- removed VERBERR (is now DEBUG=2)
- hex2dec now uses the internal echo instead of printf (which has problems with some chars in unexpected content if not properly used)
This commit is contained in:
parent
b5818f6034
commit
9b718d39d0
36
testssl.sh
36
testssl.sh
@ -100,14 +100,11 @@ SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just u
|
|||||||
QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner
|
QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner
|
||||||
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
|
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
|
||||||
ASSUMING_HTTP=${ASSUMING_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks
|
ASSUMING_HTTP=${ASSUMING_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks
|
||||||
DEBUG=${DEBUG:-0} # if 1 the temp files won't be erased. 2: list more what's going on (formerly: eq VERBOSE=1),
|
DEBUG=${DEBUG:-0} # 1.: the temp files won't be erased.
|
||||||
# 3: slight hexdumps + other info, 4: send bytes via sockets, 5: received, 6: whole 9 yards
|
# 2: list more what's going on (formerly: eq VERBOSE=1, VERBERR=true), lists some errors of connections
|
||||||
# FIXME: still to be filled with (more) sense or following to be included:
|
# 3: slight hexdumps + other info,
|
||||||
VERBERR=${VERBERR:-false} # true means to be more verbose (handshake errors to be displayed so that one can tell better
|
# 4: display bytes sent via sockets, 5: display bytes received via sockets, 6: whole 9 yards
|
||||||
# whether handshake succeeded or not. While testing individual ciphers you also need to have SHOW_EACH_C=1
|
|
||||||
#FIXME: only a few functions support this
|
|
||||||
WIDE=${WIDE:-false} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc.
|
WIDE=${WIDE:-false} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc.
|
||||||
|
|
||||||
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
|
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
|
||||||
readonly MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
|
readonly MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
|
||||||
readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each)
|
readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each)
|
||||||
@ -359,8 +356,8 @@ debugme() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
hex2dec() {
|
hex2dec() {
|
||||||
/usr/bin/printf -- "%d" 0x"$1"
|
#/usr/bin/printf -- "%d" 0x"$1"
|
||||||
#echo $((16#$1))
|
echo $((16#$1))
|
||||||
}
|
}
|
||||||
|
|
||||||
dec2hex() {
|
dec2hex() {
|
||||||
@ -1313,8 +1310,9 @@ run_prototest_openssl() {
|
|||||||
|
|
||||||
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $PROXY $sni &>$TMPFILE </dev/null
|
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $PROXY $sni &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
# FIXME: here FreeBSD9 returns always 0 --> need to read the error
|
# FIXME: here FreeBSD9/openssl 0.9.8 returns always 0 --> need to read the error but for now we DO NOT SUPPORT this platform.
|
||||||
$VERBERR && egrep "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
# that's where the binaries are for!
|
||||||
|
[[ $DEBUG -eq 2 ]] && egrep "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
|
|
||||||
if ! locally_supported "$1" "$2" ; then
|
if ! locally_supported "$1" "$2" ; then
|
||||||
ret=7
|
ret=7
|
||||||
@ -1764,9 +1762,9 @@ run_server_defaults() {
|
|||||||
ret=7
|
ret=7
|
||||||
done # this loop is needed for IIS/6
|
done # this loop is needed for IIS/6
|
||||||
if [ $ret -eq 7 ]; then
|
if [ $ret -eq 7 ]; then
|
||||||
# "-status" kills GOST only servers, so we do another test without it and see whether that works then:
|
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
||||||
if ! $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug </dev/null 2>>$ERRFILE >$TMPFILE; then
|
if ! $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug </dev/null 2>>$ERRFILE >$TMPFILE; then
|
||||||
pr_magentaln "$OPENSSL returned an error around line $LINENO".
|
pr_magentaln "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
|
||||||
tmpfile_handle tlsextdebug+status.txt
|
tmpfile_handle tlsextdebug+status.txt
|
||||||
return 7 # this is ugly, I know
|
return 7 # this is ugly, I know
|
||||||
else
|
else
|
||||||
@ -3087,8 +3085,7 @@ run_crime() {
|
|||||||
# fi
|
# fi
|
||||||
# fi
|
# fi
|
||||||
# fi
|
# fi
|
||||||
$VERBERR && outln "$STR"
|
# [[ $DEBUG -eq 2 ]] outln "$STR"
|
||||||
#echo
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
@ -3166,7 +3163,7 @@ run_ssl_poodle() {
|
|||||||
debugme echo $cbc_ciphers
|
debugme echo $cbc_ciphers
|
||||||
$OPENSSL s_client -ssl3 $STARTTLS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null
|
$OPENSSL s_client -ssl3 $STARTTLS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
$VERBERR && egrep -q "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
[[ $DEBUG -eq 2 ]] && egrep -q "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
if [ $ret -eq 0 ]; then
|
if [ $ret -eq 0 ]; then
|
||||||
pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
|
pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
|
||||||
else
|
else
|
||||||
@ -3267,7 +3264,7 @@ run_freak() {
|
|||||||
esac
|
esac
|
||||||
$OPENSSL s_client $STARTTLS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null
|
$OPENSSL s_client $STARTTLS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
$VERBERR && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
if [ $ret -eq 0 ]; then
|
if [ $ret -eq 0 ]; then
|
||||||
pr_red "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers"
|
pr_red "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers"
|
||||||
else
|
else
|
||||||
@ -3304,7 +3301,7 @@ run_logjam() {
|
|||||||
esac
|
esac
|
||||||
$OPENSSL s_client $STARTTLS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null
|
$OPENSSL s_client $STARTTLS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
$VERBERR && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
addtl_warning="$addtl_warning, common primes not checked."
|
addtl_warning="$addtl_warning, common primes not checked."
|
||||||
if $HAS_DH_BITS; then
|
if $HAS_DH_BITS; then
|
||||||
if ! $do_allciphers && ! $do_cipher_per_proto && $HAS_DH_BITS; then
|
if ! $do_allciphers && ! $do_cipher_per_proto && $HAS_DH_BITS; then
|
||||||
@ -3844,7 +3841,6 @@ SSL_NATIVE: $SSL_NATIVE
|
|||||||
ASSUMING_HTTP $ASSUMING_HTTP
|
ASSUMING_HTTP $ASSUMING_HTTP
|
||||||
SNEAKY: $SNEAKY
|
SNEAKY: $SNEAKY
|
||||||
|
|
||||||
VERBERR: $VERBERR
|
|
||||||
DEBUG: $DEBUG
|
DEBUG: $DEBUG
|
||||||
|
|
||||||
HSTS_MIN: $HSTS_MIN
|
HSTS_MIN: $HSTS_MIN
|
||||||
@ -4818,4 +4814,4 @@ fi
|
|||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.362 2015/08/27 22:15:50 dirkw Exp $
|
# $Id: testssl.sh,v 1.363 2015/08/28 12:59:03 dirkw Exp $
|
||||||
|
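Review bot: hex2dec's new body `echo $((16#$1))` still evaluates its argument without first checking that it is hexadecimal; bash arithmetic expansion treats the operand as an expression rather than a literal, so input that is not pure hex digits is not merely rejected with an error, and the commit message itself says this function sees unexpected content. A guard before the expansion, `[[ $1 =~ ^[0-9A-Fa-f]+$ ]] || return 1`, keeps malformed data away from the arithmetic evaluator and gives callers a status to test. The `[[ $DEBUG -eq 2 ]]` guards in run_prototest_openssl, run_ssl_poodle, run_freak and run_logjam replace a boolean, but since the new header comment defines levels 3–6 as strictly more verbose, `-ge 2` is presumably what was intended — confirm. In run_ssl_poodle the retained `egrep -q … | egrep -av …` pipe also shows nothing, because `-q` suppresses the output the second egrep is meant to filter.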