mirror of
https://github.com/drwetter/testssl.sh.git
synced 2026-07-15 03:27:38 +02:00
Fix confusion when scanning TLS-1.3-only hosts
When scanning hosts which offer only TLS 1.3 under some circumstances (e.g. using MacOS) the scan stopped and prompted the user . It happened always when $OPENSSL supported TLS 1.3. It did not when this was not the case. This fixes that (see #3083) for 3.3dev by just skipping the rest in determine_optimal_proto() when TLS13_ONLY is true. Also it fixes missing line feeds for servoce detecttion and order in which DNS HTTPS RR are displayed.
This commit is contained in:
+71
-75
@@ -2623,13 +2623,13 @@ service_detection() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
jsonID="service"
|
jsonID="service"
|
||||||
|
if [[ $SERVICE == HTTP ]] || "$ASSUME_HTTP" || [[ -n "$MTLS" ]]; then
|
||||||
|
dns_https_rr
|
||||||
|
fi
|
||||||
case $SERVICE in
|
case $SERVICE in
|
||||||
HTTP)
|
HTTP)
|
||||||
if [[ $SERVICE == HTTP ]]; then
|
|
||||||
dns_https_rr
|
|
||||||
fi
|
|
||||||
pr_bold " Service detected"
|
pr_bold " Service detected"
|
||||||
out ": $CORRECT_SPACES $SERVICE"
|
outln ": $CORRECT_SPACES $SERVICE"
|
||||||
fileout "${jsonID}" "INFO" "$SERVICE"
|
fileout "${jsonID}" "INFO" "$SERVICE"
|
||||||
;;
|
;;
|
||||||
IMAP|POP|SMTP|NNTP|MongoDB)
|
IMAP|POP|SMTP|NNTP|MongoDB)
|
||||||
@@ -2637,32 +2637,28 @@ service_detection() {
|
|||||||
out ": $CORRECT_SPACES $SERVICE, thus skipping HTTP specific checks"
|
out ": $CORRECT_SPACES $SERVICE, thus skipping HTTP specific checks"
|
||||||
fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
|
fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
|
||||||
;;
|
;;
|
||||||
#FIXME: \/ \/ dns_https_rr
|
|
||||||
*) pr_bold " Service detected:"; out " $CORRECT_SPACES"
|
*) pr_bold " Service detected:"; out " $CORRECT_SPACES"
|
||||||
if [[ ! -z $MTLS ]]; then
|
if [[ -n "$MTLS" ]]; then
|
||||||
out " not identified, but mTLS authentication is set ==> trying HTTP checks"
|
outln " not identified, but mTLS authentication is set ==> trying HTTP checks"
|
||||||
SERVICE=HTTP
|
SERVICE=HTTP
|
||||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
||||||
dns_https_rr
|
|
||||||
elif [[ "$CLIENT_AUTH" == required ]] && [[ -z $MTLS ]]; then
|
elif [[ "$CLIENT_AUTH" == required ]] && [[ -z $MTLS ]]; then
|
||||||
out " certificate-based authentication without providing client certificate and private key => skipping all HTTP checks" | tee $TMPFILE
|
outln " certificate-based authentication without providing client certificate and private key => skipping all HTTP checks" | tee $TMPFILE
|
||||||
fileout "${jsonID}" "INFO" "certificate-based authentication without providing client certificate and private key => skipping all HTTP checks"
|
