Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 21:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

protocol check via sockets now also for SSLv3

Browse Source
This commit is contained in:
Dirk
2015-03-31 10:34:30 +02:00
parent 9ed58b6202
commit 940f51e74b
1 changed files with 64 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
testssl.sh
View File

@@ -897,9 +897,20 @@ testprotohelper() {
runprotocols() { runprotocols() {
pr_blue "--> Testing Protocols"; outln "\n" local using_sockets=0
pr_blue "--> Testing Protocols";
if [ $SSL_NATIVE -eq 1 ] || [ -n "$STARTTLS" ]; then if [ $SSL_NATIVE -eq 1 ] || [ -n "$STARTTLS" ]; then
testprotohelper "-ssl2" " SSLv2 " using_sockets=1
outln "(via native openssl)\n"
else
outln "(via sockets for SSLv2, SSLv3)\n"
fi
out " SSLv2 ";
if [ $SSL_NATIVE -eq 1 ] || [ -n "$STARTTLS" ]; then
testprotohelper "-ssl2"
case $? in case $? in
0) ok 1 1 ;; # pr_red 0) ok 1 1 ;; # pr_red
1) ok 0 1 ;; # pr_green "not offered (ok)" 1) ok 0 1 ;; # pr_green "not offered (ok)"
@@ -907,26 +918,39 @@ runprotocols() {
7) ;; # no local support 7) ;; # no local support
esac esac
else else
sslv2_sockets sslv2_sockets #FIXME: --> Umschreiben, Interpretation mit CASE wie native
fi fi
testprotohelper "-ssl3" " SSLv3 " out " SSLv3 ";
if [ $SSL_NATIVE -eq 1 ] || [ -n "$STARTTLS" ]; then
testprotohelper "-ssl3"
else
tls_sockets "00" "$TLS_CIPHER"
fi
case $? in case $? in
0) ok 6 0 ;; # poodle hack" 0) ok 6 0 ;; # pr_litered offered (NOT ok)
1) ok 0 1 ;; # pr_green "not offered (ok)" 1) ok 0 1 ;; # pr_green "not offered (ok)"
2) ok 0 1 ;; #FIXME: downgraded. still missing a testcase here
5) ok 5 5 ;; # protocol ok, but no cipher 5) ok 5 5 ;; # protocol ok, but no cipher
7) ;; # no local support 7) ;; # no local support
esac esac
testprotohelper "-tls1" " TLSv1 " out " TLS 1 ";
#if [ $SSL_NATIVE -eq 1 ] || [ -n "$STARTTLS" ]; then
testprotohelper "-tls1"
#else
#tls_sockets "01" "$TLS_CIPHER"
#fi
case $? in case $? in
0) ok 2 0 ;; # no GCM, thus only normal print 0) ok 2 0 ;; # no GCM, thus only normal print
1) ok 0 0 ;; 1) ok 0 0 ;;
# 2) ok 0 0 ;; downgraded
5) ok 5 5 ;; # protocol ok, but no cipher 5) ok 5 5 ;; # protocol ok, but no cipher
7) ;; # no local support 7) ;; # no local support
esac esac
testprotohelper "-tls1_1" " TLSv1.1 " out " TLS 1.1 ";
testprotohelper "-tls1_1"
case $? in case $? in
0) ok 2 0 ;; # normal print 0) ok 2 0 ;; # normal print
1) ok 7 0 ;; # no GCM, penalty 1) ok 7 0 ;; # no GCM, penalty
@@ -934,7 +958,8 @@ runprotocols() {
7) ;; # no local support 7) ;; # no local support
esac esac
testprotohelper "-tls1_2" " TLSv1.2 " out " TLS 1.2 ";
testprotohelper "-tls1_2"
case $? in case $? in
0) ok 1 0 ;; 0) ok 1 0 ;;
1) ok 7 0 ;; # no GCM, penalty 1) ok 7 0 ;; # no GCM, penalty
@@ -1627,7 +1652,7 @@ display_tls_serverhello() {
# now scrape two bytes out of the reply per byte # now scrape two bytes out of the reply per byte
tls_hello_initbyte="${tls_hello_ascii:0:2}" # normally this is x16 tls_hello_initbyte="${tls_hello_ascii:0:2}" # normally this is x16
tls_hello_protocol="${tls_hello_ascii:2:4}" tls_hello_protocol="${tls_hello_ascii:2:4}"
tls_len_all=$(printf "%d\n" ${tls_hello_ascii:6:4}) tls_len_all=${tls_hello_ascii:6:4}
if [[ $tls_hello_initbyte != "16" ]] ; then if [[ $tls_hello_initbyte != "16" ]] ; then
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
@@ -1675,15 +1700,13 @@ display_tls_serverhello() {
sslv2_sockets() { sslv2_sockets() {
local ciphers_detected local ciphers_detected
out " SSLv2 ";
fd_socket 5 || return 6 fd_socket 5 || return 6
[[ "$DEBUG" -ge 2 ]] && outln "sending client hello... " [[ "$DEBUG" -ge 2 ]] && outln "sending client hello... "
socksend_sslv2_clienthello socksend_sslv2_clienthello
sockread_serverhello 32768 0 sockread_serverhello 32768 0
[[ "$DEBUG" -ge 2 ]] && outln "reading server hello... " [[ "$DEBUG" -ge 2 ]] && outln "reading server hello... "
