Redo PR for Opossum

Fixes #2833

This does a check for the opossum vulnerability, see https://opossum-attack.com/.

It uses a separate function to send the payload and retrieve the result via `http_header_printf()`. It doesn't use curl or wget. The latter wouldn't work anyway as, according to the manpage, the HTTP header which needs to be sent must not contain LFs. This function was introduced because `http_get_header()` -- which was renamed to `http_head()` -- could use wget if curl is not available. On the way to this PR `http_head()` was improved, so that timeouts were used for curl and wget for better maturity.

`http_header_printf()` now uses bash sockets, strips the URI so that a plaintext request is made. This will be done in the background because not every host will answer.

Done also:
- handling when PROXY is requested (try anyway directly as the payload is not "proxyable")
- print a message when no HTTP service is present
- try hard to use plaintext HTTP when auth is required for HTTPS and service HTTP would not be defined otherwise
- manpages
- help

Also when pwnedkeys are checked a not pwned certificate is labelled not neutral but OK=green.
Dirk Wetter
2025-07-12 20:59:50 +02:00
parent c467398a37
commit a4953d6e22
7 changed files with 166 additions and 41 deletions
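Added example, not code from testssl.sh or from this commit: a minimal bash-sockets probe in the shape the commit message describes (plaintext request to the cleartext port, no curl or wget, a timeout so silent hosts do not stall the scan, result read from the status line). It assumes that the signal being looked for is an RFC 2817 `Upgrade: TLS/1.0` request on the cleartext HTTP port being answered with `101 Switching Protocols`, which is the HTTP-to-HTTPS upgrade behaviour Opossum depends on; the function names, the `GET /` request line, the host/port values and the 5-second default timeout are assumptions and not the payload or names testssl.sh itself uses.

```shell
#!/usr/bin/env bash
# Added example, not testssl.sh code. Assumptions: the Opossum precondition
# being detected is an RFC 2817 TLS upgrade accepted on the cleartext HTTP
# port (server answers "101 Switching Protocols"); host, port, request line
# and the 5-second default timeout are hypothetical values.

# Build the plaintext request. The URI is reduced to "/" so that nothing from
# an https:// URL ends up in the cleartext request; Upgrade/Connection are the
# RFC 2817 headers asking the server to switch the connection to TLS.
build_upgrade_request() {
    local host=$1 port=$2
    printf 'GET / HTTP/1.1\r\n'
    printf 'Host: %s:%s\r\n' "$host" "$port"
    printf 'Upgrade: TLS/1.0, HTTP/1.1\r\n'
    printf 'Connection: Upgrade\r\n'
    printf '\r\n'
}

# Read a response from stdin and classify its status line:
#   VULNERABLE  101 Switching Protocols: the cleartext port accepts the TLS upgrade
#   OK          any other HTTP status: HTTP is served, the upgrade is refused
#   NO_HTTP     empty or non-HTTP answer (nothing listening, other protocol, timeout)
classify_upgrade_response() {
    local status_line
    IFS= read -r status_line || true
    status_line=$(printf '%s' "$status_line" | tr -d '\r')
    case "$status_line" in
        'HTTP/1.'[01]' 101'*)             echo "VULNERABLE" ;;
        'HTTP/1.'[01]' '[1-5][0-9][0-9]*) echo "OK" ;;
        *)                                echo "NO_HTTP" ;;
    esac
}

# Send the request over a bash socket (/dev/tcp, no curl or wget) and classify
# the answer. read -t bounds the wait for the status line; the subshell body
# keeps a failed connect from leaking fd 3 into the caller.
probe_plaintext_upgrade() (
    host=$1
    port=${2:-80}
    secs=${3:-5}
    if ! exec 3<>"/dev/tcp/$host/$port" 2>/dev/null; then
        echo "NO_HTTP"
        exit 0
    fi
    build_upgrade_request "$host" "$port" >&3
    if IFS= read -r -t "$secs" status_line <&3; then
        printf '%s\n' "$status_line" | classify_upgrade_response
    else
        echo "NO_HTTP"
    fi
    exec 3>&-
)

# Usage (run in the background so a host that never answers cannot stall the scan):
#   probe_plaintext_upgrade www.example.test 80 5 > "$tmpfile" &
```

Only the status line is interpreted: the probe records whether the server offers the upgrade and never follows it with a TLS handshake. The connect itself is not bounded by `read -t`, so a firewalled port can still take the kernel's connect timeout to fail; that is one more reason to run the probe in the background as the commit message does.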


@ -236,9 +236,11 @@ Also for multiple server certificates are being checked for as well as for the c
`-T, --ticketbleed` Checks for Ticketbleed memory leakage in BigIP loadbalancers.
`--BB, --robot` Checks for vulnerability to ROBOT / (*Return Of Bleichenbacher's Oracle Threat*) attack.
`--OP, --opossum` Checks for HTTP to HTTPS upgrade vulnerability named Opossum.
`--SI, --starttls-injection` Checks for STARTTLS injection vulnerabilities (SMTP, IMAP, POP3 only). `socat` and OpenSSL >=1.1.0 is needed.
`--BB, --robot` Checks for vulnerability to ROBOT / (*Return Of Bleichenbacher's Oracle Threat*) attack.
`--SI, --starttls-injection` Checks for STARTTLS injection vulnerabilities (SMTP, IMAP, POP3 only). `socat` and OpenSSL >=1.1.0 is needed.
`-R, --renegotiation` Tests renegotiation vulnerabilities. Currently there's a check for *Secure Renegotiation* and for *Secure Client-Initiated Renegotiation*. Please be aware that vulnerable servers to the latter can likely be DoSed very easily (HTTP). A check for *Insecure Client-Initiated Renegotiation* is not yet implemented.
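Review bot: in this hunk the `--BB, --robot` and `--SI, --starttls-injection` entries appear twice, once before and once after the new `--OP, --opossum` entry; if the resulting file really carries both copies rather than this being the old/new rendering of a moved block, drop the second pair so the list reads ticketbleed, robot, opossum, starttls-injection, renegotiation. The one-line `--OP` description could also carry what the commit message states about the check, namely that it sends a plaintext HTTP request to the cleartext port directly (not via a proxy), runs in the background, and prints a message when no HTTP service is present, so a user understands why the result may come back late or as "no HTTP service". Minor, in the context line: "`socat` and OpenSSL >=1.1.0 is needed" should read "are needed".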
@ -490,6 +492,7 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
* RFC 2246: The TLS Protocol Version 1.0
* RFC 2595: Using TLS with IMAP, POP3 and ACAP
* RFC 2817: Upgrading to TLS Within HTTP/1.1
* RFC 2818: HTTP Over TLS
* RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
* RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
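Review bot: the rendered view does not mark which entry is the single added line (`-490,6 +492,7`), and the commit message does not mention the RFC list at all; please add a sentence to the commit message naming the added RFC and tying it to the `--opossum` check, since RFC 2817 (Upgrading to TLS Within HTTP/1.1) is the HTTP-to-HTTPS upgrade mechanism the new check exercises and RFC 2818 (HTTP Over TLS) is the neighbouring entry a reader could confuse it with. The numeric ordering of the list is preserved.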
@ -551,7 +554,6 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
**etc/client-simulation.txt** contains client simulation data.
**etc/cipher-mapping.txt** provides a mandatory file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs.
**etc/tls_data.txt** provides a mandatory file for ciphers (bash sockets) and key material.
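Review bot: this hunk removes one line from the FILES section (`-551,7 +554,6`), but the rendered view shows only the surviving `etc/client-simulation.txt`, `etc/cipher-mapping.txt` and `etc/tls_data.txt` entries and the commit message says nothing about this section, so the deletion cannot be reviewed from here; state in the commit message what was dropped (or, if it was a stray blank line, say so). Since the commit message says `http_header_printf()` now uses bash sockets, also confirm that the `etc/tls_data.txt` entry, described as mandatory for bash sockets, still matches what the new plaintext HTTP path depends on.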