mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
FIX #116
CRIME is now lightred/litegreen, as it is not as bad as CCS or Heartbleed. Also re-sorted some functions.
parent
bdff6ba1bd
commit
a98b67013a
94
testssl.sh
94
testssl.sh
@ -1442,7 +1442,7 @@ server_defaults() {
|
|||||||
[ -z "$TLS_TIME" ] && tls_sockets "00" "$TLS_CIPHER"
|
[ -z "$TLS_TIME" ] && tls_sockets "00" "$TLS_CIPHER"
|
||||||
|
|
||||||
if [ -n "$TLS_TIME" ]; then
|
if [ -n "$TLS_TIME" ]; then
|
||||||
difftime=$(($TLS_NOW - $TLS_TIME))
|
difftime=$(($TLS_TIME - $TLS_NOW))
|
||||||
if [[ "${#difftime}" -gt 5 ]]; then
|
if [[ "${#difftime}" -gt 5 ]]; then
|
||||||
# openssl >= 1.0.1f fills this field with random values
|
# openssl >= 1.0.1f fills this field with random values
|
||||||
out " TLS timestamp: random values, no fingerprinting possible "
|
out " TLS timestamp: random values, no fingerprinting possible "
|
||||||
@ -1472,7 +1472,7 @@ server_defaults() {
|
|||||||
HTTP_TIME=$(date -j -f "%a, %d %b %Y %T %Z" "$HTTP_TIME" "+%s" 2>/dev/null) # the trailing \r confuses BSD flavors otherwise
|
HTTP_TIME=$(date -j -f "%a, %d %b %Y %T %Z" "$HTTP_TIME" "+%s" 2>/dev/null) # the trailing \r confuses BSD flavors otherwise
|
||||||
fi
|
fi
|
||||||
|
|
||||||
difftime=$(($now - $HTTP_TIME))
|
difftime=$(($HTTP_TIME - $now))
|
||||||
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
||||||
out "$difftime sec from localtime";
|
out "$difftime sec from localtime";
|
||||||
else
|
else
|
||||||
@ -2509,12 +2509,12 @@ crime() {
|
|||||||
#STR=$($OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 </dev/null | grep Compression )
|
#STR=$($OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 </dev/null | grep Compression )
|
||||||
$OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null &>$TMPFILE
|
$OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null &>$TMPFILE
|
||||||
if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
|
if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
|
||||||
pr_green "not vulnerable (OK)"
|
pr_litegreen "not vulnerable (OK)"
|
||||||
[[ $SERVICE == "HTTP" ]] || out " (not using HTTP anyway)"
|
[[ $SERVICE == "HTTP" ]] || out " (not using HTTP anyway)"
|
||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
if [[ $SERVICE == "HTTP" ]]; then
|
if [[ $SERVICE == "HTTP" ]]; then
|
||||||
pr_red "VULNERABLE (NOT ok)"
|
pr_litered "VULNERABLE (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_brown "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known"
|
pr_brown "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known"
|
||||||
fi
|
fi
|
||||||
@ -2617,7 +2617,47 @@ EOF
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
# Test for TLS_FALLBACK_SCSV
|
### two helper functions for vulnerabilities follow
|
||||||
|
count_ciphers() {
|
||||||
|
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g'
|
||||||
|
}
|
||||||
|
|
||||||
|
actually_supported_ciphers() {
|
||||||
|
$OPENSSL ciphers "$1"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3
|
||||||
|
ssl_poodle() {
|
||||||
|
local ret
|
||||||
|
local cbc_ciphers
|
||||||
|
|
||||||
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption)" && outln "\n"
|
||||||
|
pr_bold " POODLE, SSL"; out " (CVE-2014-3566) "
|
||||||
|
cbc_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/CBC/ { print $1 }' | tr '\n' ':')
|
||||||
|
#FIXME: even with worst openssl client (FreeBSD9) we have 17 reasonable ciphers but is that enough to check??
|
||||||
|
debugme echo $cbc_ciphers
|
||||||
|
$OPENSSL s_client -ssl3 $STARTTLS -cipher $cbc_ciphers -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
||||||
|
ret=$?
|
||||||
|
[ "$VERBERR" -eq 0 ] && egrep -q "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
|
if [ $ret -eq 0 ]; then
|
||||||
|
pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
|
||||||
|
else
|
||||||
|
pr_green "not vulnerable (OK)"
|
||||||
|
fi
|
||||||
|
outln
|
||||||
|
tmpfile_handle $FUNCNAME.txt
|
||||||
|
return $ret
|
||||||
|
}
|
||||||
|
|
||||||
|
# for appliance which use padding, no fallback needed
|
||||||
|
tls_poodle() {
|
||||||
|
pr_bold " POODLE, SSL"; out " CVE-2014-8730), experimental "
|
||||||
|
#FIXME
|
||||||
|
echo "#FIXME"
|
||||||
|
return 7
|
||||||
|
}
|
||||||
|
|
||||||
tls_fallback_scsv() {
|
tls_fallback_scsv() {
|
||||||
local ret
|
local ret
|
||||||
|
|
||||||
@ -2653,46 +2693,6 @@ tls_fallback_scsv() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
# Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3
|
|
||||||
ssl_poodle() {
|
|
||||||
local ret
|
|
||||||
local cbc_ciphers
|
|
||||||
|
|
||||||
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption)" && outln "\n"
|
|
||||||
pr_bold " POODLE, SSL"; out " (CVE-2014-3566) "
|
|
||||||
cbc_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/CBC/ { print $1 }' | tr '\n' ':')
|
|
||||||
#FIXME: even with worst openssl client (FreeBSD9) we have 17 reasonable ciphers but is that enough to check??
|
|
||||||
debugme echo $cbc_ciphers
|
|
||||||
$OPENSSL s_client -ssl3 $STARTTLS -cipher $cbc_ciphers -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
|
||||||
ret=$?
|
|
||||||
[ "$VERBERR" -eq 0 ] && egrep -q "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
|
||||||
if [ $ret -eq 0 ]; then
|
|
||||||
pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (no TLS_FALLBACK_SCSV mitigation tested)"
|
|
||||||
else
|
|
||||||
pr_green "not vulnerable (OK)"
|
|
||||||
fi
|
|
||||||
outln
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
|
||||||
return $ret
|
|
||||||
}
|
|
||||||
|
|
||||||
# for appliance which use padding, no fallback needed
|
|
||||||
tls_poodle() {
|
|
||||||
pr_bold " POODLE, SSL"; out " CVE-2014-8730), experimental "
|
|
||||||
#FIXME
|
|
||||||
echo "#FIXME"
|
|
||||||
return 7
|
|
||||||
}
|
|
||||||
|
|
||||||
count_ciphers() {
|
|
||||||
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g'
|
|
||||||
}
|
|
||||||
|
|
||||||
actually_supported_ciphers() {
|
|
||||||
$OPENSSL ciphers "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Factoring RSA Export Keys: don't use EXPORT RSA ciphers, see https://freakattack.com/
|
# Factoring RSA Export Keys: don't use EXPORT RSA ciphers, see https://freakattack.com/
|
||||||
freak() {
|
freak() {
|
||||||
@ -2757,7 +2757,7 @@ logjam() {
|
|||||||
$OPENSSL s_client $STARTTLS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
$OPENSSL s_client $STARTTLS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
[ "$VERBERR" -eq 0 ] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
[ "$VERBERR" -eq 0 ] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
addtl_warning="$addtl_warning, precomputable primes not checked yet. \"$PROG_NAME -E\" spots candidates"
|
addtl_warning="$addtl_warning, precomputable primes not checked. \"$PROG_NAME -E\" spots candidates"
|
||||||
if [ $ret -eq 0 ]; then
|
if [ $ret -eq 0 ]; then
|
||||||
pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers"
|
pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers"
|
||||||
else
|
else
|
||||||
@ -3908,6 +3908,6 @@ fi
|
|||||||
|
|
||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.273 2015/06/11 16:46:21 dirkw Exp $
|
# $Id: testssl.sh,v 1.274 2015/06/11 19:41:24 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
||||||
|
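Review bot: In the relocated `ssl_poodle()`, the diagnostic line pipes `egrep -q "error|failure" $TMPFILE` into a second egrep; `-q` suppresses all output, so the filter after the pipe never prints anything and s_client errors stay hidden when VERBERR is 0. The `logjam()` hunk uses `egrep -a` for the same line, and this one should match it: `[ "$VERBERR" -eq 0 ] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"`. This matters for the verdict because any non-zero s_client exit, possibly including a local failure such as an $OPENSSL build without SSLv3 support (no such check is visible in these lines), is printed as "not vulnerable (OK)" with no hint that the handshake may never have been tested. Separately, the `tls_poodle()` stub prints `" CVE-2014-8730), experimental "` without the opening parenthesis and is still labelled "POODLE, SSL".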