mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-09 18:20:59 +01:00
open fixes from Rechi (pull request $67)
This commit is contained in:
parent
77fd58e556
commit
9bd1b44270
34
testssl.sh
34
testssl.sh
@ -352,7 +352,7 @@ wait_kill(){
|
|||||||
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
|
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
|
||||||
runs_HTTP() {
|
runs_HTTP() {
|
||||||
# SNI is nonsense for !HTTP but fortunately SMTP and friends don't care
|
# SNI is nonsense for !HTTP but fortunately SMTP and friends don't care
|
||||||
printf "GET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nAccept: text/*\r\n\r\n" "$NODE" | $OPENSSL s_client -quiet -connect $NODE:$PORT $SNI &>$TMPFILE &
|
printf "GET / HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client -quiet -connect $NODE:$PORT $SNI &>$TMPFILE &
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
head $TMPFILE | grep -q ^HTTP && SERVICE=HTTP
|
head $TMPFILE | grep -q ^HTTP && SERVICE=HTTP
|
||||||
head $TMPFILE | grep -q SMTP && SERVICE=SMTP
|
head $TMPFILE | grep -q SMTP && SERVICE=SMTP
|
||||||
@ -1192,7 +1192,7 @@ server_defaults() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
case $(uname -s) in
|
case $(uname -s) in
|
||||||
*BSD|Mac*)
|
*BSD|Darwin*)
|
||||||
enddate=$(date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -enddate | cut -d= -f 2)" +"%F %H:%M %z")
|
enddate=$(date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -enddate | cut -d= -f 2)" +"%F %H:%M %z")
|
||||||
startdate=$(date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -startdate | cut -d= -f 2)" +"%F %H:%M")
|
startdate=$(date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -startdate | cut -d= -f 2)" +"%F %H:%M")
|
||||||
;;
|
;;
|
||||||
@ -1206,7 +1206,7 @@ server_defaults() {
|
|||||||
savedir=$(pwd); cd $TEMPDIR
|
savedir=$(pwd); cd $TEMPDIR
|
||||||
$OPENSSL s_client -showcerts $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null </dev/null | \
|
$OPENSSL s_client -showcerts $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null </dev/null | \
|
||||||
awk -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print > ("level" c ".crt")} /---END CERTIFICATE-----/{inc=0}'
|
awk -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print > ("level" c ".crt")} /---END CERTIFICATE-----/{inc=0}'
|
||||||
nrsaved=$(ls $TEMPDIR/level?.crt 2>/dev/null | wc -w)
|
nrsaved=$(ls $TEMPDIR/level?.crt 2>/dev/null | wc -w | sed 's/^ *//')
|
||||||
outln " # of certificates provided $nrsaved"
|
outln " # of certificates provided $nrsaved"
|
||||||
cd $savedir
|
cd $savedir
|
||||||
|
|
||||||
@ -2304,11 +2304,11 @@ beast(){
|
|||||||
|
|
||||||
#detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g')
|
#detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g')
|
||||||
if [ -z "$detected_cbc_cipher" ]; then
|
if [ -z "$detected_cbc_cipher" ]; then
|
||||||
pr_litegreenln "no CBC ciphers for $(echo $proto | tr 'a-z' 'A-Z') (OK)"
|
pr_litegreenln "no CBC ciphers for $(echo $proto | tr '[a-z]' '[A-Z]') (OK)"
|
||||||
else
|
else
|
||||||
detected_cbc_cipher=$(echo "$detected_cbc_cipher" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
detected_cbc_cipher=$(echo "$detected_cbc_cipher" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
||||||
[ $ret -eq 1 ] && out "$spaces"
|
[ $ret -eq 1 ] && out "$spaces"
|
||||||
out "$(echo $proto | tr 'a-z' 'A-Z'):"; pr_brownln "$detected_cbc_cipher"
|
out "$(echo $proto | tr '[a-z]' '[A-Z]'):"; pr_brownln "$detected_cbc_cipher"
|
||||||
ret=1
|
ret=1
|
||||||
detected_cbc_cipher=""
|
detected_cbc_cipher=""
|
||||||
fi
|
fi
|
||||||
@ -2407,7 +2407,7 @@ starttls() {
|
|||||||
protocol=$(echo "$1" | sed 's/s$//') # strip trailing s in ftp(s), smtp(s), pop3(s), imap(s), ldap(s), telnet(s)
|
protocol=$(echo "$1" | sed 's/s$//') # strip trailing s in ftp(s), smtp(s), pop3(s), imap(s), ldap(s), telnet(s)
|
||||||
case "$1" in
|
case "$1" in
|
||||||
ftp|smtp|pop3|imap|xmpp|telnet|ldap)
|
ftp|smtp|pop3|imap|xmpp|telnet|ldap)
|
||||||
outln " Trying STARTTLS via $(echo $protocol| tr 'a-z' 'A-Z')\n"
|
outln " Trying STARTTLS via $(echo $protocol| tr '[a-z]' '[A-Z]')\n"
|
||||||
$OPENSSL s_client -connect $NODEIP:$PORT $SNI -starttls $protocol </dev/null >$TMPFILE 2>&1
|
$OPENSSL s_client -connect $NODEIP:$PORT $SNI -starttls $protocol </dev/null >$TMPFILE 2>&1
|
||||||
ret=$?
