- RELEASE: final 2.2

- change of cmd line order for STARTTLS
- help more clear
This commit is contained in:
Dirk 2014-12-08 10:32:51 +01:00
parent b3efb3c4b0
commit b40c0b7178

View File

@ -1,14 +1,16 @@
#!/usr/bin/env bash #!/usr/bin/env bash
#
# bash is needed for some distros which use dash as /bin/sh and for tcp sockets which # bash is needed for some distros which use dash as /bin/sh and for tcp sockets which
# this program uses a couple of times. Also some expressions are bashisms as I expect # this program uses a couple of times. Also some expressions are bashisms as I expect
# the to be faster. Idea is to not overdo it. # them to be faster. Idea is to not overdo it though
# Program for spotting weak SSL encryption, ciphers, version and some vulnerablities or # testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some
# features # vulnerablities or features
# Devel version from https://github.com/drwetter/testssl.sh, #
# stable: https://testssl.sh # Devel version is availabe from https://github.com/drwetter/testssl.sh,
# stable version from https://testssl.sh
VERSION="2.1rc4" VERSION="2.2" # any char suffixes denotes non=stable
SWURL="https://testssl.sh" SWURL="https://testssl.sh"
SWCONTACT="dirk aet testssl dot sh" SWCONTACT="dirk aet testssl dot sh"
@ -35,14 +37,11 @@ SWCONTACT="dirk aet testssl dot sh"
# the internet. And those are 3rd parties. If those four restrictions are fine # the internet. And those are 3rd parties. If those four restrictions are fine
# with you, they might tell you more than this tool -- as of now. # with you, they might tell you more than this tool -- as of now.
# Note that 56Bit ciphers are disabled during compile time in $OPENSSL > 0.9.8c # Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities)
# (http://rt.$OPENSSL.org/Ticket/Display.html?user=guest&pass=guest&id=1461) # are disabled as they'll impact security otherwise. For security testing though we
# ---> TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES in ssl/tls1.h . For testing it's recommended # need all those features. Thus it's highly recommended to use the suppied binaries.
# to change this to 1 and recompile e.g. w/ ./config --prefix=/usr/ --openssldir=/etc/ssl # Except on-available local ciphers you'll get a warning about missing features
# or use the supplied binaries!
# Also some distributions disable SSLv2. Please note: Everything which is disabled or not
# supported on the client side is not possible to test on the server side! You'll get
# a warning though
# following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host> # following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
CAPATH="${CAPATH:-/etc/ssl/certs/}" # same as previous. Doing nothing yet. FC has only a CA bundle per default, ==> openssl version -d CAPATH="${CAPATH:-/etc/ssl/certs/}" # same as previous. Doing nothing yet. FC has only a CA bundle per default, ==> openssl version -d
@ -62,7 +61,7 @@ VERBOSE=${VERBOSE:-0} # if 1 it shows what's going on. Currently only used for h
VERB_CLIST="" # ... and if so, "-V" shows them row by row cipher, SSL-version, KX, Au, Enc and Mac VERB_CLIST="" # ... and if so, "-V" shows them row by row cipher, SSL-version, KX, Au, Enc and Mac
HSTS_MIN=180 # >180 days is ok for HSTS HSTS_MIN=180 # >180 days is ok for HSTS
HPKP_MIN=30 # >30 days should be ok for HPKP_MIN, practical hints? HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints?
MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
@ -420,7 +419,7 @@ hpkp() {
egrep -ciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -wq "1" || out "(two HPKP header, using 1st one) " egrep -ciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -wq "1" || out "(two HPKP header, using 1st one) "
AGE_SEC=`sed -e 's/\r//g' -e 's/^.*max-age=//' -e 's/;.*//' $TMPFILE` AGE_SEC=`sed -e 's/\r//g' -e 's/^.*max-age=//' -e 's/;.*//' $TMPFILE`
AGE_DAYS=`expr $AGE_SEC \/ 86400` AGE_DAYS=`expr $AGE_SEC \/ 86400`
if [ $AGE_DAYS -gt $HPKP_MIN ]; then if [ $AGE_DAYS -ge $HPKP_MIN ]; then
litegreen "$AGE_DAYS days \c" ; out "($AGE_SEC s)" litegreen "$AGE_DAYS days \c" ; out "($AGE_SEC s)"
else else
brown "$AGE_DAYS days (<$HPKP_MIN is not good enough)" brown "$AGE_DAYS days (<$HPKP_MIN is not good enough)"
@ -1572,7 +1571,7 @@ starttls() {
pfs ; ret=`expr $? + $ret` pfs ; ret=`expr $? + $ret`
fi fi
;; ;;
*) outln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet allowed" >&2 *) litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet allowed" >&2
ret=2 ret=2
;; ;;
esac esac
@ -1590,7 +1589,7 @@ $PRG <options>
<-b|--banner> displays banner + version <-b|--banner> displays banner + version
<-v|--version> same as above <-v|--version> same as above
<-V|--local> pretty print all local ciphers <-V|--local> pretty print all local ciphers
<-V|--local> <pattern> what local cipher with <pattern> is a/v? <-V|--local> pattern what local cipher with <pattern> is a/v?
$PRG <options> URI $PRG <options> URI
@ -1611,14 +1610,14 @@ $PRG <options> URI
<-4|--rc4|--appelbaum> which RC4 ciphers are being offered? <-4|--rc4|--appelbaum> which RC4 ciphers are being offered?
<-H|--header|--headers> check for HSTS, HPKP and server/application banner string <-H|--header|--headers> check for HSTS, HPKP and server/application banner string
<-t|--starttls> host:port <ftp|smtp|pop3|imap|xmpp|telnet> <SNI hostname> *) <-t|--starttls> protocol does a default run against a STARTTLS enabled service
*) for telnet STARTTLS support you need the supplied openssl
<URI> host|host:port|URL|URL:port (port 443 is assumed unless otherwise specified)
<pattern> an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits
partly mandatory parameters:
URI host|host:port|URL|URL:port (port 443 is assumed unless otherwise specified)
pattern an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits
protocol is one of ftp,smtp,pop3,imap,xmpp,telnet (for the latter you need e.g. the supplied openssl)
EOF EOF
@ -1902,8 +1901,8 @@ case "$1" in
exit $ret ;; exit $ret ;;
-t|--starttls) -t|--starttls)
maketempf maketempf
parse_hn_port "$2" "$3" # here comes hostname:port and protocol to signal starttls parse_hn_port "$3" "$2" # here comes protocol to signal starttls and hostname:port
starttls "$3" # protocol starttls "$2" # protocol
ret=$? ret=$?
exit $ret ;; exit $ret ;;
-e|--each-cipher) -e|--each-cipher)
@ -2052,7 +2051,7 @@ case "$1" in
exit $ret ;; exit $ret ;;
esac esac
# $Id: testssl.sh,v 1.150 2014/11/30 00:30:19 dirkw Exp $ # $Id: testssl.sh,v 1.151 2014/12/08 09:32:50 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5