mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-31 04:41:15 +01:00
Add printing of information about client authentication to run_server_defaults(). Minor cleanup of code to extract information about client authentication.
This commit is contained in:
David Cooper
parent
e8a3dce5ad
commit
9dbb629154
52
testssl.sh
52
testssl.sh
@ -2224,7 +2224,7 @@ s_client_options() {
|
||||
service_detection() {
|
||||
local -i was_killed
|
||||
|
||||
if [[ "$CLIENT_AUTH" != require ]]; then
|
||||
if [[ "$CLIENT_AUTH" != required ]]; then
|
||||
if ! "$HAS_TLS13" && "$TLS13_ONLY"; then
|
||||
# Using sockets is a lot slower than using OpenSSL, and it is
|
||||
# not as reliable, but if OpenSSL can't connect to the server,
|
||||
@ -2273,7 +2273,7 @@ service_detection() {
|
||||
out " $SERVICE, thus skipping HTTP specific checks"
|
||||
fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
|
||||
;;
|
||||
*) if [[ "$CLIENT_AUTH" == require ]]; then
|
||||
*) if [[ "$CLIENT_AUTH" == required ]]; then
|
||||
out " certificate-based authentication => skipping all HTTP checks"
|
||||
echo "certificate-based authentication => skipping all HTTP checks" >$TMPFILE
|
||||
fileout "${jsonID}" "INFO" "certificate-based authentication => skipping all HTTP checks"
|
||||
@ -2495,7 +2495,7 @@ run_http_date() {
|
||||
local spaces=" "
|
||||
jsonID="HTTP_clock_skew"
|
||||
|
||||
if [[ $SERVICE != HTTP ]] || [[ "$CLIENT_AUTH" == require ]]; then
|
||||
if [[ $SERVICE != HTTP ]] || [[ "$CLIENT_AUTH" == required ]]; then
|
||||
return 0
|
||||
fi
|
||||
if [[ ! -s $HEADERFILE ]]; then
|
||||
@ -6444,7 +6444,7 @@ sub_session_resumption() {
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
[[ "$CLIENT_AUTH" == require ]] && return 6
|
||||
[[ "$CLIENT_AUTH" == required ]] && return 6
|
||||
if ! "$HAS_TLS13" && "$HAS_NO_SSL2"; then
|
||||
addcmd+=" -no_ssl2"
|
||||
else
|
||||
@ -8366,7 +8366,7 @@ certificate_transparency() {
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != require ]]; then
|
||||
if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != required ]]; then
|
||||
# At the moment Certificate Transparency only applies to HTTPS.
|
||||
tm_out "N/A"
|
||||
else
|
||||
@ -9494,7 +9494,7 @@ run_server_defaults() {
|
||||
local -a ocsp_response_binary ocsp_response ocsp_response_status sni_used tls_version ct
|
||||
local -a ciphers_to_test certificate_type
|
||||
local -a -i success
|
||||
local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions
|
||||
local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions client_auth_ca
|
||||
local using_sockets=true
|
||||
|
||||
"$SSL_NATIVE" && using_sockets=false
|
||||
@ -9842,6 +9842,26 @@ run_server_defaults() {
|
||||
|
||||
tls_time
|
||||
|
||||
jsonID="clientAuth"
|
||||
pr_bold " Client Authentication "
|
||||
outln "$CLIENT_AUTH"
|
||||
fileout "$jsonID" "INFO" "$CLIENT_AUTH"
|
||||
if [[ "$CLIENT_AUTH" != none ]]; then
|
||||
jsonID="clientAuth_CA_list"
|
||||
pr_bold " CA List for Client Auth "
|
||||
out_row_aligned "$CLIENT_AUTH_CA_LIST" " "
|
||||
if [[ "$CLIENT_AUTH_CA_LIST" == empty ]] || [[ $(count_lines "$CLIENT_AUTH_CA_LIST") -eq 1 ]]; then
|
||||
fileout "$jsonID" "INFO" "$CLIENT_AUTH_CA_LIST"
|
||||
else
|
||||
i=1
|
||||
while read client_auth_ca; do
|
||||
fileout "$jsonID #$i" "INFO" "$client_auth_ca"
|
||||
i+=1
|
||||
done <<< "$CLIENT_AUTH_CA_LIST"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if [[ -n "$SNI" ]] && [[ $certs_found -ne 0 ]] && [[ ! -e $HOSTCERT.nosni ]]; then
|
||||
# no cipher suites specified here. We just want the default vhost subject
|
||||
if ! "$HAS_TLS13" && [[ $(has_server_protocol "tls1_3") -eq 0 ]]; then
|
||||
@ -15799,7 +15819,7 @@ run_ticketbleed() {
|
||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Ticketbleed vulnerability " && outln