if [[ "$DEBUG" -eq 4 ]]; then if [[ "$DEBUG" -ge 4 ]]; then
hexdump -C $SOCK_REPLY_FILE | head -6 hexdump -C $SOCK_REPLY_FILE | head -6
outln outln
fi fi
@@ -1763,11 +1786,20 @@ socksend_tls_clienthello() {
len_ciph_suites_word="$LEN_STR" len_ciph_suites_word="$LEN_STR"
#[[ $DEBUG -ge 3 ]] && echo $len_ciph_suites_word #[[ $DEBUG -ge 3 ]] && echo $len_ciph_suites_word
# RFC 3546 doesn't specify SSLv3 to have SNI, openssl just ignores the switch if supplied
if [ "$tls_low_byte" == "00" ]; then
len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x27)))
else
len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x27 + 0x$len_extension_hex + 0x2))) len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x27 + 0x$len_extension_hex + 0x2)))
fi
len_client_hello_word="$LEN_STR" len_client_hello_word="$LEN_STR"
#[[ $DEBUG -ge 3 ]] && echo $len_client_hello_word #[[ $DEBUG -ge 3 ]] && echo $len_client_hello_word
if [ "$tls_low_byte" == "00" ]; then
len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x2b)))
else
len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x2b + 0x$len_extension_hex + 0x2))) len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x2b + 0x$len_extension_hex + 0x2)))
fi
len_all_word="$LEN_STR" len_all_word="$LEN_STR"
#[[ $DEBUG -ge 3 ]] && echo $len_all_word #[[ $DEBUG -ge 3 ]] && echo $len_all_word
@@ -1790,6 +1822,9 @@ socksend_tls_clienthello() {
,01 # Compression methods length ,01 # Compression methods length
,00" # Compression method (x00 for NULL) ,00" # Compression method (x00 for NULL)
if [ "$tls_low_byte" == "00" ]; then
EXTENSION_CONTAINING_SNI="" # RFC 3546 doesn't specify SSLv3 to have SNI, openssl just ignores the switch if supplied
else
EXTENSION_CONTAINING_SNI=" EXTENSION_CONTAINING_SNI="
,00, $len_extension_hex # first the len of all (here: 1) extentions. We assume len(hostname) < FF - 9 ,00, $len_extension_hex # first the len of all (here: 1) extentions. We assume len(hostname) < FF - 9
,00, 00 # extension server_name ,00, 00 # extension server_name
@@ -1798,7 +1833,7 @@ socksend_tls_clienthello() {
,00 # server_name type (hostname) ,00 # server_name type (hostname)
,00, $len_servername_hex # server_name length ,00, $len_servername_hex # server_name length
,$servername_hexstr" # server_name target ,$servername_hexstr" # server_name target
fi
fd_socket 5 || return 6 fd_socket 5 || return 6
code2network "$TLS_CLIENT_HELLO$EXTENSION_CONTAINING_SNI" code2network "$TLS_CLIENT_HELLO$EXTENSION_CONTAINING_SNI"
@@ -1843,24 +1878,17 @@ tls_sockets() {
lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l) lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l)
[[ "$DEBUG" -ge 2 ]] && out " (returned $lines lines) " [[ "$DEBUG" -ge 2 ]] && out " (returned $lines lines) "
# case $tls_low_byte in
# 00) tls_str="SSLv3" ;;
# 01) tls_str="TLS 1" ;;
# 02) tls_str="TLS 1.1" ;;
# 03) tls_str="TLS 1.2" ;;
# esac
# printf "Protokoll "; tput bold; printf "$tls_low_byte = $tls_str"; tput sgr0; printf ": " # printf "Protokoll "; tput bold; printf "$tls_low_byte = $tls_str"; tput sgr0; printf ": "
if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]] ; then if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]] ; then
outln "NOT available" #outln "NOT available"
ret=1 ret=1
else else
if [[ 03$tls_low_byte -eq $DETECTED_TLS_VERSION ]]; then if [[ 03$tls_low_byte -eq $DETECTED_TLS_VERSION ]]; then
outln "available" #outln "available"
ret=0 ret=0
else else
out "NOT available " #out "NOT available "
[[ $DEBUG -ge 2 ]] && echo -n "send: 0x03$tls_low_byte, returned: 0x$DETECTED_TLS_VERSION" [[ $DEBUG -ge 2 ]] && echo -n "send: 0x03$tls_low_byte, returned: 0x$DETECTED_TLS_VERSION"
ret=2 ret=2
echo echo
@@ -3056,5 +3084,5 @@ case "$1" in
esac esac
# $Id: testssl.sh,v 1.216 2015/03/30 21:09:18 dirkw Exp $ # $Id: testssl.sh,v 1.217 2015/03/31 08:34:29 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5