Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

cleanups / bsd date in tls time

Browse Source
This commit is contained in:
Dirk 2015-03-30 23:09:19 +02:00
parent 6c30386278
commit 9ed58b6202
1 changed files with 40 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
testssl.sh
View File

@ -829,7 +829,7 @@ allciphers(){
cipher_per_proto(){ cipher_per_proto(){
pr_blue "--> Testing all locally available ciphers per protocol against the server"; outln "\n" pr_blue "--> Testing all locally available ciphers per protocol against the server"; outln "\n"
neat_header neat_header
outln " -ssl2 SSLv2\n -ssl3 SSLv3\n -tls1 TLSv1\n -tls1_1 TLSv1.1\n -tls1_2 TLSv1.2"| while read proto prtext; do outln " -ssl2 SSLv2\n -ssl3 SSLv3\n -tls1 TLS 1\n -tls1_1 TLS 1.1\n -tls1_2 TLS 1.2"| while read proto prtext; do
locally_supported "$proto" "$prtext" || continue locally_supported "$proto" "$prtext" || continue
outln outln
$OPENSSL ciphers $proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode n ciph sslvers kx auth enc mac export; do $OPENSSL ciphers $proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode n ciph sslvers kx auth enc mac export; do
@ -856,7 +856,7 @@ cipher_per_proto(){
} }
locally_supported() { locally_supported() {
out "$2 " [ ! -z "$2" ] && out "$2 "
$OPENSSL s_client "$1" 2>&1 | grep -q "unknown option" $OPENSSL s_client "$1" 2>&1 | grep -q "unknown option"
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pr_magentaln "Local problem: $OPENSSL doesn't support \"s_client $1\"" pr_magentaln "Local problem: $OPENSSL doesn't support \"s_client $1\""
@ -864,9 +864,7 @@ locally_supported() {
else else
ret=0 ret=0
fi fi
return $ret return $ret
} }
testversion() { testversion() {
@ -889,6 +887,9 @@ testprotohelper() {
if locally_supported "$1" "$2" ; then if locally_supported "$1" "$2" ; then
testversion "$1" "$2" testversion "$1" "$2"
return $? return $?
# 0: offered
# 1: not offered
# 5: protocol ok, but no cipher
else else
return 7 return 7
fi fi
@ -901,8 +902,8 @@ runprotocols() {
testprotohelper "-ssl2" " SSLv2 " testprotohelper "-ssl2" " SSLv2 "
case $? in case $? in
0) ok 1 1 ;; # pr_red 0) ok 1 1 ;; # pr_red
5) ok 5 5 ;; # protocol ok, but no cipher
1) ok 0 1 ;; # pr_green "not offered (ok)" 1) ok 0 1 ;; # pr_green "not offered (ok)"
5) ok 5 5 ;; # protocol ok, but no cipher
7) ;; # no local support 7) ;; # no local support
esac esac
else else
@ -1522,7 +1523,7 @@ len2twobytes() {
socksend_sslv2_clienthello() { socksend_sslv2_clienthello() {
code2network "$SSLv2_CLIENT_HELLO" code2network "$SSLv2_CLIENT_HELLO"
data=$(echo $NW_STR) data=$(echo $NW_STR)
[[ "$DEBUG" -ge 3 ]] && echo "\"$data\"" [[ "$DEBUG" -ge 4 ]] && echo "\"$data\""
