mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 17:20:57 +01:00
commit
a395f91f0e
85
testssl.sh
85
testssl.sh
@ -270,6 +270,7 @@ HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables
|
|||||||
HAS_SSL2=false
|
HAS_SSL2=false
|
||||||
HAS_SSL3=false
|
HAS_SSL3=false
|
||||||
HAS_NO_SSL2=false
|
HAS_NO_SSL2=false
|
||||||
|
HAS_NOSERVERNAME=false
|
||||||
HAS_ALPN=false
|
HAS_ALPN=false
|
||||||
HAS_SPDY=false
|
HAS_SPDY=false
|
||||||
HAS_FALLBACK_SCSV=false
|
HAS_FALLBACK_SCSV=false
|
||||||
@ -1293,6 +1294,29 @@ string_to_asciihex() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Adjust options to $OPENSSL s_client based on OpenSSL version and protocol version
|
||||||
|
s_client_options() {
|
||||||
|
local options="$1"
|
||||||
|
|
||||||
|
# Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
|
||||||
|
[[ -n "$SNI" ]] && [[ " $options " =~ \ -ssl[2|3]\ ]] && options="$(sed "s/$SNI//" <<< "$options")"
|
||||||
|
|
||||||
|
# The server_name extension should not be included in the ClientHello unless
|
||||||
|
# the -servername option is provided. However, OpenSSL 1.1.1 will include the
|
||||||
|
# server_name extension unless the -noservername option is provided. So, if
|
||||||
|
# the command line doesn't include -servername and the -noservername option is
|
||||||
|
# supported, then add -noservername to the options.
|
||||||
|
"$HAS_NOSERVERNAME" && [[ ! " $options " =~ " -servername " ]] && options+=" -noservername"
|
||||||
|
|
||||||
|
# Newer versions of OpenSSL have dropped support for the -no_ssl2 option, so
|
||||||
|
# remove any -no_ssl2 option if the option isn't supported. (Since versions of
|
||||||
|
# OpenSSL that don't support -no_ssl2 also don't support SSLv2, the option
|
||||||
|
# isn't needed for these versions of OpenSSL.)
|
||||||
|
! "$HAS_NO_SSL2" && options="$(sed 's/-no_ssl2//' <<< "$options")"
|
||||||
|
|
||||||
|
tm_out "$options"
|
||||||
|
}
|
||||||
|
|
||||||
###### check code starts here ######
|
###### check code starts here ######
|
||||||
|
|
||||||
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
|
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
|
||||||
@ -1300,12 +1324,10 @@ string_to_asciihex() {
|
|||||||
service_detection() {
|
service_detection() {
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
local -i was_killed
|
local -i was_killed
|
||||||
local addcmd=""
|
|
||||||
|
|
||||||
if ! "$CLIENT_AUTH"; then
|
if ! "$CLIENT_AUTH"; then
|
||||||
# SNI is not standardardized for !HTTPS but fortunately for other protocols s_client doesn't seem to care
|
# SNI is not standardardized for !HTTPS but fortunately for other protocols s_client doesn't seem to care
|
||||||
[[ ! "$1" =~ ssl ]] && addcmd="$SNI"
|
printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$1 -quiet $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE &
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $1 -quiet $BUGS -connect $NODEIP:$PORT $PROXY $addcmd >$TMPFILE 2>$ERRFILE &
|
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
was_killed=$?
|
was_killed=$?
|
||||||
head $TMPFILE | grep -aq '^HTTP\/' && SERVICE=HTTP
|
head $TMPFILE | grep -aq '^HTTP\/' && SERVICE=HTTP
|
||||||
@ -1358,7 +1380,7 @@ service_detection() {
|
|||||||
|
|
||||||
#problems not handled: chunked
|
#problems not handled: chunked
|
||||||
run_http_header() {
|
run_http_header() {
|
||||||
local header addcmd=""
|
local header
|
||||||
local -i ret
|
local -i ret
|
||||||
local referer useragent
|
local referer useragent
|
||||||
local url redirect
|
local url redirect
|
||||||
@ -1368,13 +1390,12 @@ run_http_header() {
|
|||||||
outln
|
outln
|
||||||
|
|
||||||
[[ -z "$1" ]] && url="/" || url="$1"
|
[[ -z "$1" ]] && url="/" || url="$1"
|
||||||
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI"
|
printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $addcmd >$HEADERFILE 2>$ERRFILE &
