mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-10-31 22:05:26 +01:00
Dirk Wetter
79
testssl.sh
79
testssl.sh
@@ -3512,7 +3512,7 @@ prettyprint_local() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -z "$1" ]]; then
|
if [[ -z "$1" ]]; then
|
||||||
pr_headline " Displaying all $OPENSSL_NR_CIPHERS local ciphers ";
|
pr_headline " Displaying all $OPENSSL_NR_CIPHERS local OpenSSL ciphers ";
|
||||||
else
|
else
|
||||||
pr_headline " Displaying all local ciphers ";
|
pr_headline " Displaying all local ciphers ";
|
||||||
# pattern provided; which one?
|
# pattern provided; which one?
|
||||||
@@ -20397,6 +20397,7 @@ find_openssl_binary() {
|
|||||||
local openssl_location cwd=""
|
local openssl_location cwd=""
|
||||||
local ossl_wo_dev_info
|
local ossl_wo_dev_info
|
||||||
local curve
|
local curve
|
||||||
|
local ossl_line1="" yr=""
|
||||||
local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448" "brainpoolP256r1tls13" "brainpoolP384r1tls13" "brainpoolP512r1tls13" "ffdhe2048" "ffdhe3072" "ffdhe4096" "ffdhe6144" "ffdhe8192")
|
local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448" "brainpoolP256r1tls13" "brainpoolP384r1tls13" "brainpoolP512r1tls13" "ffdhe2048" "ffdhe3072" "ffdhe4096" "ffdhe6144" "ffdhe8192")
|
||||||
|
|
||||||
# 0. check environment variable whether it's executable
|
# 0. check environment variable whether it's executable
|
||||||
@@ -20432,25 +20433,25 @@ find_openssl_binary() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# https://www.openssl.org/news/changelog.html
|
$OPENSSL version -a 2>/dev/null >$TEMPDIR/openssl_version_all
|
||||||
# https://web.archive.org/web/20150815130800/http://openssl.org/news/openssl-notes.html
|
ossl_line1=$(head -1 $TEMPDIR/openssl_version_all)
|
||||||
OSSL_NAME=$($OPENSSL version 2>/dev/null | awk '{ print $1 }')
|
OSSL_NAME=$(awk '{ print $1 }' <<< "${ossl_line1}")
|
||||||
OSSL_VER=$($OPENSSL version 2>/dev/null | awk -F' ' '{ print $2 }')
|
OSSL_VER=$(awk -F' ' '{ print $2 }' <<< "${ossl_line1}")
|
||||||
OSSL_VER_MAJOR="${OSSL_VER%%\.*}"
|
OSSL_VER_MAJOR="${OSSL_VER%%\.*}"
|
||||||
ossl_wo_dev_info="${OSSL_VER%%-*}"
|
OSSL_VER_MINOR="${OSSL_VER%%-*}"
|
||||||
OSSL_VER_MINOR="${ossl_wo_dev_info#$OSSL_VER_MAJOR\.}"
|
OSSL_VER_MINOR="${OSSL_VER_MINOR#$OSSL_VER_MAJOR\.}"
|
||||||
OSSL_VER_MINOR="${OSSL_VER_MINOR%%[a-zA-Z]*}"
|
OSSL_VER_MINOR="${OSSL_VER_MINOR%%[a-zA-Z]*}"
|
||||||
|
# like -bad -fips etc:
|
||||||
OSSL_VER_APPENDIX="${OSSL_VER#$OSSL_VER_MAJOR\.$OSSL_VER_MINOR}"
|
OSSL_VER_APPENDIX="${OSSL_VER#$OSSL_VER_MAJOR\.$OSSL_VER_MINOR}"
|
||||||
OSSL_VER_PLATFORM=$($OPENSSL version -p 2>/dev/null | sed 's/^platform: //')
|
OSSL_VER_PLATFORM="$(awk '/^platform: / { print $2 }' < $TEMPDIR/openssl_version_all)"
|
||||||
OSSL_BUILD_DATE=$($OPENSSL version -a 2>/dev/null | grep '^built' | sed -e 's/built on//' -e 's/: ... //' -e 's/: //' -e 's/ UTC//' -e 's/ +0000//' -e 's/.000000000//')
|
OSSL_BUILD_DATE="$(awk '/^built on/' < $TEMPDIR/openssl_version_all)"
