mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 17:20:57 +01:00
commit
948118c927
63
testssl.sh
63
testssl.sh
@ -20,11 +20,11 @@
|
|||||||
# license permitted.
|
# license permitted.
|
||||||
# If you enclose this script or parts of it in your software, it has to
|
# If you enclose this script or parts of it in your software, it has to
|
||||||
# be accompanied by the same license (see link) and the place where to get
|
# be accompanied by the same license (see link) and the place where to get
|
||||||
# the recent version of this program. Do not violate the license andif
|
# the recent version of this program. Do not violate the license and if
|
||||||
# you do not agree to all of these terms, do not use it in the first place.
|
# you do not agree to all of these terms, do not use it in the first place.
|
||||||
#
|
#
|
||||||
# OpenSSL which is being used and maybe distributed via one of this projects'
|
# OpenSSL, which is being used and maybe distributed via one of this projects'
|
||||||
# web site is subject to their licensing: https://www.openssl.org/source/license.txt
|
# web sites, is subject to their licensing: https://www.openssl.org/source/license.txt
|
||||||
#
|
#
|
||||||
# The client simulation data comes from SSLlabs and is licensed to the 'Qualys SSL Labs
|
# The client simulation data comes from SSLlabs and is licensed to the 'Qualys SSL Labs
|
||||||
# Terms of Use' (v2.2), see https://www.ssllabs.com/downloads/Qualys_SSL_Labs_Terms_of_Use.pdf,
|
# Terms of Use' (v2.2), see https://www.ssllabs.com/downloads/Qualys_SSL_Labs_Terms_of_Use.pdf,
|
||||||
@ -42,7 +42,7 @@
|
|||||||
# wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist
|
# wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist
|
||||||
# wrapping some shell commands around it, which I used for my pen tests. This is how
|
# wrapping some shell commands around it, which I used for my pen tests. This is how
|
||||||
# everything started.
|
# everything started.
|
||||||
# Now it has grown up, it has bash socket support for some features which basically replacing
|
# Now it has grown up, it has bash socket support for some features, which is basically replacing
|
||||||
# more and more functions of OpenSSL and will serve as some kind of library in the future.
|
# more and more functions of OpenSSL and will serve as some kind of library in the future.
|
||||||
# The socket checks in bash may sound cool and unique -- they are -- but probably you
|
# The socket checks in bash may sound cool and unique -- they are -- but probably you
|
||||||
# can achieve e.g. the same result with my favorite interactive shell: zsh (zmodload zsh/net/socket
|
# can achieve e.g. the same result with my favorite interactive shell: zsh (zmodload zsh/net/socket
|
||||||
@ -204,7 +204,6 @@ HAS_SSL2=false
|
|||||||
HAS_SSL3=false
|
HAS_SSL3=false
|
||||||
HAS_ALPN=false
|
HAS_ALPN=false
|
||||||
HAS_SPDY=false
|
HAS_SPDY=false
|
||||||
HAS_SSL2=false
|
|
||||||
ADD_RFC_STR="rfc" # display RFC ciphernames
|
ADD_RFC_STR="rfc" # display RFC ciphernames
|
||||||
PORT=443 # unless otherwise auto-determined, see below
|
PORT=443 # unless otherwise auto-determined, see below
|
||||||
NODE=""
|
NODE=""
|
||||||
@ -225,7 +224,7 @@ URI=""
|
|||||||
CERT_FINGERPRINT_SHA2=""
|
CERT_FINGERPRINT_SHA2=""
|
||||||
SHOW_CENSYS_LINK=${SHOW_CENSYS_LINK:-true}
|
SHOW_CENSYS_LINK=${SHOW_CENSYS_LINK:-true}
|
||||||
STARTTLS_PROTOCOL=""
|
STARTTLS_PROTOCOL=""
|
||||||
OPTIMAL_PROTO="" # we need this for IIS6 (sigh) and OpenSSL 1.02, otherwise some handshakes
|
OPTIMAL_PROTO="" # we need this for IIS6 (sigh) and OpenSSL 1.0.2, otherwise some handshakes
|
||||||
# will fail, see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
# will fail, see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
||||||
