cleaned up exit codes for error cases
For recognising error conditions during any testssl.sh run, the program returns 0 if all checks have been performed successfully and unambiguously. 1 is returned per error or unambiguous condition and per IP. E.g. ./testssl.sh --ssl-native testssl.net with two IP addresses returns 2 as each client simulation gets a "1" (ssl-native returns currently wrong results here). This fixes #986. A kind of vulnerability scoring for monitoring tools or CI will be done later separately, see #985 and #327.
This commit is contained in:
parent
17e6802fb4
commit
a0dabf9acf
18
testssl.sh
18
testssl.sh
@ -3153,7 +3153,7 @@ run_cipher_match(){
|
|||||||
|
|
||||||
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
|
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
|
||||||
run_allciphers() {
|
run_allciphers() {
|
||||||
local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 ret
|
local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 sclient_success=0
|
||||||
local n auth mac export hexc sslv2_ciphers="" s
|
local n auth mac export hexc sslv2_ciphers="" s
|
||||||
local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported
|
local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported
|
||||||
local -i i end_of_bundle bundle bundle_size num_bundles mod_check
|
local -i i end_of_bundle bundle bundle_size num_bundles mod_check
|
||||||
@ -3376,8 +3376,8 @@ run_allciphers() {
|
|||||||
else
|
else
|
||||||
tls_sockets "$proto" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
|
tls_sockets "$proto" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
|
||||||
fi
|
fi
|
||||||
ret=$?
|
sclient_success=$?
|
||||||
[[ $ret -ne 0 ]] && [[ $ret -ne 2 ]] && break
|
[[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
|
||||||
cipher=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
|
cipher=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
|
||||||
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
|
||||||
[[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break
|
[[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break
|
||||||
@ -3416,6 +3416,7 @@ run_allciphers() {
|
|||||||
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
||||||
|
|
||||||
outln
|
outln
|
||||||
|
[[ $sclient_success -ge 6 ]] && return 1
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3454,7 +3455,8 @@ run_cipher_per_proto() {
|
|||||||
neat_header
|
neat_header
|
||||||
echo -e " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n -tls1_3 04 TLS 1.3" | while read proto proto_hex proto_text; do
|
echo -e " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n -tls1_3 04 TLS 1.3" | while read proto proto_hex proto_text; do
|
||||||
pr_underline "$(printf "%s" "$proto_text")"
|
pr_underline "$(printf "%s" "$proto_text")"
|
||||||
out " "; # for local problem if it happens
|
# for local problem if it happens
|
||||||
|
out " "
|
||||||
if ! "$using_sockets" && ! locally_supported "$proto"; then
|
if ! "$using_sockets" && ! locally_supported "$proto"; then
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
@ -3705,6 +3707,7 @@ run_cipher_per_proto() {
|
|||||||
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return 0
|
return 0
|
||||||
|
#FIXME: no error condition
|
||||||
}
|
}
|
||||||
|
|
||||||
# arg1 is an ASCII-HEX encoded SSLv3 or TLS ClientHello.
|
# arg1 is an ASCII-HEX encoded SSLv3 or TLS ClientHello.
|
||||||
@ -3985,6 +3988,7 @@ run_client_simulation() {
|
|||||||
local has_dh_bits using_sockets=true
|
local has_dh_bits using_sockets=true
|
||||||
local client_service
|
local client_service
|
||||||
local options
|
local options
|
||||||
|
local -i ret=0
|
||||||
local jsonID="clientsimulation"
|
local jsonID="clientsimulation"
|
||||||
|
|
||||||
# source the external file
|
# source the external file
|
||||||
@ -4015,6 +4019,7 @@ run_client_simulation() {
|
|||||||
pr_headline " Running client simulations via openssl "
|
pr_headline " Running client simulations via openssl "
|
||||||
prln_warning " -- you shouldn't run this with \"--ssl-native\" as you will get false results"
|
prln_warning " -- you shouldn't run this with \"--ssl-native\" as you will get false results"
|
||||||
fileout "$jsonID" "WARN" "You shouldn't run this with \"--ssl-native\" as you will get false results"
|
fileout "$jsonID" "WARN" "You shouldn't run this with \"--ssl-native\" as you will get false results"
|
||||||
|
ret=1
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
debugme echo
|
debugme echo
|
||||||
@ -4156,10 +4161,11 @@ run_client_simulation() {
|
|||||||
fi
|
fi
|
||||||
fi # correct service?
|
fi # correct service?
|
||||||
fi #current?
|
fi #current?
|
||||||
i=$((i+1))
|
((i++))
|
||||||
done
|
done
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return 0
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
# generic function whether $1 is supported by s_client ($2: string to display)
|
# generic function whether $1 is supported by s_client ($2: string to display)
|
||||||
|
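Review bot: The `#FIXME: no error condition` added after `return 0` in run_cipher_per_proto cannot be resolved with the pattern used elsewhere in this commit, because the per-protocol loop in the earlier hunk of that function is fed through a pipeline (`echo -e " -ssl2 22 SSLv2\n ... -tls1_3 04 TLS 1.3" | while read proto proto_hex proto_text; do`) and therefore runs in a subshell: a `ret=1` set inside the loop body, as run_client_simulation now does, would be discarded before the function's `return`. Feeding the loop from process substitution instead, `done < <(echo -e " -ssl2 22 SSLv2\n ... -tls1_3 04 TLS 1.3")`, keeps assignments in the function's own shell and lets the same `local -i ret=0` / `return $ret` approach be applied here. While that line is touched, `read` should take `-r` so backslashes in the input are not interpreted. The `[[ $sclient_success -ge 6 ]] && return 1` threshold in run_allciphers would also benefit from a one-line comment naming what a tls_sockets/s_client status of 6 or more presumably signals, since the number is otherwise unexplained. run_cipher_per_proto's body begins and ends outside these hunks.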