Merge branch 'master' into version_negotiation

Conflicts:
	testssl.sh
This commit is contained in:
David Cooper 2016-05-31 09:51:13 -04:00
commit a9cd3ec6ca
2 changed files with 57 additions and 46 deletions

View File

@ -65,7 +65,9 @@ Done so far:
* assistance for color-blind users * assistance for color-blind users
* Even more compatibility improvements for FreeBSD, RH-ish and F5 systems * Even more compatibility improvements for FreeBSD, RH-ish and F5 systems
* Considerable speed improvements for each cipher runs (-e/-E) * Considerable speed improvements for each cipher runs (-e/-E)
* more robust socket interface
* OpenSSL 1.1.0 compliant * OpenSSL 1.1.0 compliant
* whole number of busg squashed
Update notification here or @ [twitter](https://twitter.com/drwetter). Update notification here or @ [twitter](https://twitter.com/drwetter).

View File

@ -765,7 +765,7 @@ run_http_header() {
;; ;;
*) *)
pr_warning ". Oh, didn't expect \"$status_code$msg_thereafter\"" pr_warning ". Oh, didn't expect \"$status_code$msg_thereafter\""
fileout "status_code" "WARN" \ fileout "status_code" "DEBUG" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter"
;; ;;
esac esac
@ -888,7 +888,7 @@ run_hsts() {
else else
out "$hsts_age_sec s = " out "$hsts_age_sec s = "
pr_svrty_medium "$hsts_age_days days, <$HSTS_MIN days is too short" pr_svrty_medium "$hsts_age_days days, <$HSTS_MIN days is too short"
fileout "hsts_time" "NOT ok" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days" fileout "hsts_time" "MEDIUM" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days"
fi fi
if includeSubDomains "$TMPFILE"; then if includeSubDomains "$TMPFILE"; then
fileout "hsts_subdomains" "OK" "HSTS includes subdomains" fileout "hsts_subdomains" "OK" "HSTS includes subdomains"
@ -975,7 +975,7 @@ run_hpkp() {
else else
out "$hpkp_age_sec s = " out "$hpkp_age_sec s = "
pr_svrty_medium "$hpkp_age_days days (<$HPKP_MIN days is not good enough)" pr_svrty_medium "$hpkp_age_days days (<$HPKP_MIN days is not good enough)"
fileout "hpkp_age" "NOT ok" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough." fileout "hpkp_age" "MEDIUM" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough."
fi fi
if includeSubDomains "$TMPFILE"; then if includeSubDomains "$TMPFILE"; then
@ -1295,8 +1295,10 @@ prettyprint_local() {
fatal "pls supply x<number> instead" 2 fatal "pls supply x<number> instead" 2
fi fi
if [[ -z "$1" ]]; then
pr_headline " Displaying all $OPENSSL_NR_CIPHERS local ciphers ";
else
pr_headline " Displaying all local ciphers "; pr_headline " Displaying all local ciphers ";
if [[ -n "$1" ]]; then
# pattern provided; which one? # pattern provided; which one?
[[ $1 =~ $re ]] && \ [[ $1 =~ $re ]] && \
pr_headline "matching number pattern \"$1\" " || \ pr_headline "matching number pattern \"$1\" " || \
@ -1363,8 +1365,8 @@ std_cipherlists() {
pr_done_bestln "offered (OK)" pr_done_bestln "offered (OK)"
fileout "std_$4" "OK" "$2 offered (OK)" fileout "std_$4" "OK" "$2 offered (OK)"
else else
pr_svrty_mediumln "not offered (NOT ok)" pr_svrty_mediumln "not offered"
fileout "std_$4" "NOT ok" "$2 not offered (NOT ok)" fileout "std_$4" "MEDIUM" "$2 not offered (WARN)"
fi fi
;; ;;
1) # the ugly ones 1) # the ugly ones
@ -1388,7 +1390,7 @@ std_cipherlists() {
3) # not totally bad 3) # not totally bad
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_svrty_mediumln "offered" pr_svrty_mediumln "offered"
fileout "std_$4" "NOT ok" "$2 offered - not too bad" fileout "std_$4" "MEDIUM" "$2 offered - not too bad"
else else
outln "not offered (OK)" outln "not offered (OK)"
fileout "std_$4" "OK" "$2 not offered (OK)" fileout "std_$4" "OK" "$2 not offered (OK)"
@ -1437,7 +1439,7 @@ sockread() {
dd bs=$1 of=$ddreply count=1 <&5 2>/dev/null & dd bs=$1 of=$ddreply count=1 <&5 2>/dev/null &
wait_kill $! $maxsleep wait_kill $! $maxsleep
ret=$? ret=$?
