mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Also introduced the global BAD_SERVER_HELLO_CIPHER which can be later used for notifying crappy cipher negotiations
This commit is contained in:
parent
fc7a89e659
commit
ad1dd01466
11
testssl.sh
11
testssl.sh
@ -201,7 +201,7 @@ UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo)
|
|||||||
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
|
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
|
||||||
CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false}
|
CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false}
|
||||||
|
|
||||||
# tuning vars, can not be set by a cmd line switch
|
# tuning vars, can be set by a cmd line switch
|
||||||
EXPERIMENTAL=${EXPERIMENTAL:-false}
|
EXPERIMENTAL=${EXPERIMENTAL:-false}
|
||||||
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
|
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
|
||||||
MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this.
|
MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this.
|
||||||
@ -255,6 +255,7 @@ HEADERVALUE=""
|
|||||||
HTTP_STATUS_CODE=""
|
HTTP_STATUS_CODE=""
|
||||||
PROTOS_OFFERED=""
|
PROTOS_OFFERED=""
|
||||||
TLS_EXTENSIONS=""
|
TLS_EXTENSIONS=""
|
||||||
|
BAD_SERVER_HELLO_CIPHER=false # reserved for cases where a ServerHello doesn't contain a cipher offered in the ClientHello
|
||||||
GOST_STATUS_PROBLEM=false
|
GOST_STATUS_PROBLEM=false
|
||||||
DETECTED_TLS_VERSION=""
|
DETECTED_TLS_VERSION=""
|
||||||
PATTERN2SHOW=""
|
PATTERN2SHOW=""
|
||||||
@ -8126,6 +8127,8 @@ parse_tls_serverhello() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# If a CIPHER_SUITES string was provided, then check that $tls_cipher_suite is in the string.
|
# If a CIPHER_SUITES string was provided, then check that $tls_cipher_suite is in the string.
|
||||||
|
# this appeared in yassl + MySQL (https://github.com/drwetter/testssl.sh/pull/784) but adds robustness
|
||||||
|
# to the implemenation
|
||||||
if [[ -n "$cipherlist" ]]; then
|
if [[ -n "$cipherlist" ]]; then
|
||||||
tls_cipher_suite="$(tolower "$tls_cipher_suite")"
|
tls_cipher_suite="$(tolower "$tls_cipher_suite")"
|
||||||
tls_cipher_suite="${tls_cipher_suite:0:2}\\x${tls_cipher_suite:2:2}"
|
tls_cipher_suite="${tls_cipher_suite:0:2}\\x${tls_cipher_suite:2:2}"
|
||||||
@ -8134,6 +8137,7 @@ parse_tls_serverhello() {
|
|||||||
[[ "${cipherlist:i:6}" == "$tls_cipher_suite" ]] && break
|
[[ "${cipherlist:i:6}" == "$tls_cipher_suite" ]] && break
|
||||||
done
|
done
|
||||||
if [[ $i -ge $cipherlist_len ]]; then
|
if [[ $i -ge $cipherlist_len ]]; then
|
||||||
|
BAD_SERVER_HELLO_CIPHER=true
|
||||||
debugme echo "The ServerHello specifies a cipher suite that wasn't included in the ClientHello."
|
debugme echo "The ServerHello specifies a cipher suite that wasn't included in the ClientHello."
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return 1
|
return 1
|
||||||
@ -9169,7 +9173,7 @@ run_ccs_injection(){
|
|||||||
# in general, see https://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol
|
# in general, see https://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol
|
||||||
# https://tools.ietf.org/html/rfc5246#section-7.2
|
# https://tools.ietf.org/html/rfc5246#section-7.2
|
||||||
#
|
#
|
||||||
# not ok fo CCSI: 15 | 0301 | 00 02 | 02 15
|
# not ok for CCSI: 15 | 0301 | 00 02 | 02 15
|
||||||
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
|
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
|
||||||
#
|
#
|
||||||
# ok: nothing: ==> RST
|
# ok: nothing: ==> RST
|
||||||
@ -9202,7 +9206,8 @@ run_ccs_injection(){
|
|||||||
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
|
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
|
||||||
# Error: #08S01 Bad handshake
|
# Error: #08S01 Bad handshake
|
||||||
pr_done_best "not vulnerable (OK)"
|
pr_done_best "not vulnerable (OK)"
|
||||||
fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe"
|
out ", looks like MySQL community edition (yaSSL)"
|
||||||
|
fileout "ccs" "OK" "CCS: not vulnerable (MySQL community edition (yaSSL) detected)" "$cve" "$cwe"
|
||||||
elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
|
elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
|
||||||
pr_warning "test failed"
|
pr_warning "test failed"
|
||||||
out ", probably read buffer too small (${tls_hello_ascii:0:14})"
|
out ", probably read buffer too small (${tls_hello_ascii:0:14})"
|
||||||
|
Loading…
Reference in New Issue
Block a user