- protocol check streamlined: now similar for every protocol

- NPN/SPDY is not green anymore
Dirk 2014-11-19 18:04:43 +01:00
parent ab7074aefd
commit 9d5d77c813


@ -208,7 +208,7 @@ boldandunder() { [ "$COLOR" != 0 ] && out "\033[1m\033[4m$1" || out "$1" ; off;
reverse() { [ "$COLOR" != 0 ] && out "\033[7m$1" || out "$1" ; off; } reverse() { [ "$COLOR" != 0 ] && out "\033[7m$1" || out "$1" ; off; }
# whether it is ok for offer/not offer enc/cipher/version # whether it is ok to offer/not to offer enc/cipher/version
ok(){ ok(){
if [ "$2" -eq 1 ] ; then if [ "$2" -eq 1 ] ; then
case $1 in case $1 in
@ -217,9 +217,11 @@ ok(){
esac esac
else else
case $1 in case $1 in
6) literedln "offered (NOT ok)" ;; # 4 0 6) literedln "offered (NOT ok)" ;; # 6 0
5) litered "supported but couldn't detect a cipher"; outln "(check manually)" ;; # 5 5
4) litegreenln "offered (OK)" ;; # 4 0
3) brownln "offered" ;; # 3 0 3) brownln "offered" ;; # 3 0
2) boldln "offered" ;; # 2 0 2) boldln "offered" ;; # 2 0
1) greenln "offered (OK)" ;; # 1 0 1) greenln "offered (OK)" ;; # 1 0
0) boldln "not offered" ;; # 0 0 0) boldln "not offered" ;; # 0 0
esac esac
@ -690,14 +692,15 @@ locally_supported() {
} }
testversion_new() { testversion_new() {
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null local sni=$SNI
[ "x$1" = "x-ssl2" ] && sni="" # newer openssl throw an error if SNI with SSLv2
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $sni &>$TMPFILE </dev/null
ret=$? ret=$?
[ "$VERBERR" -eq 0 ] && cat $TMPFILE | egrep "error|failure" | egrep -v "unable to get local|verify error" [ "$VERBERR" -eq 0 ] && cat $TMPFILE | egrep "error|failure" | egrep -v "unable to get local|verify error"
if grep -q "no cipher list" $TMPFILE ; then if grep -q "no cipher list" $TMPFILE ; then
litered "supported but couldn't detect a cipher" ret=5
outln "(check manually)"
ret=3
fi fi
rm $TMPFILE rm $TMPFILE
@ -718,57 +721,46 @@ runprotocols() {
blue "--> Testing Protocols"; outln "\n" blue "--> Testing Protocols"; outln "\n"
# e.g. ubuntu's 12.04 openssl binary + soon others don't want sslv2 anymore: bugs.launchpad.net/ubuntu/+source/openssl/+bug/955675 # e.g. ubuntu's 12.04 openssl binary + soon others don't want sslv2 anymore: bugs.launchpad.net/ubuntu/+source/openssl/+bug/955675
testprotohelper "-ssl2" " SSLv2 " testprotohelper "-ssl2" " SSLv2 "
ret=$?; case $? in
if [ $ret -ne 7 ]; then 0) ok 1 1 ;; # red
if [ $ret -eq 0 ]; then 5) ok 5 5 ;; # protocol ok, but no cipher
ok 1 1 # red 1) ok 0 1 ;; # green "not offered (ok)"
elif [ $ret -eq 3 ] ; then 7) ;; # no local support
: esac
else
ok 0 1 # green "not offered (ok)"
fi
fi
testprotohelper "-ssl3" " SSLv3 " testprotohelper "-ssl3" " SSLv3 "
ret=$?; case $? in
if [ $ret -ne 7 ]; then 0) ok 6 0 ;; # poodle hack"
if [ $ret -eq 0 ]; then 1) ok 0 1 ;; # green "not offered (ok)"
ok 6 0 # poodle hack" 5) ok 5 5 ;; # protocol ok, but no cipher
else 7) ;; # no local support
ok 0 1 # green "not offered (ok)" esac
fi
fi
testprotohelper "-tls1" " TLSv1 " testprotohelper "-tls1" " TLSv1 "
ret=$?; case $? in
if [ $ret -ne 7 ]; then 0) ok 4 0 ;; # no GCM, thus in litegreen
if [ $ret -eq 0 ]; then 1) ok 0 0 ;;
ok 1 0 5) ok 5 5 ;; # protocol ok, but no cipher
else 7) ;; # no local support
ok 0 0 esac
fi
fi
testprotohelper "-tls1_1" " TLSv1.1 " testprotohelper "-tls1_1" " TLSv1.1 "
ret=$?; case $? in
if [ $ret -ne 7 ]; then 0) ok 1 0 ;;
if [ $ret -eq 0 ]; then 1) ok 0 0 ;;
ok 1 0 5) ok 5 5 ;; # protocol ok, but no cipher
else 7) ;; # no local support
ok 0 0 esac
fi
fi
testprotohelper "-tls1_2" " TLSv1.2 " testprotohelper "-tls1_2" " TLSv1.2 "
ret=$?; case $? in
if [ $ret -ne 7 ]; then 0) ok 1 0 ;;
if [ $ret -eq 0 ]; then 1) ok 0 0 ;;
ok 1 0 5) ok 5 5 ;; # protocol ok, but no cipher
else 7) ;; # no local support
ok 0 0 esac
fi
fi
return 0 return 0
} }
@ -1039,7 +1031,7 @@ spdy(){
else else
# now comes a strange thing: "Protocols advertised by server:" is empty but connection succeeded # now comes a strange thing: "Protocols advertised by server:" is empty but connection succeeded
if echo $tmpstr | egrep -q "spdy|http" ; then if echo $tmpstr | egrep -q "spdy|http" ; then
green "$tmpstr" ; out " (advertised)" bold "$tmpstr" ; out " (advertised)"
ret=0 ret=0
else else
litemagenta "please check manually, response from server was ambigious ..." litemagenta "please check manually, response from server was ambigious ..."
@ -1973,7 +1965,7 @@ case "$1" in
exit $ret ;; exit $ret ;;
esac esac
# $Id: testssl.sh,v 1.143 2014/11/19 16:08:58 dirkw Exp $ # $Id: testssl.sh,v 1.144 2014/11/19 17:04:42 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5
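Review bot: The five `case $? in` blocks in the runprotocols hunk have no default arm, so a status from testprotohelper other than 0, 1, 5 or 7 prints no verdict for that protocol, whereas the removed if/else chains sent every status they did not name to the "not offered" branch. A protocol line with no result is easy to read as a clean finding in a scan report, so each case should end with an explicit fallback such as `*) outln "unexpected result (check manually)" ;;`. The body of testprotohelper and the start of runprotocols are outside the hunk, so which other statuses can actually reach these cases is not confirmed from this page.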