diff --git a/testssl.sh b/testssl.sh
index 883c267..585e062 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -226,6 +226,7 @@ HAS_SPDY=false
HAS_FALLBACK_SCSV=false
HAS_PROXY=false
HAS_XMPP=false
+HAS_POSTGRES=false
ADD_RFC_STR="rfc" # display RFC ciphernames
PORT=443 # unless otherwise auto-determined, see below
NODE=""
@@ -6227,6 +6228,16 @@ starttls_nntp_dialog() {
return $ret
}
+starttls_postgres_dialog() {
+ debugme echo "=== starting postgres STARTTLS dialog ==="
+ local reINITTLS="\x00\x00\x00\x08\x04\xD2\x16\x2F"
+ starttls_just_send "${reINITTLS}" && debugme echo "initiated STARTTLS" &&
+ starttls_full_read '' '' 'S' && debugme echo "received ack for STARTTLS"
+ local ret=$?
+ debugme echo "=== finished postgres STARTTLS dialog with ${ret} ==="
+ return $ret
+}
+
# arg for a fd doesn't work here
fd_socket() {
local jabber=""
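Review bot: The 8-byte string in `reINITTLS` is the PostgreSQL SSLRequest message (int32 length 8 followed by the request code 80877103 = 0x04D2162F), but neither the variable name nor a comment says so; I'd rename it `sslrequest` and add `# PostgreSQL SSLRequest: length=8, code=80877103 (0x04D2162F); server answers 'S' or 'N'` above it. `starttls_full_read '' '' 'S'` presumably waits for the single-byte 'S' reply, so an 'N' (no SSL) answer ends up as a non-zero `ret`, which is the only signal the caller gets — worth stating in the same comment. The `debugme echo` calls sit inside the `&&` chain, so `ret` is only meaningful if debugme returns 0 when debugging is off; the other dialogs in this file use the same shape, so presumably it does, but it is worth confirming.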
@@ -6301,6 +6312,9 @@ EOF
starttls_line "" "proceed"
# BTW: https://xmpp.net !
;;
+ postgres|postgress) # Postgres SQL, see http://www.postgresql.org/docs/devel/static/protocol-message-formats.html
+ starttls_postgres_dialog
+ ;;
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not yet supported" -4
esac
@@ -6476,14 +6490,17 @@ parse_sslv2_serverhello() {
# [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY!
local ret=3
+ local parse_complete="false"
+
if [[ "$2" == "true" ]]; then
- echo "======================================" > $TMPFILE
+ parse_complete=true
fi
+ "$parse_complete" && echo "======================================" > $TMPFILE
v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
[[ "$DEBUG" -ge 5 ]] && echo "$v2_hello_ascii"
if [[ -z "$v2_hello_ascii" ]]; then
- ret=0 # 1 line without any blanks: no server hello received
+ ret=0 # 1 line without any blanks: no server hello received
debugme echo "server hello empty"
else
# now scrape two bytes out of the reply per byte
@@ -6514,20 +6531,22 @@ parse_sslv2_serverhello() {
fi
fi
- certificate_len=2*$(hex2dec "$v2_hello_cert_length")
- [[ -e $HOSTCERT ]] && rm $HOSTCERT
- [[ -e $TEMPDIR/intermediatecerts.pem ]] && rm $TEMPDIR/intermediatecerts.pem
- if [[ "$2" == "true" ]] && [[ "$v2_cert_type" == "01" ]] && [[ "$v2_hello_cert_length" != "00" ]]; then
- tmp_der_certfile=$(mktemp $TEMPDIR/der_cert.XXXXXX) || return $ret
- asciihex_to_binary_file "${v2_hello_ascii:26:certificate_len}" "$tmp_der_certfile"
- $OPENSSL x509 -inform DER -in $tmp_der_certfile -outform PEM -out $HOSTCERT
- rm $tmp_der_certfile
- get_pub_key_size
- echo "======================================" >> $TMPFILE
- fi
+ "$parse_complete" || return $ret
- # Output list of supported ciphers
- if [[ "$2" == "true" ]]; then
+ rm -f $HOSTCERT $TEMPDIR/intermediatecerts.pem
+ if [[ $ret -eq 3 ]]; then
+ certificate_len=2*$(hex2dec "$v2_hello_cert_length")
+
+ if [[ "$v2_cert_type" == "01" ]] && [[ "$v2_hello_cert_length" != "00" ]]; then
+ tmp_der_certfile=$(mktemp $TEMPDIR/der_cert.XXXXXX) || return $ret
+ asciihex_to_binary_file "${v2_hello_ascii:26:certificate_len}" "$tmp_der_certfile"
+ $OPENSSL x509 -inform DER -in $tmp_der_certfile -outform PEM -out $HOSTCERT
+ rm $tmp_der_certfile
+ get_pub_key_size
+ echo "======================================" >> $TMPFILE
+ fi
+
+ # Output list of supported ciphers
let offset=26+$certificate_len
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
for (( i=0 ; i$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE >$ERRFILE)
fi
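Review bot: The early `"$parse_complete" || return $ret` now runs before `rm -f $HOSTCERT $TEMPDIR/intermediatecerts.pem`, so a call with `$2 != true` no longer clears a HOSTCERT left over from an earlier connection, whereas the old code removed the files unconditionally; if that is intended, a one-line comment stating it would help. While the removal line is being touched, quote it: `rm -f -- "$HOSTCERT" "$TEMPDIR/intermediatecerts.pem"`. `certificate_len=2*$(hex2dec "$v2_hello_cert_length")` stores the literal string `2*N` and relies on `let` and the `${v2_hello_ascii:26:certificate_len}` substring to evaluate it arithmetically; `certificate_len=$(( 2 * $(hex2dec "$v2_hello_cert_length") ))` makes it a plain number. parse_sslv2_serverhello begins and ends outside this hunk, and the line after `let offset` appears garbled in this rendering.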
- if [[ $sclient_success -eq 0 ]]; then
+
+ if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]]; then
+ sslv2_sockets "${sslv2_ciphers_hex:2}" "true"
+ if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
+ supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
+ "$WIDE" && "$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
+ for (( i=0 ; i$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE
- else
- $OPENSSL s_client -cipher $rc4_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $TMPFILE 2>$ERRFILE
- fi
- sclient_connect_successful $? $TMPFILE
- sclient_success=$? # here we may have a fp with openssl < 1.0, TBC
- if [[ $sclient_success -ne 0 ]] && ! "$SHOW_EACH_C"; then
+ for (( i=0 ; i$s_client_has
+ $OPENSSL s_client -starttls foo 2>$s_client_starttls_has
+
grep -qw '\-alpn' $s_client_has && \
HAS_ALPN=true
@@ -9226,6 +9408,9 @@ find_openssl_binary() {
grep -q '\-xmpp' $s_client_has && \
HAS_XMPP=true
+ grep -q 'postgres' $s_client_starttls_has && \
+ HAS_POSTGRES=true
+
if [[ "$OPENSSL_TIMEOUT" != "" ]]; then
if which timeout >&2 2>/dev/null ; then
# there are different "timeout". Check whether --preserve-status is supported
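Review bot: `grep -q 'postgres' $s_client_starttls_has` is an unanchored, unquoted substring match, while the neighbouring capability checks use `grep -qw`; `grep -qw 'postgres' "$s_client_starttls_has" && HAS_POSTGRES=true` keeps the style consistent and avoids a false positive from any other text that happens to contain the word. The file is filled by `$OPENSSL s_client -starttls foo` (visible earlier in this diff), so the detection relies on OpenSSL listing its supported STARTTLS protocols in the error or usage text for an unknown value; that assumption should be stated, e.g. `# -starttls with a bogus protocol makes s_client list the ones it supports`. find_openssl_binary continues outside the hunk.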
@@ -9307,7 +9492,7 @@ help() {
"$PROG_NAME URI", where is:
-t, --starttls does a default run against a STARTTLS enabled (latter two require supplied openssl)
+ protocol is (latter three require supplied openssl)
--xmpphost for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
--mx tests MX records from high to low priority (STARTTLS, port 25)
--file mass testing option: Reads command lines from , one line per instance.
@@ -9405,7 +9590,7 @@ maketempf() {
}
prepare_debug() {
- local hexc ossl_ciph ossl_supported_tls="" ossl_supported_sslv2=""
+ local hexc mac ossl_ciph ossl_supported_tls="" ossl_supported_sslv2=""
if [[ $DEBUG -ne 0 ]]; then
cat >$TEMPDIR/environment.txt << EOF
@@ -9440,6 +9625,7 @@ HAS_ALPN: $HAS_ALPN
HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
HAS_PROXY: $HAS_PROXY
HAS_XMPP: $HAS_XMPP
+HAS_POSTGRES: $HAS_POSTGRES
PATH: $PATH
PROG_NAME: $PROG_NAME
@@ -9484,7 +9670,7 @@ EOF
if [[ -e $CIPHERS_BY_STRENGTH_FILE ]]; then
"$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
ossl_supported_tls="$($OPENSSL ciphers -tls1 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
- while read hexc n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do
+ while read hexc n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] mac TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do
TLS_CIPHER_HEXCODE[TLS_NR_CIPHERS]="$hexc"
TLS_CIPHER_OSSL_SUPPORTED[TLS_NR_CIPHERS]=false
if [[ ${#hexc} -eq 9 ]]; then
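Review bot: The new `mac` field exists only to skip a column of the input, but nothing says so, and the `local hexc mac ...` added in the prepare_debug hunk above gives no hint either; a trailing comment on the `while read` line, `# mac: column consumed, not used`, would save the next reader a search. The change assumes the file behind `$CIPHERS_BY_STRENGTH_FILE` now carries that extra column; that file is not part of this diff, so the format change presumably lands elsewhere — worth confirming. The rewritten `read` still lacks `-r`, so a backslash in the file would be interpreted; `while read -r hexc n ...` is the safe form. The enclosing function begins and ends outside the hunk.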
@@ -9762,7 +9948,7 @@ get_local_aaaa() {
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
- ip6=$(grep -wh "$NODE" $etchosts 2>/dev/null | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
+ ip6=$(grep -wh "$1" $etchosts 2>/dev/null | grep ':' | egrep -v '^#|\.local' | egrep "[[:space:]]$1" | awk '{ print $1 }')
if is_ipv6addr "$ip6"; then
echo "$ip6"
else
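Review bot: The trailing side of the name is unanchored: `egrep "[[:space:]]$1"` also matches an entry such as `1.2.3.4 foo.example` when `$1` is `foo`, and the `[^\.]` guard that get_local_a had is dropped in the next hunk, so both lookups can now pick the wrong local entry; `egrep "[[:space:]]$1([[:space:]]|$)"` anchors it (the same applies in the get_local_a hunk below). The new `\.local` exclusion is also wider than its name suggests — it drops `host.localdomain`-style lines too and makes a host actually named `x.local` unresolvable from these files; `egrep -v '^#|\.local([[:space:]]|$)'` limits it to the `.local` suffix if that is the intent. `$1` is used as an ERE, so dots in the name match any character; acceptable for hostnames, but worth a comment. get_local_aaaa continues outside the hunk.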
@@ -9775,7 +9961,7 @@ get_local_a() {
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
- ip4=$(grep -wh "$1[^\.]" $etchosts 2>/dev/null | egrep -v ':|^#' | egrep "[[:space:]]$1" | awk '{ print $1 }')
+ ip4=$(grep -wh "$1" $etchosts 2>/dev/null | egrep -v ':|^#|\.local' | egrep "[[:space:]]$1" | awk '{ print $1 }')
if is_ipv4addr "$ip4"; then
echo "$ip4"
else
@@ -10070,7 +10256,7 @@ determine_optimal_proto() {
}
-# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap (maybe with trailing s)
+# arg1: ftp smtp, pop3, imap, xmpp, telnet, ldap, postgres (maybe with trailing s)
determine_service() {
local ua
local protocol
@@ -10097,9 +10283,13 @@ determine_service() {
service_detection $OPTIMAL_PROTO
else
# STARTTLS
- protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
+ if [[ "$1" == postgres ]]; then
+ protocol="postgres"
+ else
+ protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
+ fi
case "$protocol" in
- ftp|smtp|pop3|imap|xmpp|telnet|ldap)
+ ftp|smtp|pop3|imap|xmpp|telnet|ldap|postgres)
STARTTLS="-starttls $protocol"
SNI=""
if [[ "$protocol" == xmpp ]]; then
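Review bot: The `postgres` special case at the top of the hunk has no why-comment; the reader has to notice that the protocol name itself ends in `s` and would be mangled by `${1%s}`. I'd add `# 'postgres' ends in 's' itself; ${1%s} would yield 'postgre'` above the `if`, or fold the branch into `protocol=${1%s}; [[ "$1" == postgres ]] && protocol=$1`. The fd_socket case arm accepts `postgres|postgress`, and the `${1%s}` path maps `postgress` to `postgres`, so the two hunks agree. determine_service continues outside the hunk.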
@@ -10113,6 +10303,12 @@ determine_service() {
# see http://xmpp.org/rfcs/rfc3920.html
fi
fi
+ if [[ "$protocol" == postgres ]]; then
+ # Check if openssl version supports postgres.
+ if ! "$HAS_POSTGRES"; then
+ fatal "Your $OPENSSL does not support the \"-starttls postgres\" option" -5
+ fi
+ fi
$OPENSSL s_client -connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS 2>$ERRFILE >$TMPFILE &2
help 1 ;;
esac