|
ret=$?
|
||||||
if [ $ret -ne 0 ]; then
|
if [ $ret -ne 0 ]; then
|
||||||
@ -2604,10 +2604,12 @@ cleanup () {
|
|||||||
# for now only GOST engine
|
# for now only GOST engine
|
||||||
initialize_engine(){
|
initialize_engine(){
|
||||||
if ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then
|
if ! $OPENSSL engine gost -vvvv -t -c >/dev/null 2>&1; then
|
||||||
pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln "\n"
|
outln
|
||||||
|
pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln
|
||||||
return 1
|
return 1
|
||||||
elif $OPENSSL engine gost -vvvv -t -c 2>&1 | grep -iq "No such" ; then
|
elif $OPENSSL engine gost -vvvv -t -c 2>&1 | grep -iq "No such" ; then
|
||||||
pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln "\n"
|
outln
|
||||||
|
pr_litemagenta "No engine or GOST support via engine with your $OPENSSL"; outln
|
||||||
return 1
|
return 1
|
||||||
elif echo $osslver | grep -q LibreSSL; then
|
elif echo $osslver | grep -q LibreSSL; then
|
||||||
return 1
|
return 1
|
||||||
@ -2729,7 +2731,8 @@ get_dns_entries() {
|
|||||||
#FIXME: FreeBSD returns only one entry
|
#FIXME: FreeBSD returns only one entry
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -z "$IP4" ] ; then # getent returned nothing:
|
if which host &> /dev/null && [ -z "$IP4" ] ; then
|
||||||
|
# getent returned nothing:
|
||||||
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
||||||
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
|
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
|
||||||
pr_magenta "Can't proceed: No IP address for \"$NODE\" available"; outln "\n"
|
pr_magenta "Can't proceed: No IP address for \"$NODE\" available"; outln "\n"
|
||||||
@ -2765,8 +2768,13 @@ get_dns_entries() {
|
|||||||
|
|
||||||
# we can't do this as some checks and even openssl are not yet IPv6 safe. BTW: bash sockets do IPv6 transparently!
|
# we can't do this as some checks and even openssl are not yet IPv6 safe. BTW: bash sockets do IPv6 transparently!
|
||||||
#NODEIP=$(echo "$IP6" | head -1)
|
#NODEIP=$(echo "$IP6" | head -1)
|
||||||
rDNS=$(host -t PTR $NODEIP 2>/dev/null | grep -v "is an alias for" | sed -e 's/^.*pointer //' -e 's/\.$//')
|
if which host &> /dev/null; then
|
||||||
echo $rDNS | grep -q NXDOMAIN && rDNS=" - "
|
#rDNS=$(host -t PTR $NODEIP 2>/dev/null | grep -v "is an alias for" | sed -e 's/^.*pointer //' -e 's/\.$//')
|
||||||
|
rDNS=$(host -t PTR $NODEIP 2>/dev/null | grep 'pointer' | sed -e 's/^.*pointer //' -e 's/\.$//')
|
||||||
|
elif which nslookup &> /dev/null; then
|
||||||
|
rDNS=$(nslookup -type=PTR $NODEIP 2> /dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
|
||||||
|
fi
|
||||||
|
[ -z "$rDNS" ] && rDNS="---"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -2904,7 +2912,7 @@ case "$1" in
|
|||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
spdy
|
spdy
|
||||||
exit $? ;;
|
exit $? ;;
|
||||||
-B|--heartbleet)
|
-B|--heartbleed)
|
||||||
maketempf
|
maketempf
|
||||||
parse_hn_port "$2"
|
parse_hn_port "$2"
|
||||||
outln; pr_blue "--> Testing for heartbleed vulnerability"; outln "\n"
|
outln; pr_blue "--> Testing for heartbleed vulnerability"; outln "\n"
|
||||||
@ -3037,5 +3045,5 @@ case "$1" in
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.214 2015/03/17 21:12:24 dirkw Exp $
|
# $Id: testssl.sh,v 1.215 2015/03/30 12:59:10 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
Loading…
Reference in New Issue
Block a user