printf -- "$data" >&5 2>/dev/null & printf -- "$data" >&5 2>/dev/null &
sleep $USLEEP_SND sleep $USLEEP_SND
} }
@ -1573,7 +1574,7 @@ display_sslv2_serverhello() {
# [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY! # [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY!
v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1) v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
[[ "$DEBUG" -ge 4 ]] && echo $v2_hello_ascii # one line without any blanks [[ "$DEBUG" -ge 5 ]] && echo $v2_hello_ascii # one line without any blanks
if [[ -z $v2_hello_ascii ]] ; then if [[ -z $v2_hello_ascii ]] ; then
ret=0 # no server hello received ret=0 # no server hello received
debugme echo "server hello empty" debugme echo "server hello empty"
@ -1629,8 +1630,8 @@ display_tls_serverhello() {
tls_len_all=$(printf "%d\n" ${tls_hello_ascii:6:4}) tls_len_all=$(printf "%d\n" ${tls_hello_ascii:6:4})
if [[ $tls_hello_initbyte != "16" ]] ; then if [[ $tls_hello_initbyte != "16" ]] ; then
[[ $DEBUG -ge 1 ]] && echo "tls_hello_initbyte: 0x$tls_hello_initbyte"
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
echo "tls_hello_initbyte: 0x$tls_hello_initbyte"
echo "tls_hello_protocol: 0x$tls_hello_protocol" echo "tls_hello_protocol: 0x$tls_hello_protocol"
echo "tls_len_all: $tls_len_all" echo "tls_len_all: $tls_len_all"
echo "tls_err_level: ${tls_hello_ascii:10:2}" echo "tls_err_level: ${tls_hello_ascii:10:2}"
@ -1645,7 +1646,10 @@ display_tls_serverhello() {
tls_hello_protocol2="${tls_hello_ascii:18:4}" tls_hello_protocol2="${tls_hello_ascii:18:4}"
tls_hello_time="${tls_hello_ascii:22:8}" tls_hello_time="${tls_hello_ascii:22:8}"
tls_time=$(printf "%d\n" 0x$tls_hello_time) tls_time=$(printf "%d\n" 0x$tls_hello_time)
tls_time=$(date --date="@$tls_time" "+%Y-%m-%d %r") case $(uname -s) in
*BSD|Darwin) tls_time=$(date -j -f %s "$tls_time" "+%Y-%m-%d %r") ;;
*) tls_time=$(date --date="@$tls_time" "+%Y-%m-%d %r") ;;
esac
tls_sid_len=$(printf "%d\n" 0x${tls_hello_ascii:86:2}) tls_sid_len=$(printf "%d\n" 0x${tls_hello_ascii:86:2})
let sid_offset=88+$tls_sid_len*2 let sid_offset=88+$tls_sid_len*2
tls_cipher_suite="${tls_hello_ascii:$sid_offset:4}" tls_cipher_suite="${tls_hello_ascii:$sid_offset:4}"
@ -1653,18 +1657,15 @@ display_tls_serverhello() {
tls_compression_method="${tls_hello_ascii:$sid_offset:2}" tls_compression_method="${tls_hello_ascii:$sid_offset:2}"
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
echo "tls_hello_initbyte: 0x$tls_hello_initbyte"
echo "tls_hello: 0x$tls_hello" echo "tls_hello: 0x$tls_hello"
echo "tls_hello_protocol: 0x$tls_hello_protocol"
if [[ $DEBUG -ge 4 ]]; then if [[ $DEBUG -ge 4 ]]; then
echo "tls_hello_protocol2: 0x$tls_hello_protocol2" echo "tls_hello_protocol2: 0x$tls_hello_protocol2"
echo "tls_len_all: $tls_len_all"
echo "tls_sid_len: $tls_sid_len" echo "tls_sid_len: $tls_sid_len"
fi fi
echo "tls_hello_time: 0x$tls_hello_time ($tls_time)" echo "tls_hello_time: 0x$tls_hello_time ($tls_time)"
echo "tls_cipher_suite: 0x$tls_cipher_suite" echo "tls_cipher_suite: 0x$tls_cipher_suite"
echo "tls_compression_method: 0x$tls_compression_method" echo "tls_compression_method: 0x$tls_compression_method"
outln
fi fi
return 0 return 0
@ -1672,16 +1673,17 @@ display_tls_serverhello() {
sslv2_sockets() { sslv2_sockets() {
local ciphers_detected
out " SSLv2 "; out " SSLv2 ";
fd_socket 5 || return 6 fd_socket 5 || return 6
[[ "$DEBUG" -ge 2 ]] && outln "sending client hello... "
[[ "$DEBUG" -ge 2 ]] && out "sending client hello... "
