mirror of
https://github.com/drwetter/testssl.sh.git
synced 2026-07-15 11:37:40 +02:00
Merge pull request #3084 from testssl/fix_tls13_only_hosts
Fix confusion when scanning TLS-1.3-only hosts
This commit is contained in:
@@ -122,6 +122,8 @@ $socket_out =~ s/ error querying OCSP responder .*\n//g;
|
|||||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||||
$tests++;
|
$tests++;
|
||||||
|
|
||||||
|
# /usr/bin/openssl on MacOS doesn't seem to be available (anymore)
|
||||||
|
if ( $os ne "darwin" ){
|
||||||
#7
|
#7
|
||||||
# https://ldapwiki.com/wiki/Public%20LDAP%20Servers
|
# https://ldapwiki.com/wiki/Public%20LDAP%20Servers
|
||||||
$uri="db.debian.org:389";
|
$uri="db.debian.org:389";
|
||||||
@@ -130,6 +132,7 @@ $socket_out = `$prg $check2run -t ldap $uri 2>&1`;
|
|||||||
# $socket_json = json('tmp.json');
|
# $socket_json = json('tmp.json');
|
||||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||||
$tests++;
|
$tests++;
|
||||||
|
}
|
||||||
|
|
||||||
# For NNTP there doesn't seem to be reliable host out there
|
# For NNTP there doesn't seem to be reliable host out there
|
||||||
#$uri="144.76.182.167:119";
|
#$uri="144.76.182.167:119";
|
||||||
|
|||||||
+20
-15
@@ -361,6 +361,7 @@ HAS_ALPN=false
|
|||||||
HAS_NPN=false
|
HAS_NPN=false
|
||||||
HAS_FALLBACK_SCSV=false
|
HAS_FALLBACK_SCSV=false
|
||||||
HAS_PROXY=false
|
HAS_PROXY=false
|
||||||
|
HAS_LDAP=false
|
||||||
HAS_XMPP=false
|
HAS_XMPP=false
|
||||||
HAS_XMPP_SERVER=false
|
HAS_XMPP_SERVER=false
|
||||||
HAS_POSTGRES=false
|
HAS_POSTGRES=false
|
||||||
@@ -2623,13 +2624,13 @@ service_detection() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
jsonID="service"
|
jsonID="service"
|
||||||
case $SERVICE in
|
if [[ $SERVICE == HTTP ]] || "$ASSUME_HTTP" || [[ -n "$MTLS" ]]; then
|
||||||
HTTP)
|
|
||||||
if [[ $SERVICE == HTTP ]]; then
|
|
||||||
dns_https_rr
|
dns_https_rr
|
||||||
fi
|
fi
|
||||||
|
case $SERVICE in
|
||||||
|
HTTP)
|
||||||
pr_bold " Service detected"
|
pr_bold " Service detected"
|
||||||
out ": $CORRECT_SPACES $SERVICE"
|
outln ": $CORRECT_SPACES $SERVICE"
|
||||||
fileout "${jsonID}" "INFO" "$SERVICE"
|
fileout "${jsonID}" "INFO" "$SERVICE"
|
||||||
;;
|
;;
|
||||||
IMAP|POP|SMTP|NNTP|MongoDB)
|
IMAP|POP|SMTP|NNTP|MongoDB)
|
||||||
@@ -2637,32 +2638,28 @@ service_detection() {
|
|||||||
out ": $CORRECT_SPACES $SERVICE, thus skipping HTTP specific checks"
|
out ": $CORRECT_SPACES $SERVICE, thus skipping HTTP specific checks"
|
||||||
fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
|
fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
|
||||||
;;
|
;;
|
||||||
#FIXME: \/ \/ dns_https_rr
|
|
||||||
*) pr_bold " Service detected:"; out " $CORRECT_SPACES"
|
*) pr_bold " Service detected:"; out " $CORRECT_SPACES"
|
||||||
if [[ ! -z $MTLS ]]; then
|
if [[ -n "$MTLS" ]]; then
|
||||||
out " not identified, but mTLS authentication is set ==> trying HTTP checks"
|
outln " not identified, but mTLS authentication is set ==> trying HTTP checks"
|
||||||
SERVICE=HTTP
|
SERVICE=HTTP
|
||||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
||||||
dns_https_rr
|
|
||||||
elif [[ "$CLIENT_AUTH" == required ]] && [[ -z $MTLS ]]; then
|
elif [[ "$CLIENT_AUTH" == required ]] && [[ -z $MTLS ]]; then
|
||||||
out " certificate-based authentication without providing client certificate and private key => skipping all HTTP checks" | tee $TMPFILE
|
outln " certificate-based authentication without providing client certificate and private key => skipping all HTTP checks" | tee $TMPFILE
|
||||||
fileout "${jsonID}" "INFO" "certificate-based authentication without providing client certificate and private key => skipping all HTTP checks"
|
fileout "${jsonID}" "INFO" "certificate-based authentication without providing client certificate and private key => skipping all HTTP checks"
|
||||||
else
|
else
|
||||||
out " Couldn't determine what's running on port $PORT"
|
out " Couldn't determine what's running on port $PORT"
|
||||||
if "$ASSUME_HTTP"; then
|
if "$ASSUME_HTTP"; then
|
||||||
SERVICE=HTTP
|
SERVICE=HTTP
|
||||||
out " -- ASSUME_HTTP set though"
|
outln " -- ASSUME_HTTP set though"
|
||||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
||||||
dns_https_rr
|
|
||||||
else
|
else
|
||||||
out ", assuming no HTTP service => skipping all HTTP checks"
|
outln ", assuming no HTTP service => skipping all HTTP checks"
|
||||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
|
fileout "${jsonID}" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
outln
|
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
@@ -21490,6 +21487,7 @@ find_openssl_binary() {
|
|||||||
HAS_NPN=false
|
HAS_NPN=false
|
||||||
HAS_FALLBACK_SCSV=false
|
HAS_FALLBACK_SCSV=false
|
||||||
HAS_PROXY=false
|
HAS_PROXY=false
|
||||||
|
HAS_LDAP=false
|
||||||
HAS_XMPP=false
|
HAS_XMPP=false
|
||||||
HAS_XMPP_SERVER=false
|
HAS_XMPP_SERVER=false
|
||||||
HAS_XMPP_SERVER2=false
|
HAS_XMPP_SERVER2=false
|
||||||
@@ -21625,6 +21623,8 @@ find_openssl_binary() {
|
|||||||
grep -q 'xmpp' $s_client_starttls_has && HAS_XMPP=true
|
grep -q 'xmpp' $s_client_starttls_has && HAS_XMPP=true
|
||||||
grep -Eq 'xmpp-server|xmpp\[-server\]' $s_client_starttls_has && HAS_XMPP_SERVER=true
|
grep -Eq 'xmpp-server|xmpp\[-server\]' $s_client_starttls_has && HAS_XMPP_SERVER=true
