mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
- more robust grep >=2.20, e.g Debian 8.0 (thx @stevenb18)
- FIX: false positive for breach while testing google.com (referer header was hardcoded to google.com)
This commit is contained in:
parent
683e9dccab
commit
9d5168dbb5
95
testssl.sh
95
testssl.sh
@ -374,10 +374,10 @@ runs_HTTP() {
|
|||||||
# SNI is nonsense for !HTTP but fortunately SMTP and friends don't care
|
# SNI is nonsense for !HTTP but fortunately SMTP and friends don't care
|
||||||
printf "GET / HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client -quiet -connect $NODE:$PORT $SNI &>$TMPFILE &
|
printf "GET / HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client -quiet -connect $NODE:$PORT $SNI &>$TMPFILE &
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
head $TMPFILE | grep -q ^HTTP && SERVICE=HTTP
|
head $TMPFILE | grep -aq ^HTTP && SERVICE=HTTP
|
||||||
head $TMPFILE | grep -q SMTP && SERVICE=SMTP
|
head $TMPFILE | grep -aq SMTP && SERVICE=SMTP
|
||||||
head $TMPFILE | grep -q POP && SERVICE=POP
|
head $TMPFILE | grep -aq POP && SERVICE=POP
|
||||||
head $TMPFILE | grep -q IMAP && SERVICE=IMAP
|
head $TMPFILE | grep -aq IMAP && SERVICE=IMAP
|
||||||
debugme head $TMPFILE
|
debugme head $TMPFILE
|
||||||
# $TMPFILE contains also a banner which we could use if there's a need for it
|
# $TMPFILE contains also a banner which we could use if there's a need for it
|
||||||
|
|
||||||
@ -432,7 +432,7 @@ EOF
|
|||||||
) &>$HEADERFILE &
|
) &>$HEADERFILE &
|
||||||
pid=$!
|
pid=$!
|
||||||
if wait_kill $pid $HEADER_MAXSLEEP; then
|
if wait_kill $pid $HEADER_MAXSLEEP; then
|
||||||
if ! egrep -iq "XML|HTML|DOCTYPE|HTTP|Connection" $HEADERFILE; then
|
if ! egrep -iaq "XML|HTML|DOCTYPE|HTTP|Connection" $HEADERFILE; then
|
||||||
pr_litemagenta "likely HTTP header requests failed (#lines: $(wc -l < $HEADERFILE))."
|
pr_litemagenta "likely HTTP header requests failed (#lines: $(wc -l < $HEADERFILE))."
|
||||||
outln "Rerun with DEBUG=1 and inspect \"http_header.txt\"\n"
|
outln "Rerun with DEBUG=1 and inspect \"http_header.txt\"\n"
|
||||||
debugme cat $HEADERFILE
|
debugme cat $HEADERFILE
|
||||||
@ -481,7 +481,7 @@ hsts() {
|
|||||||
pr_bold " HSTS "
|
pr_bold " HSTS "
|
||||||
grep -iaw '^Strict-Transport-Security' $HEADERFILE >$TMPFILE
|
grep -iaw '^Strict-Transport-Security' $HEADERFILE >$TMPFILE
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -wq "1" || out "(two HSTS header, using 1st one) "
|
grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -waq "1" || out "(two HSTS header, using 1st one) "
|
||||||
hsts_age_sec=$(sed -e 's/[^0-9]*//g' $TMPFILE | head -1)
|
hsts_age_sec=$(sed -e 's/[^0-9]*//g' $TMPFILE | head -1)
|
||||||
hsts_age_days=$(( hsts_age_sec / 86400))
|
hsts_age_days=$(( hsts_age_sec / 86400))
|
||||||
if [ $hsts_age_days -gt $HSTS_MIN ]; then
|
if [ $hsts_age_days -gt $HSTS_MIN ]; then
|
||||||
@ -514,9 +514,9 @@ hpkp() {
|
|||||||
pr_bold " HPKP "
|
pr_bold " HPKP "
|
||||||
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
|
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -wq "1" || out "(two HPKP header, using 1st one) "
|
egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -waq "1" || out "(two HPKP header, using 1st one) "
|
||||||
# dirty trick so that grep -c really counts occurances and not lines w/ occurances:
|
# dirty trick so that grep -c really counts occurances and not lines w/ occurances:
|
||||||
hpkp_nr_keys=$(sed 's/pin-sha/pin-sha\n/g' < $TMPFILE | grep -c pin-sha)
|
hpkp_nr_keys=$(sed 's/pin-sha/pin-sha\n/g' < $TMPFILE | grep -ac pin-sha)
|
||||||
if [ $hpkp_nr_keys -eq 1 ]; then
|
if [ $hpkp_nr_keys -eq 1 ]; then
|
||||||
pr_brown "One key is not sufficent, "
|
pr_brown "One key is not sufficent, "
|
||||||
fi
|
fi
|
||||||
@ -914,7 +914,7 @@ cipher_per_proto(){