|
||||||
|
OSSL_BUILD_DATE=${OSSL_BUILD_DATE#*: }
|
||||||
|
|
||||||
# Determine an OpenSSL short string for the banner
|
# MacOS' homebrew and Debian add a library string: OpenSSL 3.3.1 4 Jun 2024 (Library: OpenSSL 3.3.1 4 Jun 2024),
|
||||||
# E.g MacOS' homebrew and Debian add a library string: OpenSSL 3.3.1 4 Jun 2024 (Library: OpenSSL 3.3.1 4 Jun 2024),
|
|
||||||
# so we omit the part after the round bracket as it breaks formatting and doesn't provide more useful info
|
# so we omit the part after the round bracket as it breaks formatting and doesn't provide more useful info
|
||||||
OSSL_SHORT_STR=$($OPENSSL version 2>/dev/null)
|
OSSL_SHORT_STR=${ossl_line1%\(*}
|
||||||
OSSL_SHORT_STR=${OSSL_SHORT_STR%\(*}
|
# Now handle strings like "OpenSSL 1.1.1l-fips 24 Aug 2021 SUSE release 150500.17.34.1". So we look for
|
||||||
# Now handle strings like this: OpenSSL 1.1.1l-fips 24 Aug 2021 SUSE release 150500.17.34.1
|
# the year, remove it until the end and then re-add just the year
|
||||||
# we find the year, remove until first occurrence, re-add it
|
|
||||||
for yr in {2014..2029} ; do
|
for yr in {2014..2029} ; do
|
||||||
if [[ $OSSL_SHORT_STR =~ \ $yr ]] ; then
|
if [[ $OSSL_SHORT_STR =~ \ $yr ]] ; then
|
||||||
OSSL_SHORT_STR=${OSSL_SHORT_STR%%$yr*}
|
OSSL_SHORT_STR=${OSSL_SHORT_STR%%$yr*}
|
||||||
@@ -20458,6 +20459,22 @@ find_openssl_binary() {
|
|||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
# Now OSSL_SHORT_STR contains for newer binaries "OpenSSL 3.3.1 4 Jun 2024" and for the supplied "OpenSSL 1.0.2-bad".
|
||||||
|
# Now, determine the build date if there is one, Opensuse doesn't seem to have one, then we pick the date instead from the first line
|
||||||
|
if [[ -z ${OSSL_BUILD_DATE} ]]; then
|
||||||
|
# determine date from the form. And take that as a built date internally
|
||||||
|
OSSL_NAME=${OSSL_SHORT_STR/?? ??? 20??/}
|
||||||
|
OSSL_BUILD_DATE=${OSSL_SHORT_STR/$OSSL_NAME/}
|
||||||
|
else
|
||||||
|
# Remove TZ
|
||||||
|
OSSL_BUILD_DATE=${OSSL_BUILD_DATE/UTC/}
|
||||||
|
fi
|
||||||
|
# opensuse e.g. has also the version in the name which we don't want there
|
||||||
|
OSSL_NAME=${OSSL_NAME/$OSSL_VER/}
|
||||||
|
# Reduce double spaces to just one and remove trailing space
|
||||||
|
OSSL_BUILD_DATE=${OSSL_BUILD_DATE/ / }
|
||||||
|
OSSL_BUILD_DATE="$(strip_trailing_space "$OSSL_BUILD_DATE")"
|
||||||
|
OSSL_NAME=${OSSL_NAME// /}
|
||||||
|
|
||||||
# see #190, reverting logic: unless otherwise proved openssl has no dh bits
|
# see #190, reverting logic: unless otherwise proved openssl has no dh bits
|
||||||
case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in
|
case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in
|
||||||
@@ -20557,13 +20574,11 @@ find_openssl_binary() {
|
|||||||
$OPENSSL s_client -no_comp </dev/null 2>&1 | grep -aiq "unknown option" || HAS_NO_COMP=true
|
$OPENSSL s_client -no_comp </dev/null 2>&1 | grep -aiq "unknown option" || HAS_NO_COMP=true
