mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 17:20:57 +01:00
parent
0463471c40
commit
8ff39c5028
58
testssl.sh
58
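--- a/testssl.sh
+++ b/testssl.sh
@@ -147,6 +147,7 @@ TMPFILE=""
 ERRFILE=""
 CLIENT_AUTH=false
 CLIENT_AUTH_MSG=" cannot determine -- certificate based authentication"
+NO_SSL_SESSIONID=false
 HOSTCERT=""
 HEADERFILE=""
 LOGFILE=""
@@ -323,7 +324,6 @@ pr_reverse_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[7m\033[1m$1" || out "$1";
 
 #pr_headline() { [[ "$COLOR" -eq 2 ]] && out "\033[1;30m\033[47m$1" || out "$1"; pr_off; }
 pr_headline() { [[ "$COLOR" -ne 0 ]] && out "\033[1m\033[4m$1" || out "$1"; pr_off; }
-#pr_headline() { pr_underline "$1"; }
 pr_headlineln() { pr_headline "$1" ; outln; }
 
 pr_squoted() { out "'$1'"; }
@@ -1981,11 +1981,11 @@ tls_time() {
 #
 sclient_connect_successful() {
 [[ $1 -eq 0 ]] && return 0
-[[ -z $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 1
-[[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]] && return 1
-# what's left now is: master key not empty and Session-ID not empty ==> probably client based auth with x509 certificate
-CLIENT_AUTH=true
-return 0
+[[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0
+# second check saved like
+# fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1
+# what's left now is: master key empty and Session-ID not empty ==> probably client based auth with x509 certificate
+return 1
 }
 
 
@@ -2059,6 +2059,13 @@ run_server_defaults() {
 outln "$lifetime $unit"
 fi
 
+pr_bold " SSL Session ID support "
+if $NO_SSL_SESSIONID; then
+outln "no"
+else
+outln "yes"
+fi
+
 pr_bold " Server key size "
 keysize=$(grep -aw "^Server public key is" $TMPFILE | sed -e 's/^Server public key is //' -e 's/bit//' -e 's/ //')
 sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u )
@@ -4559,9 +4566,32 @@ check_proxy() {
 }
 
 
-# this function determines OPTIMAL_PROTO. It is a workaround function as under certain circumstances (e.g. IIS6.0)
-# openssl 1.0.2 (as opposed to 1.0.1) needs a protocol otherwise s_client -connect will fail!
-# Circumstances so far: 1.) IIS 6 2.) starttls + dovecot imap
+# this is only being called from determine_optimal_proto in order to check whether we have a server
+# with client authentication, a server with no SSL session ID switched off
+#
+sclient_auth() {
+[[ $1 -eq 0 ]] && return 0 # no client auth (CLIENT_AUTH=false is preset globally)
+if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then # connect succeeded
+if grep -q '^<<< .*CertificateRequest' "$2"; then # CertificateRequest message in -msg
+CLIENT_AUTH=true
+return 0
+fi
+if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session
+if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then # do another sanity check to be sure
+CLIENT_AUTH=false
+NO_SSL_SESSIONID=true # NO_SSL_SESSIONI is preset globally to false for all other cases
+return 0
+fi
+fi
+fi
+# what's left now is: master key empty, handshake returned not successful, session ID empty --> not sucessful
+return 1
+}
+
+
+# this function determines OPTIMAL_PROTO. It is a workaround function as under certain circumstances
+# (e.g. IIS6.0 and openssl 1.0.2 as opposed to 1.0.1) needs a protocol otherwise s_client -connect will fail!
+# Circumstances observed so far: 1.) IIS 6 2.) starttls + dovecot imap
 # The first try in the loop is empty as we prefer not to specify always a protocol if it works w/o.
 #
 determine_optimal_proto() {
@@ -4575,8 +4605,8 @@ determine_optimal_proto() {
 # starttls workaround needed see https://github.com/drwetter/testssl.sh/issues/188
 # kind of odd
 for STARTTLS_OPTIMAL_PROTO in -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
-$OPENSSL s_client $STARTTLS_OPTIMAL_PROTO -connect "$NODEIP:$PORT" $PROXY -starttls $1 </dev/null >$TMPFILE 2>>$ERRFILE
-if sclient_connect_successful $? $TMPFILE; then
+$OPENSSL s_client $STARTTLS_OPTIMAL_PROTO -connect "$NODEIP:$PORT" $PROXY -msg -starttls $1 </dev/null >$TMPFILE 2>>$ERRFILE
+if sclient_auth $? $TMPFILE; then
 all_failed=1
 break
 fi
@@ -4585,8 +4615,8 @@ determine_optimal_proto() {
 debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
 else
 for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2 ''; do
-$OPENSSL s_client $OPTIMAL_PROTO -connect "$NODEIP:$PORT" $PROXY $SNI </dev/null >$TMPFILE 2>>$ERRFILE
-if sclient_connect_successful $? $TMPFILE; then
+$OPENSSL s_client $OPTIMAL_PROTO -connect "$NODEIP:$PORT" -msg $PROXY $SNI </dev/null >$TMPFILE 2>>$ERRFILE
+if sclient_auth $? $TMPFILE; then
 all_failed=1
 break
 fi
@@ -5278,4 +5308,4 @@ fi
 exit $?
 
 
-# $Id: testssl.sh,v 1.411 2015/10/15 13:14:36 dirkw Exp $
+# $Id: testssl.sh,v 1.415 2015/11/03 12:13:09 dirkw Exp $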
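Review bot: In the new sclient_auth (hunk @@ -4559,9 +4566,32 @@) the CertificateRequest grep is only reached after `[[ $1 -eq 0 ]] && return 0`, so a server that requests but does not require a client certificate (s_client exits 0 without one) is never examined and CLIENT_AUTH stays false; if optional client auth should be surfaced, consider `grep -q '^<<< .*CertificateRequest' "$2" && CLIENT_AUTH=true` before the early return, with the reporting side deciding what "requested but optional" should print. The same early return feeds the "SSL Session ID support" line in the run_server_defaults hunk (@@ -2059,6 +2059,13 @@, whose function starts and ends outside the hunk): "yes" is printed whenever NO_SSL_SESSIONID was not set, including paths where Session-ID was never inspected, so it is a default rather than an observation and a more cautious wording for the unverified case would be less misleading. The comment on the NO_SSL_SESSIONID=true line has a typo, `NO_SSL_SESSIONI`, and the trailing comment reads `not sucessful`. Both call sites pass `$TMPFILE` unquoted while the function quotes "$2" internally; `sclient_auth $? "$TMPFILE"` keeps the two consistent.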