Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-11-04 07:45:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add robustness to STARTTLS+sockets

Browse Source 
When testing servers which fall back after succeeding the STARTTLS handshake
to the underlying protocol (smtp, ftp etc.) there was often misleading output
=not available instead of notifying the user that there's a problem.

Now it is being tested in parse*serverhello() functions whether the first
by resembles a 5XX code and STARTTLS is supposed to be tested and then
passes an error code back to the caller , i.e. tls_sockets() and then
run_protocols(). Also other error code after the handshake are passed
better.

This is only an addition to the top level function run_protocols().
We might want to look into other top level functions too
This commit is contained in:
Dirk
2017-11-24 19:28:55 +01:00
parent ad97b6fc4e
commit 9fe02e45fa
1 changed files with 54 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
testssl.sh
View File

@@ -4203,6 +4203,7 @@ run_protocols() {
local lines nr_ciphers_detected local lines nr_ciphers_detected
local tls13_ciphers_to_test="" local tls13_ciphers_to_test=""
local drafts_offered="" local drafts_offered=""
local debug_recomm=", rerun with DEBUG>=2"
local -i ret local -i ret
outln; pr_headline " Testing protocols " outln; pr_headline " Testing protocols "
@@ -4226,7 +4227,7 @@ run_protocols() {
case $? in case $? in
7) # strange reply, couldn't convert the cipher spec length to a hex number 7) # strange reply, couldn't convert the cipher spec length to a hex number
pr_cyan "strange v2 reply " pr_cyan "strange v2 reply "
outln " (rerun with DEBUG >=2)" outln "$debug_recomm"
[[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1 [[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1
fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)" fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
;; ;;
@@ -4240,6 +4241,9 @@ run_protocols() {
fileout "sslv2" "OK" "SSLv2 is not offered" fileout "sslv2" "OK" "SSLv2 is not offered"
add_tls_offered ssl2 no add_tls_offered ssl2 no
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "sslv2" "WARN" "SSLv2: received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
;;
3) # everything else 3) # everything else
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)") lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
[[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) " [[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) "
@@ -4308,6 +4312,9 @@ run_protocols() {
fi fi
fi fi
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "sslv3" "WARN" "SSLv3: received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
;;
5) pr_svrty_high "$supported_no_ciph2" 5) pr_svrty_high "$supported_no_ciph2"
fileout "sslv3" "HIGH" "SSLv3 is $supported_no_ciph1" fileout "sslv3" "HIGH" "SSLv3 is $supported_no_ciph1"
outln "(may need debugging)" outln "(may need debugging)"
@@ -4315,13 +4322,13 @@ run_protocols() {
;; ;;
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
prln_warning "strange reply, maybe a client side problem with SSLv3" pr_warning "strange reply, maybe a client side problem with SSLv3"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() # warning on screen came already from locally_supported()
fileout "sslv3" "WARN" "SSLv3 is not tested due to lack of local support" fileout "sslv3" "WARN" "SSLv3 is not tested due to lack of local support"
fi fi
;; ;;
*) prln_fixme "unexpected value around line $((LINENO))" *) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
;; ;;
esac esac
@@ -4368,19 +4375,22 @@ run_protocols() {
fi fi
fi fi
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "tls1" "WARN" "TLSv1.0: received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
;;
5) outln "$supported_no_ciph1" # protocol ok, but no cipher 5) outln "$supported_no_ciph1" # protocol ok, but no cipher
fileout "tls1" "INFO" "TLSv1.0 is $supported_no_ciph1" fileout "tls1" "INFO" "TLSv1.0 is $supported_no_ciph1"