STARTTLS_OPTIMAL_PROTO="" # same for STARTTLS, see https://github.com/drwetter/testssl.sh/issues/188
|
STARTTLS_OPTIMAL_PROTO="" # same for STARTTLS, see https://github.com/drwetter/testssl.sh/issues/188
|
||||||
TLS_TIME=""
|
TLS_TIME=""
|
||||||
@ -966,7 +965,7 @@ run_hpkp() {
|
|||||||
out "# of keys: "
|
out "# of keys: "
|
||||||
if [[ $hpkp_nr_keys -eq 1 ]]; then
|
if [[ $hpkp_nr_keys -eq 1 ]]; then
|
||||||
pr_svrty_high "1 (NOT ok), "
|
pr_svrty_high "1 (NOT ok), "
|
||||||
fileout "hpkp_keys" "NOT ok" "Only one key pinned in HPKP header, this means the site may become unavaiable if the key is revoked"
|
fileout "hpkp_keys" "NOT ok" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked"
|
||||||
else
|
else
|
||||||
out "$hpkp_nr_keys, "
|
out "$hpkp_nr_keys, "
|
||||||
fileout "hpkp_keys" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked"
|
fileout "hpkp_keys" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked"
|
||||||
@ -1077,9 +1076,9 @@ run_server_banner() {
|
|||||||
emphasize_stuff_in_headers "$serverbanner"
|
emphasize_stuff_in_headers "$serverbanner"
|
||||||
fileout "serverbanner" "INFO" "Server banner identified: $serverbanner"
|
fileout "serverbanner" "INFO" "Server banner identified: $serverbanner"
|
||||||
if [[ "$serverbanner" = *Microsoft-IIS/6.* ]] && [[ $OSSL_VER == 1.0.2* ]]; then
|
if [[ "$serverbanner" = *Microsoft-IIS/6.* ]] && [[ $OSSL_VER == 1.0.2* ]]; then
|
||||||
pr_warningln " It's recommended to run another test w/ OpenSSL 1.01 !"
|
pr_warningln " It's recommended to run another test w/ OpenSSL 1.0.1 !"
|
||||||
# see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
# see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
||||||
fileout "IIS6_openssl_mismatch" "WARN" "It is recommended to rerun this test w/ OpenSSL 1.01\nSee https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892"
|
fileout "IIS6_openssl_mismatch" "WARN" "It is recommended to rerun this test w/ OpenSSL 1.0.1\nSee https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# mozilla.github.io/server-side-tls/ssl-config-generator/
|
# mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||||
@ -1492,7 +1491,7 @@ neat_list(){
|
|||||||
|
|
||||||
#printf -- "%q" "$kx" | xxd | head -1
|
#printf -- "%q" "$kx" | xxd | head -1
|
||||||
# length correction for color escape codes (printf counts the escape color codes!!)
|
# length correction for color escape codes (printf counts the escape color codes!!)
|
||||||
if printf -- "%q" "$kx" | egrep -aq '.;3.m|E\[1m' ; then # here's a color code which screws up the formatting with prinf below
|
if printf -- "%q" "$kx" | egrep -aq '.;3.m|E\[1m' ; then # here's a color code which screws up the formatting with printf below
|
||||||
while [[ ${#kx} -lt 20 ]]; do
|
while [[ ${#kx} -lt 20 ]]; do
|
||||||
kx="$kx "
|
kx="$kx "
|
||||||
done
|
done
|
||||||
@ -1567,7 +1566,7 @@ test_just_one(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad
|
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
|
||||||
run_allciphers() {
|
run_allciphers() {
|
||||||
local tmpfile
|
local tmpfile
|
||||||
local -i nr_ciphers=0
|
local -i nr_ciphers=0
|
||||||
@ -2038,7 +2037,7 @@ run_client_simulation() {
|
|||||||
ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5")
|
ciphers+=("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5")
|
||||||
tlsvers+=("-tls1_2 -tls1_1 -tls1")
|
tlsvers+=("-tls1_2 -tls1_1 -tls1")
|
||||||
sni+=("$SNI")
|
sni+=("$SNI")
|
||||||
#warning+=("Tests are based on OpenSSL 1.01, therefore ciphers 0xe and 0xb are missing")
|
#warning+=("Tests are based on OpenSSL 1.0.1, therefore ciphers 0xe and 0xb are missing")
|
||||||
warning+=("")
|
warning+=("")
|
||||||
|
|
||||||
names+=("Safari 5.1.9/ OSX 10.6.8 ")
|
names+=("Safari 5.1.9/ OSX 10.6.8 ")