SOCKREPLY=$(cat $ddreply) SOCKREPLY=$(cat $ddreply 2>/dev/null)
rm $ddreply rm $ddreply
return $ret return $ret
} }
@ -1579,7 +1581,7 @@ run_allciphers() {
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
outln outln
pr_headlineln " Testing all $nr_ciphers locally available ciphers against the server, ordered by encryption strength " pr_headlineln " Testing all $OPENSSL_NR_CIPHERS locally available ciphers against the server, ordered by encryption strength "
"$HAS_DH_BITS" || pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)" "$HAS_DH_BITS" || pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)"
outln outln
neat_header neat_header
@ -2331,11 +2333,11 @@ run_protocols() {
fi fi
;; ;;
2) 2)
pr_svrty_medium "not offered (NOT ok)" pr_svrty_medium "not offered"
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
[[ $DEBUG -eq 1 ]] && out " -- downgraded" [[ $DEBUG -eq 1 ]] && out " -- downgraded"
outln outln
fileout "tls1" "NOT ok" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)" fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL"
elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client" pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client"
@ -2418,10 +2420,10 @@ run_protocols() {
latest_supported_string="TLSv1.2" latest_supported_string="TLSv1.2"
;; # GCM cipher in TLS 1.2: very good! ;; # GCM cipher in TLS 1.2: very good!
1) 1)
pr_svrty_medium "not offered (NOT ok)" pr_svrty_mediumln "not offered"
if ! $using_sockets || ! $EXPERIMENTAL || [[ -z $latest_supported ]]; then if ! $using_sockets || ! $EXPERIMENTAL || [[ -z $latest_supported ]]; then
outln outln
fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered (NOT ok)" # no GCM, penalty fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
else else
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string" pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
fileout "tls1_1" "NOT ok" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string" fileout "tls1_1" "NOT ok" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string"
@ -2437,7 +2439,7 @@ run_protocols() {
if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
[[ $DEBUG -eq 1 ]] && out " -- downgraded" [[ $DEBUG -eq 1 ]] && out " -- downgraded"
outln outln
fileout "tls1_2" "INFO" "TLSv1.2 is not offered and downgraded to a weaker protocol (medium)" fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered and downgraded to a weaker protocol"
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then
pr_svrty_criticalln " -- server supports $latest_supported_string, but downgraded to $detected_version_string" pr_svrty_criticalln " -- server supports $latest_supported_string, but downgraded to $detected_version_string"
fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered, and downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)" fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered, and downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)"
@ -2572,11 +2574,17 @@ read_dhbits_from_file() {
# https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography, http://www.keylength.com/en/compare/ # https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography, http://www.keylength.com/en/compare/
elif [[ $what_dh == "ECDH" ]]; then elif [[ $what_dh == "ECDH" ]]; then
[[ -z "$2" ]] && add="bit ECDH" [[ -z "$2" ]] && add="bit ECDH"
if [[ "$bits" -le 128 ]]; then # has that ever existed? if [[ "$bits" -le 80 ]]; then # has that ever existed?
pr_svrty_critical "$bits $add" pr_svrty_critical "$bits $add"
elif [[ "$bits" -le 163 ]]; then elif [[ "$bits" -le 108 ]]; then # has that ever existed?
