Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-11-03 23:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1601 from drwetter/xmpp_server_polish

Browse Source 
STARTTLS xmpp-server polish
This commit is contained in:
Dirk Wetter
2020-05-02 19:41:24 +02:00
committed by GitHub
parent 2b174821e4 7981a238a5
commit 8e6c80ffba
7 changed files with 24 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.travis.yml
View File

@@ -1,4 +1,5 @@
language: perl language: perl
dist: bionic
perl: perl:
- "5.26" - "5.26"
addons: addons:

1
CHANGELOG.md
View File

@@ -13,6 +13,7 @@
* Several display/output fixes * Several display/output fixes
* Security fix: DNS input * Security fix: DNS input
* Don't use external pwd anymore * Don't use external pwd anymore
* STARTTLS: XMPP server support
* Rating (SSL Labs, not complete) * Rating (SSL Labs, not complete)
### Features implemented / improvements in 3.0 ### Features implemented / improvements in 3.0

3
CREDITS.md
View File

@@ -143,6 +143,9 @@ Full contribution, see git log.
* Dmitri S * Dmitri S
- inspiration & help for Darwin port - inspiration & help for Darwin port
* Jonas Schäfer
- XMPP server patch
* Marcin Szychowski * Marcin Szychowski
- Quick'n'dirty client certificate support - Quick'n'dirty client certificate support

2
doc/testssl.1.html
View File

@@ -189,7 +189,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
<h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3> <h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>
<p><code>-t &lt;protocol>, --starttls &lt;protocol></code> does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>, <code>pop3</code>, <code>imap</code>, <code>xmpp</code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> is WIP.</p> <p><code>-t &lt;protocol>, --starttls &lt;protocol></code> does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>, <code>pop3</code>, <code>imap</code>, <code>xmpp</code>,<code>xmpp-server<code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> is WIP.</p>
<p><code>--xmpphost &lt;jabber_domain></code> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.</p> <p><code>--xmpphost &lt;jabber_domain></code> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.</p>

2
doc/testssl.1.md
View File

@@ -113,7 +113,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
### SPECIAL INVOCATIONS ### SPECIAL INVOCATIONS
`-t <protocol>, --starttls <protocol>` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP. `-t <protocol>, --starttls <protocol>` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `xmpp-server`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP.
`--xmpphost <jabber_domain>` is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied. `--xmpphost <jabber_domain>` is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.

7
t/25_baseline_starttls.t
View File

@@ -99,6 +99,13 @@ $openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`;
unlike($openssl_out, qr/$openssl_regex_bl/, ""); unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++; $tests++;
# $uri="jabber.ccc.de:5269";
# printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
# $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
# # $openssl_json = json('tmp.json');
# unlike($openssl_out, qr/$openssl_regex_bl/, "");
# $tests++;
$uri="ldap.uni-rostock.de:21"; $uri="ldap.uni-rostock.de:21";

13
testssl.sh
View File

@@ -317,6 +317,7 @@ HAS_NPN=false
HAS_FALLBACK_SCSV=false HAS_FALLBACK_SCSV=false
HAS_PROXY=false HAS_PROXY=false
HAS_XMPP=false HAS_XMPP=false
HAS_XMPP_SERVER=false
HAS_POSTGRES=false HAS_POSTGRES=false
HAS_MYSQL=false HAS_MYSQL=false
HAS_LMTP=false HAS_LMTP=false
@@ -5181,7 +5182,6 @@ run_protocols() {
5) prln_svrty_high "CVE-2015-3197: $supported_no_ciph2"; 5) prln_svrty_high "CVE-2015-3197: $supported_no_ciph2";
fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310" fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310"
add_proto_offered ssl2 yes add_proto_offered ssl2 yes
add_tls_offered ssl2 yes
set_grade_cap "F" "SSLv2 is offered" set_grade_cap "F" "SSLv2 is offered"
;; ;;
7) prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\"" 7) prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""
@@ -5210,7 +5210,6 @@ run_protocols() {
latest_supported_string="SSLv3" latest_supported_string="SSLv3"
fi fi
add_proto_offered ssl3 yes add_proto_offered ssl3 yes
add_tls_offered ssl3 yes
set_grade_cap "B" "SSLv3 is offered" set_grade_cap "B" "SSLv3 is offered"
;; ;;
1) prln_svrty_best "not offered (OK)" 1) prln_svrty_best "not offered (OK)"
@@ -18214,6 +18213,7 @@ find_openssl_binary() {
HAS_FALLBACK_SCSV=false HAS_FALLBACK_SCSV=false
HAS_PROXY=false HAS_PROXY=false
HAS_XMPP=false HAS_XMPP=false
HAS_XMPP_SERVER=false
HAS_POSTGRES=false HAS_POSTGRES=false
HAS_MYSQL=false HAS_MYSQL=false
HAS_LMTP=false HAS_LMTP=false
@@ -18298,9 +18298,12 @@ find_openssl_binary() {
grep -q '\-proxy' $s_client_has && \ grep -q '\-proxy' $s_client_has && \
HAS_PROXY=true HAS_PROXY=true
grep -q '\-xmpp' $s_client_has && \ grep -q 'xmpp' $s_client_starttls_has && \
HAS_XMPP=true HAS_XMPP=true
grep -q 'xmpp-server' $s_client_starttls_has && \
HAS_XMPP_SERVER=true
grep -q 'postgres' $s_client_starttls_has && \ grep -q 'postgres' $s_client_starttls_has && \
HAS_POSTGRES=true HAS_POSTGRES=true
@@ -18623,6 +18626,7 @@ HAS_PKEY: $HAS_PKEY
HAS_PKUTIL: $HAS_PKUTIL HAS_PKUTIL: $HAS_PKUTIL
HAS_PROXY: $HAS_PROXY HAS_PROXY: $HAS_PROXY
HAS_XMPP: $HAS_XMPP HAS_XMPP: $HAS_XMPP
HAS_XMPP_SERVER: $HAS_XMPP_SERVER
HAS_POSTGRES: $HAS_POSTGRES HAS_POSTGRES: $HAS_POSTGRES
HAS_MYSQL: $HAS_MYSQL HAS_MYSQL: $HAS_MYSQL
HAS_LMTP: $HAS_LMTP HAS_LMTP: $HAS_LMTP
@@ -19811,6 +19815,9 @@ determine_service() {
fi fi
fi fi
fi fi
if [[ "$protocol" == xmpp-server ]] && ! "$HAS_XMPP_SERVER"; then
fatal "Your $OPENSSL does not support the \"-xmpphost\" option" $ERR_OSSLBIN
fi
elif [[ "$protocol" == postgres ]]; then elif [[ "$protocol" == postgres ]]; then
# Check if openssl version supports postgres. # Check if openssl version supports postgres.
if ! "$HAS_POSTGRES"; then if ! "$HAS_POSTGRES"; then