|
|||||||
|
|
||||||
locally_supported() {
|
locally_supported() {
|
||||||
[ ! -z "$2" ] && out "$2 "
|
[ ! -z "$2" ] && out "$2 "
|
||||||
$OPENSSL s_client "$1" 2>&1 | grep -q "unknown option"
|
$OPENSSL s_client "$1" 2>&1 | grep -aq "unknown option"
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
pr_magentaln "Local problem: $OPENSSL doesn't support \"s_client $1\""
|
pr_magentaln "Local problem: $OPENSSL doesn't support \"s_client $1\""
|
||||||
ret=7
|
ret=7
|
||||||
@ -930,9 +930,9 @@ testversion() {
|
|||||||
|
|
||||||
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $sni &>$TMPFILE </dev/null
|
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $sni &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
[ "$VERBERR" -eq 0 ] && egrep "error|failure" $TMPFILE | egrep -v "unable to get local|verify error"
|
[ "$VERBERR" -eq 0 ] && egrep "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
|
|
||||||
if grep -q "no cipher list" $TMPFILE ; then
|
if grep -aq "no cipher list" $TMPFILE ; then
|
||||||
ret=5
|
ret=5
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -1058,10 +1058,10 @@ server_preference() {
|
|||||||
outln "Please report this"
|
outln "Please report this"
|
||||||
ret=6
|
ret=6
|
||||||
else
|
else
|
||||||
cipher1=$(grep -w Cipher $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher1=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
list2=$(echo $list1 | tr ':' '\n' | sort -r | tr '\n' ':') # pr_reverse the list
|
list2=$(echo $list1 | tr ':' '\n' | sort -r | tr '\n' ':') # pr_reverse the list
|
||||||
$OPENSSL s_client $STARTTLS -cipher $list2 -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client $STARTTLS -cipher $list2 -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
||||||
cipher2=$(grep -w Cipher $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher2=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
|
|
||||||
if [[ "$cipher1" != "$cipher2" ]]; then
|
if [[ "$cipher1" != "$cipher2" ]]; then
|
||||||
pr_litered "nope (NOT ok)"
|
pr_litered "nope (NOT ok)"
|
||||||
@ -1075,7 +1075,7 @@ server_preference() {
|
|||||||
|
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
||||||
out " Negotiated protocol "
|
out " Negotiated protocol "
|
||||||
default_proto=$(grep -w "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
||||||
case "$default_proto" in
|
case "$default_proto" in
|
||||||
*TLSv1.2) pr_greenln $default_proto ;;
|
*TLSv1.2) pr_greenln $default_proto ;;
|
||||||
*TLSv1.1) pr_litegreenln $default_proto ;;
|
*TLSv1.1) pr_litegreenln $default_proto ;;
|
||||||
@ -1086,7 +1086,7 @@ server_preference() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
out " Negotiated cipher "
|
out " Negotiated cipher "
|
||||||
default_cipher=$(grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
default_cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||||
case "$default_cipher" in
|
case "$default_cipher" in
|
||||||
*NULL*|*EXP*) pr_red "$default_cipher" ;;
|
*NULL*|*EXP*) pr_red "$default_cipher" ;;
|
||||||
*RC4*) pr_litered "$default_cipher" ;;
|
*RC4*) pr_litered "$default_cipher" ;;
|
||||||
@ -1106,8 +1106,8 @@ server_preference() {
|
|||||||
$OPENSSL s_client $STARTTLS -"$p" -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client $STARTTLS -"$p" -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
||||||
if [ $ret -eq 0 ]; then
|
if [ $ret -eq 0 ]; then
|
||||||
#FIXME: BSD output is not so fine
|
#FIXME: BSD output is not so fine
|
||||||
proto[i]=$(grep -w "Protocol" $TMPFILE | sed -e 's/^ \+Protocol \+://' -e 's/ //g')
|
proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^ \+Protocol \+://' -e 's/ //g')
|
||||||
cipher[i]=$(grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
[[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack!