pr_svrty_high "$bits $add" pr_svrty_high "$bits $add"
elif [[ "$bits" -ge 224 ]]; then elif [[ "$bits" -le 163 ]]; then
pr_svrty_medium "$bits $add"
elif [[ "$bits" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok
pr_svrty_minor "$bits $add" # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416
elif [[ "$bits" -le 224 ]]; then
out "$bits $add"
elif [[ "$bits" -gt 224 ]]; then
pr_done_good "$bits $add" pr_done_good "$bits $add"
else else
out "$bits $add" out "$bits $add"
@ -2694,7 +2702,6 @@ run_server_preference() {
case "$default_cipher" in case "$default_cipher" in
*NULL*|*EXP*) *NULL*|*EXP*)
pr_svrty_critical "$default_cipher" pr_svrty_critical "$default_cipher"
fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
;; ;;
*RC4*) *RC4*)
@ -2703,7 +2710,7 @@ run_server_preference() {
;; ;;
*CBC*) *CBC*)
pr_svrty_medium "$default_cipher" pr_svrty_medium "$default_cipher"
fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list ;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
*GCM*|*CHACHA20*) *GCM*|*CHACHA20*)
pr_done_best "$default_cipher" pr_done_best "$default_cipher"
@ -3170,7 +3177,7 @@ certificate_info() {
case $cert_sig_algo in case $cert_sig_algo in
sha1WithRSAEncryption) sha1WithRSAEncryption)
pr_svrty_mediumln "SHA1 with RSA" pr_svrty_mediumln "SHA1 with RSA"
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)" fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)"
;; ;;
sha224WithRSAEncryption) sha224WithRSAEncryption)
outln "SHA224 with RSA" outln "SHA224 with RSA"
@ -3190,7 +3197,7 @@ certificate_info() {
;; ;;
ecdsa-with-SHA1) ecdsa-with-SHA1)
pr_svrty_mediumln "ECDSA with SHA1" pr_svrty_mediumln "ECDSA with SHA1"
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: ECDSA with SHA1 (warning)" fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: ECDSA with SHA1 (warning)"
;; ;;
ecdsa-with-SHA224) ecdsa-with-SHA224)
outln "ECDSA with SHA224" outln "ECDSA with SHA224"
@ -3210,7 +3217,7 @@ certificate_info() {
;; ;;
dsaWithSHA1) dsaWithSHA1)
pr_svrty_mediumln "DSA with SHA1" pr_svrty_mediumln "DSA with SHA1"
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: DSA with SHA1 (warning)" fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: DSA with SHA1 (warning)"
;; ;;
dsa_with_SHA224) dsa_with_SHA224)
outln "DSA with SHA224" outln "DSA with SHA224"
@ -3225,7 +3232,7 @@ certificate_info() {
case $cert_sig_hash_algo in case $cert_sig_hash_algo in
sha1) sha1)
pr_svrty_mediumln "RSASSA-PSS with SHA1" pr_svrty_mediumln "RSASSA-PSS with SHA1"
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: RSASSA-PSS with SHA1 (warning)" fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: RSASSA-PSS with SHA1 (warning)"
;; ;;
sha224) sha224)
outln "RSASSA-PSS with SHA224" outln "RSASSA-PSS with SHA224"
@ -3288,7 +3295,7 @@ certificate_info() {
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)"
elif [[ "$cert_keysize" -le 163 ]]; then elif [[ "$cert_keysize" -le 163 ]]; then
pr_svrty_medium "$cert_keysize" pr_svrty_medium "$cert_keysize"
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize EC bits"
elif [[ "$cert_keysize" -le 224 ]]; then elif [[ "$cert_keysize" -le 224 ]]; then
out "$cert_keysize" out "$cert_keysize"
fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize EC bits" fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize EC bits"
@ -3297,7 +3304,7 @@ certificate_info() {
fileout "${json_prefix}key_size" "OK" "Server keys $cert_keysize EC bits (OK)" fileout "${json_prefix}key_size" "OK" "Server keys $cert_keysize EC bits (OK)"
else else
out "keysize: $cert_keysize (not expected, FIXME)" out "keysize: $cert_keysize (not expected, FIXME)"
fileout "${json_prefix}key_size" "WARN" "Server keys $cert_keysize bits (not expected)" fileout "${json_prefix}key_size" "DEBUG" "Server keys $cert_keysize bits (not expected)"
fi fi
outln " bits" outln " bits"
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]]; then elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]]; then
@ -3312,7 +3319,7 @@ certificate_info() {
elif [[ "$cert_keysize" -le 1024 ]]; then elif [[ "$cert_keysize" -le 1024 ]]; then
pr_svrty_medium "$cert_keysize" pr_svrty_medium "$cert_keysize"
outln " bits" outln " bits"
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize bits (NOT ok)" fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize bits"
elif [[ "$cert_keysize" -le 2048 ]]; then elif [[ "$cert_keysize" -le 2048 ]]; then
outln "$cert_keysize bits" outln "$cert_keysize bits"
fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize bits" fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize bits"
@ -3755,8 +3762,8 @@ run_pfs() {
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
