Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

polishing #784 and #788

Browse Source 
Also introduced the global BAD_SERVER_HELLO_CIPHER which can be later used
for notifying crappy cipher negotiations
This commit is contained in:
Dirk 2017-07-19 18:46:46 +02:00
parent fc7a89e659
commit ad1dd01466
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
testssl.sh
View File

@ -201,7 +201,7 @@ UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo)
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs) SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false} CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false}
# tuning vars, can not be set by a cmd line switch # tuning vars, can be set by a cmd line switch
EXPERIMENTAL=${EXPERIMENTAL:-false} EXPERIMENTAL=${EXPERIMENTAL:-false}
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this. MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this.
@ -255,6 +255,7 @@ HEADERVALUE=""
HTTP_STATUS_CODE="" HTTP_STATUS_CODE=""
PROTOS_OFFERED="" PROTOS_OFFERED=""
TLS_EXTENSIONS="" TLS_EXTENSIONS=""
BAD_SERVER_HELLO_CIPHER=false # reserved for cases where a ServerHello doesn't contain a cipher offered in the ClientHello
GOST_STATUS_PROBLEM=false GOST_STATUS_PROBLEM=false
DETECTED_TLS_VERSION="" DETECTED_TLS_VERSION=""
PATTERN2SHOW="" PATTERN2SHOW=""
@ -8126,6 +8127,8 @@ parse_tls_serverhello() {
fi fi
# If a CIPHER_SUITES string was provided, then check that $tls_cipher_suite is in the string. # If a CIPHER_SUITES string was provided, then check that $tls_cipher_suite is in the string.
# this appeared in yassl + MySQL (https://github.com/drwetter/testssl.sh/pull/784) but adds robustness
# to the implemenation
if [[ -n "$cipherlist" ]]; then if [[ -n "$cipherlist" ]]; then
tls_cipher_suite="$(tolower "$tls_cipher_suite")" tls_cipher_suite="$(tolower "$tls_cipher_suite")"
tls_cipher_suite="${tls_cipher_suite:0:2}\\x${tls_cipher_suite:2:2}" tls_cipher_suite="${tls_cipher_suite:0:2}\\x${tls_cipher_suite:2:2}"
@ -8134,6 +8137,7 @@ parse_tls_serverhello() {
[[ "${cipherlist:i:6}" == "$tls_cipher_suite" ]] && break [[ "${cipherlist:i:6}" == "$tls_cipher_suite" ]] && break
done done
if [[ $i -ge $cipherlist_len ]]; then if [[ $i -ge $cipherlist_len ]]; then
BAD_SERVER_HELLO_CIPHER=true
debugme echo "The ServerHello specifies a cipher suite that wasn't included in the ClientHello." debugme echo "The ServerHello specifies a cipher suite that wasn't included in the ClientHello."
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return 1 return 1
@ -9169,8 +9173,8 @@ run_ccs_injection(){
# in general, see https://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol # in general, see https://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol
# https://tools.ietf.org/html/rfc5246#section-7.2 # https://tools.ietf.org/html/rfc5246#section-7.2
# #
# not ok fo CCSI: 15 | 0301 | 00 02 | 02 15 # not ok for CCSI: 15 | 0301 | 00 02 | 02 15
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21) # ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
# #
# ok: nothing: ==> RST # ok: nothing: ==> RST
# #
@ -9202,7 +9206,8 @@ run_ccs_injection(){
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert # MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
# Error: #08S01 Bad handshake # Error: #08S01 Bad handshake
pr_done_best "not vulnerable (OK)" pr_done_best "not vulnerable (OK)"
fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe" out ", looks like MySQL community edition (yaSSL)"
fileout "ccs" "OK" "CCS: not vulnerable (MySQL community edition (yaSSL) detected)" "$cve" "$cwe"
elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
pr_warning "test failed" pr_warning "test failed"
out ", probably read buffer too small (${tls_hello_ascii:0:14})" out ", probably read buffer too small (${tls_hello_ascii:0:14})"