Remaining issues solved for OpenSSL 1.1.0 compliance, output corrections, CN/SNI improvements

This commit is contained in:
Dirk 2016-02-03 17:55:53 +01:00
parent 9cf3e21c3d
commit a676742256
1 changed files with 34 additions and 36 deletions

View File

@ -369,6 +369,9 @@ pr_headlineln() { pr_headline "$1" ; outln; }
pr_squoted() { out "'$1'"; } pr_squoted() { out "'$1'"; }
pr_dquoted() { out "\"$1\""; } pr_dquoted() { out "\"$1\""; }
local_problem_ln() { pr_litemagentaln "Local problem: $1"; }
local_problem() { pr_litemagenta "Local problem: $1"; }
### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/ ### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html ### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html
set_color_functions() { set_color_functions() {
@ -1385,7 +1388,7 @@ std_cipherlists() {
tmpfile_handle $FUNCNAME.$debugname.txt tmpfile_handle $FUNCNAME.$debugname.txt
else else
singlespaces=$(echo "$2" | sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g') singlespaces=$(echo "$2" | sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g')
local_problem "No $singlespaces configured in $OPENSSL" local_problem_ln "No $singlespaces configured in $OPENSSL"
fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)" fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)"
fi fi
# we need 1xlf in those cases: # we need 1xlf in those cases:
@ -2049,7 +2052,7 @@ run_client_simulation() {
locally_supported() { locally_supported() {
[[ -n "$2" ]] && out "$2 " [[ -n "$2" ]] && out "$2 "
if $OPENSSL s_client "$1" 2>&1 | grep -aq "unknown option"; then if $OPENSSL s_client "$1" 2>&1 | grep -aq "unknown option"; then
local_problem "$OPENSSL doesn't support \"s_client $1\"" local_problem_ln "$OPENSSL doesn't support \"s_client $1\""
return 7 return 7
fi fi
return 0 return 0
@ -2116,8 +2119,8 @@ run_protocols() {
using_sockets=false using_sockets=false
else else
using_sockets=true using_sockets=true
pr_headlineln "(via sockets except TLS 1.2 and SPDY/HTTP2) " pr_headlineln "(via sockets except TLS 1.2, SPDY+HTTP2) "
via+="via sockets except for TLS1.1 and SPDY/HTTP2" via+="via sockets except for TLS1.2, SPDY+HTTP2"
fi fi
fi fi
outln outln
@ -2555,7 +2558,7 @@ run_server_preference() {
} }
cipher_pref_check() { cipher_pref_check() {
local p proto protos local p proto protos npn_protos
local tested_cipher cipher order local tested_cipher cipher order
pr_bold " Cipher order" pr_bold " Cipher order"
@ -2588,8 +2591,8 @@ cipher_pref_check() {
if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS? if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS?
outln outln
else else
protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g') npn_protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
for p in $protos; do for p in $npn_protos; do
order="" order=""
$OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE $OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
@ -2619,12 +2622,13 @@ cipher_pref_check() {
get_host_cert() { get_host_cert() {
local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null </dev/null >$TEMPDIR/$FUNCNAME.txt $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null </dev/null >$tmpdir
if sclient_connect_successful $? $tmpvar; then if sclient_connect_successful $? $tmpvar; then
awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT
else else
return 1 return 1
fi fi
tmpfile_handle $FUNCNAME.txt
# return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]})) # return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]}))
} }
@ -2898,7 +2902,6 @@ certificate_info() {
spaces=" " spaces=" "
fi fi
out "$indent"
sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u ) sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u )
key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u ) key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u )
@ -2937,7 +2940,7 @@ certificate_info() {
esac esac
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html # old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
pr_bold " Server key size " out "$indent"; pr_bold " Server key size "
if [[ -z "$keysize" ]]; then if [[ -z "$keysize" ]]; then
outln "(couldn't determine)" outln "(couldn't determine)"
fileout "$heading key_size" "WARN" "Server keys size cannot be determined" fileout "$heading key_size" "WARN" "Server keys size cannot be determined"
@ -3024,8 +3027,8 @@ certificate_info() {
fi fi
fi fi
else else
cn="(no CN field in subject)" cn="no CN field in subject"