if [[ $? -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then if [[ $? -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then
outln outln
pr_svrty_mediumln "NOT ok: No ciphers supporting Forward Secrecy offered" pr_svrty_mediumln "No ciphers supporting Forward Secrecy offered"
fileout "pfs" "NOT ok" "(Perfect) Forward Secrecy : NOT ok: No ciphers supporting Forward Secrecy offered" fileout "pfs" "MEDIUM" "(Perfect) Forward Secrecy : No ciphers supporting Forward Secrecy offered"
else else
outln outln
pfs_offered=true pfs_offered=true
@ -3807,7 +3814,7 @@ run_pfs() {
"$WIDE" || outln "$WIDE" || outln
if ! "$pfs_offered"; then if ! "$pfs_offered"; then
pr_svrty_medium "no PFS ciphers found" pr_svrty_medium "WARN: no PFS ciphers found"
fileout "pfs_ciphers" "NOT ok" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)" fileout "pfs_ciphers" "NOT ok" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)"
else else
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers" fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
@ -5120,8 +5127,8 @@ run_crime() {
pr_svrty_high "VULNERABLE (NOT ok)" pr_svrty_high "VULNERABLE (NOT ok)"
fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)" fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)"
else else
pr_svrty_medium "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" pr_svrty_medium "VULNERABLE but not using HTTP: probably no exploit known"
fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" fileout "crime" "MEDIUM" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (WARN), but not using HTTP: probably no exploit known"
fi fi
ret=1 ret=1
fi fi
@ -5295,7 +5302,7 @@ run_tls_fallback_scsv() {
if grep -q "CONNECTED(00" "$TMPFILE"; then if grep -q "CONNECTED(00" "$TMPFILE"; then
if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
pr_svrty_medium "Downgrade attack prevention NOT supported" pr_svrty_medium "Downgrade attack prevention NOT supported"
fileout "fallback_scsv" "NOT ok" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported" fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
ret=1 ret=1
elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
pr_done_good "Downgrade attack prevention supported (OK)" pr_done_good "Downgrade attack prevention supported (OK)"
@ -5303,11 +5310,12 @@ run_tls_fallback_scsv() {
ret=0 ret=0
elif grep -qa "alert handshake failure" "$TMPFILE"; then elif grep -qa "alert handshake failure" "$TMPFILE"; then
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121 # see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\""
fileout "fallback_scsv" "NOT ok" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely: warning)"
ret=2 ret=2
elif grep -qa "ssl handshake failure" "$TMPFILE"; then elif grep -qa "ssl handshake failure" "$TMPFILE"; then
pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\""
fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely: warning)"
ret=3 ret=3
else else
pr_warning "Check failed, unexpected result " pr_warning "Check failed, unexpected result "
@ -5602,7 +5610,7 @@ run_beast(){
-e "s/ /\\${cr} ${spaces}/9" \ -e "s/ /\\${cr} ${spaces}/9" \
-e "s/ /\\${cr} ${spaces}/6" \ -e "s/ /\\${cr} ${spaces}/6" \
-e "s/ /\\${cr} ${spaces}/3") -e "s/ /\\${cr} ${spaces}/3")
fileout "cbc_$proto" "NOT ok" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers" fileout "cbc_$proto" "MEDIUM" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
! "$first" && out "$spaces" ! "$first" && out "$spaces"
out "$(toupper $proto):" out "$(toupper $proto):"
[[ -n "$higher_proto_supported" ]] && \ [[ -n "$higher_proto_supported" ]] && \
@ -5635,16 +5643,16 @@ run_beast(){
pr_svrty_minor "VULNERABLE" pr_svrty_minor "VULNERABLE"
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported" outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
fi fi
fileout "beast" "NOT ok" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported" fileout "beast" "MINOR" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
else else
if "$WIDE"; then if "$WIDE"; then
outln outln
else else
out "$spaces" out "$spaces"
fi fi
pr_svrty_medium "VULNERABLE (NOT ok)" pr_svrty_medium "VULNERABLE"
outln " -- and no higher protocols as mitigation supported" outln " -- and no higher protocols as mitigation supported"
fileout "beast" "NOT ok" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported" fileout "beast" "MEDIUM" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
fi fi
fi fi
"$first" && ! "$vuln_beast" && pr_done_goodln "no CBC ciphers found for any protocol (OK)" "$first" && ! "$vuln_beast" && pr_done_goodln "no CBC ciphers found for any protocol (OK)"
@ -5857,6 +5865,8 @@ find_openssl_binary() {
pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!" pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!"
