From 53ee37b046cffa5ed74e28e8369c071f3e41ba3c Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 1 May 2020 18:03:19 +0200 Subject: [PATCH 1/9] XMPP server --- CHANGELOG.md | 1 + CREDITS.md | 3 +++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 31f0325..36d0236 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ * Several display/output fixes * Security fix: DNS input * Don't use external pwd anymore +* STARTTLS: XMPP server support * Rating (SSL Labs, not complete) ### Features implemented / improvements in 3.0 diff --git a/CREDITS.md b/CREDITS.md index 884d8dd..3c0cd24 100644 --- a/CREDITS.md +++ b/CREDITS.md @@ -143,6 +143,9 @@ Full contribution, see git log. * Dmitri S - inspiration & help for Darwin port +* Jonas Schäfer + - XMPP server patch + * Marcin Szychowski - Quick'n'dirty client certificate support From 0e6fb44bd34ece23f610d12e55ec748bb85e1565 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 1 May 2020 18:31:35 +0200 Subject: [PATCH 2/9] add xmpp-server --- doc/testssl.1.html | 2 +- doc/testssl.1.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 662cfae..37fb4dc 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -189,7 +189,7 @@ The same can be achieved by setting the environment variable WARNINGSSPECIAL INVOCATIONS -

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with --ssl-native. telnet and irc is WIP.

+

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp,xmpp-server, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with --ssl-native. telnet and irc is WIP.

--xmpphost <jabber_domain> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.

diff --git a/doc/testssl.1.md b/doc/testssl.1.md index 4cce65b..63cfa88 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md @@ -113,7 +113,7 @@ The same can be achieved by setting the environment variable `WARNINGS`. ### SPECIAL INVOCATIONS -`-t , --starttls ` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP. +`-t , --starttls ` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `xmpp-server`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP. `--xmpphost ` is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied. From 1d7adebb4e882949d457c3a8b3b7f1f99a741185 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 1 May 2020 18:32:22 +0200 Subject: [PATCH 3/9] Add HAS_XMPP_SERVER ... see also #1575 --- testssl.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index d5888d7..6520366 100755 --- a/testssl.sh +++ b/testssl.sh @@ -317,6 +317,7 @@ HAS_NPN=false HAS_FALLBACK_SCSV=false HAS_PROXY=false HAS_XMPP=false +HAS_XMPP_SERVER=false HAS_POSTGRES=false HAS_MYSQL=false HAS_LMTP=false @@ -18214,6 +18215,7 @@ find_openssl_binary() { HAS_FALLBACK_SCSV=false HAS_PROXY=false HAS_XMPP=false + HAS_XMPP_SERVER=false HAS_POSTGRES=false HAS_MYSQL=false HAS_LMTP=false 
@@ -18298,9 +18300,12 @@ find_openssl_binary() { grep -q '\-proxy' $s_client_has && \ HAS_PROXY=true - grep -q '\-xmpp' $s_client_has && \ + grep -q 'xmpp' $s_client_starttls_has && \ HAS_XMPP=true + grep -q 'xmpp-server' $s_client_starttls_has && \ + HAS_XMPP_SERVER=true + grep -q 'postgres' $s_client_starttls_has && \ HAS_POSTGRES=true @@ -18623,6 +18628,7 @@ HAS_PKEY: $HAS_PKEY HAS_PKUTIL: $HAS_PKUTIL HAS_PROXY: $HAS_PROXY HAS_XMPP: $HAS_XMPP +HAS_XMPP_SERVER: $HAS_XMPP_SERVER HAS_POSTGRES: $HAS_POSTGRES HAS_MYSQL: $HAS_MYSQL HAS_LMTP: $HAS_LMTP @@ -19811,6 +19817,9 @@ determine_service() { fi fi fi + if [[ "$protocol" == xmpp-server ]] && ! "$HAS_XMPP_SERVER"; then + fatal "Your $OPENSSL does not support the \"-xmpphost\" option" $ERR_OSSLBIN + fi elif [[ "$protocol" == postgres ]]; then # Check if openssl version supports postgres. if ! "$HAS_POSTGRES"; then From 191c69fbdde8cd90aa33f5cf914e071e3e0d1d8c Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 1 May 2020 18:39:36 +0200 Subject: [PATCH 4/9] Minor probe for STARTTLS xmpp-server ... don't know whether this gets through -- depends on the version openssl used (1.0.2 doesn't have that) --- t/25_baseline_starttls.t | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/t/25_baseline_starttls.t b/t/25_baseline_starttls.t index 0179e4a..18c9e27 100755 --- a/t/25_baseline_starttls.t +++ b/t/25_baseline_starttls.t @@ -99,6 +99,14 @@ $openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`; unlike($openssl_out, qr/$openssl_regex_bl/, ""); $tests++; +uri="jabber.ccc.de:5269" +printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ..."; +$openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`; +# $openssl_json = json('tmp.json'); +unlike($openssl_out, qr/$openssl_regex_bl/, ""); +$tests++; + + $uri="ldap.uni-rostock.de:21"; From 9e61d6605e87309f4ff6dfb8f92a9c264af4c55f Mon Sep 17 00:00:00 2001 
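Review bot: The fatal message in the new `xmpp-server` branch of determine_service names the wrong option: the flag being tested is `HAS_XMPP_SERVER`, which this same patch derives from the `xmpp-server` entry in `$s_client_starttls_has` (i.e. `-starttls xmpp-server`), yet the message says `-xmpphost`, so a user whose OpenSSL lacks server-to-server STARTTLS is pointed at an unrelated option. Suggested: `fatal "Your $OPENSSL does not support \"-starttls xmpp-server\"" $ERR_OSSLBIN`. The branch appears to sit inside the existing xmpp handling, but determine_service itself starts outside the hunk, so the surrounding conditions are not visible here.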
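Review bot: The new S2S probe hard-codes `--openssl=/usr/bin/openssl`, unlike the neighbouring tests which run `--ssl-native`, so on a system whose OpenSSL predates `-starttls xmpp-server` (the commit message itself mentions 1.0.2) the test fails outright instead of being skipped; patch 9/9 then comments the whole block out, which leaves dead code in the suite. Wrapping it in a `SKIP:` block (the `unlike` calls suggest Test::More) keeps the test live and keeps `$tests` in step with the plan, as the skipped test is still counted; the environment-variable gate below is a constructed example and should be replaced by whatever capability probe the suite prefers. The missing `$` sigil and semicolon on the `uri=` line are already corrected by patches 5/9 and 6/9. The file's preamble and plan are outside the hunk.
```perl
SKIP: {
    # constructed example gate: set TESTSSL_XMPP_SERVER=1 when the chosen
    # openssl supports "-starttls xmpp-server"
    skip "openssl without -starttls xmpp-server support", 1
        unless $ENV{TESTSSL_XMPP_SERVER};
    $uri = "jabber.ccc.de:5269";
    printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
    $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
    unlike($openssl_out, qr/$openssl_regex_bl/, "");
}
$tests++;    # counted whether run or skipped, so the plan stays consistent
```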
From: Dirk Date: Fri, 1 May 2020 19:17:58 +0200 Subject: [PATCH 5/9] Perl needs a semicolon ;-/ --- t/25_baseline_starttls.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/25_baseline_starttls.t b/t/25_baseline_starttls.t index 18c9e27..9537604 100755 --- a/t/25_baseline_starttls.t +++ b/t/25_baseline_starttls.t @@ -99,7 +99,7 @@ $openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`; unlike($openssl_out, qr/$openssl_regex_bl/, ""); $tests++; -uri="jabber.ccc.de:5269" +uri="jabber.ccc.de:5269"; printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ..."; $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`; # $openssl_json = json('tmp.json'); From 5da54b9ce8cdf1e49cde3de284820a458e911d4e Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 1 May 2020 21:42:41 +0200 Subject: [PATCH 6/9] fix var declaration --- t/25_baseline_starttls.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/25_baseline_starttls.t b/t/25_baseline_starttls.t index 9537604..0902b4c 100755 --- a/t/25_baseline_starttls.t +++ b/t/25_baseline_starttls.t @@ -99,7 +99,7 @@ $openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`; unlike($openssl_out, qr/$openssl_regex_bl/, ""); $tests++; -uri="jabber.ccc.de:5269"; +$uri="jabber.ccc.de:5269"; printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ..."; $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`; # $openssl_json = json('tmp.json'); From 485bcc1888e717b059166521a3d9d6fa874112f0 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 2 May 2020 18:34:10 +0200 Subject: [PATCH 7/9] Change Travis/CI environment to bionic ... as it comes with openssl 1.1.1 and we can check also XMPP S2S protocol --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 950e14b..d1d660b 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,4 +1,5 @@ language: perl +dist: bionic perl: - "5.26" addons: From 05c90d4c3ad5f63776fe227ed2f0e3a330f64603 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 2 May 2020 18:37:02 +0200 Subject: [PATCH 8/9] remove add_tls_offered --- testssl.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 6520366..ba67b8e 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5182,7 +5182,6 @@ run_protocols() { 5) prln_svrty_high "CVE-2015-3197: $supported_no_ciph2"; fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310" add_proto_offered ssl2 yes - add_tls_offered ssl2 yes set_grade_cap "F" "SSLv2 is offered" ;; 7) prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\"" @@ -5211,7 +5210,6 @@ run_protocols() { latest_supported_string="SSLv3" fi add_proto_offered ssl3 yes - add_tls_offered ssl3 yes set_grade_cap "B" "SSLv3 is offered" ;; 1) prln_svrty_best "not offered (OK)" From 7981a238a5c7016833c40cbeb4ee029b7d3679e5 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 2 May 2020 19:40:45 +0200 Subject: [PATCH 9/9] Comment out S2S XMPP server test for now --- t/25_baseline_starttls.t | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/t/25_baseline_starttls.t b/t/25_baseline_starttls.t index 0902b4c..efb795e 100755 --- a/t/25_baseline_starttls.t +++ b/t/25_baseline_starttls.t 
@@ -99,13 +99,12 @@ $openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`; unlike($openssl_out, qr/$openssl_regex_bl/, ""); $tests++; -$uri="jabber.ccc.de:5269"; -printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ..."; -$openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`; -# $openssl_json = json('tmp.json'); -unlike($openssl_out, qr/$openssl_regex_bl/, ""); -$tests++; - +# $uri="jabber.ccc.de:5269"; +# printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ..."; +# $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`; +# # $openssl_json = json('tmp.json'); +# unlike($openssl_out, qr/$openssl_regex_bl/, ""); +# $tests++; $uri="ldap.uni-rostock.de:21";