Merge pull request #1601 from drwetter/xmpp_server_polish

STARTTLS xmpp-server polish
This commit is contained in:
Dirk Wetter 2020-05-02 19:41:24 +02:00 committed by GitHub
commit 8e6c80ffba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 24 additions and 5 deletions

View File

@ -1,4 +1,5 @@
language: perl
dist: bionic
perl:
- "5.26"
addons:

View File

@ -13,6 +13,7 @@
* Several display/output fixes
* Security fix: DNS input
* Don't use external pwd anymore
* STARTTLS: XMPP server support
* Rating (SSL Labs, not complete)
### Features implemented / improvements in 3.0

View File

@ -143,6 +143,9 @@ Full contribution, see git log.
* Dmitri S
- inspiration & help for Darwin port
* Jonas Schäfer
- XMPP server patch
* Marcin Szychowski
- Quick'n'dirty client certificate support

View File

@ -189,7 +189,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
<h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>
<p><code>-t &lt;protocol>, --starttls &lt;protocol></code> does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>, <code>pop3</code>, <code>imap</code>, <code>xmpp</code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> is WIP.</p>
<p><code>-t &lt;protocol>, --starttls &lt;protocol></code> does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>, <code>pop3</code>, <code>imap</code>, <code>xmpp</code>,<code>xmpp-server<code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> is WIP.</p>
<p><code>--xmpphost &lt;jabber_domain></code> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.</p>

View File

@ -113,7 +113,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
### SPECIAL INVOCATIONS
`-t <protocol>, --starttls <protocol>` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP.
`-t <protocol>, --starttls <protocol>` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `xmpp-server`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP.
`--xmpphost <jabber_domain>` is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.

View File

@ -99,6 +99,13 @@ $openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`;
unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++;
# $uri="jabber.ccc.de:5269";
# printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
# $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
# # $openssl_json = json('tmp.json');
# unlike($openssl_out, qr/$openssl_regex_bl/, "");
# $tests++;
$uri="ldap.uni-rostock.de:21";

View File

@ -317,6 +317,7 @@ HAS_NPN=false
HAS_FALLBACK_SCSV=false
HAS_PROXY=false
HAS_XMPP=false
HAS_XMPP_SERVER=false
HAS_POSTGRES=false
HAS_MYSQL=false
HAS_LMTP=false
@ -5181,7 +5182,6 @@ run_protocols() {
5) prln_svrty_high "CVE-2015-3197: $supported_no_ciph2";
fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310"
add_proto_offered ssl2 yes
add_tls_offered ssl2 yes
set_grade_cap "F" "SSLv2 is offered"
;;
7) prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""
@ -5210,7 +5210,6 @@ run_protocols() {
latest_supported_string="SSLv3"
fi
add_proto_offered ssl3 yes
add_tls_offered ssl3 yes
set_grade_cap "B" "SSLv3 is offered"
;;
1) prln_svrty_best "not offered (OK)"
@ -18214,6 +18213,7 @@ find_openssl_binary() {
HAS_FALLBACK_SCSV=false
HAS_PROXY=false
HAS_XMPP=false
HAS_XMPP_SERVER=false
HAS_POSTGRES=false
HAS_MYSQL=false
HAS_LMTP=false
@ -18298,9 +18298,12 @@ find_openssl_binary() {
grep -q '\-proxy' $s_client_has && \
HAS_PROXY=true
grep -q '\-xmpp' $s_client_has && \
grep -q 'xmpp' $s_client_starttls_has && \
HAS_XMPP=true
grep -q 'xmpp-server' $s_client_starttls_has && \
HAS_XMPP_SERVER=true
grep -q 'postgres' $s_client_starttls_has && \
HAS_POSTGRES=true
@ -18623,6 +18626,7 @@ HAS_PKEY: $HAS_PKEY
HAS_PKUTIL: $HAS_PKUTIL
HAS_PROXY: $HAS_PROXY
HAS_XMPP: $HAS_XMPP
HAS_XMPP_SERVER: $HAS_XMPP_SERVER
HAS_POSTGRES: $HAS_POSTGRES
HAS_MYSQL: $HAS_MYSQL
HAS_LMTP: $HAS_LMTP
@ -19811,6 +19815,9 @@ determine_service() {
fi
fi
fi
if [[ "$protocol" == xmpp-server ]] && ! "$HAS_XMPP_SERVER"; then
fatal "Your $OPENSSL does not support the \"-xmpphost\" option" $ERR_OSSLBIN
fi
elif [[ "$protocol" == postgres ]]; then
# Check if openssl version supports postgres.
if ! "$HAS_POSTGRES"; then