fi fi
OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
$OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \
HAS_SSL2=true HAS_SSL2=true
@ -6010,13 +6020,13 @@ CVS_REL: $CVS_REL
GIT_REL: $GIT_REL GIT_REL: $GIT_REL
PID: $$ PID: $$
commandline: "$CMDLINE"
bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]} bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
status: ${BASH_VERSINFO[4]} status: ${BASH_VERSINFO[4]}
machine: ${BASH_VERSINFO[5]} machine: ${BASH_VERSINFO[5]}
operating system: $SYSTEM operating system: $SYSTEM
shellopts: $SHELLOPTS shellopts: $SHELLOPTS
$OPENSSL version -a:
$($OPENSSL version -a) $($OPENSSL version -a)
OSSL_VER_MAJOR: $OSSL_VER_MAJOR OSSL_VER_MAJOR: $OSSL_VER_MAJOR
OSSL_VER_MINOR: $OSSL_VER_MINOR OSSL_VER_MINOR: $OSSL_VER_MINOR
@ -6024,6 +6034,7 @@ OSSL_VER_APPENDIX: $OSSL_VER_APPENDIX
OSSL_BUILD_DATE: $OSSL_BUILD_DATE OSSL_BUILD_DATE: $OSSL_BUILD_DATE
OSSL_VER_PLATFORM: $OSSL_VER_PLATFORM OSSL_VER_PLATFORM: $OSSL_VER_PLATFORM
OPENSSL_NR_CIPHERS: $OPENSSL_NR_CIPHERS
OPENSSL_CONF: $OPENSSL_CONF OPENSSL_CONF: $OPENSSL_CONF
HAS_IPv6: $HAS_IPv6 HAS_IPv6: $HAS_IPv6
@ -6039,7 +6050,6 @@ RUN_DIR: $RUN_DIR
MAPPING_FILE_RFC: $MAPPING_FILE_RFC MAPPING_FILE_RFC: $MAPPING_FILE_RFC
CAPATH: $CAPATH CAPATH: $CAPATH
ECHO: $ECHO
COLOR: $COLOR COLOR: $COLOR
COLORBLIND: $COLORBLIND COLORBLIND: $COLORBLIND
TERM_DWITH: $TERM_DWITH TERM_DWITH: $TERM_DWITH
@ -6076,14 +6086,13 @@ EOF
mybanner() { mybanner() {
local nr_ciphers
local idtag local idtag
local bb local bb
local openssl_location="$(which $OPENSSL)" local openssl_location="$(which $OPENSSL)"
local cwd="" local cwd=""
$QUIET && return $QUIET && return
nr_ciphers=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)") OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
[[ -z "$GIT_REL" ]] && \ [[ -z "$GIT_REL" ]] && \
idtag="$CVS_REL" || \ idtag="$CVS_REL" || \
idtag="$GIT_REL -- $CVS_REL_SHORT" idtag="$GIT_REL -- $CVS_REL_SHORT"
@ -6105,7 +6114,7 @@ EOF
) )
pr_bold "$bb" pr_bold "$bb"
outln "\n" outln "\n"
outln " Using \"$($OPENSSL version 2>/dev/null)\" [~$nr_ciphers ciphers]" outln " Using \"$($OPENSSL version 2>/dev/null)\" [~$OPENSSL_NR_CIPHERS ciphers]"
out " on $HNAME:" out " on $HNAME:"
[[ -n "$GIT_REL" ]] && \ [[ -n "$GIT_REL" ]] && \
@ -7379,4 +7388,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.487 2016/05/23 20:42:39 dirkw Exp $ # $Id: testssl.sh,v 1.490 2016/05/27 15:43:44 dirkw Exp $