|
||||
pr_bold " Ticketbleed"; out " ($cve), experiment. "
|
||||
|
||||
if [[ "$SERVICE" != HTTP ]] && [[ "$CLIENT_AUTH" != require ]]; then
|
||||
if [[ "$SERVICE" != HTTP ]] && [[ "$CLIENT_AUTH" != required ]]; then
|
||||
outln "-- (applicable only for HTTPS)"
|
||||
fileout "$jsonID" "INFO" "not applicable, not HTTP" "$cve" "$cwe"
|
||||
return 0
|
||||
@ -16129,7 +16149,7 @@ run_renego() {
|
||||
[[ $DEBUG -ge 1 ]] && out ", no renegotiation support in TLS 1.3 only servers"
|
||||
outln
|
||||
fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe"
|
||||
elif [[ "$CLIENT_AUTH" == require ]]; then
|
||||
elif [[ "$CLIENT_AUTH" == required ]]; then
|
||||
prln_warning "client x509-based authentication prevents this from being tested"
|
||||
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested"
|
||||
sec_client_renego=1
|
||||
@ -16252,14 +16272,14 @@ run_crime() {
|
||||
ret=1
|
||||
elif grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
|
||||
pr_svrty_good "not vulnerable (OK)"
|
||||
if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != require ]]; then
|
||||
if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != required ]]; then
|
||||
out " (not using HTTP anyway)"
|
||||
fileout "CRIME_TLS" "OK" "not vulnerable (not using HTTP anyway)" "$cve" "$cwe"
|
||||
else
|
||||
fileout "CRIME_TLS" "OK" "not vulnerable" "$cve" "$cwe"
|
||||
fi
|
||||
else
|
||||
if [[ $SERVICE == HTTP ]] || [[ "$CLIENT_AUTH" == require ]]; then
|
||||
if [[ $SERVICE == HTTP ]] || [[ "$CLIENT_AUTH" == required ]]; then
|
||||
pr_svrty_high "VULNERABLE (NOT ok)"
|
||||
fileout "CRIME_TLS" "HIGH" "VULNERABLE" "$cve" "$cwe" "$hint"
|
||||
else
|
||||
@ -16365,11 +16385,11 @@ run_breach() {
|
||||
local detected_compression=""
|
||||
local get_command=""
|
||||
|
||||
[[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != require ]] && return 7
|
||||
[[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != required ]] && return 7
|
||||
|
||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln
|
||||
pr_bold " BREACH"; out " ($cve) "
|
||||
if [[ "$CLIENT_AUTH" == require ]]; then
|
||||
if [[ "$CLIENT_AUTH" == required ]]; then
|
||||
outln "cannot be tested (server side requires x509 authentication)"
|
||||
fileout "$jsonID" "INFO" "was not tested, server side requires x509 authentication" "$cve" "$cwe"
|
||||
fi
|
||||
@ -20397,7 +20417,7 @@ print_dn() {
|
||||
extract_calist() {
|
||||
local response="$1"
|
||||
local is_tls13=false
|
||||
local certreq calist certtypes sigalgs dn
|
||||
local certreq calist="" certtypes sigalgs dn
|
||||
local calist_string=""
|
||||
local -i len type
|
||||
|
||||
@ -20430,7 +20450,7 @@ extract_calist() {
|
||||
# This is the certificate_authorities extension
|
||||
calist="${certreq:8:len}"
|
||||
len=2*$(hex2dec "${calist:0:4}")
|
||||
calist="${calist:4}"
|
||||
calist="${calist:4:len}"
|
||||
break
|
||||
fi
|
||||
certreq="${certreq:$((len+8))}"
|
||||
@ -20449,7 +20469,7 @@ extract_calist() {
|
||||
sigalgs="${certreq:4:len}"
|
||||
certreq="${certreq:$((len+4))}"
|
||||
len=2*$(hex2dec "${certreq:0:4}")
|
||||
calist="${certreq:4}"
|
||||
calist="${certreq:4:len}"
|
||||
fi
|
||||
# Convert each DN to a string.
|
||||
while true; do
|
||||
@ -20482,7 +20502,7 @@ sclient_auth() {
|
||||
if "$connect_success"; then
|
||||
if [[ "$server_hello" =~ \<\<\<\ (SSL\ [23]|TLS\ 1)(\.[0-3])?[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]]; then
|
||||
# CertificateRequest message in -msg
|
||||
CLIENT_AUTH="require"
|
||||
CLIENT_AUTH="required"
|
||||
[[ $1 -eq 0 ]] && CLIENT_AUTH="optional"
|
||||
CLIENT_AUTH_CA_LIST="$(extract_calist "$server_hello")"
|
||||
return 0
|
||||
|
||||
Loading…
Reference in New Issue
Block a user