|
||||||
@ -2132,7 +2131,7 @@ run_client_simulation() {
|
|||||||
#FIXME: awk
|
#FIXME: awk
|
||||||
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
||||||
if [[ "$proto" == TLSv1.2 ]]; then
|
if [[ "$proto" == TLSv1.2 ]]; then
|
||||||
# OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0 Need to figure out which one it is...
|
# OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
|
||||||
for tls in ${tlsvers[i]}; do
|
for tls in ${tlsvers[i]}; do
|
||||||
$OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
|
$OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
|
||||||
debugme echo "$OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
|
debugme echo "$OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
|
||||||
@ -2187,7 +2186,7 @@ locally_supported() {
|
|||||||
# 1) we need to have a variable where the results are being stored so that every other test doesn't have to do this again.
|
# 1) we need to have a variable where the results are being stored so that every other test doesn't have to do this again.
|
||||||
# 2) the code is too old and one can do that way better
|
# 2) the code is too old and one can do that way better
|
||||||
# 3) HAS_SSL3/2 does already exist
|
# 3) HAS_SSL3/2 does already exist
|
||||||
# we should do what's available and faster (openssl vs. sockets) . Keep in mind that the socket reply for SSLv2 returns the number # of ciphers!
|
# we should do what's available and faster (openssl vs. sockets). Keep in mind that the socket reply for SSLv2 returns the number # of ciphers!
|
||||||
#
|
#
|
||||||
# arg1: -ssl2|-ssl3|-tls1
|
# arg1: -ssl2|-ssl3|-tls1
|
||||||
# arg2: doesn't seem to be used in calling, seems to be a textstring with the protocol though
|
# arg2: doesn't seem to be used in calling, seems to be a textstring with the protocol though
|
||||||
@ -2562,8 +2561,8 @@ run_server_preference() {
|
|||||||
"")
|
"")
|
||||||
pr_warning "default proto empty"
|
pr_warning "default proto empty"
|
||||||
if [[ $OSSL_VER == 1.0.2* ]]; then
|
if [[ $OSSL_VER == 1.0.2* ]]; then
|
||||||
outln " (Hint: if IIS6 give OpenSSL 1.01 a try)"
|
outln " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
||||||
fileout "order_proto" "WARN" "Default protocol empty (Hint: if IIS6 give OpenSSL 1.01 a try)"
|
fileout "order_proto" "WARN" "Default protocol empty (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
||||||
else
|
else
|
||||||
fileout "order_proto" "WARN" "Default protocol empty"
|
fileout "order_proto" "WARN" "Default protocol empty"
|
||||||
fi
|
fi
|
||||||
@ -2601,8 +2600,8 @@ run_server_preference() {
|
|||||||
"")
|
"")
|
||||||
pr_warning "default cipher empty" ;
|
pr_warning "default cipher empty" ;
|
||||||
if [[ $OSSL_VER == 1.0.2* ]]; then
|
if [[ $OSSL_VER == 1.0.2* ]]; then
|
||||||
out " (Hint: if IIS6 give OpenSSL 1.01 a try)"
|
out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
||||||
fileout "order_cipher" "WARN" "Default cipher empty (Hint: if IIS6 give OpenSSL 1.01 a try) $remark4default_cipher"
|
fileout "order_cipher" "WARN" "Default cipher empty (Hint: if IIS6 give OpenSSL 1.0.1 a try) $remark4default_cipher"
|
||||||
else
|
else
|
||||||
fileout "order_cipher" "WARN" "Default cipher empty $remark4default_cipher"
|
fileout "order_cipher" "WARN" "Default cipher empty $remark4default_cipher"
|
||||||
fi
|
fi
|
||||||
@ -2621,11 +2620,11 @@ run_server_preference() {
|
|||||||
i=1
|
i=1
|
||||||
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
|
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
|
||||||
if [[ $p == ssl2 ]] && ! "$HAS_SSL2"; then
|