add_tls_offered tls1 yes add_tls_offered tls1 yes
;; ;;
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
prln_warning "strange reply, maybe a client side problem with TLS 1.0" pr_warning "strange reply, maybe a client side problem with TLS 1.0"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() # warning on screen came already from locally_supported()
fileout "tls1" "WARN" "TLSv1.0 is not tested due to lack of local support" fileout "tls1" "WARN" "TLSv1.0 is not tested due to lack of local support"
fi fi
;; ;;
*) prln_fixme "unexpected value around line $((LINENO))" *) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
;; ;;
esac esac
@@ -4430,19 +4440,22 @@ run_protocols() {
fi fi
fi fi
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "tls1_1" "WARN" "TLSv1.1: received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
;;
5) outln "$supported_no_ciph1" 5) outln "$supported_no_ciph1"
fileout "tls1_1" "INFO" "TLSv1.1 is $supported_no_ciph1" fileout "tls1_1" "INFO" "TLSv1.1 is $supported_no_ciph1"
add_tls_offered tls1_1 yes add_tls_offered tls1_1 yes
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
prln_warning "strange reply, maybe a client side problem with TLS 1.1" pr_warning "strange reply, maybe a client side problem with TLS 1.1"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() # warning on screen came already from locally_supported()
fileout "tls1_1" "WARN" "TLSv1.1 is not tested due to lack of local support" fileout "tls1_1" "WARN" "TLSv1.1 is not tested due to lack of local support"
fi fi
;; ;;
*) prln_fixme "unexpected value around line $((LINENO))" *) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
;; ;;
esac esac
@@ -4503,19 +4516,22 @@ run_protocols() {
fi fi
fi fi
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "tls1_2" "WARN" "TLSv1.2: received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
;;
5) outln "$supported_no_ciph1" 5) outln "$supported_no_ciph1"
fileout "tls1_2" "INFO" "TLSv1.2 is $supported_no_ciph1" fileout "tls1_2" "INFO" "TLSv1.2 is $supported_no_ciph1"
add_tls_offered tls1_2 yes add_tls_offered tls1_2 yes
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
prln_warning "strange reply, maybe a client side problem with TLS 1.2" pr_warning "strange reply, maybe a client side problem with TLS 1.2"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() # warning on screen came already from locally_supported()
fileout "tls1_2" "WARN" "TLSv1.2 is not tested due to lack of local support" fileout "tls1_2" "WARN" "TLSv1.2 is not tested due to lack of local support"
fi fi
;; ;;
*) prln_fixme "unexpected value around line $((LINENO))" *) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
;; ;;
esac esac
@@ -4574,7 +4590,7 @@ run_protocols() {
pr_done_best "offered (OK)"; outln ": $drafts_offered" pr_done_best "offered (OK)"; outln ": $drafts_offered"
fileout "tls1_3" "OK" "TLSv1.3 offered: $drafts_offered" fileout "tls1_3" "OK" "TLSv1.3 offered: $drafts_offered"
else else
prln_warning "Unexpected results" pr_warning "Unexpected results"; outln "$debug_recomm"
fileout "tls1_3" "WARN" "TLSv1.3 unexpected results" fileout "tls1_3" "WARN" "TLSv1.3 unexpected results"
fi fi
fi fi
@@ -4614,21 +4630,25 @@ run_protocols() {
fi fi
add_tls_offered tls1_3 no add_tls_offered tls1_3 no
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "tls1_3" "WARN" "TLSv1.3: received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
;;
5) outln "$supported_no_ciph1" 5) outln "$supported_no_ciph1"
fileout "tls1_3" "INFO" "TLSv1.3 is $supported_no_ciph1" fileout "tls1_3" "INFO" "TLSv1.3 is $supported_no_ciph1"
add_tls_offered tls1_3 yes add_tls_offered tls1_3 yes
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) if "$using_sockets" ; then 7) if "$using_sockets" ; then
# can only happen in debug mode # can only happen in debug mode
prln_warning "strange reply, maybe a client side problem with TLS 1.3" prln_warning "strange reply, maybe a client side problem with TLS 1.3"; outln "$debug_recomm"
