Merge branch 'master' into remove_sockread
commit
b7fbd13f1a
43
testssl.sh
43
testssl.sh
|
@ -1145,7 +1145,7 @@ run_rp_banner() {
|
||||||
if [[ $? -ne 0 ]]; then
|
if [[ $? -ne 0 ]]; then
|
||||||
outln "--"
|
outln "--"
|
||||||
fileout "rp_header" "INFO" "No reverse proxy banner found"
|
fileout "rp_header" "INFO" "No reverse proxy banner found"
|
||||||
else
|
else
|
||||||
while read line; do
|
while read line; do
|
||||||
line=$(strip_lf "$line")
|
line=$(strip_lf "$line")
|
||||||
if ! $first; then
|
if ! $first; then
|
||||||
|
@ -1154,7 +1154,7 @@ run_rp_banner() {
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
emphasize_stuff_in_headers "$line"
|
emphasize_stuff_in_headers "$line"
|
||||||
rp_banners="$rp_bannersline"
|
rp_banners="${rp_banners}${line}"
|
||||||
done < $TMPFILE
|
done < $TMPFILE
|
||||||
fileout "rp_header" "INFO" "Reverse proxy banner(s) found: $rp_banners"
|
fileout "rp_header" "INFO" "Reverse proxy banner(s) found: $rp_banners"
|
||||||
fi
|
fi
|
||||||
|
@ -1180,7 +1180,7 @@ run_application_banner() {
|
||||||
outln "--"
|
outln "--"
|
||||||
fileout "app_banner" "INFO" "No Application Banners found"
|
fileout "app_banner" "INFO" "No Application Banners found"
|
||||||
else
|
else
|
||||||
cat $TMPFILE | while read line; do
|
while IFS='' read -r line; do
|
||||||
line=$(strip_lf "$line")
|
line=$(strip_lf "$line")
|
||||||
if ! $first; then
|
if ! $first; then
|
||||||
out "$spaces"
|
out "$spaces"
|
||||||
|
@ -1188,8 +1188,8 @@ run_application_banner() {
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
emphasize_stuff_in_headers "$line"
|
emphasize_stuff_in_headers "$line"
|
||||||
app_banners="$app_bannersline"
|
app_banners="${app_banners}${line}"
|
||||||
done
|
done < "$TMPFILE"
|
||||||
fileout "app_banner" "WARN" "Application Banners found: $app_banners"
|
fileout "app_banner" "WARN" "Application Banners found: $app_banners"
|
||||||
fi
|
fi
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
|
@ -3347,8 +3347,16 @@ run_server_preference() {
|
||||||
outln
|
outln
|
||||||
|
|
||||||
pr_bold " Has server cipher order? "
|
pr_bold " Has server cipher order? "
|
||||||
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO"
|
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO"
|
||||||
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI" && sni="$SNI"
|
if [[ ! "$OPTIMAL_PROTO" =~ ssl ]]; then
|
||||||
|
addcmd="$SNI"
|
||||||
|
sni="$SNI"
|
||||||
|
if "$HAS_NO_SSL2" && [[ -z "$SNI" ]]; then
|
||||||
|
# the supplied openssl sends otherwise an sslv2 hello -- e.g. if IP address supplied as target
|
||||||
|
# for STARTTLS this doesn't seem to be needed
|
||||||
|
addcmd="-no_ssl2"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
$OPENSSL s_client $STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
|
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
|
||||||
pr_warning "no matching cipher in this list found (pls report this): "
|
pr_warning "no matching cipher in this list found (pls report this): "
|
||||||
|
@ -3361,7 +3369,6 @@ run_server_preference() {
|
||||||
# workaround is to connect with a protocol
|
# workaround is to connect with a protocol
|
||||||
debugme out "(workaround #188) "
|
debugme out "(workaround #188) "
|
||||||
determine_optimal_proto $STARTTLS_PROTOCOL
|
determine_optimal_proto $STARTTLS_PROTOCOL
|
||||||
[[ ! "$STARTTLS_OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$SNI"
|
|
||||||
$OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
pr_warning "no matching cipher in this list found (pls report this): "
|
pr_warning "no matching cipher in this list found (pls report this): "
|
||||||
|
@ -3379,7 +3386,11 @@ run_server_preference() {
|
||||||
addcmd2="$STARTTLS_OPTIMAL_PROTO"
|
addcmd2="$STARTTLS_OPTIMAL_PROTO"
|
||||||
[[ ! "$STARTTLS_OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
|
[[ ! "$STARTTLS_OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
|
||||||
else
|
else
|
||||||
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd2="$OPTIMAL_PROTO"
|
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
|
||||||
|
addcmd2="$OPTIMAL_PROTO"
|
||||||
|
elif "$HAS_NO_SSL2"; then
|
||||||
|
addcmd2="$addcmd2 -no_ssl2"
|
||||||
|
fi
|
||||||
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
|
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client $STARTTLS -cipher $list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS -cipher $list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
|
@ -3953,7 +3964,7 @@ determine_tls_extensions() {
|
||||||
# alpn: echo | openssl s_client -connect google.com:443 -tlsextdebug -alpn h2-14 -servername google.com <-- suport needs to be checked b4 -- see also: ssl/t1_trce.c
|
# alpn: echo | openssl s_client -connect google.com:443 -tlsextdebug -alpn h2-14 -servername google.com <-- suport needs to be checked b4 -- see also: ssl/t1_trce.c
|
||||||
addcmd=""
|
addcmd=""
|
||||||
[[ ! "$proto" =~ ssl ]] && addcmd="$SNI"
|
[[ ! "$proto" =~ ssl ]] && addcmd="$SNI"
|
||||||
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug -nextprotoneg $alpn -status </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug -nextprotoneg "$alpn" -status </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
sclient_connect_successful $? $TMPFILE && success=0 && break
|
sclient_connect_successful $? $TMPFILE && success=0 && break
|
||||||
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
||||||
if [[ $success -eq 7 ]]; then
|
if [[ $success -eq 7 ]]; then
|
||||||
|
@ -4108,7 +4119,7 @@ compare_server_name_to_cert()
|
||||||
[[ $(toupper "$san") == "$servername" ]] && ret=1 && break
|
[[ $(toupper "$san") == "$servername" ]] && ret=1 && break
|
||||||
done
|
done
|
||||||
|
|
||||||
if [[ $req -eq 0 ]]; then
|
if [[ $ret -eq 0 ]]; then
|
||||||
# Check whether any of the IP addresses in the certificate match the servername
|
# Check whether any of the IP addresses in the certificate match the servername
|
||||||
ip_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
ip_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
||||||
tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
|
tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
|
||||||
|
@ -4119,7 +4130,7 @@ compare_server_name_to_cert()
|
||||||
|
|
||||||
# Check whether any of the DNS names in the certificate are wildcard names
|
# Check whether any of the DNS names in the certificate are wildcard names
|
||||||
# that match the servername
|
# that match the servername
|
||||||
if [[ $req -eq 0 ]]; then
|
if [[ $ret -eq 0 ]]; then
|
||||||
for san in $dns_sans; do
|
for san in $dns_sans; do
|
||||||
wildcard_match "$servername" "$san"
|
wildcard_match "$servername" "$san"
|
||||||
[[ $? -eq 0 ]] && ret=2 && break
|
[[ $? -eq 0 ]] && ret=2 && break
|
||||||
|
@ -4189,7 +4200,7 @@ certificate_info() {
|
||||||
sha1WithRSAEncryption)
|
sha1WithRSAEncryption)
|
||||||
pr_svrty_medium "SHA1 with RSA"
|
pr_svrty_medium "SHA1 with RSA"
|
||||||
if [[ "$SERVICE" == HTTP ]]; then
|
if [[ "$SERVICE" == HTTP ]]; then
|
||||||
out " -- besides: users will receive a strong browser warning"
|
out " -- besides: users will receive a "; pr_svrty_high "strong browser WARNING"
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)"
|
fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)"
|
||||||
|
@ -4287,7 +4298,7 @@ certificate_info() {
|
||||||
out "$cert_sig_algo ("
|
out "$cert_sig_algo ("
|
||||||
pr_warning "FIXME: can't tell whether this is good or not"
|
pr_warning "FIXME: can't tell whether this is good or not"
|
||||||
outln ")"
|
outln ")"
|
||||||
fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: $sign_algo"
|
fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: $cert_sig_algo"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
||||||
|
@ -5102,7 +5113,7 @@ run_spdy() {
|
||||||
outln
|
outln
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg $NPN_PROTOs </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg "$NPN_PROTOs" </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
tmpstr=$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')
|
tmpstr=$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')
|
||||||
if [[ -z "$tmpstr" ]] || [[ "$tmpstr" == " " ]]; then
|
if [[ -z "$tmpstr" ]] || [[ "$tmpstr" == " " ]]; then
|
||||||
outln "not offered"
|
outln "not offered"
|
||||||
|
@ -8785,4 +8796,4 @@ fi
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.540 2016/09/06 06:32:04 dirkw Exp $
|
# $Id: testssl.sh,v 1.541 2016/09/07 19:34:26 dirkw Exp $
|
||||||
|
|
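Review bot: The read loop in run_rp_banner (first hunk, new side) is still `while read line; do … done < $TMPFILE`, while the parallel loop in run_application_banner is hardened in this same commit to `while IFS='' read -r line; do … done < "$TMPFILE"`. The reverse-proxy header text comes from the remote server, so a plain `read` interprets backslash sequences and trims leading/trailing whitespace before the line reaches emphasize_stuff_in_headers and the `rp_header` fileout record; the same two lines should be changed here so both banner functions treat server-supplied headers identically. Both loops also build the result as `${rp_banners}${line}` / `${app_banners}${line}` with no separator, so several header lines end up fused in the JSON/CSV output — if that is not intended, join them with a delimiter such as `"; "`. run_rp_banner and run_application_banner both start and end outside the visible hunks.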