out "$cn" pr_litemagenta "($cn)"
cnfinding="$cn" cnfinding="$cn"
cnok="INFO" cnok="INFO"
fi fi
@ -3038,8 +3041,11 @@ certificate_info() {
#FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite) #FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite)
debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\"" debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\""
if [[ $NODE == "$cn_nosni" ]]; then if [[ "$cn_nosni" == "$cn" ]]; then
if [[ $SERVICE == "HTTP" ]] || $CLIENT_AUTH; then outln " (works w/o SNI)"
cnfinding+=" (works w/o SNI)"
elif [[ $NODE == "$cn_nosni" ]]; then
if [[ $SERVICE == "HTTP" ]] || $CLIENT_AUTH ; then
outln " (works w/o SNI)" outln " (works w/o SNI)"
cnfinding+=" (works w/o SNI)" cnfinding+=" (works w/o SNI)"
else else
@ -3062,7 +3068,7 @@ certificate_info() {
fi fi
outln ")" outln ")"
cnfinding+=")" cnfinding+=")"
elif [[ "$cn_nosni" == "*no CN field*" ]]; then elif [[ "$cn_nosni" == *"no CN field"* ]]; then
outln ", (request w/o SNI: $cn_nosni)" outln ", (request w/o SNI: $cn_nosni)"
cnfinding+=", (request w/o SNI: $cn_nosni)" cnfinding+=", (request w/o SNI: $cn_nosni)"
else else
@ -3399,7 +3405,7 @@ run_pfs() {
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $pfs_cipher_list)) nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $pfs_cipher_list))
if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then
outln outln
local_problem "You only have $nr_supported_ciphers PFS ciphers on the client side " local_problem_ln "You only have $nr_supported_ciphers PFS ciphers on the client side "
fileout "pfs" "WARN" "(Perfect) Forward Secrecy tests: Skipped. You only have $nr_supported_ciphers PFS ciphers on the client site. ($CLIENT_MIN_PFS are required)" fileout "pfs" "WARN" "(Perfect) Forward Secrecy tests: Skipped. You only have $nr_supported_ciphers PFS ciphers on the client site. ($CLIENT_MIN_PFS are required)"
return 1 return 1
fi fi
@ -3512,7 +3518,7 @@ http2_pre(){
return 1 return 1
fi fi
if ! $HAS_ALPN; then if ! $HAS_ALPN; then
local_problem "$OPENSSL doesn't support HTTP2/ALPN"; local_problem_ln "$OPENSSL doesn't support HTTP2/ALPN";
fileout "https_alpn" "WARN" "HTTP2/ALPN : HTTP/2 was not tested as $OPENSSL does not support it" fileout "https_alpn" "WARN" "HTTP2/ALPN : HTTP/2 was not tested as $OPENSSL does not support it"
return 7 return 7
fi fi
@ -4454,10 +4460,6 @@ run_ccs_injection(){
return $ret return $ret
} }
local_problem() {
pr_litemagentaln "Local problem: $1"
}
run_renego() { run_renego() {
# no SNI here. Not needed as there won't be two different SSL stacks for one IP # no SNI here. Not needed as there won't be two different SSL stacks for one IP
local legacycmd="" local legacycmd=""
@ -4499,7 +4501,7 @@ run_renego() {
0.9.8*) # we need this for Mac OSX unfortunately 0.9.8*) # we need this for Mac OSX unfortunately
case "$OSSL_VER_APPENDIX" in case "$OSSL_VER_APPENDIX" in
[a-l]) [a-l])
local_problem "$OPENSSL cannot test this secure renegotiation vulnerability" local_problem_ln "$OPENSSL cannot test this secure renegotiation vulnerability"
fileout "sec_client_renego" "WARN" "Secure Client-Initiated Renegotiation : $OPENSSL cannot test this secure renegotiation vulnerability" fileout "sec_client_renego" "WARN" "Secure Client-Initiated Renegotiation : $OPENSSL cannot test this secure renegotiation vulnerability"
return 3 return 3
;; ;;
@ -4570,7 +4572,7 @@ run_crime() {
# first we need to test whether OpenSSL binary has zlib support # first we need to test whether OpenSSL binary has zlib support
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib $OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
local_problem "$OPENSSL lacks zlib support" local_problem_ln "$OPENSSL lacks zlib support"
fileout "crime" "WARN" "CRIME, TLS (CVE-2012-4929) : Not tested. $OPENSSL lacks zlib support" fileout "crime" "WARN" "CRIME, TLS (CVE-2012-4929) : Not tested. $OPENSSL lacks zlib support"
return 7 return 7
fi fi
@ -4615,7 +4617,7 @@ run_crime() {
# return $ret # return $ret
# esac # esac
# $OPENSSL s_client help 2>&1 | grep -qw nextprotoneg # $OPENSSL s_client -help 2>&1 | grep -qw nextprotoneg
# if [[ $? -eq 0 ]]; then # if [[ $? -eq 0 ]]; then
# $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE # $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE
# if [[ $? -eq 0 ]]; then # if [[ $? -eq 0 ]]; then
@ -4746,8 +4748,8 @@ run_tls_fallback_scsv() {
# the countermeasure to protect against protocol downgrade attacks. # the countermeasure to protect against protocol downgrade attacks.