if [[ $p == ssl2 ]] && ! "$HAS_SSL2"; then
|
||||||
out " (SSLv2: "; local_problem "/usr/bin/openssl doesn't support \"s_client -ssl2\""; outln ")";
|
out " (SSLv2: "; local_problem "$OPENSSL doesn't support \"s_client -ssl2\""; outln ")";
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
if [[ $p == ssl3 ]] && ! "$HAS_SSL3"; then
|
if [[ $p == ssl3 ]] && ! "$HAS_SSL3"; then
|
||||||
out " (SSLv3: "; local_problem "/usr/bin/openssl doesn't support \"s_client -ssl3\"" ; outln ")";
|
out " (SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\"" ; outln ")";
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
@ -2696,11 +2695,11 @@ cipher_pref_check() {
|
|||||||
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
|
for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
|
||||||
order=""
|
order=""
|
||||||
if [[ $p == ssl2 ]] && ! "$HAS_SSL2"; then
|
if [[ $p == ssl2 ]] && ! "$HAS_SSL2"; then
|
||||||
out "\n SSLv2: "; local_problem "/usr/bin/openssl doesn't support \"s_client -ssl2\"";
|
out "\n SSLv2: "; local_problem "$OPENSSL doesn't support \"s_client -ssl2\"";
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
if [[ $p == ssl3 ]] && ! "$HAS_SSL3"; then
|
if [[ $p == ssl3 ]] && ! "$HAS_SSL3"; then
|
||||||
out "\n SSLv3: "; local_problem "/usr/bin/openssl doesn't support \"s_client -ssl3\"";
|
out "\n SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
@ -2899,7 +2898,7 @@ tls_time() {
|
|||||||
local now difftime
|
local now difftime
|
||||||
local spaces=" "
|
local spaces=" "
|
||||||
|
|
||||||
tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (mostfrequently used protocol)
|
tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (most frequently used protocol)
|
||||||
[[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2
|
[[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2
|
||||||
[[ -z "$TLS_TIME" ]] && tls_sockets "02" "$TLS_CIPHER" # TLS 1.1
|
[[ -z "$TLS_TIME" ]] && tls_sockets "02" "$TLS_CIPHER" # TLS 1.1
|
||||||
[[ -z "$TLS_TIME" ]] && tls_sockets "00" "$TLS_CIPHER" # SSL 3
|
[[ -z "$TLS_TIME" ]] && tls_sockets "00" "$TLS_CIPHER" # SSL 3
|
||||||
@ -3115,7 +3114,7 @@ certificate_info() {
|
|||||||
out "keysize: $cert_keysize (not expected, FIXME)"
|
out "keysize: $cert_keysize (not expected, FIXME)"
|
||||||
fileout "${json_prefix}key_size" "WARN" "Server keys $cert_keysize bits (not expected)"
|
fileout "${json_prefix}key_size" "WARN" "Server keys $cert_keysize bits (not expected)"
|
||||||
fi
|
fi
|
||||||
outln " bit"
|
outln " bits"
|
||||||
elif [[ $cert_sig_algo = *RSA* ]]; then
|
elif [[ $cert_sig_algo = *RSA* ]]; then
|
||||||
if [[ "$cert_keysize" -le 512 ]]; then
|
if [[ "$cert_keysize" -le 512 ]]; then
|
||||||
pr_svrty_critical "$cert_keysize"
|
pr_svrty_critical "$cert_keysize"
|
||||||
@ -3385,7 +3384,7 @@ certificate_info() {
|
|||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
out "(response status unknown)"
|
out "(response status unknown)"
|
||||||
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: grep -aA 20 "OCSP response" <<<"$ocsp_response""
|
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: $ocsp_response"
|
||||||
debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response"
|
debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response"
|
||||||
ret=2
|
ret=2
|
||||||
fi
|
fi
|
||||||
@ -3709,8 +3708,8 @@ run_spdy() {
|
|||||||
fileout "spdy_npn" "INFO" "SPDY/NPN : $tmpstr (advertised)"
|
fileout "spdy_npn" "INFO" "SPDY/NPN : $tmpstr (advertised)"
|
||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
pr_cyanln "please check manually, server response was ambigious ..."