socksend_sslv2_clienthello socksend_sslv2_clienthello
sockread_serverhello 32768 0 sockread_serverhello 32768 0
[[ "$DEBUG" -ge 2 ]] && out "reading server hello... " [[ "$DEBUG" -ge 2 ]] && outln "reading server hello... "
if [[ "$DEBUG" -eq 3 ]]; then if [[ "$DEBUG" -eq 4 ]]; then
hexdump -C $SOCK_REPLY_FILE | head -6 hexdump -C $SOCK_REPLY_FILE | head -6
outln outln
fi fi
@ -1691,7 +1693,7 @@ sslv2_sockets() {
# strange reply # strange reply
pr_litemagenta "strange v2 reply " pr_litemagenta "strange v2 reply "
outln " (rerun with DEBUG=2)" outln " (rerun with DEBUG=2)"
[[ $DEBUG -ge 2 ]] && hexdump -C $SOCK_REPLY_FILE | head -1 [[ $DEBUG -ge 3 ]] && hexdump -C $SOCK_REPLY_FILE | head -1
else else
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL # see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l) lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l)
@ -1711,6 +1713,7 @@ sslv2_sockets() {
fi fi
fi fi
pr_off pr_off
debugme outln
close_socket close_socket
TMPFILE=$SOCK_REPLY_FILE TMPFILE=$SOCK_REPLY_FILE
@ -1758,15 +1761,15 @@ socksend_tls_clienthello() {
len_ciph_suites=$(printf "%02x\n" $(($len_ciph_suites_byte / 4 ))) len_ciph_suites=$(printf "%02x\n" $(($len_ciph_suites_byte / 4 )))
len2twobytes "$len_ciph_suites" len2twobytes "$len_ciph_suites"
len_ciph_suites_word="$LEN_STR" len_ciph_suites_word="$LEN_STR"
[[ $DEBUG -ge 3 ]] && echo $len_ciph_suites_word #[[ $DEBUG -ge 3 ]] && echo $len_ciph_suites_word
len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x27 + 0x$len_extension_hex + 0x2))) len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x27 + 0x$len_extension_hex + 0x2)))
len_client_hello_word="$LEN_STR" len_client_hello_word="$LEN_STR"
[[ $DEBUG -ge 3 ]] && echo $len_client_hello_word #[[ $DEBUG -ge 3 ]] && echo $len_client_hello_word
len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x2b + 0x$len_extension_hex + 0x2))) len2twobytes $(printf "%02x\n" $((0x$len_ciph_suites + 0x2b + 0x$len_extension_hex + 0x2)))
len_all_word="$LEN_STR" len_all_word="$LEN_STR"
[[ $DEBUG -ge 3 ]] && echo $len_all_word #[[ $DEBUG -ge 3 ]] && echo $len_all_word
TLS_CLIENT_HELLO=" TLS_CLIENT_HELLO="
# TLS header ( 5 bytes) # TLS header ( 5 bytes)
@ -1809,6 +1812,9 @@ socksend_tls_clienthello() {
# ARG1: TLS version low byte (00: SSLv3, 01: TLS 1.0, 02: TLS 1.1, 03: TLS 1.2) # ARG1: TLS version low byte (00: SSLv3, 01: TLS 1.0, 02: TLS 1.1, 03: TLS 1.2)
tls_sockets() { tls_sockets() {
local ret save
local lines
local tls_low_byte
tls_low_byte="$1" tls_low_byte="$1"
if [ ! -z "$2" ] ; then if [ ! -z "$2" ] ; then
@ -1818,20 +1824,20 @@ tls_sockets() {
[[ "$DEBUG" -ge 2 ]] && echo "sending client hello..." [[ "$DEBUG" -ge 2 ]] && echo "sending client hello..."
if [[ "$tls_low_byte" == "03" ]] ; then if [[ "$tls_low_byte" == "03" ]] ; then
socksend_tls_clienthello $tls_low_byte "$TLS12_CIPHER" socksend_tls_clienthello "$tls_low_byte" "$TLS12_CIPHER"
else else
socksend_tls_clienthello $tls_low_byte "$TLS_CIPHER" socksend_tls_clienthello "$tls_low_byte" "$TLS_CIPHER"
fi fi
sockread_serverhello 32768 0 sockread_serverhello 32768 0
[[ "$DEBUG" -ge 2 ]] && printf "reading server hello..." [[ "$DEBUG" -ge 2 ]] && outln "reading server hello..."
if [[ "$DEBUG" -ge 3 ]]; then if [[ "$DEBUG" -ge 3 ]]; then
hexdump -C $SOCK_REPLY_FILE | head -6 hexdump -C $SOCK_REPLY_FILE | head -6
echo echo
fi fi
display_tls_serverhello "$SOCK_REPLY_FILE" display_tls_serverhello "$SOCK_REPLY_FILE"
ret=$? save=$?