|
||||||
|
|
||||||
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
|
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
|
||||||
|
|
||||||
# The following statement works with OpenSSL 1.0.2, 1.1.1 and 3.0 and LibreSSL 3.4
|
# The following statement works with OpenSSL 1.0.2, 1.1.1 and 3.0 and LibreSSL 3.4
|
||||||
if $OPENSSL s_client -curves </dev/null 2>&1 | grep -aiq "unknown option"; then
|
if $OPENSSL s_client -curves </dev/null 2>&1 | grep -aiq "unknown option"; then
|
||||||
# This is e.g. for LibreSSL (tested with version 3.4.1): WSL users will get "127.0.0.1:0" here,
|
# LibreSSL (tested with version 3.4.1 and 3.0.2) need -groups instead of -curve
|
||||||
# all other "invalid.:0". We need a port here, in any case!
|
# WSL users connect to "127.0.0.1:0", others to "invalid." or "invalid.:0"
|
||||||
# The $OPENSSL connect call deliberately fails: when the curve isn't available with
|
# The $OPENSSL connect call deliberately fails: when the curve isn't available with the described error messages
|
||||||
# "getaddrinfo: Name or service not known", newer LibreSSL with "Failed to set groups".
|
|
||||||
for curve in "${curves_ossl[@]}"; do
|
for curve in "${curves_ossl[@]}"; do
|
||||||
$OPENSSL s_client -groups $curve -connect ${NXCONNECT%:*}:0 </dev/null 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups"
|
$OPENSSL s_client -groups $curve -connect ${NXCONNECT%:*}:0 </dev/null 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups"
|
||||||
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
|
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
|
||||||
@@ -20572,7 +20587,8 @@ find_openssl_binary() {
|
|||||||
HAS_CURVES=true
|
HAS_CURVES=true
|
||||||
for curve in "${curves_ossl[@]}"; do
|
for curve in "${curves_ossl[@]}"; do
|
||||||
# Same as above, we just don't need a port for invalid.
|
# Same as above, we just don't need a port for invalid.
|
||||||
$OPENSSL s_client -curves $curve -connect $NXCONNECT </dev/null 2>&1 | grep -Eiaq "Error with command|unknown option|Call to SSL_CONF_cmd(.*) failed"
|
#FIXME: openssl 3 sometimes seems to hang when using '-connect invalid.' for up to 10 seconds
|
||||||
|
$OPENSSL s_client -curves $curve -connect $NXCONNECT </dev/null 2>&1 | grep -Eiaq "Error with command|unknown option|Call to SSL_CONF_cmd(.*) failed|cannot be set"
|
||||||
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
|
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@@ -20799,7 +20815,7 @@ help() {
|
|||||||
and [options] is/are:
|
and [options] is/are:
|
||||||
|
|
||||||
-t, --starttls <protocol> Does a run against a STARTTLS enabled service which is one of ftp, smtp, lmtp, pop3, imap,
|
-t, --starttls <protocol> Does a run against a STARTTLS enabled service which is one of ftp, smtp, lmtp, pop3, imap,
|
||||||
sieve, xmpp, xmpp-server, telnet, ldap, nntp, postgres, mysql
|
xmpp, xmpp-server, telnet, ldap, nntp, sieve, postgres, mysql
|
||||||
--xmpphost <to_domain> For STARTTLS xmpp or xmpp-server checks it supplies the domainname (like SNI)
|
--xmpphost <to_domain> For STARTTLS xmpp or xmpp-server checks it supplies the domainname (like SNI)
|
||||||
--mx <domain/host> Tests MX records from high to low priority (STARTTLS, port 25)
|
--mx <domain/host> Tests MX records from high to low priority (STARTTLS, port 25)
|
||||||
--file/-iL <fname> Mass testing option: Reads one testssl.sh command line per line from <fname>.
|
--file/-iL <fname> Mass testing option: Reads one testssl.sh command line per line from <fname>.
