mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Better usability for TLS 1.3-only servers
In cases where TLS 1.3 is the only protocol supported by the server (as e.g. in #1312), testssl.sh has some limits with the supplied binary. For now (3.0) there's no perfect technical solution. This PR however improves the verbosity what's going on and recommends to use an openssl binary supporting TLS 1.3. And if the "secret" variable OSSL_SHORTCUT is set to true, it automatically chooses that if available (it's a hack to do so and not recommended. I just did it as a PoC). In the next development we should consider probing this upfront! Furthermore this PR removes some unnecessary quotes in double square brackets.
This commit is contained in:
parent
7b4eff3e58
commit
9c84129ff4
63
testssl.sh
63
testssl.sh
@ -287,7 +287,9 @@ NR_HEADER_FAIL=0 # .. for HTTP_GET
|
|||||||
PROTOS_OFFERED="" # This keeps which protocol is being offered. See has_server_protocol().
|
PROTOS_OFFERED="" # This keeps which protocol is being offered. See has_server_protocol().
|
||||||
CURVES_OFFERED="" # This keeps which curves have been detected. Just for error handling
|
CURVES_OFFERED="" # This keeps which curves have been detected. Just for error handling
|
||||||
KNOWN_OSSL_PROB=false # We need OpenSSL a few times. This variable is an indicator if we can't connect. Eases handling
|
KNOWN_OSSL_PROB=false # We need OpenSSL a few times. This variable is an indicator if we can't connect. Eases handling
|
||||||
DETECTED_TLS_VERSION=""
|
DETECTED_TLS_VERSION="" # .. as hex string, e.g. 0300 or 0303
|
||||||
|
TLS13_ONLY=false # Does the server support TLS 1.3 ONLY?
|
||||||
|
OSSL_SHORTCUT=${OSSL_SHORTCUT:-false} # Hack: if during the scan turns out the OpenSSL binary suports TLS 1.3 would be a better choice, this enables it.
|
||||||
TLS_EXTENSIONS=""
|
TLS_EXTENSIONS=""
|
||||||
declare -r NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
declare -r NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
||||||
# alpn_protos needs to be space-separated, not comma-seperated, including odd ones observed @ facebook and others, old ones like h2-17 omitted as they could not be found
|
# alpn_protos needs to be space-separated, not comma-seperated, including odd ones observed @ facebook and others, old ones like h2-17 omitted as they could not be found
|
||||||
@ -2078,7 +2080,11 @@ service_detection() {
|
|||||||
#
|
#
|
||||||
connectivity_problem() {
|
connectivity_problem() {
|
||||||
if [[ $1 -lt $2 ]]; then
|
if [[ $1 -lt $2 ]]; then
|
||||||
prln_warning " Oops: $3"
|
if "$TLS13_ONLY" && ! "$HAS_TLS13"; then
|
||||||
|
:
|
||||||
|
else
|
||||||
|
prln_warning " Oops: $3"
|
||||||
|
fi
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
if [[ $1 -ge $2 ]]; then
|
if [[ $1 -ge $2 ]]; then
|
||||||
@ -5437,6 +5443,34 @@ run_protocols() {
|
|||||||
ignore_no_or_lame "You should not proceed as no protocol was detected. If you still really really want to, say \"YES\"" "YES"
|
ignore_no_or_lame "You should not proceed as no protocol was detected. If you still really really want to, say \"YES\"" "YES"
|
||||||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ "$PROTOS_OFFERED" =~ tls1_3:yes ]]; then
|
||||||
|
if [[ ! "${PROTOS_OFFERED//tls1_3:yes /}" =~ yes ]]; then
|
||||||
|
TLS13_ONLY=true
|
||||||
|
if ! "$HAS_TLS13"; then
|
||||||
|
pr_magenta " $NODE:$PORT appears to support TLS 1.3 ONLY. You better use --openssl=<path_to_openssl_supporting_TLS_1.3>"
|
||||||
|
if [[ -x /usr/bin/openssl ]] && /usr/bin/openssl s_client -tls1_3 -connect x 2>&1 | grep -aq "unknown option"; then
|
||||||
|
outln
|
||||||
|
ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes"