|
[[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack!
|
||||||
[[ $DEBUG -ge 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}"
|
[[ $DEBUG -ge 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}"
|
||||||
else
|
else
|
||||||
@ -1124,7 +1124,7 @@ server_preference() {
|
|||||||
if [ -z "${proto[i]}" ]; then
|
if [ -z "${proto[i]}" ]; then
|
||||||
cipher[i]=""
|
cipher[i]=""
|
||||||
else
|
else
|
||||||
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
[[ $DEBUG -ge 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}"
|
[[ $DEBUG -ge 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -1169,15 +1169,15 @@ cipher_pref_check() {
|
|||||||
$OPENSSL s_client $STARTTLS -"$p" -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client $STARTTLS -"$p" -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
tested_cipher=""
|
tested_cipher=""
|
||||||
proto=$(grep -w "Protocol" $TMPFILE | sed -e 's/^ \+Protocol \+://' -e 's/ //g')
|
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^ \+Protocol \+://' -e 's/ //g')
|
||||||
cipher=$(grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
outln
|
outln
|
||||||
printf " %-10s %s " "$proto:" "$cipher"
|
printf " %-10s %s " "$proto:" "$cipher"
|
||||||
tested_cipher="-"$cipher
|
tested_cipher="-"$cipher
|
||||||
while true; do
|
while true; do
|
||||||
$OPENSSL s_client $STARTTLS -"$p" -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client $STARTTLS -"$p" -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
||||||
[ $? -ne 0 ] && break
|
[ $? -ne 0 ] && break
|
||||||
cipher=$(grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
out "$cipher "
|
out "$cipher "
|
||||||
tested_cipher="$tested_cipher:-$cipher"
|
tested_cipher="$tested_cipher:-$cipher"
|
||||||
done
|
done
|
||||||
@ -1190,13 +1190,13 @@ cipher_pref_check() {
|
|||||||
protos=$($OPENSSL s_client -host $NODE -port $PORT -nextprotoneg \"\" </dev/null 2>/dev/null | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
protos=$($OPENSSL s_client -host $NODE -port $PORT -nextprotoneg \"\" </dev/null 2>/dev/null | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
||||||
for p in $protos; do
|
for p in $protos; do
|
||||||
$OPENSSL s_client -host $NODE -port $PORT -nextprotoneg "$p" </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client -host $NODE -port $PORT -nextprotoneg "$p" </dev/null 2>/dev/null >$TMPFILE
|
||||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
printf "\n %-10s %s " "$p:" "$cipher"
|
printf "\n %-10s %s " "$p:" "$cipher"
|
||||||
tested_cipher="-"$cipher
|
tested_cipher="-"$cipher
|
||||||
while true; do
|
while true; do
|
||||||
$OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT -nextprotoneg "$p" </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT -nextprotoneg "$p" </dev/null 2>/dev/null >$TMPFILE
|
||||||
[ $? -ne 0 ] && break
|
[ $? -ne 0 ] && break
|
||||||
cipher=$(grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
out "$cipher "
|
out "$cipher "
|
||||||
tested_cipher="$tested_cipher:-$cipher"
|
tested_cipher="$tested_cipher:-$cipher"
|
||||||
done
|
done
|
||||||
@ -1223,7 +1223,7 @@ server_defaults() {
|
|||||||
ret=6
|
ret=6
|
||||||
else
|
else
|
||||||
out " TLS server extensions "
|
out " TLS server extensions "
|
||||||
extensions=$(grep -w "^TLS server extension" $TMPFILE | sed -e 's/^TLS server extension \"//' -e 's/\".*$/,/g')
|
extensions=$(grep -aw "^TLS server extension" $TMPFILE | sed -e 's/^TLS server extension \"//' -e 's/\".*$/,/g')
|
||||||
if [ -z "$extensions" ]; then
|
if [ -z "$extensions" ]; then
|
||||||
outln "(none)"
|
outln "(none)"
|
||||||
else
|
else
|
||||||
@ -1231,17 +1231,17 @@ server_defaults() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
out " Session Tickets RFC 5077 "
|
out " Session Tickets RFC 5077 "
|
||||||