|
||||||
@@ -21099,11 +21115,11 @@ prepare_arrays() {
|
|||||||
mybanner() {
|
mybanner() {
|
||||||
local bb1 bb2 bb3
|
local bb1 bb2 bb3
|
||||||
local spaces=" "
|
local spaces=" "
|
||||||
local full="$1"
|
local full="$1" # we have a short version and a longer one (two liner vs 4 liner)
|
||||||
|
local short_built_date="" # a reduced version of the build date in the short banner
|
||||||
|
|
||||||
"$QUIET" && return
|
"$QUIET" && return
|
||||||
"$CHILD_MASS_TESTING" && return
|
"$CHILD_MASS_TESTING" && return
|
||||||
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL')")
|
|
||||||
bb1=$(cat <<EOF
|
bb1=$(cat <<EOF
|
||||||
|
|
||||||
#####################################################################
|
#####################################################################
|
||||||
@@ -21117,7 +21133,6 @@ EOF
|
|||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
bb3=$(cat <<EOF
|
bb3=$(cat <<EOF
|
||||||
|
|
||||||
#####################################################################
|
#####################################################################
|
||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
@@ -21134,8 +21149,14 @@ EOF
|
|||||||
pr_boldurl "https://testssl.sh/bugs/"; outln
|
pr_boldurl "https://testssl.sh/bugs/"; outln
|
||||||
pr_bold "$bb3"
|
pr_bold "$bb3"
|
||||||
outln "\n"
|
outln "\n"
|
||||||
|
|
||||||
|
# remove clock and dow if the first word is a dow and not a dom (suse)
|
||||||
|
short_built_date=${OSSL_BUILD_DATE/??:??:?? /}
|
||||||
|
if [[ ${short_built_date%% *} =~ [A-Za-z]{3} ]]; then
|
||||||
|
short_built_date=${short_built_date#* }
|
||||||
|
fi
|
||||||
out "${spaces}Using "
|
out "${spaces}Using "
|
||||||
pr_italic "$OSSL_SHORT_STR"
|
pr_italic "$OSSL_NAME $OSSL_VER ($short_built_date)"
|
||||||
outln " [~$OPENSSL_NR_CIPHERS ciphers]"
|
outln " [~$OPENSSL_NR_CIPHERS ciphers]"
|
||||||
out "${spaces}on $HNAME:"
|
out "${spaces}on $HNAME:"
|
||||||
outln "$OPENSSL_LOCATION"
|
outln "$OPENSSL_LOCATION"
|
||||||
@@ -22425,7 +22446,7 @@ check_msg() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# arg1 (optional): ftp smtp, lmtp, pop3, imap, sieve, xmpp, xmpp-server, telnet, ldap, postgres, mysql, irc, nntp (maybe with trailing s)
|
# arg1 (optional): ftp smtp, lmtp, pop3, imap, sieve, xmpp, xmpp-server, telnet, ldap, postgres, mysql, irc, nntp, sieve (maybe with trailing s)
|
||||||
#
|
#
|
||||||
determine_service() {
|
determine_service() {
|
||||||
local ua
|
local ua
|
||||||
@@ -22474,7 +22495,7 @@ determine_service() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
case "$protocol" in
|
case "$protocol" in
|
||||||
ftp|smtp|lmtp|pop3|imap|sieve|xmpp|xmpp-server|telnet|ldap|postgres|mysql|nntp)
|
ftp|smtp|lmtp|pop3|imap|xmpp|xmpp-server|telnet|ldap|nntp|sieve|postgres|mysql)
|
||||||
STARTTLS="-starttls $protocol"
|
STARTTLS="-starttls $protocol"
|
||||||
if [[ "$protocol" == xmpp ]] || [[ "$protocol" == xmpp-server ]]; then
|
if [[ "$protocol" == xmpp ]] || [[ "$protocol" == xmpp-server ]]; then
|
||||||
if [[ -n "$XMPP_HOST" ]]; then
|
if [[ -n "$XMPP_HOST" ]]; then
|
||||||
@@ -22544,7 +22565,7 @@ determine_service() {
|
|||||||
outln
|
outln
|
||||||
;;
|
;;
|
||||||
*) outln
|
*) outln
|
||||||
fatal "momentarily only ftp, smtp, lmtp, pop3, imap, sieve, xmpp, xmpp-server, telnet, ldap, nntp, postgres and mysql allowed" $ERR_CMDLINE
|
fatal "momentarily only ftp, smtp, lmtp, pop3, imap, xmpp, xmpp-server, telnet, ldap, nntp, sieve, postgres and mysql allowed" $ERR_CMDLINE
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
# It comes handy later also for STARTTLS injection to define this global. When we do banner grabbing
|
# It comes handy later also for STARTTLS injection to define this global. When we do banner grabbing
|
||||||
|
|||||||
Reference in New Issue
Block a user