|
||||||
|
|
||||||
|
# Seems like LibreSSL on MacOS somehow lost this with 26.5.2?
|
||||||
|
grep -q 'ldap' $s_client_starttls_has && HAS_LDAP=true
|
||||||
grep -q 'postgres' $s_client_starttls_has && HAS_POSTGRES=true
|
grep -q 'postgres' $s_client_starttls_has && HAS_POSTGRES=true
|
||||||
grep -q 'mysql' $s_client_starttls_has && HAS_MYSQL=true
|
grep -q 'mysql' $s_client_starttls_has && HAS_MYSQL=true
|
||||||
grep -q 'lmtp' $s_client_starttls_has && HAS_LMTP=true
|
grep -q 'lmtp' $s_client_starttls_has && HAS_LMTP=true
|
||||||
@@ -23891,7 +23891,6 @@ determine_optimal_proto() {
|
|||||||
TLS12_CIPHER_OFFERED="$(get_cipher $TMPFILE)"
|
TLS12_CIPHER_OFFERED="$(get_cipher $TMPFILE)"
|
||||||
TLS12_CIPHER_OFFERED="$(openssl2hexcode "$TLS12_CIPHER_OFFERED")"
|
TLS12_CIPHER_OFFERED="$(openssl2hexcode "$TLS12_CIPHER_OFFERED")"
|
||||||
[[ ${#TLS12_CIPHER_OFFERED} -eq 9 ]] && TLS12_CIPHER_OFFERED="${TLS12_CIPHER_OFFERED:2:2},${TLS12_CIPHER_OFFERED:7:2}" || TLS12_CIPHER_OFFERED=""
|
[[ ${#TLS12_CIPHER_OFFERED} -eq 9 ]] && TLS12_CIPHER_OFFERED="${TLS12_CIPHER_OFFERED:2:2},${TLS12_CIPHER_OFFERED:7:2}" || TLS12_CIPHER_OFFERED=""
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "$optimal_proto" == -ssl2 ]]; then
|
if [[ "$optimal_proto" == -ssl2 ]]; then
|
||||||
prln_magenta "$NODEIP:$PORT appears to only support SSLv2."
|
prln_magenta "$NODEIP:$PORT appears to only support SSLv2."
|
||||||
@@ -23966,6 +23965,7 @@ determine_optimal_proto() {
|
|||||||
ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
|
ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes"
|
||||||
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 0
|
return 0
|
||||||
@@ -24095,7 +24095,7 @@ determine_service() {
|
|||||||
if "$HAS_XMPP"; then
|
if "$HAS_XMPP"; then
|
||||||
# small hack -- instead of changing calls all over the place
|
# small hack -- instead of changing calls all over the place
|
||||||
STARTTLS="$STARTTLS -xmpphost $NODE"
|
STARTTLS="$STARTTLS -xmpphost $NODE"
|
||||||
else
|
llelse
|
||||||
# If the XMPP name cannot be provided using -xmpphost,
|
# If the XMPP name cannot be provided using -xmpphost,
|
||||||
# then it needs to be provided to the -connect option
|
# then it needs to be provided to the -connect option
|
||||||
NODEIP="$NODE"
|
NODEIP="$NODE"
|
||||||
@@ -24105,6 +24105,11 @@ determine_service() {
|
|||||||
#FIXME: make use of HAS_XMPP_SERVER2
|
#FIXME: make use of HAS_XMPP_SERVER2
|
||||||
fatal "Your $OPENSSL does not support the \"-starttls xmpp-server\" option" $ERR_OSSLBIN
|
fatal "Your $OPENSSL does not support the \"-starttls xmpp-server\" option" $ERR_OSSLBIN
|
||||||
fi
|
fi
|
||||||
|
elif [[ "$protocol" == ldap ]]; then
|
||||||
|
# Check if openssl version supports postgres.
|
||||||
|
if ! "$HAS_LDAP"; then
|
||||||
|
fatal "Your $OPENSSL does not support the \"-starttls ldap\" option" $ERR_OSSLBIN
|
||||||
|
fi
|
||||||
elif [[ "$protocol" == postgres ]]; then
|
elif [[ "$protocol" == postgres ]]; then
|
||||||
# Check if openssl version supports postgres.
|
# Check if openssl version supports postgres.
|
||||||
if ! "$HAS_POSTGRES"; then
|
if ! "$HAS_POSTGRES"; then
|
||||||
|
|||||||
Reference in New Issue
Block a user