# First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL # First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
if ! $OPENSSL s_client -h 2>&1 | grep -q "\-fallback_scsv"; then if ! $OPENSSL s_client -help 2>&1 | grep -q "\-fallback_scsv"; then
local_problem "$OPENSSL lacks TLS_FALLBACK_SCSV support" local_problem_ln "$OPENSSL lacks TLS_FALLBACK_SCSV support"
return 4 return 4
fi fi
#TODO: this need some tuning: a) if one protocol is supported only it has practcally no value (theoretical it's interesting though) #TODO: this need some tuning: a) if one protocol is supported only it has practcally no value (theoretical it's interesting though)
@ -4814,7 +4816,7 @@ run_freak() {
case $nr_supported_ciphers in case $nr_supported_ciphers in
0) 0)
local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured" local_problem_ln "$OPENSSL doesn't have any EXPORT RSA ciphers configured"
fileout "freak" "WARN" "FREAK (CVE-2015-0204) : Not tested. $OPENSSL doesn't have any EXPORT RSA ciphers configured" fileout "freak" "WARN" "FREAK (CVE-2015-0204) : Not tested. $OPENSSL doesn't have any EXPORT RSA ciphers configured"
return 7 return 7
;; ;;
@ -4860,7 +4862,7 @@ run_logjam() {
case $nr_supported_ciphers in case $nr_supported_ciphers in
0) 0)
local_problem "$OPENSSL doesn't have any DHE EXPORT ciphers configured" local_problem_ln "$OPENSSL doesn't have any DHE EXPORT ciphers configured"
fileout "logjam" "WARN" "LOGJAM (CVE-2015-4000) : Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured" fileout "logjam" "WARN" "LOGJAM (CVE-2015-4000) : Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured"
return 3 return 3
;; ;;
@ -5244,10 +5246,10 @@ find_openssl_binary() {
$OPENSSL s_client -ssl3 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -ssl3 2>&1 | grep -aq "unknown option" || \
HAS_SSL3=true && \ HAS_SSL3=true && \
HAS_SSL3=false HAS_SSL3=false
$OPENSSL s_client help 2>&1 | grep -qw '\-alpn' && \ $OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \
HAS_ALPN=true || \ HAS_ALPN=true || \
HAS_ALPN=false HAS_ALPN=false
$OPENSSL s_client help 2>&1 | grep -qw '\-nextprotoneg' && \ $OPENSSL s_client -help 2>&1 | grep -qw '\-nextprotoneg' && \
HAS_SPDY=true || \ HAS_SPDY=true || \
HAS_SPDY=false HAS_SPDY=false
@ -5275,10 +5277,6 @@ openssl_age() {
esac esac
ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives " ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
fi fi
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
pr_magentaln "$PROG_NAME doesn't work yet with OpenSSL 1.1.0!"
ignore_no_or_lame "Type \"yes\" to accept weird output, false negatives and positives "
fi
outln outln
} }
@ -5882,7 +5880,7 @@ get_mx_record() {
# #
check_proxy() { check_proxy() {
if [[ -n "$PROXY" ]]; then if [[ -n "$PROXY" ]]; then
if ! $OPENSSL s_client help 2>&1 | grep -qw proxy; then if ! $OPENSSL s_client -help 2>&1 | grep -qw proxy; then
fatal "Your $OPENSSL is too old to support the \"--proxy\" option" -1 fatal "Your $OPENSSL is too old to support the \"--proxy\" option" -1
fi fi
PROXYNODE=${PROXY%:*} PROXYNODE=${PROXY%:*}
@ -6746,4 +6744,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.460 2016/02/03 08:55:45 dirkw Exp $ # $Id: testssl.sh,v 1.461 2016/02/03 16:55:52 dirkw Exp $