- FIX #318
- minor code housekeeping; increased the amount of buffer read for sockets (interim measure, real fix follows). #313
This commit is contained in:
parent
cf7fb4f773
commit
942359c8c1
45
testssl.sh
45
testssl.sh
@ -736,6 +736,10 @@ run_http_header() {
|
|||||||
fileout "status_code" "INFO" \
|
fileout "status_code" "INFO" \
|
||||||
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
|
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
|
||||||
;;
|
;;
|
||||||
|
204)
|
||||||
|
fileout "status_code" "INFO" \
|
||||||
|
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
|
||||||
|
;;
|
||||||
206)
|
206)
|
||||||
out " -- WTF?"
|
out " -- WTF?"
|
||||||
fileout "status_code" "INFO" \
|
fileout "status_code" "INFO" \
|
||||||
@ -765,7 +769,7 @@ run_http_header() {
|
|||||||
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
|
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
pr_warning ". Oh, didn't expect a $status_code$msg_thereafter"
|
pr_warning ". Oh, didn't expect \"$status_code$msg_thereafter\""
|
||||||
fileout "status_code" "WARN" \
|
fileout "status_code" "WARN" \
|
||||||
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter"
|
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter"
|
||||||
;;
|
;;
|
||||||
@ -1014,7 +1018,7 @@ run_hpkp() {
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
out "--"
|
out "--"
|
||||||
fileout "hpkp" "WARN" "No support for HTTP Public Key Pinning"
|
fileout "hpkp" "INFO" "No support for HTTP Public Key Pinning"
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
|
|
||||||
@ -2418,7 +2422,7 @@ run_server_preference() {
|
|||||||
remark4default_cipher=""
|
remark4default_cipher=""
|
||||||
fileout "order" "OK" "Server sets a cipher order (OK)"
|
fileout "order" "OK" "Server sets a cipher order (OK)"
|
||||||
fi
|
fi
|
||||||
[[ $DEBUG -ge 2 ]] && out " $cipher1 | $cipher2"
|
debugme out " $cipher1 | $cipher2"
|
||||||
outln
|
outln
|
||||||
|
|
||||||
pr_bold " Negotiated protocol "
|
pr_bold " Negotiated protocol "
|
||||||
@ -2684,6 +2688,7 @@ verify_retcode_helper() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# arg1: number of certificate if provided >1
|
||||||
determine_trust() {
|
determine_trust() {
|
||||||
local json_prefix=$1
|
local json_prefix=$1
|
||||||
local -i i=1
|
local -i i=1
|
||||||
@ -2704,10 +2709,7 @@ determine_trust() {
|
|||||||
# and the output should should be indented by two more spaces.
|
# and the output should should be indented by two more spaces.
|
||||||
[[ -n $json_prefix ]] && spaces=" "
|
[[ -n $json_prefix ]] && spaces=" "
|
||||||
|
|
||||||
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
|
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]]; then
|
||||||
addtl_warning="(Your openssl 1.1.0 might be too new for a reliable check)"
|
|
||||||
fileout "${json_prefix}trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
|
|
||||||
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then
|
|
||||||
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
|
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
|
||||||
fileout "${json_prefix}trust_warn" "WARN" "$addtl_warning"
|
fileout "${json_prefix}trust_warn" "WARN" "$addtl_warning"
|
||||||
fi
|
fi
|
||||||
@ -2927,7 +2929,7 @@ certificate_info() {
|
|||||||
local cnfinding
|
local cnfinding
|
||||||
local cnok="OK"
|
local cnok="OK"
|
||||||
local expfinding expok="OK"
|
local expfinding expok="OK"
|
||||||
local json_prefix="" # string to place at begging of JSON IDs when there is more than one certificate
|
local json_prefix="" # string to place at beginng of JSON IDs when there is more than one certificate
|
||||||
local indent=""
|
local indent=""
|
||||||
|
|
||||||
if [[ $number_of_certificates -gt 1 ]]; then
|
if [[ $number_of_certificates -gt 1 ]]; then
|
||||||
@ -3997,11 +3999,11 @@ sslv2_sockets() {
|
|||||||
local nr_ciphers_detected
|
local nr_ciphers_detected
|
||||||
|
|
||||||
fd_socket 5 || return 6
|
fd_socket 5 || return 6
|
||||||
[[ "$DEBUG" -ge 2 ]] && outln "sending client hello... "
|
debugme outln "sending client hello... "
|
||||||
socksend_sslv2_clienthello "$SSLv2_CLIENT_HELLO"
|
socksend_sslv2_clienthello "$SSLv2_CLIENT_HELLO"
|
||||||
|
|
||||||
sockread_serverhello 32768
|
sockread_serverhello 32768
|
||||||
[[ "$DEBUG" -ge 2 ]] && outln "reading server hello... "
|
debugme outln "reading server hello... "
|
||||||
if [[ "$DEBUG" -ge 4 ]]; then
|
if [[ "$DEBUG" -ge 4 ]]; then
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -6
|
hexdump -C "$SOCK_REPLY_FILE" | head -6
|
||||||
outln
|
outln
|
||||||
@ -4205,7 +4207,7 @@ tls_sockets() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[[ "$DEBUG" -ge 2 ]] && echo "sending client hello..."
|
debugme echo "sending client hello..."
|
||||||
socksend_tls_clienthello "$tls_low_byte" "$cipher_list_2send"
|
socksend_tls_clienthello "$tls_low_byte" "$cipher_list_2send"
|
||||||
ret=$? # 6 means opening socket didn't succeed, e.g. timeout
|
ret=$? # 6 means opening socket didn't succeed, e.g. timeout
|
||||||
|
|
||||||
@ -4213,8 +4215,8 @@ tls_sockets() {
|
|||||||
if [[ $ret -eq 0 ]]; then
|
if [[ $ret -eq 0 ]]; then
|
||||||
sockread_serverhello 32768
|
sockread_serverhello 32768
|
||||||
TLS_NOW=$(LC_ALL=C date "+%s")
|
TLS_NOW=$(LC_ALL=C date "+%s")
|
||||||
[[ "$DEBUG" -ge 2 ]] && outln "reading server hello..."
|
debugme outln "reading server hello..."
|
||||||
if [[ "$DEBUG" -ge 3 ]]; then
|
if [[ "$DEBUG" -ge 4 ]]; then
|
||||||
hexdump -C $SOCK_REPLY_FILE | head -6
|
hexdump -C $SOCK_REPLY_FILE | head -6
|
||||||
echo
|
echo
|
||||||
fi
|
fi
|
||||||
@ -4224,7 +4226,7 @@ tls_sockets() {
|
|||||||
|
|
||||||
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
|
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
|
||||||
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)")
|
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)")
|
||||||
[[ "$DEBUG" -ge 2 ]] && out " (returned $lines lines) "
|
debugme out " (returned $lines lines) "
|
||||||
|
|
||||||
# determine the return value for higher level, so that they can tell what the result is
|
# determine the return value for higher level, so that they can tell what the result is
|
||||||
if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then
|
if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then
|
||||||
@ -4334,12 +4336,12 @@ run_heartbleed(){
|
|||||||
|
|
||||||
fd_socket 5 || return 6
|
fd_socket 5 || return 6
|
||||||
|
|
||||||
[[ $DEBUG -ge 2 ]] && outln "\nsending client hello (TLS version $tls_hexcode)"
|
debugme outln "\nsending client hello (TLS version $tls_hexcode)"
|
||||||
socksend "$client_hello" 1
|
socksend "$client_hello" 1
|
||||||
sockread 16384
|
|
||||||
|
|
||||||
[[ $DEBUG -ge 2 ]] && outln "\nreading server hello"
|
debugme outln "\nreading server hello"
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
sockread 32768
|
||||||
|
if [[ $DEBUG -ge 4 ]]; then
|
||||||
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
|
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
|
||||||
outln "[...]"
|
outln "[...]"
|
||||||
outln "\nsending payload with TLS version $tls_hexcode:"
|
outln "\nsending payload with TLS version $tls_hexcode:"
|
||||||
@ -4446,10 +4448,10 @@ run_ccs_injection(){
|
|||||||
# we now make a standard handshake ...
|
# we now make a standard handshake ...
|
||||||
debugme out "\nsending client hello, "
|
debugme out "\nsending client hello, "
|
||||||
socksend "$client_hello" 1
|
socksend "$client_hello" 1
|
||||||
sockread 16384
|
|
||||||
|
|
||||||
debugme outln "\nreading server hello"
|
debugme outln "\nreading server hello"
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
sockread 32768
|
||||||
|
if [[ $DEBUG -ge 4 ]]; then
|
||||||
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
|
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
|
||||||
outln "[...]"
|
outln "[...]"
|
||||||
outln "\npayload #1 with TLS version $tls_hexcode:"
|
outln "\npayload #1 with TLS version $tls_hexcode:"
|
||||||
@ -5008,6 +5010,7 @@ run_drown() {
|
|||||||
else
|
else
|
||||||
cert_fingerprint_sha2="$CERT_FINGERPRINT_SHA2"
|
cert_fingerprint_sha2="$CERT_FINGERPRINT_SHA2"
|
||||||
fi
|
fi
|
||||||
|
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
|
||||||
outln "$spaces https://censys.io/ipv4?q=$cert_fingerprint_sha2 could help you to find out"
|
outln "$spaces https://censys.io/ipv4?q=$cert_fingerprint_sha2 could help you to find out"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -6890,4 +6893,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.473 2016/03/05 20:35:27 dirkw Exp $
|
# $Id: testssl.sh,v 1.474 2016/03/12 16:08:42 dirkw Exp $
|
||||||
|
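Review bot: The new `sockread 32768` in run_heartbleed, and the identical line in run_ccs_injection, carries no explanation, while the commit message itself calls the enlarged read an interim measure with a real fix to follow for #313. A comment on the line, e.g. `# interim (#313): read up to 32768 bytes of the server hello; a larger reply is still truncated`, would keep the next reader from treating the number as final. The same literal already appears as `sockread_serverhello 32768` in sslv2_sockets and tls_sockets, so one named constant would keep the four call sites in step when the real fix changes the size. Whether a truncated server hello leaves unread bytes that later mix into the heartbeat or CCS reply is not visible here and would need checking against sockread. Both functions start and end outside their hunks.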