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL # see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l) lines=$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null | wc -l)
@ -1846,7 +1852,7 @@ tls_sockets() {
# printf "Protokoll "; tput bold; printf "$tls_low_byte = $tls_str"; tput sgr0; printf ": " # printf "Protokoll "; tput bold; printf "$tls_low_byte = $tls_str"; tput sgr0; printf ": "
if [[ $ret -eq 1 ]] || [[ $lines -eq 1 ]] ; then if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]] ; then
outln "NOT available" outln "NOT available"
ret=1 ret=1
else else
@ -1856,9 +1862,11 @@ tls_sockets() {
else else
out "NOT available " out "NOT available "
[[ $DEBUG -ge 2 ]] && echo -n "send: 0x03$tls_low_byte, returned: 0x$DETECTED_TLS_VERSION" [[ $DEBUG -ge 2 ]] && echo -n "send: 0x03$tls_low_byte, returned: 0x$DETECTED_TLS_VERSION"
ret=2
echo echo
fi fi
fi fi
debugme outln
close_socket close_socket
TMPFILE=$SOCK_REPLY_FILE TMPFILE=$SOCK_REPLY_FILE
@ -1867,6 +1875,7 @@ tls_sockets() {
} }
###### ccs, heartbleed ###### ccs, heartbleed
ok_ids(){ ok_ids(){
@ -2846,7 +2855,7 @@ mybanner
#PATH_TO_TESTSSL="$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")" #PATH_TO_TESTSSL="$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"
PATH_TO_TESTSSL=$(readlink "$BASH_SOURCE") 2>/dev/null PATH_TO_TESTSSL=$(readlink "$BASH_SOURCE") 2>/dev/null
[ -z "$PATH_TO_TESTSSL" ] && PATH_TO_TESTSSL="." [ -z "$PATH_TO_TESTSSL" ] && PATH_TO_TESTSSL="."
#
# next file provides a pair "keycode/ RFC style name", see the RFCs, cipher(1) and # next file provides a pair "keycode/ RFC style name", see the RFCs, cipher(1) and
# https://www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_simple_table_all.htm # https://www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_simple_table_all.htm
[ -r "$(dirname $PATH_TO_TESTSSL)/mapping-rfc.txt" ] && MAP_RFC_FNAME=$(dirname $PATH_TO_TESTSSL)"/mapping-rfc.txt" [ -r "$(dirname $PATH_TO_TESTSSL)/mapping-rfc.txt" ] && MAP_RFC_FNAME=$(dirname $PATH_TO_TESTSSL)"/mapping-rfc.txt"
@ -2860,6 +2869,7 @@ case "$1" in
;; ;;
--mx) --mx)
mx_allentries "$2" mx_allentries "$2"
#FIXME: argument: port 587, 465 once Peter has the pasing done
exit $? exit $?
;; ;;
-V|--local) -V|--local)
@ -2873,7 +2883,8 @@ case "$1" in
exit $? ;; exit $? ;;
-t|--starttls) -t|--starttls)
maketempf maketempf
parse_hn_port "$3" "$2" # here comes protocol to signal starttls and hostname:port parse_hn_port "$3" "$2" # here comes protocol to signal starttls and hostname:port
#FIXME: once proper arg handling is done, we don't call within starttls everything again, just filling the variables
starttls "$2" # protocol starttls "$2" # protocol
exit $? ;; exit $? ;;
-e|--each-cipher) -e|--each-cipher)
@ -3045,5 +3056,5 @@ case "$1" in
esac esac
# $Id: testssl.sh,v 1.215 2015/03/30 12:59:10 dirkw Exp $ # $Id: testssl.sh,v 1.216 2015/03/30 21:09:18 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5