fileout "${jsonID}" "INFO" "certificate-based authentication without providing client certificate and private key => skipping all HTTP checks"
|
||||||
else
|
else
|
||||||
out " Couldn't determine what's running on port $PORT"
|
out " Couldn't determine what's running on port $PORT"
|
||||||
if "$ASSUME_HTTP"; then
|
if "$ASSUME_HTTP"; then
|
||||||
SERVICE=HTTP
|
SERVICE=HTTP
|
||||||
out " -- ASSUME_HTTP set though"
|
outln " -- ASSUME_HTTP set though"
|
||||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
||||||
dns_https_rr
|
|
||||||
else
|
else
|
||||||
out ", assuming no HTTP service => skipping all HTTP checks"
|
outln ", assuming no HTTP service => skipping all HTTP checks"
|
||||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
|
fileout "${jsonID}" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
outln
|
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
@@ -23891,80 +23887,80 @@ determine_optimal_proto() {
|
|||||||
TLS12_CIPHER_OFFERED="$(get_cipher $TMPFILE)"
|
TLS12_CIPHER_OFFERED="$(get_cipher $TMPFILE)"
|
||||||
TLS12_CIPHER_OFFERED="$(openssl2hexcode "$TLS12_CIPHER_OFFERED")"
|
TLS12_CIPHER_OFFERED="$(openssl2hexcode "$TLS12_CIPHER_OFFERED")"
|
||||||
[[ ${#TLS12_CIPHER_OFFERED} -eq 9 ]] && TLS12_CIPHER_OFFERED="${TLS12_CIPHER_OFFERED:2:2},${TLS12_CIPHER_OFFERED:7:2}" || TLS12_CIPHER_OFFERED=""
|
[[ ${#TLS12_CIPHER_OFFERED} -eq 9 ]] && TLS12_CIPHER_OFFERED="${TLS12_CIPHER_OFFERED:2:2},${TLS12_CIPHER_OFFERED:7:2}" || TLS12_CIPHER_OFFERED=""
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "$optimal_proto" == -ssl2 ]]; then
|
if [[ "$optimal_proto" == -ssl2 ]]; then
|
||||||
prln_magenta "$NODEIP:$PORT appears to only support SSLv2."
|
prln_magenta "$NODEIP:$PORT appears to only support SSLv2."
|
||||||
fileout "$jsonID" "WARN" "$NODEIP:$PORT appears to only support SSLv2."
|
fileout "$jsonID" "WARN" "$NODEIP:$PORT appears to only support SSLv2."
|
||||||
ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
|
ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
|
||||||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||||
elif "$all_failed" && ! "$ALL_FAILED_SOCKETS"; then
|
elif "$all_failed" && ! "$ALL_FAILED_SOCKETS"; then
|
||||||
if ! "$HAS_TLS13" && "$TLS13_ONLY"; then
|
if ! "$HAS_TLS13" && "$TLS13_ONLY"; then
|
||||||
if "$HAS2_TLS13"; then
|
if "$HAS2_TLS13"; then
|
||||||
if "$OSSL_SHORTCUT" || [[ "$WARNINGS" == batch ]]; then
|
if "$OSSL_SHORTCUT" || [[ "$WARNINGS" == batch ]]; then
|
||||||
# switch w/o asking
|
# switch w/o asking
|
||||||
OPEN_MSG=" $NODE:$PORT appeared to support TLS 1.3 ONLY. Thus switched automagically from\n \"$OPENSSL\" to \"$OPENSSL2\"."
|
OPEN_MSG=" $NODE:$PORT appeared to support TLS 1.3 ONLY. Thus switched automagically from\n \"$OPENSSL\" to \"$OPENSSL2\"."
