Merge branch 'master' of https://github.com/drwetter/testssl.sh
This commit is contained in:
commit
b99c5ac30c
1912
etc/java.pem
1912
etc/java.pem
File diff suppressed because it is too large
Load Diff
164
testssl.sh
164
testssl.sh
|
@ -187,6 +187,7 @@ PROTOS_OFFERED=""
|
||||||
TLS_EXTENSIONS=""
|
TLS_EXTENSIONS=""
|
||||||
GOST_STATUS_PROBLEM=false
|
GOST_STATUS_PROBLEM=false
|
||||||
DETECTED_TLS_VERSION=""
|
DETECTED_TLS_VERSION=""
|
||||||
|
PATTERN2SHOW=""
|
||||||
SOCKREPLY=""
|
SOCKREPLY=""
|
||||||
SOCK_REPLY_FILE=""
|
SOCK_REPLY_FILE=""
|
||||||
HEXC=""
|
HEXC=""
|
||||||
|
@ -666,6 +667,7 @@ run_http_header() {
|
||||||
local referer useragent
|
local referer useragent
|
||||||
local url redirect
|
local url redirect
|
||||||
|
|
||||||
|
HEADERFILE=$TEMPDIR/$NODEIP.http_header.txt
|
||||||
outln; pr_headlineln " Testing HTTP header response @ \"$URL_PATH\" "
|
outln; pr_headlineln " Testing HTTP header response @ \"$URL_PATH\" "
|
||||||
outln
|
outln
|
||||||
|
|
||||||
|
@ -695,8 +697,9 @@ run_http_header() {
|
||||||
|
|
||||||
debugme echo "$NOW_TIME: $HTTP_TIME"
|
debugme echo "$NOW_TIME: $HTTP_TIME"
|
||||||
|
|
||||||
sed -e '/^ .<HTML/,$d' -e '/^ .<html/,$d' -e '/^ .<XML /,$d' -e '/ .<?XML /,$d' \
|
# delete from pattern til the end. We ignore any leading spaces (e.g. www.amazon.de)
|
||||||
-e '/^ .<xml /,$d' -e '/ .<?xml /,$d' -e '/^ .<\!DOCTYPE/,$d' -e '/^ .<\!doctype/,$d' $HEADERFILE >$HEADERFILE.2
|
sed -e '/<HTML>/,$d' -e '/<html>/,$d' -e '/<XML/,$d' -e '/<?XML/,$d' \
|
||||||
|
-e '/<xml/,$d' -e '/<?xml/,$d' -e '/<\!DOCTYPE/,$d' -e '/<\!doctype/,$d' $HEADERFILE >$HEADERFILE.2
|
||||||
#### ^^^ Attention: the filtering for the html body only as of now, doesn't work for other content yet
|
#### ^^^ Attention: the filtering for the html body only as of now, doesn't work for other content yet
|
||||||
mv $HEADERFILE.2 $HEADERFILE # sed'ing in place doesn't work with BSD and Linux simultaneously
|
mv $HEADERFILE.2 $HEADERFILE # sed'ing in place doesn't work with BSD and Linux simultaneously
|
||||||
ret=0
|
ret=0
|
||||||
|
@ -795,7 +798,7 @@ detect_ipv4() {
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
pr_litered "$result"
|
pr_litered "$result"
|
||||||
outln "spaces$your_ip_msg"
|
outln "\n$spaces$your_ip_msg"
|
||||||
fileout "ip_in_header_$count" "NOT OK" "IPv4 address in header $result $your_ip_msg"
|
fileout "ip_in_header_$count" "NOT OK" "IPv4 address in header $result $your_ip_msg"
|
||||||
fi
|
fi
|
||||||
count=$count+1
|
count=$count+1
|
||||||
|
@ -926,15 +929,17 @@ run_hpkp() {
|
||||||
else
|
else
|
||||||
hpkp_headers=""
|
hpkp_headers=""
|
||||||
pr_brown "multiple HPKP headers: "
|
pr_brown "multiple HPKP headers: "
|
||||||
|
# https://scotthelme.co.uk is a candidate
|
||||||
|
#FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> egrep -ai -w
|
||||||
for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do
|
for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do
|
||||||
pr_italic $i
|
pr_italic $i
|
||||||
hpkp_headers="$hpkp_headers$i "
|
hpkp_headers="$hpkp_headers$i "
|
||||||
out " "
|
out " "
|
||||||
done
|
done
|
||||||
out "spaces using first "
|
out "\n$spaces Examining first one: "
|
||||||
first_hpkp_header=$(awk -F':' '/Public-Key-Pins/ { print $1 }' $HEADERFILE | head -1)
|
first_hpkp_header=$(awk -F':' '/Public-Key-Pins/ { print $1 }' $HEADERFILE | head -1)
|
||||||
pr_italic "$first_hpkp_header, "
|
pr_italic "$first_hpkp_header, "
|
||||||
fileout "hpkp_multiple" "WARN" "Multiple HPKP headershpkp_headers\nUsing first header: $first_hpkp_header"
|
fileout "hpkp_multiple" "WARN" "Multiple HPKP headershpkp_headers. Using first header: $first_hpkp_header"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is
|
# remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is
|
||||||
|
@ -983,7 +988,7 @@ run_hpkp() {
|
||||||
$OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)"
|
$OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)"
|
||||||
while read hpkp_key; do
|
while read hpkp_key; do
|
||||||
if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
