "$IGN_OCSP_PROXY"; then
# see #1106 and https://github.com/openssl/openssl/issues/6965
out ", "
pr_warning "revocation not tested as \"openssl ocsp\" doesn't support a proxy"
fileout "$jsonID" "WARN" "Revocation not tested as openssl ocsp doesn't support a proxy"
return 0
fi
grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem || return 0
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
if [[ -n "$stapled_response" ]]; then