Multiple IP scan fix (no --file) + single cipher scan works with multiple IPs

This PR addresses the problem (#1037) that, if a hostname resolves to multiple IP
addresses and the first one isn't reachable, only that first IP was tried: the
scan terminated there and didn't continue with the 2nd, 3rd, etc.

Same applied to scans with --mx.

This based on the global MULTIPLE_CHECKS which is set to true whenever
such a scan is started.

One minor point: Also if the last IP isn't reachable the output will say
"proceeding with next:". I guess that should be clear looking at the (different outputs).

This PR also fixes a scan problem with a single cipher/pattern (-x/--single-cipher):
previously where only one IP was scanned.

Furthermore some redundant quotes were removed.
Dirk Wetter 2019-01-24 17:57:29 +01:00
parent ef6deb037e
commit 966f414a2b


@ -158,7 +158,7 @@ HAS_OPENBSDDATE=false
if date -d @735275209 >/dev/null 2>&1; then if date -d @735275209 >/dev/null 2>&1; then
if date -r @735275209 >/dev/null 2>&1; then if date -r @735275209 >/dev/null 2>&1; then
# it can't do any conversion from a plain date output # it can't do any conversion from a plain date output
HAS_OPENBSDDATE=true HAS_OPENBSDDATE=true
else else
HAS_GNUDATE=true HAS_GNUDATE=true
fi fi
@ -277,6 +277,7 @@ HTMLHEADER=true # same for HTML
SECTION_FOOTER_NEEDED=false # kludge for tracking whether we need to close the JSON section object SECTION_FOOTER_NEEDED=false # kludge for tracking whether we need to close the JSON section object
GIVE_HINTS=false # give an additional info to findings GIVE_HINTS=false # give an additional info to findings
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs) SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
MULTIPLE_CHECKS=false # need to know whether an MX record or a hostname resolves to multiple IPs to check
CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false} CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false}
HAD_SLEPT=0 HAD_SLEPT=0
NR_SOCKET_FAIL=0 # Counter for socket failures NR_SOCKET_FAIL=0 # Counter for socket failures
@ -1937,7 +1938,7 @@ service_detection() {
# #
connectivity_problem() { connectivity_problem() {
if [[ $1 -lt $2 ]]; then if [[ $1 -lt $2 ]]; then
prln_warning "Oops: $3" prln_warning " Oops: $3"
return 0 return 0
fi fi
if [[ $1 -ge $2 ]]; then if [[ $1 -ge $2 ]]; then
@ -3241,7 +3242,7 @@ neat_list(){
[[ "$DISPLAY_CIPHERNAMES" != openssl-only ]] && tls_cipher="$(show_rfc_style "$hexcode")" [[ "$DISPLAY_CIPHERNAMES" != openssl-only ]] && tls_cipher="$(show_rfc_style "$hexcode")"
if [[ "$5" != "true" ]]; then if [[ "$5" != true ]]; then
if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then
line="$(printf -- " %-7s %-49s %-10s %-12s%-8s" "$hexcode" "$tls_cipher" "$kx" "$enc" "$strength")" line="$(printf -- " %-7s %-49s %-10s %-12s%-8s" "$hexcode" "$tls_cipher" "$kx" "$enc" "$strength")"
[[ "$DISPLAY_CIPHERNAMES" != rfc-only ]] && line+="$(printf -- " %-33s${SHOW_EACH_C:+ %-0s}" "$ossl_cipher")" [[ "$DISPLAY_CIPHERNAMES" != rfc-only ]] && line+="$(printf -- " %-33s${SHOW_EACH_C:+ %-0s}" "$ossl_cipher")"
@ -3601,15 +3602,6 @@ run_cipher_match(){
done done
"$using_sockets" && HAS_DH_BITS="$has_dh_bits" "$using_sockets" && HAS_DH_BITS="$has_dh_bits"
tmpfile_handle ${FUNCNAME[0]}.txt tmpfile_handle ${FUNCNAME[0]}.txt
stopwatch run_cipher_match
fileout_section_footer true
outln
calc_scantime
datebanner " Done"
"$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME"
[[ -e "$MEASURE_TIME_FILE" ]] && echo "Total : $SCAN_TIME " >> "$MEASURE_TIME_FILE"
exit
done done
outln outln
@ -9438,6 +9430,9 @@ fd_socket() {
imap|imaps) # IMAP, https://tools.ietf.org/html/rfc2595, https://tools.ietf.org/html/rfc3501 imap|imaps) # IMAP, https://tools.ietf.org/html/rfc2595, https://tools.ietf.org/html/rfc3501
starttls_imap_dialog starttls_imap_dialog
;; ;;
irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
;;
ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511 ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
fatal "FIXME: LDAP+STARTTLS over sockets not yet supported (try \"--ssl-native\")" $ERR_NOSUPPORT fatal "FIXME: LDAP+STARTTLS over sockets not yet supported (try \"--ssl-native\")" $ERR_NOSUPPORT
;; ;;
@ -9459,7 +9454,7 @@ fd_socket() {
esac esac
fi fi
[[ $? -eq 0 ]] && return 0 [[ $? -eq 0 ]] && return 0
prln_warning "STARTTLS handshake failed" prln_warning " STARTTLS handshake failed"
return 1 return 1
} }
@ -16246,9 +16241,11 @@ child_error() {
exit $ERR_CHILD exit $ERR_CHILD
} }
# Program terminates prematurely, with error code
# arg1: string to print / to write to file # arg1: string to print / to write to file
# arg2: error code, is a global, see ERR_* above # arg2: global error code, see ERR_* above
# arg3: an optional string # arg3: an optional hint (string)
# #
fatal() { fatal() {
outln outln
@ -16262,6 +16259,18 @@ fatal() {
exit $2 exit $2
} }
# This OTOH doesn't exit but puts a fatal error to the screen but continues with the next
# IP/hostname. It should only be used if a single IP/Hostname in a scan is not reachable.
# arg1: string to print / to write to file
#
ip_fatal() {
outln
prln_magenta "Fatal error: $1, proceeding with next IP (if any)" >&2
[[ -n "$LOGFILE" ]] && prln_magenta "Fatal error: $1, proceeding with next IP (if any)" >>$LOGFILE
outln
fileout "scanProblem" "FATAL" "$1, proceeding with next IP (if any)"
return 0
}
initialize_engine(){ initialize_engine(){
# for now only GOST engine # for now only GOST engine
@ -16895,21 +16904,26 @@ determine_optimal_proto() {
} }
# arg1: ftp smtp, lmtp, pop3, imap, xmpp, telnet, ldap, postgres, mysql (maybe with trailing s) # arg1: ftp smtp, lmtp, pop3, imap, xmpp, telnet, ldap, postgres, mysql, irc, nntp (maybe with trailing s)
determine_service() { determine_service() {
local ua local ua
local protocol local protocol error_msg
if ! fd_socket 5; then # check if we can connect to $NODEIP:$PORT # check if we can connect to $NODEIP:$PORT
if ! fd_socket 5; then
if [[ -n "$PROXY" ]]; then if [[ -n "$PROXY" ]]; then
fatal "You're sure $PROXYNODE:$PROXYPORT allows tunneling here? Can't connect to \"$NODEIP:$PORT\"" $ERR_CONNECT fatal "You're sure $PROXYNODE:$PROXYPORT allows tunneling here? Can't connect to \"$NODEIP:$PORT\"" $ERR_CONNECT
else else
fatal "Can't connect to \"$NODEIP:$PORT\"\nMake sure a firewall is not between you and your scanning target!" $ERR_CONNECT if "$MULTIPLE_CHECKS"; then
ip_fatal "Couldn't connect to $NODEIP:$PORT"
return 1
else
fatal "Can't connect to \"$NODEIP:$PORT\"\nMake sure a firewall is not between you and your scanning target!" $ERR_CONNECT
fi
fi fi
fi fi
close_socket close_socket
datebanner " Start"
outln outln
if [[ -z "$1" ]]; then if [[ -z "$1" ]]; then
# no STARTTLS. # no STARTTLS.
@ -16926,6 +16940,7 @@ determine_service() {
else else
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
fi fi
case "$protocol" in case "$protocol" in
ftp|smtp|lmtp|pop3|imap|xmpp|telnet|ldap|postgres|mysql|nntp) ftp|smtp|lmtp|pop3|imap|xmpp|telnet|ldap|postgres|mysql|nntp)
STARTTLS="-starttls $protocol" STARTTLS="-starttls $protocol"
@ -16973,12 +16988,20 @@ determine_service() {
fatal "Your $OPENSSL does not support the \"-starttls nntp\" option" $ERR_OSSLBIN fatal "Your $OPENSSL does not support the \"-starttls nntp\" option" $ERR_OSSLBIN
fi fi
fi fi
$OPENSSL s_client $(s_client_options "-connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS") 2>$ERRFILE >$TMPFILE </dev/null $OPENSSL s_client $(s_client_options "-connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS") 2>$ERRFILE >$TMPFILE </dev/null
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
error_msg="$OPENSSL couldn't connect to $NODEIP:$PORT via STARTTLS using $protocol"
debugme cat $TMPFILE | head -25 debugme cat $TMPFILE | head -25
outln outln
fatal " $OPENSSL couldn't establish STARTTLS via $protocol to $NODEIP:$PORT" $ERR_CONNECT if "$MULTIPLE_CHECKS"; then
ip_fatal "$error_msg"
return 1
else
fatal " $error_msg" $ERR_CONNECT
fi
fi fi
grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190 grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190
out " Service set:$CORRECT_SPACES STARTTLS via " out " Service set:$CORRECT_SPACES STARTTLS via "
out "$(toupper "$protocol")" out "$(toupper "$protocol")"
@ -16988,7 +17011,7 @@ determine_service() {
outln outln
;; ;;
*) outln *) outln
fatal "momentarily only ftp, smtp, lmtp, pop3, imap, xmpp, telnet, ldap, postgres, and mysql allowed" $ERR_CMDLINE fatal "momentarily only ftp, smtp, lmtp, pop3, imap, xmpp, telnet, ldap, nntp, postgres and mysql allowed" $ERR_CMDLINE
;; ;;
esac esac
fi fi
@ -17071,15 +17094,16 @@ run_mx_all_ips() {
prepare_logging "${FNAME_PREFIX}mx-$1" prepare_logging "${FNAME_PREFIX}mx-$1"
fi fi
if [[ -n "$mxs" ]] && [[ "$mxs" != ' ' ]]; then if [[ -n "$mxs" ]] && [[ "$mxs" != ' ' ]]; then
[[ $mxport == "465" ]] && \ [[ $(count_words "$mxs") -gt 1 ]] && MULTIPLE_CHECKS=true
STARTTLS_PROTOCOL="" # no starttls for tcp 465, all other ports are starttls
pr_bold "Testing all MX records (on port $mxport): "; outln "$mxs" pr_bold "Testing all MX records (on port $mxport): "; outln "$mxs"
[[ $mxport == 465 ]] && STARTTLS_PROTOCOL="" # no starttls for tcp 465, all other ports are starttls
for mx in $mxs; do for mx in $mxs; do
draw_line "-" $((TERM_WIDTH * 2 / 3)) draw_line "-" $((TERM_WIDTH * 2 / 3))
outln outln
parse_hn_port "$mx:$mxport" parse_hn_port "$mx:$mxport"
determine_ip_addresses || continue determine_ip_addresses || continue
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
MULTIPLE_CHECKS=true
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
for ip in $IPADDRs; do for ip in $IPADDRs; do
NODEIP="$ip" NODEIP="$ip"
@ -17218,7 +17242,7 @@ ports2starttls() {
local tcp_port=$1 local tcp_port=$1
local ret=0 local ret=0
# https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers # https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
case $tcp_port in case $tcp_port in
21) echo "-t ftp " ;; 21) echo "-t ftp " ;;
23) echo "-t telnet " ;; 23) echo "-t telnet " ;;
@ -17358,7 +17382,7 @@ run_mass_testing() {
get_next_message_testing_parallel_result() { get_next_message_testing_parallel_result() {
draw_line "=" $((TERM_WIDTH / 2)); outln; draw_line "=" $((TERM_WIDTH / 2)); outln;
outln "${PARALLEL_TESTING_CMDLINE[NEXT_PARALLEL_TEST_TO_FINISH]}" outln "${PARALLEL_TESTING_CMDLINE[NEXT_PARALLEL_TEST_TO_FINISH]}"
if [[ "$1" == "completed" ]]; then if [[ "$1" == completed ]]; then
cat "$TEMPDIR/term_output_$(printf "%08d" $NEXT_PARALLEL_TEST_TO_FINISH).log" cat "$TEMPDIR/term_output_$(printf "%08d" $NEXT_PARALLEL_TEST_TO_FINISH).log"
if "$JSONHEADER" && [[ -s "$TEMPDIR/jsonfile_$(printf "%08d" $NEXT_PARALLEL_TEST_TO_FINISH).json" ]]; then if "$JSONHEADER" && [[ -s "$TEMPDIR/jsonfile_$(printf "%08d" $NEXT_PARALLEL_TEST_TO_FINISH).json" ]]; then
# Need to ensure that a separator is only added if the test # Need to ensure that a separator is only added if the test
@ -17717,7 +17741,7 @@ parse_cmd_line() {
unset CMDLINE_IP unset CMDLINE_IP
fi fi
# normalize any IPv6 address # normalize any IPv6 address
CMDLINE_IP="${CMDLINE_IP//[/}" CMDLINE_IP="${CMDLINE_IP//[/}" # fix vim syntax highlighting "]
CMDLINE_IP="${CMDLINE_IP//]/}" CMDLINE_IP="${CMDLINE_IP//]/}"
;; ;;
-n|--nodns|-n=*|--nodns=*) -n|--nodns|-n=*|--nodns=*)
@ -18209,98 +18233,105 @@ lets_roll() {
stopwatch determine_rdns stopwatch determine_rdns
((SERVER_COUNTER++)) ((SERVER_COUNTER++))
determine_service "$1" # STARTTLS service? Other will be determined here too. Returns always 0 or has already exited if fatal error occurred datebanner " Start"
determine_service "$1" # STARTTLS service? Other will be determined here too. Returns 0 if test connect was ok or has already exited if fatal error occurred
# "secret" devel options --devel: # determine_service() can return 1, it indicates that this IP cannot be reached but there are more IPs to check
if "$do_tls_sockets"; then if [[ $? -eq 0 ]] ; then
if [[ "$TLS_LOW_BYTE" == 22 ]]; then # "secret" devel options --devel:
sslv2_sockets "" "true" if "$do_tls_sockets"; then
else if [[ "$TLS_LOW_BYTE" == 22 ]]; then
if [[ "$TLS_LOW_BYTE" == 04 ]]; then sslv2_sockets "" "true"
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"
else else
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all" if [[ "$TLS_LOW_BYTE" == 04 ]]; then
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"
else
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all"
fi
fi fi
echo $?
exit $ALLOK;
fi fi
echo $? if "$do_cipher_match"; then
exit $ALLOK; # we will have an invalid JSON with no if statement
fileout_section_header $section_number false
run_cipher_match ${single_cipher}
stopwatch run_cipher_match
else
((section_number++))
# all top level functions now following have the prefix "run_"
fileout_section_header $section_number false && ((section_number++))
"$do_protocols" && {
run_protocols; ret=$(($? + ret)); stopwatch run_protocols;
run_npn; ret=$(($? + ret)); stopwatch run_npn;
run_alpn; ret=$(($? + ret)); stopwatch run_alpn;
}
fileout_section_header $section_number true && ((section_number++))
"$do_grease" && { run_grease; ret=$(($? + ret)); stopwatch run_grease; }
fileout_section_header $section_number true && ((section_number++))
"$do_cipherlists" && { run_cipherlists; ret=$(($? + ret)); stopwatch run_cipherlists; }
fileout_section_header $section_number true && ((section_number++))
"$do_pfs" && { run_pfs; ret=$(($? + ret)); stopwatch run_pfs; }
fileout_section_header $section_number true && ((section_number++))
"$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; }
fileout_section_header $section_number true && ((section_number++))
"$do_server_defaults" && { run_server_defaults; ret=$(($? + ret)); stopwatch run_server_defaults; }
if "$do_header"; then
#TODO: refactor this into functions
fileout_section_header $section_number true && ((section_number++))
if [[ $SERVICE == HTTP ]]; then
run_http_header "$URL_PATH"; ret=$(($? + ret))
run_http_date "$URL_PATH"; ret=$(($? + ret))
run_hsts "$URL_PATH"; ret=$(($? + ret))
run_hpkp "$URL_PATH"; ret=$(($? + ret))
run_server_banner "$URL_PATH"; ret=$(($? + ret))
run_appl_banner "$URL_PATH"; ret=$(($? + ret))
run_cookie_flags "$URL_PATH"; ret=$(($? + ret))
run_security_headers "$URL_PATH"; ret=$(($? + ret))
run_rp_banner "$URL_PATH"; ret=$(($? + ret))
stopwatch do_header
fi
else
((section_number++))
fi
# vulnerabilities
if [[ $VULN_COUNT -gt $VULN_THRESHLD ]] || "$do_vulnerabilities"; then
outln; pr_headlineln " Testing vulnerabilities "
outln
fi
fileout_section_header $section_number true && ((section_number++))
"$do_heartbleed" && { run_heartbleed; ret=$(($? + ret)); stopwatch run_heartbleed; }
"$do_ccs_injection" && { run_ccs_injection; ret=$(($? + ret)); stopwatch run_ccs_injection; }
"$do_ticketbleed" && { run_ticketbleed; ret=$(($? + ret)); stopwatch run_ticketbleed; }
"$do_robot" && { run_robot; ret=$(($? + ret)); stopwatch run_robot; }
"$do_renego" && { run_renego; ret=$(($? + ret)); stopwatch run_renego; }
"$do_crime" && { run_crime; ret=$(($? + ret)); stopwatch run_crime; }
"$do_breach" && { run_breach "$URL_PATH" ; ret=$(($? + ret)); stopwatch run_breach; }
"$do_ssl_poodle" && { run_ssl_poodle; ret=$(($? + ret)); stopwatch run_ssl_poodle; }
"$do_tls_fallback_scsv" && { run_tls_fallback_scsv; ret=$(($? + ret)); stopwatch run_tls_fallback_scsv; }
"$do_sweet32" && { run_sweet32; ret=$(($? + ret)); stopwatch run_sweet32; }
"$do_freak" && { run_freak; ret=$(($? + ret)); stopwatch run_freak; }
"$do_drown" && { run_drown ret=$(($? + ret)); stopwatch run_drown; }
"$do_logjam" && { run_logjam; ret=$(($? + ret)); stopwatch run_logjam; }
"$do_beast" && { run_beast; ret=$(($? + ret)); stopwatch run_beast; }
"$do_lucky13" && { run_lucky13; ret=$(($? + ret)); stopwatch run_lucky13; }
"$do_rc4" && { run_rc4; ret=$(($? + ret)); stopwatch run_rc4; }
fileout_section_header $section_number true && ((section_number++))
"$do_allciphers" && { run_allciphers; ret=$(($? + ret)); stopwatch run_allciphers; }
"$do_cipher_per_proto" && { run_cipher_per_proto; ret=$(($? + ret)); stopwatch run_cipher_per_proto; }
fileout_section_header $section_number true && ((section_number++))
"$do_client_simulation" && { run_client_simulation; ret=$(($? + ret)); stopwatch run_client_simulation; }
fi
fileout_section_footer true
fi fi
"$do_cipher_match" && { fileout_section_header $section_number false; run_cipher_match ${single_cipher}; }
((section_number++))
# all top level functions now following have the prefix "run_"
fileout_section_header $section_number false && ((section_number++))
"$do_protocols" && {
run_protocols; ret=$(($? + ret)); stopwatch run_protocols;
run_npn; ret=$(($? + ret)); stopwatch run_npn;
run_alpn; ret=$(($? + ret)); stopwatch run_alpn;
}
fileout_section_header $section_number true && ((section_number++))
"$do_grease" && { run_grease; ret=$(($? + ret)); stopwatch run_grease; }
fileout_section_header $section_number true && ((section_number++))
"$do_cipherlists" && { run_cipherlists; ret=$(($? + ret)); stopwatch run_cipherlists; }
fileout_section_header $section_number true && ((section_number++))
"$do_pfs" && { run_pfs; ret=$(($? + ret)); stopwatch run_pfs; }
fileout_section_header $section_number true && ((section_number++))
"$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; }
fileout_section_header $section_number true && ((section_number++))
"$do_server_defaults" && { run_server_defaults; ret=$(($? + ret)); stopwatch run_server_defaults; }
if "$do_header"; then
#TODO: refactor this into functions
fileout_section_header $section_number true && ((section_number++))
if [[ $SERVICE == "HTTP" ]]; then
run_http_header "$URL_PATH"; ret=$(($? + ret))
run_http_date "$URL_PATH"; ret=$(($? + ret))
run_hsts "$URL_PATH"; ret=$(($? + ret))
run_hpkp "$URL_PATH"; ret=$(($? + ret))
run_server_banner "$URL_PATH"; ret=$(($? + ret))
run_appl_banner "$URL_PATH"; ret=$(($? + ret))
run_cookie_flags "$URL_PATH"; ret=$(($? + ret))
run_security_headers "$URL_PATH"; ret=$(($? + ret))
run_rp_banner "$URL_PATH"; ret=$(($? + ret))
stopwatch do_header
fi
else
((section_number++))
fi
# vulnerabilities
if [[ $VULN_COUNT -gt $VULN_THRESHLD ]] || "$do_vulnerabilities"; then
outln; pr_headlineln " Testing vulnerabilities "
outln
fi
fileout_section_header $section_number true && ((section_number++))
"$do_heartbleed" && { run_heartbleed; ret=$(($? + ret)); stopwatch run_heartbleed; }
"$do_ccs_injection" && { run_ccs_injection; ret=$(($? + ret)); stopwatch run_ccs_injection; }
"$do_ticketbleed" && { run_ticketbleed; ret=$(($? + ret)); stopwatch run_ticketbleed; }
"$do_robot" && { run_robot; ret=$(($? + ret)); stopwatch run_robot; }
"$do_renego" && { run_renego; ret=$(($? + ret)); stopwatch run_renego; }
"$do_crime" && { run_crime; ret=$(($? + ret)); stopwatch run_crime; }
"$do_breach" && { run_breach "$URL_PATH" ; ret=$(($? + ret)); stopwatch run_breach; }
"$do_ssl_poodle" && { run_ssl_poodle; ret=$(($? + ret)); stopwatch run_ssl_poodle; }
"$do_tls_fallback_scsv" && { run_tls_fallback_scsv; ret=$(($? + ret)); stopwatch run_tls_fallback_scsv; }
"$do_sweet32" && { run_sweet32; ret=$(($? + ret)); stopwatch run_sweet32; }
"$do_freak" && { run_freak; ret=$(($? + ret)); stopwatch run_freak; }
"$do_drown" && { run_drown ret=$(($? + ret)); stopwatch run_drown; }
"$do_logjam" && { run_logjam; ret=$(($? + ret)); stopwatch run_logjam; }
"$do_beast" && { run_beast; ret=$(($? + ret)); stopwatch run_beast; }
"$do_lucky13" && { run_lucky13; ret=$(($? + ret)); stopwatch run_lucky13; }
"$do_rc4" && { run_rc4; ret=$(($? + ret)); stopwatch run_rc4; }
fileout_section_header $section_number true && ((section_number++))
"$do_allciphers" && { run_allciphers; ret=$(($? + ret)); stopwatch run_allciphers; }
"$do_cipher_per_proto" && { run_cipher_per_proto; ret=$(($? + ret)); stopwatch run_cipher_per_proto; }
fileout_section_header $section_number true && ((section_number++))
"$do_client_simulation" && { run_client_simulation; ret=$(($? + ret)); stopwatch run_client_simulation; }
fileout_section_footer true
outln outln
calc_scantime calc_scantime
@ -18381,6 +18412,7 @@ lets_roll() {
fatal "No IP address could be determined" $ERR_DNSLOOKUP fatal "No IP address could be determined" $ERR_DNSLOOKUP
fi fi
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
MULTIPLE_CHECKS=true
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
for ip in $IPADDRs; do for ip in $IPADDRs; do
draw_line "-" $((TERM_WIDTH * 2 / 3)) draw_line "-" $((TERM_WIDTH * 2 / 3))
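Review bot: In the lets_roll() hunk the re-indented DROWN line still reads `"$do_drown" && { run_drown ret=$(($? + ret)); stopwatch run_drown; }`; with no `;` after `run_drown`, the `ret=…` word is passed to run_drown as an argument, so that check's status is never added to `ret`, unlike every neighbouring check. Since the line is being moved anyway, it should become `"$do_drown" && { run_drown; ret=$(($? + ret)); stopwatch run_drown; }`. Related: the new `if [[ $? -eq 0 ]]` has no else branch, so an IP skipped via ip_fatal also leaves `ret` unchanged; if the exit status is derived from `ret` (not visible here), automation could read a run with skipped IPs as clean, so the skip should either be counted in `ret` or the reliance on the "scanProblem" entry documented in a comment. lets_roll() begins and ends outside this hunk.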