|
||||||
|
MAX_OSSL_FAIL=10
|
||||||
|
else
|
||||||
|
if "$OSSL_SHORTCUT"; then
|
||||||
|
# dirty hack but an idea for the future to be implemented upfront: Now we know, we'll better off
|
||||||
|
# with the OS supplied openssl binary. We need to inittialize variables / arrays again though.
|
||||||
|
# And the service detection can't be made up for now
|
||||||
|
outln ", proceeding with /usr/bin/openssl"
|
||||||
|
OPENSSL=/usr/bin/openssl
|
||||||
|
find_openssl_binary
|
||||||
|
prepare_arrays
|
||||||
|
else
|
||||||
|
outln
|
||||||
|
ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes"
|
||||||
|
MAX_OSSL_FAIL=10
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5966,24 +6000,24 @@ read_dhbits_from_file() {
|
|||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
if [[ "$2" == "quiet" ]]; then
|
if [[ "$2" == quiet ]]; then
|
||||||
tm_out "$bits"
|
tm_out "$bits"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
[[ -z "$2" ]] && [[ -n "$bits" ]] && out ", "
|
[[ -z "$2" ]] && [[ -n "$bits" ]] && out ", "
|
||||||
if [[ $what_dh == "DH" ]] || [[ $what_dh == "EDH" ]]; then
|
if [[ $what_dh == DH ]] || [[ $what_dh == EDH ]]; then
|
||||||
add="bit DH"
|
add="bit DH"
|
||||||
[[ -n "$curve" ]] && add+=" ($curve)"
|
[[ -n "$curve" ]] && add+=" ($curve)"
|
||||||
if [[ "$2" == "string" ]]; then
|
if [[ "$2" == string ]]; then
|
||||||
tm_out ", $bits $add"
|
tm_out ", $bits $add"
|
||||||
else
|
else
|
||||||
pr_dh_quality "$bits" "$bits $add"
|
pr_dh_quality "$bits" "$bits $add"
|
||||||
fi
|
fi
|
||||||
# https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography, http://www.keylength.com/en/compare/
|
# https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography, http://www.keylength.com/en/compare/
|
||||||
elif [[ $what_dh == "ECDH" ]]; then
|
elif [[ $what_dh == ECDH ]]; then
|
||||||
add="bit ECDH"
|
add="bit ECDH"
|
||||||
[[ -n "$curve" ]] && add+=" ($curve)"
|
[[ -n "$curve" ]] && add+=" ($curve)"
|
||||||
if [[ "$2" == "string" ]]; then
|
if [[ "$2" == string ]]; then
|
||||||
tm_out ", $bits $add"
|
tm_out ", $bits $add"
|
||||||
else
|
else
|
||||||
pr_ecdh_quality "$bits" "$bits $add"
|
pr_ecdh_quality "$bits" "$bits $add"
|
||||||
@ -6336,12 +6370,10 @@ run_server_preference() {
|
|||||||
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
|
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
|
||||||
|
|
||||||
pr_bold " Cipher order"
|
pr_bold " Cipher order"
|
||||||
|
|
||||||
while read proto_ossl proto_hex proto_txt; do
|
while read proto_ossl proto_hex proto_txt; do
|
||||||
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets"
|
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets"
|
||||||
done <<< "$(tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
|
done <<< "$(tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
|
||||||
outln
|
outln
|
||||||
|
|
||||||
outln
|
outln
|
||||||
else
|
else
|
||||||
pr_bold " Negotiated cipher per proto"; outln " $limitedsense"
|
pr_bold " Negotiated cipher per proto"; outln " $limitedsense"
|
||||||
@ -9171,7 +9203,14 @@ run_server_defaults() {
|
|||||||
fi
|
fi
|
||||||
elif [[ $certs_found -eq 0 ]] && [[ -s "$HOSTCERT" ]]; then
|
elif [[ $certs_found -eq 0 ]] && [[ -s "$HOSTCERT" ]]; then
|
||||||
outln
|
outln
|
||||||
generic_nonfatal "Client problem, shouldn't happen: Host certificate found but we can't continue with \"server defaults\""
|
generic_nonfatal "Client problem, shouldn't happen: Host certificate found but we can't continue with \"server defaults\"."
|
||||||
|
elif [[ $certs_found -eq 0 ]]; then
|
||||||
|
outln
|
||||||
|
if $TLS13_ONLY; then
|
||||||
|
generic_nonfatal "Client problem: We need openssl supporting TLS 1.3. We can't continue with \"server defaults\" as we cannot retrieve the certificate. "
|
||||||
|
else
|
||||||
|
generic_nonfatal "Client problem, No server cerificate could be retrieved. Thus we can't continue with \"server defaults\"."
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
[[ $DEBUG -ge 1 ]] && [[ -e $HOSTCERT.nosni ]] && $OPENSSL x509 -in $HOSTCERT.nosni -text -noout 2>>$ERRFILE > $HOSTCERT.nosni.txt
|
[[ $DEBUG -ge 1 ]] && [[ -e $HOSTCERT.nosni ]] && $OPENSSL x509 -in $HOSTCERT.nosni -text -noout 2>>$ERRFILE > $HOSTCERT.nosni.txt
|
||||||
|
|
||||||
@ -15616,8 +15655,8 @@ run_rc4() {
|
|||||||
done
|
done
|
||||||
|
|
||||||
for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
|
for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
|
||||||
[[ "$proto" != "-no_ssl2" ]] && [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
|
[[ "$proto" != -no_ssl2 ]] && [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
|
||||||
! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue
|
! "$HAS_SSL3" && [[ "$proto" == -ssl3 ]] && continue
|
||||||
while true; do
|
while true; do
|
||||||
ciphers_to_test=""
|
ciphers_to_test=""
|
||||||
for (( i=0; i < nr_ossl_ciphers; i++ )); do
|
for (( i=0; i < nr_ossl_ciphers; i++ )); do
|
||||||
|
Loading…
Reference in New Issue
Block a user