Merge branch 'master' into remove_sockread

This commit is contained in:
David Cooper 2016-09-14 14:37:14 -04:00
commit b7fbd13f1a

View File

@ -1145,7 +1145,7 @@ run_rp_banner() {
if [[ $? -ne 0 ]]; then
outln "--"
fileout "rp_header" "INFO" "No reverse proxy banner found"
else
else
while read line; do
line=$(strip_lf "$line")
if ! $first; then
@ -1154,7 +1154,7 @@ run_rp_banner() {
first=false
fi
emphasize_stuff_in_headers "$line"
rp_banners="$rp_bannersline"
rp_banners="${rp_banners}${line}"
done < $TMPFILE
fileout "rp_header" "INFO" "Reverse proxy banner(s) found: $rp_banners"
fi
@ -1180,7 +1180,7 @@ run_application_banner() {
outln "--"
fileout "app_banner" "INFO" "No Application Banners found"
else
cat $TMPFILE | while read line; do
while IFS='' read -r line; do
line=$(strip_lf "$line")
if ! $first; then
out "$spaces"
@ -1188,8 +1188,8 @@ run_application_banner() {
first=false
fi
emphasize_stuff_in_headers "$line"
app_banners="$app_bannersline"
done
app_banners="${app_banners}${line}"
done < "$TMPFILE"
fileout "app_banner" "WARN" "Application Banners found: $app_banners"
fi
tmpfile_handle $FUNCNAME.txt
@ -3347,8 +3347,16 @@ run_server_preference() {
outln
pr_bold " Has server cipher order? "
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO"
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI" && sni="$SNI"
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO"
if [[ ! "$OPTIMAL_PROTO" =~ ssl ]]; then
addcmd="$SNI"
sni="$SNI"
if "$HAS_NO_SSL2" && [[ -z "$SNI" ]]; then
# the supplied openssl sends otherwise an sslv2 hello -- e.g. if IP address supplied as target
# for STARTTLS this doesn't seem to be needed
addcmd="-no_ssl2"
fi
fi
$OPENSSL s_client $STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd </dev/null 2>$ERRFILE >$TMPFILE
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
pr_warning "no matching cipher in this list found (pls report this): "
@ -3361,7 +3369,6 @@ run_server_preference() {
# workaround is to connect with a protocol
debugme out "(workaround #188) "
determine_optimal_proto $STARTTLS_PROTOCOL
[[ ! "$STARTTLS_OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$SNI"
$OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>$ERRFILE >$TMPFILE
if ! sclient_connect_successful $? $TMPFILE; then
pr_warning "no matching cipher in this list found (pls report this): "
@ -3379,7 +3386,11 @@ run_server_preference() {
addcmd2="$STARTTLS_OPTIMAL_PROTO"
[[ ! "$STARTTLS_OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
else
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd2="$OPTIMAL_PROTO"
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
addcmd2="$OPTIMAL_PROTO"
elif "$HAS_NO_SSL2"; then
addcmd2="$addcmd2 -no_ssl2"
fi
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
fi
$OPENSSL s_client $STARTTLS -cipher $list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>>$ERRFILE >$TMPFILE
@ -3953,7 +3964,7 @@ determine_tls_extensions() {
# alpn: echo | openssl s_client -connect google.com:443 -tlsextdebug -alpn h2-14 -servername google.com <-- suport needs to be checked b4 -- see also: ssl/t1_trce.c
addcmd=""
[[ ! "$proto" =~ ssl ]] && addcmd="$SNI"
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug -nextprotoneg $alpn -status </dev/null 2>$ERRFILE >$TMPFILE
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug -nextprotoneg "$alpn" -status </dev/null 2>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE && success=0 && break
done # this loop is needed for IIS6 and others which have a handshake size limitations
if [[ $success -eq 7 ]]; then
@ -4108,7 +4119,7 @@ compare_server_name_to_cert()
[[ $(toupper "$san") == "$servername" ]] && ret=1 && break
done
if [[ $req -eq 0 ]]; then
if [[ $ret -eq 0 ]]; then
# Check whether any of the IP addresses in the certificate match the servername
ip_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
@ -4119,7 +4130,7 @@ compare_server_name_to_cert()
# Check whether any of the DNS names in the certificate are wildcard names
# that match the servername
if [[ $req -eq 0 ]]; then
if [[ $ret -eq 0 ]]; then
for san in $dns_sans; do
wildcard_match "$servername" "$san"
[[ $? -eq 0 ]] && ret=2 && break
@ -4189,7 +4200,7 @@ certificate_info() {
sha1WithRSAEncryption)
pr_svrty_medium "SHA1 with RSA"
if [[ "$SERVICE" == HTTP ]]; then
out " -- besides: users will receive a strong browser warning"
out " -- besides: users will receive a "; pr_svrty_high "strong browser WARNING"
fi
outln
fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)"
@ -4287,7 +4298,7 @@ certificate_info() {
out "$cert_sig_algo ("
pr_warning "FIXME: can't tell whether this is good or not"
outln ")"
fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: $sign_algo"
fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: $cert_sig_algo"
;;
esac
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
@ -5102,7 +5113,7 @@ run_spdy() {
outln
return 0
fi
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg $NPN_PROTOs </dev/null 2>$ERRFILE >$TMPFILE
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg "$NPN_PROTOs" </dev/null 2>$ERRFILE >$TMPFILE
tmpstr=$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')
if [[ -z "$tmpstr" ]] || [[ "$tmpstr" == " " ]]; then
outln "not offered"
@ -8785,4 +8796,4 @@ fi
exit $?
# $Id: testssl.sh,v 1.540 2016/09/06 06:32:04 dirkw Exp $
# $Id: testssl.sh,v 1.541 2016/09/07 19:34:26 dirkw Exp $