|
||||||
fileout "$jsonID" "INFO" "$NODE:$PORT appears to support TLS 1.3 ONLY, switching from $OPENSSL to $OPENSSL2 automagically"
|
fileout "$jsonID" "INFO" "$NODE:$PORT appears to support TLS 1.3 ONLY, switching from $OPENSSL to $OPENSSL2 automagically"
|
||||||
OPENSSL="$OPENSSL2"
|
|
||||||
find_openssl_binary
|
|
||||||
prepare_arrays
|
|
||||||
else
|
|
||||||
# now we need to ask the user
|
|
||||||
ignore_no_or_lame " Type \"yes\" to proceed with \"$OPENSSL2\" OR accept all scan problems" "yes"
|
|
||||||
if [[ $? -eq 0 ]]; then
|
|
||||||
fileout "$jsonID" "INFO" "$NODE:$PORT appears to support TLS 1.3 ONLY, switching from $OPENSSL to $OPENSSL2 by the user"
|
|
||||||
OPENSSL="$OPENSSL2"
|
OPENSSL="$OPENSSL2"
|
||||||
find_openssl_binary
|
find_openssl_binary
|
||||||
prepare_arrays
|
prepare_arrays
|
||||||
else
|
else
|
||||||
fileout "$jsonID" "WARN" "$NODE:$PORT appears to support TLS 1.3 ONLY, switching from $OPENSSL to $OPENSSL2 was denied by user"
|
# now we need to ask the user
|
||||||
|
ignore_no_or_lame " Type \"yes\" to proceed with \"$OPENSSL2\" OR accept all scan problems" "yes"
|
||||||
|
if [[ $? -eq 0 ]]; then
|
||||||
|
fileout "$jsonID" "INFO" "$NODE:$PORT appears to support TLS 1.3 ONLY, switching from $OPENSSL to $OPENSSL2 by the user"
|
||||||
|
OPENSSL="$OPENSSL2"
|
||||||
|
find_openssl_binary
|
||||||
|
prepare_arrays
|
||||||
|
else
|
||||||
|
fileout "$jsonID" "WARN" "$NODE:$PORT appears to support TLS 1.3 ONLY, switching from $OPENSSL to $OPENSSL2 was denied by user"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
elif ! "$HAS_SSL3" && [[ "$(has_server_protocol "ssl3")" -eq 0 ]] && [[ "$(has_server_protocol "tls1_3")" -ne 0 ]] && \
|
||||||
elif ! "$HAS_SSL3" && [[ "$(has_server_protocol "ssl3")" -eq 0 ]] && [[ "$(has_server_protocol "tls1_3")" -ne 0 ]] && \
|
[[ "$(has_server_protocol "tls1_2")" -ne 0 ]] && [[ "$(has_server_protocol "tls1_1")" -ne 0 ]] &&
|
||||||
[[ "$(has_server_protocol "tls1_2")" -ne 0 ]] && [[ "$(has_server_protocol "tls1_1")" -ne 0 ]] &&
|
[[ "$(has_server_protocol "tls1")" -ne 0 ]]; then
|
||||||
[[ "$(has_server_protocol "tls1")" -ne 0 ]]; then
|
prln_warning " $NODE:$PORT appears to support SSLv3 ONLY. You better use --openssl=<path_to_openssl_supporting_SSL_3>"
|
||||||
prln_warning " $NODE:$PORT appears to support SSLv3 ONLY. You better use --openssl=<path_to_openssl_supporting_SSL_3>"
|
fileout "$jsonID" "WARN" "$NODE:$PORT appears to support SSLv3 ONLY, but $OPENSSL does not support SSLv3."
|
||||||
fileout "$jsonID" "WARN" "$NODE:$PORT appears to support SSLv3 ONLY, but $OPENSSL does not support SSLv3."
|
ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes"
|
||||||
ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes"
|
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
MAX_OSSL_FAIL=10
|
||||||
MAX_OSSL_FAIL=10
|
|
||||||
else
|
|
||||||
outln
|
|
||||||
prln_warning " Your $OPENSSL cannot connect to $NODEIP:$PORT."
|
|
||||||
if [[ -x $OPENSSL2 ]] ; then
|
|
||||||
outln " Restarting with --openssl=$OPENSSL2 likely helps"
|
|
||||||
fileout "$jsonID" "WARN" "$OPENSSL cannot connect to $NODEIP:$PORT. Recommended using --openssl=$OPENSSL2"
|
|
||||||
else
|
else
|
||||||
fileout "$jsonID" "WARN" "Your $OPENSSL cannot connect to $NODEIP:$PORT."
|
outln
|
||||||
|
prln_warning " Your $OPENSSL cannot connect to $NODEIP:$PORT."