|
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
# we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it
|
# we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it
|
||||||
# again in the foreground to get an accurate header time!
|
# again in the foreground to get an accurate header time!
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $addcmd >$HEADERFILE 2>$ERRFILE
|
printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE
|
||||||
NOW_TIME=$(date "+%s")
|
NOW_TIME=$(date "+%s")
|
||||||
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
|
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
|
||||||
HAD_SLEPT=0
|
HAD_SLEPT=0
|
||||||
@ -2263,15 +2284,14 @@ std_cipherlists() {
|
|||||||
local -i i len sclient_success
|
local -i i len sclient_success
|
||||||
local sslv2_cipherlist detected_ssl2_ciphers
|
local sslv2_cipherlist detected_ssl2_ciphers
|
||||||
local singlespaces
|
local singlespaces
|
||||||
local proto="" addcmd=""
|
local proto=""
|
||||||
local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")"
|
local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")"
|
||||||
|
|
||||||
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && proto="$OPTIMAL_PROTO"
|
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && proto="$OPTIMAL_PROTO"
|
||||||
pr_bold "$2 " # to be indented equal to server preferences
|
pr_bold "$2 " # to be indented equal to server preferences
|
||||||
if [[ -n "$5" ]] || listciphers "$1" $proto; then
|
if [[ -n "$5" ]] || listciphers "$1" $proto; then
|
||||||
if [[ -z "$5" ]] || ( "$FAST" && listciphers "$1" -tls1 ); then
|
if [[ -z "$5" ]] || ( "$FAST" && listciphers "$1" -tls1 ); then
|
||||||
"$HAS_NO_SSL2" && addcmd="-no_ssl2"
|
$OPENSSL s_client $(s_client_options "-cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI -no_ssl2") 2>$ERRFILE >$TMPFILE </dev/null
|
||||||
$OPENSSL s_client -cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $addcmd 2>$ERRFILE >$TMPFILE </dev/null
|
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
debugme cat $ERRFILE
|
debugme cat $ERRFILE
|
||||||
@ -2533,7 +2553,7 @@ run_cipher_match(){
|
|||||||
local -a -i index
|
local -a -i index
|
||||||
local -i nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0
|
local -i nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0
|
||||||
local -i num_bundles mod_check bundle_size bundle end_of_bundle
|
local -i num_bundles mod_check bundle_size bundle end_of_bundle
|
||||||
local addcmd dhlen has_dh_bits="$HAS_DH_BITS"
|
local dhlen has_dh_bits="$HAS_DH_BITS"
|
||||||
local available
|
local available
|
||||||
local -i sclient_success
|
local -i sclient_success
|
||||||
local re='^[0-9A-Fa-f]+$'
|
local re='^[0-9A-Fa-f]+$'
|
||||||
@ -2686,7 +2706,6 @@ run_cipher_match(){
|
|||||||
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
"$HAS_NO_SSL2" && addcmd="-no_ssl2" || addcmd=""
|
|
||||||
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
||||||
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
||||||
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
|
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
|
||||||
@ -2696,7 +2715,7 @@ run_cipher_match(){
|
|||||||
! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}"
|
! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}"
|
||||||
done
|
done
|
||||||
[[ -z "$ciphers_to_test" ]] && break
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
$OPENSSL s_client $addcmd -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-no_ssl2 -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful "$?" "$TMPFILE" || break
|
sclient_connect_successful "$?" "$TMPFILE" || break
|
||||||
cipher=$(get_cipher $TMPFILE)
|
cipher=$(get_cipher $TMPFILE)
|
||||||
[[ -z "$cipher" ]] && break
|
[[ -z "$cipher" ]] && break
|
||||||
@ -2818,7 +2837,7 @@ run_allciphers() {
|
|||||||
local -i i end_of_bundle bundle bundle_size num_bundles mod_check
|
local -i i end_of_bundle bundle bundle_size num_bundles mod_check
|
||||||
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
|
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
|
||||||
local -i -a index
|
local -i -a index
|
||||||
local dhlen available ciphers_to_test supported_sslv2_ciphers addcmd=""
|
local dhlen available ciphers_to_test supported_sslv2_ciphers
|
||||||
local has_dh_bits="$HAS_DH_BITS"
|
local has_dh_bits="$HAS_DH_BITS"
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
|
|
||||||
@ -2943,7 +2962,6 @@ run_allciphers() {
|
|||||||
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
"$HAS_NO_SSL2" && addcmd="-no_ssl2"
|
|
||||||
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
||||||
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
||||||
