	Final check to make sure fileout and pr*warning correlates
Made sure that if fileout has a WARN or DEBUG flag it is consistent with pr*warning. FIX #518
										20
									
								
								testssl.sh
									
									
									
									
									
								
							
							
						
						
									
										20
									
								
								testssl.sh
									
									
									
									
									
								
							@@ -1576,7 +1576,7 @@ run_http_header() {
 | 
				
			|||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          *)
 | 
					          *)
 | 
				
			||||||
               pr_warning ". Oh, didn't expect \"$HTTP_STATUS_CODE$msg_thereafter\""
 | 
					               pr_warning ". Oh, didn't expect \"$HTTP_STATUS_CODE$msg_thereafter\""
 | 
				
			||||||
               fileout "HTTP_STATUS_CODE" "DEBUG" "$HTTP_STATUS_CODE$msg_thereafter (\"$URL_PATH\" tested) -- Oops, didn't expect a \"$HTTP_STATUS_CODE$msg_thereafter\""
 | 
					               fileout "HTTP_STATUS_CODE" "WARN" "$HTTP_STATUS_CODE$msg_thereafter (\"$URL_PATH\" tested) -- Oops, didn't expect a \"$HTTP_STATUS_CODE$msg_thereafter\""
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
     esac
 | 
					     esac
 | 
				
			||||||
     outln
 | 
					     outln
 | 
				
			||||||
@@ -5454,7 +5454,7 @@ determine_trust() {
 | 
				
			|||||||
     done
 | 
					     done
 | 
				
			||||||
     num_ca_bundles=$((i - 1))
 | 
					     num_ca_bundles=$((i - 1))
 | 
				
			||||||
     debugme tm_out " "
 | 
					     debugme tm_out " "
 | 
				
			||||||
     if $all_ok; then
 | 
					     if "$all_ok"; then
 | 
				
			||||||
          # all stores ok
 | 
					          # all stores ok
 | 
				
			||||||
          pr_done_good "Ok   "; pr_warning "$addtl_warning"
 | 
					          pr_done_good "Ok   "; pr_warning "$addtl_warning"
 | 
				
			||||||
          # we did to stdout the warning above already, so we could stay here with INFO:
 | 
					          # we did to stdout the warning above already, so we could stay here with INFO:
 | 
				
			||||||
@@ -5462,7 +5462,7 @@ determine_trust() {
 | 
				
			|||||||
     else
 | 
					     else
 | 
				
			||||||
          # at least one failed
 | 
					          # at least one failed
 | 
				
			||||||
          pr_svrty_critical "NOT ok"
 | 
					          pr_svrty_critical "NOT ok"
 | 
				
			||||||
          if ! $some_ok; then
 | 
					          if ! "$some_ok"; then
 | 
				
			||||||
               # all failed (we assume with the same issue), we're displaying the reason
 | 
					               # all failed (we assume with the same issue), we're displaying the reason
 | 
				
			||||||
               out " "
 | 
					               out " "
 | 
				
			||||||
               code="$(verify_retcode_helper "${verify_retcode[1]}")"
 | 
					               code="$(verify_retcode_helper "${verify_retcode[1]}")"
 | 
				
			||||||
@@ -5474,7 +5474,7 @@ determine_trust() {
 | 
				
			|||||||
               fileout "${json_prefix}chain_of_trust" "CRITICAL" "All certificate trust checks failed: $code. $addtl_warning"
 | 
					               fileout "${json_prefix}chain_of_trust" "CRITICAL" "All certificate trust checks failed: $code. $addtl_warning"
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               # is one ok and the others not ==> display the culprit store
 | 
					               # is one ok and the others not ==> display the culprit store
 | 
				
			||||||
               if $some_ok ; then
 | 
					               if "$some_ok"; then
 | 
				
			||||||
                    pr_svrty_critical ":"
 | 
					                    pr_svrty_critical ":"
 | 
				
			||||||
                    for ((i=1;i<=num_ca_bundles;i++)); do
 | 
					                    for ((i=1;i<=num_ca_bundles;i++)); do
 | 
				
			||||||
                         if ${trust[i]}; then
 | 
					                         if ${trust[i]}; then
 | 
				
			||||||
@@ -5534,7 +5534,7 @@ tls_time() {
 | 
				
			|||||||
          debugme tm_out "$TLS_TIME"
 | 
					          debugme tm_out "$TLS_TIME"
 | 
				
			||||||
          outln
 | 
					          outln
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          prln_warning "SSLv3 through TLS 1.2 didn't return a timestamp"
 | 
					          outln "SSLv3 through TLS 1.2 didn't return a timestamp"
 | 
				
			||||||
          fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
 | 
					          fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
     TLS_DIFFTIME_SET=false                                      # reset the switch to save calls to date and friend in tls_sockets()
 | 
					     TLS_DIFFTIME_SET=false                                      # reset the switch to save calls to date and friend in tls_sockets()
 | 
				
			||||||
@@ -10228,12 +10228,12 @@ run_ccs_injection(){
 | 
				
			|||||||
     elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
 | 
					     elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
 | 
				
			||||||
          pr_warning "test failed"
 | 
					          pr_warning "test failed"
 | 
				
			||||||
          out ", probably read buffer too small (${tls_hello_ascii:0:14})"
 | 
					          out ", probably read buffer too small (${tls_hello_ascii:0:14})"
 | 
				
			||||||
          fileout "ccs" "WARN" "CCS: test failed, probably read buffer too small (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
 | 
					          fileout "ccs" "DEBUG" "CCS: test failed, probably read buffer too small (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
 | 
				
			||||||
          ret=7
 | 
					          ret=7
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          pr_warning "test failed "
 | 
					          pr_warning "test failed "
 | 
				
			||||||
          out "around line $LINENO (debug info: ${tls_hello_ascii:0:12},$byte6)"
 | 
					          out "around line $LINENO (debug info: ${tls_hello_ascii:0:12},$byte6)"
 | 
				
			||||||
          fileout "ccs" "WARN" "CCS: test failed, around line $LINENO, debug info (${tls_hello_ascii:0:12},$byte6)" "$cve" "$cwe" "$hint"
 | 
					          fileout "ccs" "DEBUG" "CCS: test failed, around line $LINENO, debug info (${tls_hello_ascii:0:12},$byte6)" "$cve" "$cwe" "$hint"
 | 
				
			||||||
          ret=7
 | 
					          ret=7
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
     outln
 | 
					     outln
 | 
				
			||||||
@@ -10469,7 +10469,7 @@ run_ticketbleed() {
 | 
				
			|||||||
               ret=7
 | 
					               ret=7
 | 
				
			||||||
               pr_warning "test failed"
 | 
					               pr_warning "test failed"
 | 
				
			||||||
               out " around line $LINENO (debug info: ${tls_hello_ascii:0:2}, ${tls_hello_ascii:2:10})"
 | 
					               out " around line $LINENO (debug info: ${tls_hello_ascii:0:2}, ${tls_hello_ascii:2:10})"
 | 
				
			||||||
               fileout "ticketbleed" "WARN" "Ticketbleed: test failed, around $LINENO (debug info: ${tls_hello_ascii:0:2}, ${tls_hello_ascii:2:10})" "$cve" "$cwe"
 | 
					               fileout "ticketbleed" "DEBUG" "Ticketbleed: test failed, around $LINENO (debug info: ${tls_hello_ascii:0:2}, ${tls_hello_ascii:2:10})" "$cve" "$cwe"
 | 
				
			||||||
               break
 | 
					               break
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
          debugme echo "sending close_notify..."
 | 
					          debugme echo "sending close_notify..."
 | 
				
			||||||
@@ -10506,7 +10506,7 @@ run_ticketbleed() {
 | 
				
			|||||||
                    pr_warning "test failed, non reproducible results!"
 | 
					                    pr_warning "test failed, non reproducible results!"
 | 
				
			||||||
                    out " Please run again w \"--debug=2\"  (# of faked TLS SIDs detected: $nr_sid_detected)"
 | 
					                    out " Please run again w \"--debug=2\"  (# of faked TLS SIDs detected: $nr_sid_detected)"
 | 
				
			||||||
               fi
 | 
					               fi
 | 
				
			||||||
               fileout "ticketbleed" "WARN" "Ticketbleed: # of TLS Session IDs detected: $nr_sid_detected, ${sid_detected[1]},${sid_detected[2]},${sid_detected[3]}" "$cve" "$cwe"
 | 
					               fileout "ticketbleed" "DEBUG" "Ticketbleed: # of TLS Session IDs detected: $nr_sid_detected, ${sid_detected[1]},${sid_detected[2]},${sid_detected[3]}" "$cve" "$cwe"
 | 
				
			||||||
               ret=7
 | 
					               ret=7
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
@@ -10738,7 +10738,7 @@ run_breach() {
 | 
				
			|||||||
     [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln
 | 
					     [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln
 | 
				
			||||||
     pr_bold " BREACH"; out " ($cve)                    "
 | 
					     pr_bold " BREACH"; out " ($cve)                    "
 | 
				
			||||||
     if "$CLIENT_AUTH"; then
 | 
					     if "$CLIENT_AUTH"; then
 | 
				
			||||||
          prln_warning "cannot be tested (server side requires x509 authentication)"
 | 
					          outln "cannot be tested (server side requires x509 authentication)"
 | 
				
			||||||
          fileout "breach" "INFO" "BREACH: cannot be tested (server side requires x509 authentication)" "$cve" "$cwe"
 | 
					          fileout "breach" "INFO" "BREACH: cannot be tested (server side requires x509 authentication)" "$cve" "$cwe"
 | 
				
			||||||
          return 7
 | 
					          return 7
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 
 | 
				
			|||||||
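Review bot: The same terminal-side `pr_warning "test failed"` is now paired with `WARN` in the run_http_header hunk but with `DEBUG` in the run_ccs_injection hunk and both run_ticketbleed hunks, so the rule the commit message describes is not evident from the code itself; a one-line comment at each downgraded fileout, e.g. `# DEBUG: test was inconclusive (read buffer/protocol problem), not a finding about the server`, would record the intended mapping for the next maintainer. If the JSON/CSV writers filter by severity (e.g. via the --severity option), DEBUG entries may be dropped where WARN ones survived, so an inconclusive CCS or Ticketbleed test could leave no trace in filtered machine-readable output and a consumer might read that absence as "not vulnerable" — worth confirming before keeping the downgrade. In the determine_trust hunk the rewrite quotes `"$all_ok"` and `"$some_ok"` but leaves `if ${trust[i]}; then` unquoted a few lines further down; quoting it as well keeps the hunk self-consistent. All of the enclosing functions start outside these hunks.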