else else
# warning on screen came already from locally_supported() # warning on screen came already from locally_supported()
fileout "tls1_3" "WARN" "TLSv1.3 is not tested due to lack of local support" fileout "tls1_3" "WARN" "TLSv1.3 is not tested due to lack of local support"
fi fi
;; ;;
*) prln_fixme "unexpected value around line $((LINENO))" *) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
;; ;;
esac esac
debugme echo "PROTOS_OFFERED: $PROTOS_OFFERED" debugme echo "PROTOS_OFFERED: $PROTOS_OFFERED"
if [[ ! "$PROTOS_OFFERED" =~ yes ]]; then if [[ ! "$PROTOS_OFFERED" =~ yes ]]; then
outln outln
@@ -8306,8 +8326,12 @@ parse_sslv2_serverhello() {
V2_HELLO_CIPHERSPEC_LENGTH=$(printf "%d\n" "0x$v2_hello_cipherspec_length" 2>/dev/null) V2_HELLO_CIPHERSPEC_LENGTH=$(printf "%d\n" "0x$v2_hello_cipherspec_length" 2>/dev/null)
[[ $? -ne 0 ]] && ret=7 [[ $? -ne 0 ]] && ret=7
if [[ $v2_hello_initbyte != "8" ]] || [[ $v2_hello_handshake != "04" ]]; then if [[ "${v2_hello_ascii:0:2}" == "35" ]] && "$do_starttls"; then
ret=1 # this could be a 500/5xx for some weird reason where the STARTTLS handshake failed
debugme echo "$(hex2ascii "$v2_hello_ascii")"
ret=4
elif [[ $v2_hello_initbyte != "8" ]] || [[ $v2_hello_handshake != "04" ]]; then
ret=8
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
echo "no correct server hello" echo "no correct server hello"
echo "SSLv2 server init byte: 0x0$v2_hello_initbyte" echo "SSLv2 server init byte: 0x0$v2_hello_initbyte"
@@ -8537,9 +8561,14 @@ parse_tls_serverhello() {
echo " msg_len: $((msg_len/2))" echo " msg_len: $((msg_len/2))"
tmln_out tmln_out
fi fi
if [[ $tls_content_type != "15" ]] && [[ $tls_content_type != "16" ]] && [[ $tls_content_type != "17" ]]; then
if [[ $tls_content_type == "35" ]] && "$do_starttls"; then
# this could be a 500/5xx for some weird reason where the STARTTLS handshake failed
debugme echo "$(hex2ascii "$tls_hello_ascii")"
return 4
elif [[ $tls_content_type != "15" ]] && [[ $tls_content_type != "16" ]] && [[ $tls_content_type != "17" ]]; then
debugme tmln_warning "Content type other than alert, handshake, or application data detected." debugme tmln_warning "Content type other than alert, handshake, or application data detected."
return 1 return 8
elif [[ "${tls_protocol:0:2}" != "03" ]]; then elif [[ "${tls_protocol:0:2}" != "03" ]]; then
debugme tmln_warning "Protocol record_version.major is not 03." debugme tmln_warning "Protocol record_version.major is not 03."
return 1 return 1
@@ -8549,11 +8578,10 @@ parse_tls_serverhello() {
if [[ $msg_len -gt $tls_hello_ascii_len-$i ]]; then if [[ $msg_len -gt $tls_hello_ascii_len-$i ]]; then
if [[ "$process_full" == "all" ]]; then if [[ "$process_full" == "all" ]]; then
debugme tmln_warning "Malformed message." debugme tmln_warning "Malformed message."
return 1 return 7
else else
# This could just be a result of the server's response being # This could just be a result of the server's response being split
# split across two or more packets. Just grab the part that # across two or more packets. Just grab the part that is available.
# is available.
msg_len=$tls_hello_ascii_len-$i msg_len=$tls_hello_ascii_len-$i
fi fi
fi fi
@@ -10143,6 +10171,12 @@ tls_sockets() {
# determine the return value for higher level, so that they can tell what the result is # determine the return value for higher level, so that they can tell what the result is
if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then
ret=1 # NOT available ret=1 # NOT available
elif [[ $save -eq 8 ]]; then
# odd return, we just pass this from parse_tls_serverhello() back
ret=8
elif [[ $save -eq 4 ]]; then
# STARTTLS problem passing back
ret=4
else else
if [[ 03$tls_low_byte -eq $DETECTED_TLS_VERSION ]]; then if [[ 03$tls_low_byte -eq $DETECTED_TLS_VERSION ]]; then
ret=0 # protocol available, TLS version returned equal to the one send ret=0 # protocol available, TLS version returned equal to the one send