Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add printing of information about client authentication to run_server_defaults(). Minor cleanup of code to extract information about client authentication.

Browse Source
This commit is contained in:
David Cooper
2021-01-25 11:08:44 -05:00
parent e8a3dce5ad
commit 9dbb629154
1 changed files with 36 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
testssl.sh
View File

@@ -2224,7 +2224,7 @@ s_client_options() {
service_detection() { service_detection() {
local -i was_killed local -i was_killed
if [[ "$CLIENT_AUTH" != require ]]; then if [[ "$CLIENT_AUTH" != required ]]; then
if ! "$HAS_TLS13" && "$TLS13_ONLY"; then if ! "$HAS_TLS13" && "$TLS13_ONLY"; then
# Using sockets is a lot slower than using OpenSSL, and it is # Using sockets is a lot slower than using OpenSSL, and it is
# not as reliable, but if OpenSSL can't connect to the server, # not as reliable, but if OpenSSL can't connect to the server,
@@ -2273,7 +2273,7 @@ service_detection() {
out " $SERVICE, thus skipping HTTP specific checks" out " $SERVICE, thus skipping HTTP specific checks"
fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks" fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
;; ;;
*) if [[ "$CLIENT_AUTH" == require ]]; then *) if [[ "$CLIENT_AUTH" == required ]]; then
out " certificate-based authentication => skipping all HTTP checks" out " certificate-based authentication => skipping all HTTP checks"
echo "certificate-based authentication => skipping all HTTP checks" >$TMPFILE echo "certificate-based authentication => skipping all HTTP checks" >$TMPFILE
fileout "${jsonID}" "INFO" "certificate-based authentication => skipping all HTTP checks" fileout "${jsonID}" "INFO" "certificate-based authentication => skipping all HTTP checks"
@@ -2495,7 +2495,7 @@ run_http_date() {
local spaces=" " local spaces=" "
jsonID="HTTP_clock_skew" jsonID="HTTP_clock_skew"
if [[ $SERVICE != HTTP ]] || [[ "$CLIENT_AUTH" == require ]]; then if [[ $SERVICE != HTTP ]] || [[ "$CLIENT_AUTH" == required ]]; then
return 0 return 0
fi fi
if [[ ! -s $HEADERFILE ]]; then if [[ ! -s $HEADERFILE ]]; then
@@ -6444,7 +6444,7 @@ sub_session_resumption() {
return 1 return 1
fi fi
fi fi
[[ "$CLIENT_AUTH" == require ]] && return 6 [[ "$CLIENT_AUTH" == required ]] && return 6
if ! "$HAS_TLS13" && "$HAS_NO_SSL2"; then if ! "$HAS_TLS13" && "$HAS_NO_SSL2"; then
addcmd+=" -no_ssl2" addcmd+=" -no_ssl2"
else else
@@ -8366,7 +8366,7 @@ certificate_transparency() {
fi fi
fi fi
if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != require ]]; then if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != required ]]; then
# At the moment Certificate Transparency only applies to HTTPS. # At the moment Certificate Transparency only applies to HTTPS.
tm_out "N/A" tm_out "N/A"
else else
@@ -9494,7 +9494,7 @@ run_server_defaults() {
local -a ocsp_response_binary ocsp_response ocsp_response_status sni_used tls_version ct local -a ocsp_response_binary ocsp_response ocsp_response_status sni_used tls_version ct
local -a ciphers_to_test certificate_type local -a ciphers_to_test certificate_type
local -a -i success local -a -i success
local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions client_auth_ca
local using_sockets=true local using_sockets=true
"$SSL_NATIVE" && using_sockets=false "$SSL_NATIVE" && using_sockets=false
@@ -9842,6 +9842,26 @@ run_server_defaults() {
tls_time tls_time
jsonID="clientAuth"
pr_bold " Client Authentication "
outln "$CLIENT_AUTH"
fileout "$jsonID" "INFO" "$CLIENT_AUTH"
if [[ "$CLIENT_AUTH" != none ]]; then
jsonID="clientAuth_CA_list"
pr_bold " CA List for Client Auth "
out_row_aligned "$CLIENT_AUTH_CA_LIST" " "
if [[ "$CLIENT_AUTH_CA_LIST" == empty ]] || [[ $(count_lines "$CLIENT_AUTH_CA_LIST") -eq 1 ]]; then
fileout "$jsonID" "INFO" "$CLIENT_AUTH_CA_LIST"
else
i=1
while read client_auth_ca; do
fileout "$jsonID #$i" "INFO" "$client_auth_ca"
i+=1
done <<< "$CLIENT_AUTH_CA_LIST"
fi
fi
if [[ -n "$SNI" ]] && [[ $certs_found -ne 0 ]] && [[ ! -e $HOSTCERT.nosni ]]; then if [[ -n "$SNI" ]] && [[ $certs_found -ne 0 ]] && [[ ! -e $HOSTCERT.nosni ]]; then
# no cipher suites specified here. We just want the default vhost subject # no cipher suites specified here. We just want the default vhost subject
if ! "$HAS_TLS13" && [[ $(has_server_protocol "tls1_3") -eq 0 ]]; then if ! "$HAS_TLS13" && [[ $(has_server_protocol "tls1_3") -eq 0 ]]; then
@@ -15799,7 +15819,7 @@ run_ticketbleed() {
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Ticketbleed vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Ticketbleed vulnerability " && outln
pr_bold " Ticketbleed"; out " ($cve), experiment. " pr_bold " Ticketbleed"; out " ($cve), experiment. "
