Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 05:45:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix TLS_FALLBACK_SCSV detection for non RFC compliants F5 loadbalancers. They pass now the test but get additonally penalized for their non compliance, see also https://github.com/drwetter/testssl.sh/issues/121#issuecomment-113790270

Browse Source
This commit is contained in:
Dirk
2017-02-03 11:47:21 +01:00
parent ec7aa2481a
commit b9232fd5d0
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
testssl.sh
View File

@@ -9619,7 +9619,7 @@ run_tls_fallback_scsv() {
local -i ret=0 local -i ret=0
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for TLS_FALLBACK_SCSV Protection " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for TLS_FALLBACK_SCSV Protection " && outln
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507), " pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507) "
# This isn't a vulnerability check per se, but checks for the existence of # This isn't a vulnerability check per se, but checks for the existence of
# the countermeasure to protect against protocol downgrade attacks. # the countermeasure to protect against protocol downgrade attacks.
@@ -9656,9 +9656,12 @@ run_tls_fallback_scsv() {
fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported" fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported"
ret=0 ret=0
elif grep -qa "alert handshake failure" "$TMPFILE"; then elif grep -qa "alert handshake failure" "$TMPFILE"; then
pr_done_good "Probably OK. "
fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Probably oK"
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121 # see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\"" # other case reported by Nicolas was F5 and at costumer of mine: the same
fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely: warning)" pr_svrty_medium "But received non-RFC-compliant \"handshake failure\" instead of \"inappropriate fallback\""
fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : But received non-RFC-compliant \"handshake failure\" instead of \"inappropriate fallback\""
ret=2 ret=2
elif grep -qa "ssl handshake failure" "$TMPFILE"; then elif grep -qa "ssl handshake failure" "$TMPFILE"; then
pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\"" pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\""