sessticket_str=$(grep -w "session ticket" $TMPFILE | grep lifetime)
|
sessticket_str=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime)
|
||||||
if [ -z "$sessticket_str" ]; then
|
if [ -z "$sessticket_str" ]; then
|
||||||
outln "(none)"
|
outln "(none)"
|
||||||
else
|
else
|
||||||
lifetime=$(echo $sessticket_str | grep lifetime | sed 's/[A-Za-z:() ]//g')
|
lifetime=$(echo $sessticket_str | grep -a lifetime | sed 's/[A-Za-z:() ]//g')
|
||||||
unit=$(echo $sessticket_str | grep lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g')
|
unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g')
|
||||||
outln "$lifetime $unit"
|
outln "$lifetime $unit"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
out " Server key size "
|
out " Server key size "
|
||||||
keysize=$(grep -w "^Server public key is" $TMPFILE | sed -e 's/^Server public key is //')
|
keysize=$(grep -aw "^Server public key is" $TMPFILE | sed -e 's/^Server public key is //')
|
||||||
if [ -z "$keysize" ]; then
|
if [ -z "$keysize" ]; then
|
||||||
outln "(couldn't determine)"
|
outln "(couldn't determine)"
|
||||||
else
|
else
|
||||||
@ -1433,7 +1433,7 @@ pfs() {
|
|||||||
$OPENSSL s_client -cipher 'ECDH:DH' $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
$OPENSSL s_client -cipher 'ECDH:DH' $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
outln
|
outln
|
||||||
if [ $ret -ne 0 ] || [ $(grep -c "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]; then
|
if [ $ret -ne 0 ] || [ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]; then
|
||||||
pr_brownln "Not OK: No ciphers supporting Forward Secrecy offered"
|
pr_brownln "Not OK: No ciphers supporting Forward Secrecy offered"
|
||||||
else
|
else
|
||||||
pr_litegreen "OK: PFS is offered. ";
|
pr_litegreen "OK: PFS is offered. ";
|
||||||
@ -1542,7 +1542,12 @@ breach() {
|
|||||||
url="$1"
|
url="$1"
|
||||||
[ -z "$url" ] && url="/"
|
[ -z "$url" ] && url="/"
|
||||||
if [ $SNEAKY -eq 0 ] ; then
|
if [ $SNEAKY -eq 0 ] ; then
|
||||||
referer="Referer: http://google.com/" # see https://community.qualys.com/message/20360
|
# see https://community.qualys.com/message/20360
|
||||||
|
if [[ "$NODE" =~ google ]]; then
|
||||||
|
referer="Referer: http://yandex.ru/" # otherwise we have a false positive for google.com
|
||||||
|
else
|
||||||
|
referer="Referer: http://google.com/"
|
||||||
|
fi
|
||||||
useragent="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
|
useragent="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
|
||||||
else
|
else
|
||||||
referer="Referer: TLS/SSL-Tester from $SWURL"
|
referer="Referer: TLS/SSL-Tester from $SWURL"
|
||||||
@ -1618,7 +1623,7 @@ spdy() {
|
|||||||
ret=1
|
ret=1
|
||||||
else
|
else
|
||||||
# now comes a strange thing: "Protocols advertised by server:" is empty but connection succeeded
|
# now comes a strange thing: "Protocols advertised by server:" is empty but connection succeeded
|
||||||
if echo $tmpstr | egrep -q "spdy|http" ; then
|
if echo $tmpstr | egrep -aq "spdy|http" ; then
|
||||||
pr_bold "$tmpstr" ; out " (advertised)"
|
pr_bold "$tmpstr" ; out " (advertised)"
|
||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
@ -2047,8 +2052,8 @@ ccs_injection(){
|
|||||||
|
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT &>$TMPFILE </dev/null
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT &>$TMPFILE </dev/null
|
||||||
|
|
||||||
tls_proto_offered=$(grep -w Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
||||||
#tls_proto_offered=$(grep -w Protocol $TMPFILE | sed 's/^.*Protocol//')
|
#tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed 's/^.*Protocol//')
|
||||||
case $tls_proto_offered in
|
case $tls_proto_offered in
|
||||||
12) tls_hexcode="x03, x03" ;;
|
12) tls_hexcode="x03, x03" ;;
|
||||||
11) tls_hexcode="x03, x02" ;;
|
11) tls_hexcode="x03, x02" ;;
|
||||||
@ -2148,7 +2153,7 @@ heartbleed(){