if [[ "$SERVICE" != HTTP ]] && [[ "$CLIENT_AUTH" != require ]]; then if [[ "$SERVICE" != HTTP ]] && [[ "$CLIENT_AUTH" != required ]]; then
outln "-- (applicable only for HTTPS)" outln "-- (applicable only for HTTPS)"
fileout "$jsonID" "INFO" "not applicable, not HTTP" "$cve" "$cwe" fileout "$jsonID" "INFO" "not applicable, not HTTP" "$cve" "$cwe"
return 0 return 0
@@ -16129,7 +16149,7 @@ run_renego() {
[[ $DEBUG -ge 1 ]] && out ", no renegotiation support in TLS 1.3 only servers" [[ $DEBUG -ge 1 ]] && out ", no renegotiation support in TLS 1.3 only servers"
outln outln
fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe"
elif [[ "$CLIENT_AUTH" == require ]]; then elif [[ "$CLIENT_AUTH" == required ]]; then
prln_warning "client x509-based authentication prevents this from being tested" prln_warning "client x509-based authentication prevents this from being tested"
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested"
sec_client_renego=1 sec_client_renego=1
@@ -16252,14 +16272,14 @@ run_crime() {
ret=1 ret=1
elif grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then elif grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
pr_svrty_good "not vulnerable (OK)" pr_svrty_good "not vulnerable (OK)"
if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != require ]]; then if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != required ]]; then
out " (not using HTTP anyway)" out " (not using HTTP anyway)"
fileout "CRIME_TLS" "OK" "not vulnerable (not using HTTP anyway)" "$cve" "$cwe" fileout "CRIME_TLS" "OK" "not vulnerable (not using HTTP anyway)" "$cve" "$cwe"
else else
fileout "CRIME_TLS" "OK" "not vulnerable" "$cve" "$cwe" fileout "CRIME_TLS" "OK" "not vulnerable" "$cve" "$cwe"
fi fi
else else
if [[ $SERVICE == HTTP ]] || [[ "$CLIENT_AUTH" == require ]]; then if [[ $SERVICE == HTTP ]] || [[ "$CLIENT_AUTH" == required ]]; then
pr_svrty_high "VULNERABLE (NOT ok)" pr_svrty_high "VULNERABLE (NOT ok)"
fileout "CRIME_TLS" "HIGH" "VULNERABLE" "$cve" "$cwe" "$hint" fileout "CRIME_TLS" "HIGH" "VULNERABLE" "$cve" "$cwe" "$hint"
else else
@@ -16365,11 +16385,11 @@ run_breach() {
local detected_compression="" local detected_compression=""
local get_command="" local get_command=""
[[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != require ]] && return 7 [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != required ]] && return 7
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln
pr_bold " BREACH"; out " ($cve) " pr_bold " BREACH"; out " ($cve) "
if [[ "$CLIENT_AUTH" == require ]]; then if [[ "$CLIENT_AUTH" == required ]]; then
outln "cannot be tested (server side requires x509 authentication)" outln "cannot be tested (server side requires x509 authentication)"
fileout "$jsonID" "INFO" "was not tested, server side requires x509 authentication" "$cve" "$cwe" fileout "$jsonID" "INFO" "was not tested, server side requires x509 authentication" "$cve" "$cwe"
fi fi
@@ -20397,7 +20417,7 @@ print_dn() {
extract_calist() { extract_calist() {
local response="$1" local response="$1"
local is_tls13=false local is_tls13=false
local certreq calist certtypes sigalgs dn local certreq calist="" certtypes sigalgs dn
local calist_string="" local calist_string=""
local -i len type local -i len type
@@ -20430,7 +20450,7 @@ extract_calist() {
# This is the certificate_authorities extension # This is the certificate_authorities extension
calist="${certreq:8:len}" calist="${certreq:8:len}"
len=2*$(hex2dec "${calist:0:4}") len=2*$(hex2dec "${calist:0:4}")
calist="${calist:4}" calist="${calist:4:len}"
break break
fi fi
certreq="${certreq:$((len+8))}" certreq="${certreq:$((len+8))}"
@@ -20449,7 +20469,7 @@ extract_calist() {
sigalgs="${certreq:4:len}" sigalgs="${certreq:4:len}"
certreq="${certreq:$((len+4))}" certreq="${certreq:$((len+4))}"
len=2*$(hex2dec "${certreq:0:4}") len=2*$(hex2dec "${certreq:0:4}")
calist="${certreq:4}" calist="${certreq:4:len}"
fi fi
# Convert each DN to a string. # Convert each DN to a string.
while true; do while true; do
@@ -20482,7 +20502,7 @@ sclient_auth() {
if "$connect_success"; then if "$connect_success"; then
if [[ "$server_hello" =~ \<\<\<\ (SSL\ [23]|TLS\ 1)(\.[0-3])?[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]]; then if [[ "$server_hello" =~ \<\<\<\ (SSL\ [23]|TLS\ 1)(\.[0-3])?[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]]; then
# CertificateRequest message in -msg # CertificateRequest message in -msg
CLIENT_AUTH="require" CLIENT_AUTH="required"
[[ $1 -eq 0 ]] && CLIENT_AUTH="optional" [[ $1 -eq 0 ]] && CLIENT_AUTH="optional"
CLIENT_AUTH_CA_LIST="$(extract_calist "$server_hello")" CLIENT_AUTH_CA_LIST="$(extract_calist "$server_hello")"
return 0 return 0