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
|
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
|
||||||
@ -2954,7 +2972,7 @@ run_allciphers() {
|
|||||||
done
|
done
|
||||||
success=1
|
success=1
|
||||||
if [[ -n "$ciphers_to_test" ]]; then
|
if [[ -n "$ciphers_to_test" ]]; then
|
||||||
$OPENSSL s_client $addcmd -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-no_ssl2 -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful "$?" "$TMPFILE"
|
sclient_connect_successful "$?" "$TMPFILE"
|
||||||
if [[ "$?" -eq 0 ]]; then
|
if [[ "$?" -eq 0 ]]; then
|
||||||
cipher=$(get_cipher $TMPFILE)
|
cipher=$(get_cipher $TMPFILE)
|
||||||
@ -3071,7 +3089,7 @@ run_cipher_per_proto() {
|
|||||||
local -a hexcode2 ciph2 rfc_ciph2
|
local -a hexcode2 ciph2 rfc_ciph2
|
||||||
local -i i bundle end_of_bundle bundle_size num_bundles mod_check
|
local -i i bundle end_of_bundle bundle_size num_bundles mod_check
|
||||||
local -a ciphers_found ciphers_found2 sigalg ossl_supported index
|
local -a ciphers_found ciphers_found2 sigalg ossl_supported index
|
||||||
local dhlen supported_sslv2_ciphers ciphers_to_test addcmd sni temp
|
local dhlen supported_sslv2_ciphers ciphers_to_test addcmd temp
|
||||||
local available
|
local available
|
||||||
local id
|
local id
|
||||||
local has_dh_bits="$HAS_DH_BITS"
|
local has_dh_bits="$HAS_DH_BITS"
|
||||||
@ -3230,8 +3248,6 @@ run_cipher_per_proto() {
|
|||||||
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
[[ $mod_check -ne 0 ]] && bundle_size+=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sni=""
|
|
||||||
[[ ! "$proto" =~ ssl ]] && sni="$SNI"
|
|
||||||
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
for (( bundle=0; bundle < num_bundles; bundle++ )); do
|
||||||
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
end_of_bundle=$bundle*$bundle_size+$bundle_size
|
||||||
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
|
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
|
||||||
@ -3242,7 +3258,7 @@ run_cipher_per_proto() {
|
|||||||
done
|
done
|
||||||
success=1
|
success=1
|
||||||
if [[ -n "$ciphers_to_test" ]]; then
|
if [[ -n "$ciphers_to_test" ]]; then
|
||||||
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-cipher "${ciphers_to_test:1}" $proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful "$?" "$TMPFILE"
|
sclient_connect_successful "$?" "$TMPFILE"
|
||||||
if [[ "$?" -eq 0 ]]; then
|
if [[ "$?" -eq 0 ]]; then
|
||||||
cipher=$(get_cipher $TMPFILE)
|
cipher=$(get_cipher $TMPFILE)
|
||||||
@ -3618,6 +3634,7 @@ run_client_simulation() {
|
|||||||
local name tls proto cipher temp what_dh bits curve
|
local name tls proto cipher temp what_dh bits curve
|
||||||
local has_dh_bits using_sockets=true
|
local has_dh_bits using_sockets=true
|
||||||
local client_service
|
local client_service
|
||||||
|
local options
|
||||||
|
|
||||||
# source the external file
|
# source the external file
|
||||||
. "$TESTSSL_INSTALL_DIR/etc/client-simulation.txt" 2>/dev/null
|
. "$TESTSSL_INSTALL_DIR/etc/client-simulation.txt" 2>/dev/null
|
||||||
@ -3683,9 +3700,9 @@ run_client_simulation() {
|
|||||||
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE
|
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
"$HAS_NO_SSL2" || protos[i]="$(sed 's/-no_ssl2//' <<< "${protos[i]}")"
|
options="$(s_client_options "-cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]}")"
|
||||||
debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
|
debugme echo "$OPENSSL s_client $options </dev/null"
|
||||||
$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
|
$OPENSSL s_client $options </dev/null >$TMPFILE 2>$ERRFILE
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
fi
|
fi
|
||||||
@ -5317,7 +5334,7 @@ determine_tls_extensions() {
|
|||||||
# arg1 is "-cipher <OpenSSL cipher>" or empty
|
# arg1 is "-cipher <OpenSSL cipher>" or empty
|
||||||
# arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried)
|
# arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried)
|
||||||
get_server_certificate() {
|
get_server_certificate() {
|
||||||
local protocols_to_try proto addcmd
|
local protocols_to_try proto
|
||||||
local success
|
local success
|
||||||
local npn_params="" line
|
local npn_params="" line
|
||||||
local savedir
|
local savedir
|
||||||
@ -5373,8 +5390,7 @@ get_server_certificate() {
|
|||||||
for proto in $protocols_to_try; do
|
for proto in $protocols_to_try; do
|
||||||
# we could know here which protcols are supported
|
# we could know here which protcols are supported
|
||||||
addcmd=""
|
addcmd=""
|
||||||
[[ ! "$proto" =~ ssl ]] && addcmd="$SNI"
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug $npn_params -status") </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $npn_params -status </dev/null 2>$ERRFILE >$TMPFILE