|
||||||
|
if [[ -x $OPENSSL2 ]] ; then
|
||||||
|
outln " Restarting with --openssl=$OPENSSL2 likely helps"
|
||||||
|
fileout "$jsonID" "WARN" "$OPENSSL cannot connect to $NODEIP:$PORT. Recommended using --openssl=$OPENSSL2"
|
||||||
|
else
|
||||||
|
fileout "$jsonID" "WARN" "Your $OPENSSL cannot connect to $NODEIP:$PORT."
|
||||||
|
fi
|
||||||
|
outln
|
||||||
|
ignore_no_or_lame " If you continue the results are likely not correct. Really proceed ? (\"yes\" to continue)" "yes"
|
||||||
|
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||||
fi
|
fi
|
||||||
|
elif "$all_failed"; then
|
||||||
outln
|
outln
|
||||||
ignore_no_or_lame " If you continue the results are likely not correct. Really proceed ? (\"yes\" to continue)" "yes"
|
if "$IPv6_OK"; then
|
||||||
|
pr_bold " Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT "
|
||||||
|
fileout "$jsonID" "WARN" "Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server."
|
||||||
|
else
|
||||||
|
pr_bold " $NODEIP:$PORT "
|
||||||
|
fileout "$jsonID" "WARN" "$NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server."
|
||||||
|
fi
|
||||||
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
|
prln_bold "doesn't seem to be a TLS/SSL enabled server";
|
||||||
|
ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes"
|
||||||
|
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||||
|
elif ! "$all_failed" && "$ALL_FAILED_SOCKETS" && ! "$SSL_NATIVE"; then
|
||||||
|
# Edge case: connecting with tls_sockets/sslv2_sockets didn't work, but connecting with $OPENSSL s_client did.
|
||||||
|
# See #2807
|
||||||
|
prln_warning "This shouldn't happen (pls report): Testing $NODE:$PORT only succeeded using $OPENSSL."
|
||||||
|
prln_warning "But testssl.sh also needs bash sockets to perform its checks correctly.\n"
|
||||||
|
outln "You can try to continue using the --ssl-native option but the results are likely not complete."
|
||||||
|
outln "Or you can restart using --ssl-native with another openssl version (--openssl <PATH>)."
|
||||||
|
fileout "$jsonID" "WARN" "Sockets didn't work. Testing NODE:$PORT only succeeded using $OPENSSL."
|
||||||
|
ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
|
||||||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||||
fi
|
fi
|
||||||
elif "$all_failed"; then
|
|
||||||
outln
|
|
||||||
if "$IPv6_OK"; then
|
|
||||||
pr_bold " Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT "
|
|
||||||
fileout "$jsonID" "WARN" "Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server."
|
|
||||||
else
|
|
||||||
pr_bold " $NODEIP:$PORT "
|
|
||||||
fileout "$jsonID" "WARN" "$NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server."
|
|
||||||
fi
|
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
|
||||||
prln_bold "doesn't seem to be a TLS/SSL enabled server";
|
|
||||||
ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes"
|
|
||||||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
|
||||||
elif ! "$all_failed" && "$ALL_FAILED_SOCKETS" && ! "$SSL_NATIVE"; then
|
|
||||||
# Edge case: connecting with tls_sockets/sslv2_sockets didn't work, but connecting with $OPENSSL s_client did.
|
|
||||||
# See #2807
|
|
||||||
prln_warning "This shouldn't happen (pls report): Testing $NODE:$PORT only succeeded using $OPENSSL."
|
|
||||||
prln_warning "But testssl.sh also needs bash sockets to perform its checks correctly.\n"
|
|
||||||
outln "You can try to continue using the --ssl-native option but the results are likely not complete."
|
|
||||||
outln "Or you can restart using --ssl-native with another openssl version (--openssl <PATH>)."
|
|
||||||
fileout "$jsonID" "WARN" "Sockets didn't work. Testing NODE:$PORT only succeeded using $OPENSSL."
|
|
||||||
ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
|
|
||||||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
|
|||||||
Reference in New Issue
Block a user