|
|||||||
# determine TLS versions available:
|
# determine TLS versions available:
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null
|
||||||
|
|
||||||
tls_proto_offered=$(grep -w Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
||||||
case $tls_proto_offered in
|
case $tls_proto_offered in
|
||||||
12) tls_hexcode="x03, x03" ;;
|
12) tls_hexcode="x03, x03" ;;
|
||||||
11) tls_hexcode="x03, x02" ;;
|
11) tls_hexcode="x03, x02" ;;
|
||||||
@ -2276,7 +2281,7 @@ renego() {
|
|||||||
|
|
||||||
pr_bold " Renegotiation "; out "(CVE 2009-3555) "
|
pr_bold " Renegotiation "; out "(CVE 2009-3555) "
|
||||||
NEG_STR="Secure Renegotiation IS NOT"
|
NEG_STR="Secure Renegotiation IS NOT"
|
||||||
echo "R" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 | grep -iq "$NEG_STR"
|
echo "R" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 | grep -iaq "$NEG_STR"
|
||||||
secreg=$? # 0= Secure Renegotiation IS NOT supported
|
secreg=$? # 0= Secure Renegotiation IS NOT supported
|
||||||
case $secreg in
|
case $secreg in
|
||||||
0) pr_redln "VULNERABLE (NOT ok)" ;;
|
0) pr_redln "VULNERABLE (NOT ok)" ;;
|
||||||
@ -2305,7 +2310,7 @@ crime() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
# first we need to test whether OpenSSL binary has zlib support
|
# first we need to test whether OpenSSL binary has zlib support
|
||||||
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
|
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
pr_magentaln "Local Problem: Your $OPENSSL lacks zlib support"
|
pr_magentaln "Local Problem: Your $OPENSSL lacks zlib support"
|
||||||
return 7
|
return 7
|
||||||
@ -2313,7 +2318,7 @@ crime() {
|
|||||||
|
|
||||||
#STR=$($OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 </dev/null | grep Compression )
|
#STR=$($OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 </dev/null | grep Compression )
|
||||||
$OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null &>$TMPFILE
|
$OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null &>$TMPFILE
|
||||||
if grep Compression $TMPFILE | grep -q NONE >/dev/null; then
|
if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
|
||||||
pr_green "not vulnerable (OK)"
|
pr_green "not vulnerable (OK)"
|
||||||
[[ $SERVICE == "HTTP" ]] || out " (not using HTTP anyway)"
|
[[ $SERVICE == "HTTP" ]] || out " (not using HTTP anyway)"
|
||||||
ret=0
|
ret=0
|
||||||
@ -2387,7 +2392,7 @@ ssl_poodle() {
|
|||||||
debugme echo $cbc_ciphers
|
debugme echo $cbc_ciphers
|
||||||
$OPENSSL s_client -ssl3 $STARTTLS -cipher $cbc_ciphers -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
$OPENSSL s_client -ssl3 $STARTTLS -cipher $cbc_ciphers -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
[ "$VERBERR" -eq 0 ] && egrep "error|failure" $TMPFILE | egrep -v "unable to get local|verify error"
|
[ "$VERBERR" -eq 0 ] && egrep -q "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
if [ $ret -eq 0 ]; then
|
if [ $ret -eq 0 ]; then
|
||||||
pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (no TLS_FALLBACK_SCSV mitigation tested)"
|
pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (no TLS_FALLBACK_SCSV mitigation tested)"
|
||||||
else
|
else
|
||||||
@ -2408,7 +2413,7 @@ freak() {
|
|||||||
|
|
||||||
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for FREAK attack" && outln "\n"
|
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for FREAK attack" && outln "\n"
|
||||||
pr_bold " FREAK "; out " (CVE-2015-0204), experimental "
|
pr_bold " FREAK "; out " (CVE-2015-0204), experimental "
|
||||||
no_exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | egrep "^EXP.*RSA" | wc -l)
|
no_exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | egrep -a "^EXP.*RSA" | wc -l)
|
||||||
exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/^EXP.*RSA/ {print $1}' | tr '\n' ':')
|
exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/^EXP.*RSA/ {print $1}' | tr '\n' ':')
|
||||||
debugme echo $exportrsa_ciphers
|
debugme echo $exportrsa_ciphers
|
||||||
# with correct build it should list these 7 ciphers (plus the two latter as SSLv2 ciphers):
|
# with correct build it should list these 7 ciphers (plus the two latter as SSLv2 ciphers):
|
||||||
@ -2426,7 +2431,7 @@ freak() {
|
|||||||
esac
|
esac
|
||||||
$OPENSSL s_client $STARTTLS -cipher $exportrsa_ciphers -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
$OPENSSL s_client $STARTTLS -cipher $exportrsa_ciphers -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
[ "$VERBERR" -eq 0 ] && egrep "error|failure" $TMPFILE | egrep -v "unable to get local|verify error"
|
[ "$VERBERR" -eq 0 ] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
if [ $ret -eq 0 ]; then
|
if [ $ret -eq 0 ]; then
|
||||||
pr_red "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers"
|
pr_red "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers"
|
||||||
else
|
else
|
||||||
@ -2464,9 +2469,9 @@ beast(){
|
|||||||
#normalize_ciphercode $hexcode
|
#normalize_ciphercode $hexcode
|
||||||
#neat_list $HEXC $ciph $kx $enc | grep -wai "$arg"
|
#neat_list $HEXC $ciph $kx $enc | grep -wai "$arg"
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
detected_cbc_cipher="$detected_cbc_cipher ""$(grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')"
|
detected_cbc_cipher="$detected_cbc_cipher ""$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')"
|
||||||
fi
|
fi
|
||||||
done < <($OPENSSL ciphers -V 'ALL:eNULL' | grep CBC)
|
done < <($OPENSSL ciphers -V 'ALL:eNULL' | grep -a CBC)
|
||||||
# ^^^^^ process substitution as shopt will either segfault or doesn't work with old bash versions
|
# ^^^^^ process substitution as shopt will either segfault or doesn't work with old bash versions
|
||||||
|
|
||||||
#detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g')
|
#detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g')
|
||||||
@ -2485,7 +2490,7 @@ beast(){
|
|||||||
for proto in tls1_1 tls1_2; do
|
for proto in tls1_1 tls1_2; do
|
||||||
$OPENSSL s_client -state -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null >$TMPFILE </dev/null
|
$OPENSSL s_client -state -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null >$TMPFILE </dev/null
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
higher_proto_supported="$higher_proto_supported ""$(grep -w "Protocol" $TMPFILE | sed -e 's/^.*Protocol .*://' -e 's/ //g')"
|
higher_proto_supported="$higher_proto_supported ""$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol .*://' -e 's/ //g')"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [ $ret -eq 1 ] ; then
|
if [ $ret -eq 1 ] ; then
|
||||||
@ -2682,7 +2687,7 @@ mybanner() {
|
|||||||
nr_ciphers=$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' | sed 's/:/ /g' | wc -w)
|
nr_ciphers=$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' | sed 's/:/ /g' | wc -w)
|
||||||
hn=$(hostname)
|
hn=$(hostname)
|
||||||
#poor man's ident (nowadays ident not neccessarily installed)
|
#poor man's ident (nowadays ident not neccessarily installed)
|
||||||
idtag=$(grep '\$Id' $0 | grep -w "[E]xp" | sed -e 's/^# //' -e 's/\$ $/\$/')
|
idtag=$(grep -a '\$Id' $0 | grep -aw "[E]xp" | sed -e 's/^# //' -e 's/\$ $/\$/')
|
||||||
[ "$COLOR" -ne 0 ] && idtag="\033[1;30m$idtag\033[m\033[1m"
|
[ "$COLOR" -ne 0 ] && idtag="\033[1;30m$idtag\033[m\033[1m"
|
||||||
bb=$(cat <<EOF
|
bb=$(cat <<EOF
|
||||||
|
|
||||||
@ -3272,5 +3277,5 @@ main() {
|
|||||||
|
|
||||||
main "$@"
|
main "$@"
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.224 2015/04/13 20:55:38 dirkw Exp $
|
# $Id: testssl.sh,v 1.225 2015/04/14 08:14:43 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
Loading…
Reference in New Issue
Block a user