|
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
success=0
|
success=0
|
||||||
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
|
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
|
||||||
@ -5383,7 +5399,7 @@ get_server_certificate() {
|
|||||||
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
||||||
if [[ $success -eq 7 ]]; then
|
if [[ $success -eq 7 ]]; then
|
||||||
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
||||||
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug") </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
if [ -z "$1" ]; then
|
if [ -z "$1" ]; then
|
||||||
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
|
prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
|
||||||
@ -5933,7 +5949,7 @@ certificate_info() {
|
|||||||
|
|
||||||
if [[ -n "$sni_used" ]]; then
|
if [[ -n "$sni_used" ]]; then
|
||||||
# no cipher suites specified here. We just want the default vhost subject
|
# no cipher suites specified here. We just want the default vhost subject
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
||||||
if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
|
if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
|
||||||
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
|
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
|
||||||
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
|
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
|
||||||
@ -10191,7 +10207,7 @@ run_freak() {
|
|||||||
local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03"
|
local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03"
|
||||||
local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80"
|
local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80"
|
||||||
local detected_ssl2_ciphers
|
local detected_ssl2_ciphers
|
||||||
local addcmd="" addtl_warning="" hexc
|
local addtl_warning="" hexc
|
||||||
local cve="CVE-2015-0204"
|
local cve="CVE-2015-0204"
|
||||||
local cwe="CWE-310"
|
local cwe="CWE-310"
|
||||||
local hint=""
|
local hint=""
|
||||||
@ -10236,8 +10252,7 @@ run_freak() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
"$HAS_NO_SSL2" && addcmd="-no_ssl2" || addcmd=""
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $SNI -no_ssl2") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $SNI $addcmd >$TMPFILE 2>$ERRFILE </dev/null
|
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
@ -10903,7 +10918,7 @@ run_rc4() {
|
|||||||
local -i i
|
local -i i
|
||||||
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
|
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
|
||||||
local -i -a index
|
local -i -a index
|
||||||
local dhlen available="" ciphers_to_test supported_sslv2_ciphers addcmd=""
|
local dhlen available="" ciphers_to_test supported_sslv2_ciphers
|
||||||
local has_dh_bits="$HAS_DH_BITS" rc4_detected=""
|
local has_dh_bits="$HAS_DH_BITS" rc4_detected=""
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
local cve="CVE-2013-2566, CVE-2015-2808"
|
local cve="CVE-2013-2566, CVE-2015-2808"
|
||||||
@ -11017,7 +11032,6 @@ run_rc4() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
"$HAS_NO_SSL2" && addcmd="-no_ssl2"
|
|
||||||
for (( success=0; success==0 ; 1 )); do
|
for (( success=0; success==0 ; 1 )); do
|
||||||
ciphers_to_test=""
|
ciphers_to_test=""
|
||||||
for (( i=0; i < nr_ossl_ciphers; i++ )); do
|
for (( i=0; i < nr_ossl_ciphers; i++ )); do
|
||||||
@ -11025,7 +11039,7 @@ run_rc4() {
|
|||||||
done
|
done
|
||||||
success=1
|
success=1
|
||||||
if [[ -n "$ciphers_to_test" ]]; then
|
if [[ -n "$ciphers_to_test" ]]; then
|
||||||
$OPENSSL s_client $addcmd -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-no_ssl2 -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful "$?" "$TMPFILE"
|
sclient_connect_successful "$?" "$TMPFILE"
|
||||||
if [[ "$?" -eq 0 ]]; then
|
if [[ "$?" -eq 0 ]]; then
|
||||||
cipher=$(get_cipher $TMPFILE)
|
cipher=$(get_cipher $TMPFILE)
|
||||||
@ -11332,6 +11346,9 @@ find_openssl_binary() {
|
|||||||
$OPENSSL s_client -no_ssl2 -connect x 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL s_client -no_ssl2 -connect x 2>&1 | grep -aq "unknown option" || \
|
||||||
HAS_NO_SSL2=true
|
HAS_NO_SSL2=true
|
||||||
|
|
||||||
|
$OPENSSL s_client -noservername -connect x 2>&1 | grep -aq "unknown option" || \
|
||||||
|
HAS_NOSERVERNAME=true
|
||||||
|
|
||||||
$OPENSSL s_client -help 2>$s_client_has
|
$OPENSSL s_client -help 2>$s_client_has
|
||||||
|
|
||||||
$OPENSSL s_client -starttls foo 2>$s_client_starttls_has
|
$OPENSSL s_client -starttls foo 2>$s_client_starttls_has
|
||||||
|
Loading…
Reference in New Issue
Block a user