|
pr_cyanln "please check manually, server response was ambiguous ..."
|
||||||
fileout "spdy_npn" "INFO" "SPDY/NPN : please check manually, server response was ambigious ..."
|
fileout "spdy_npn" "INFO" "SPDY/NPN : please check manually, server response was ambiguous ..."
|
||||||
ret=10
|
ret=10
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -4024,7 +4023,7 @@ parse_tls_serverhello() {
|
|||||||
# byte 5: handshake type (2=hello) TLS alert: level (2=fatal), descr (0x28=handshake failure)
|
# byte 5: handshake type (2=hello) TLS alert: level (2=fatal), descr (0x28=handshake failure)
|
||||||
# byte 6+7+8: length server hello
|
# byte 6+7+8: length server hello
|
||||||
# byte 9+10: 03, TLS version word see byte 1+2
|
# byte 9+10: 03, TLS version word see byte 1+2
|
||||||
# byte 11-14: TLS timestamp for OpenSSL <1.01f
|
# byte 11-14: TLS timestamp for OpenSSL <1.0.1f
|
||||||
# byte 15-42: random, 28 bytes
|
# byte 15-42: random, 28 bytes
|
||||||
# byte 43: session id length
|
# byte 43: session id length
|
||||||
# byte 44+45+sid-len: cipher suite!
|
# byte 44+45+sid-len: cipher suite!
|
||||||
@ -4124,7 +4123,7 @@ sslv2_sockets() {
|
|||||||
outln " (rerun with DEBUG >=2)"
|
outln " (rerun with DEBUG >=2)"
|
||||||
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
|
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
|
||||||
ret=7
|
ret=7
|
||||||
fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 replay (rerun with DEBUG>=2)"
|
fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
||||||
;;
|
;;
|
||||||
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
|
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
|
||||||
pr_done_bestln "not offered (OK)"
|
pr_done_bestln "not offered (OK)"
|
||||||
@ -5090,7 +5089,7 @@ run_drown() {
|
|||||||
outln " (rerun with DEBUG >=2)"
|
outln " (rerun with DEBUG >=2)"
|
||||||
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
|
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
|
||||||
ret=7
|
ret=7
|
||||||
fileout "DROWN" "MINOR_ERROR" "SSLv2: received a strange SSLv2 replay (rerun with DEBUG>=2)"
|
fileout "DROWN" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
||||||
;;
|
;;
|
||||||
3) # vulnerable
|
3) # vulnerable
|
||||||
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)")
|
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)")
|
||||||
@ -5387,7 +5386,7 @@ old_fart() {
|
|||||||
fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -2
|
fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -2
|
||||||
}
|
}
|
||||||
|
|
||||||
# try very hard to determine th install path to get ahold of the mapping file
|
# try very hard to determine the install path to get ahold of the mapping file
|
||||||
# it provides "keycode/ RFC style name", see RFCs, cipher(1), www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_simple_table_all.htm
|
# it provides "keycode/ RFC style name", see RFCs, cipher(1), www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_simple_table_all.htm
|
||||||
get_install_dir() {
|
get_install_dir() {
|
||||||
#INSTALL_DIR=$(cd "$(dirname "$0")" && pwd)/$(basename "$0")
|
#INSTALL_DIR=$(cd "$(dirname "$0")" && pwd)/$(basename "$0")
|
||||||
@ -6165,7 +6164,7 @@ sclient_auth() {
|
|||||||
if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session
|
if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session
|
||||||
if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then # do another sanity check to be sure
|
if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then # do another sanity check to be sure
|
||||||
CLIENT_AUTH=false
|
CLIENT_AUTH=false
|
||||||
NO_SSL_SESSIONID=true # NO_SSL_SESSIONI is preset globally to false for all other cases
|
NO_SSL_SESSIONID=true # NO_SSL_SESSIONID is preset globally to false for all other cases
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user