|
if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
|
||||||
out "spaces matching host key: "
|
out "\n$spaces matching host key: "
|
||||||
pr_litegreen "$hpkp_key"
|
pr_litegreen "$hpkp_key"
|
||||||
fileout "hpkp_keymatch" "OK" "Key matches a key pinned in the HPKP header"
|
fileout "hpkp_keymatch" "OK" "Key matches a key pinned in the HPKP header"
|
||||||
key_found=true
|
key_found=true
|
||||||
|
@ -991,9 +996,9 @@ run_hpkp() {
|
||||||
debugme out "\n $hpkp_key | $hpkp_key_hostcert"
|
debugme out "\n $hpkp_key | $hpkp_key_hostcert"
|
||||||
done < <(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }')
|
done < <(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }')
|
||||||
if ! $key_found ; then
|
if ! $key_found ; then
|
||||||
out "spaces"
|
out "\n$spaces"
|
||||||
pr_litered " No matching key for pins found "
|
pr_litered " No matching key for pins found "
|
||||||
out "(CAs pinned? -- not yet checked)"
|
out "(CAs pinned? -- not checked for yet)"
|
||||||
fileout "hpkp_keymatch" "WARN" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this"
|
fileout "hpkp_keymatch" "WARN" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
@ -1456,18 +1461,22 @@ neat_list(){
|
||||||
kx="${3//Kx=/}"
|
kx="${3//Kx=/}"
|
||||||
enc="${4//Enc=/}"
|
enc="${4//Enc=/}"
|
||||||
strength=$(sed -e 's/.*(//' -e 's/)//' <<< "$enc") # strength = encryption bits
|
strength=$(sed -e 's/.*(//' -e 's/)//' <<< "$enc") # strength = encryption bits
|
||||||
|
|
||||||
strength="${strength//ChaCha20-Poly1305/ly1305}"
|
strength="${strength//ChaCha20-Poly1305/ly1305}"
|
||||||
enc=$(sed -e 's/(.*)//g' -e 's/ChaCha20-Poly1305/ChaCha20-Po/g' <<< "$enc") # workaround for empty bits ChaCha20-Poly1305
|
enc=$(sed -e 's/(.*)//g' -e 's/ChaCha20-Poly1305/ChaCha20-Po/g' <<< "$enc") # workaround for empty bits ChaCha20-Poly1305
|
||||||
echo "$export" | grep -iq export && strength="$strength,export"
|
echo "$export" | grep -iq export && strength="$strength,export"
|
||||||
# workaround for color escape codes:
|
|
||||||
if printf -- "$kx" | "${HEXDUMPVIEW[@]}" | grep -q 33 ; then # here's a color code
|
|
||||||
kx="$kx " # one for color code if ECDH and three digits
|
|
||||||
[[ "${#kx}" -eq 18 ]] && kx="$kx " # 18 means DH, colored < 1000. Add another space
|
|
||||||
[[ "${#kx}" -eq 19 ]] && kx="$kx " # 19 means DH, colored >=1000. Add another space
|
|
||||||
#echo ${#kx} # should be always 20
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
#printf -- "%q" "$kx" | xxd | head -1
|
||||||
|
# length correction for color escape codes (printf counts the escape color codes!!)
|
||||||
|
if printf -- "%q" "$kx" | egrep -aq '.;3.m|E\[1m' ; then # here's a color code which screws up the formatting with prinf below
|
||||||
|
while [[ ${#kx} -lt 20 ]]; do
|
||||||
|
kx="$kx "
|
||||||
|
done
|
||||||
|
elif printf -- "%q" "$kx" | grep -aq 'E\[m' ; then # for color=1/0 we have the pr_off which screws up the formatting
|
||||||
|
while [[ ${#kx} -lt 13 ]]; do # so it'll be filled up ok
|
||||||
|
kx="$kx "
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
#echo "${#kx}" # should be always 20 / 13
|
||||||
printf -- " %-7s %-30s %-10s %-11s%-11s${ADD_RFC_STR:+ %-48s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$(show_rfc_style $HEXC)"
|
printf -- " %-7s %-30s %-10s %-11s%-11s${ADD_RFC_STR:+ %-48s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$(show_rfc_style $HEXC)"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2632,11 +2641,14 @@ verify_retcode_helper() {
|
||||||
|
|
||||||
determine_trust() {
|
determine_trust() {
|
||||||
local heading=$1
|
local heading=$1
|
||||||
local i=1
|
local -i i=1
|
||||||
|
local -i num_ca_bundles=0
|
||||||
local bundle_fname
|
local bundle_fname
|
||||||
local -a certificate_file verify_retcode trust
|
local -a certificate_file verify_retcode trust
|
||||||
local ok_was=""
|
local ok_was=""
|
||||||
local notok_was=""
|
local notok_was=""
|
||||||
|
local all_ok=true
|
||||||
|
local some_ok=false
|
||||||
local code
|
local code
|
||||||
local ca_bundles="$INSTALL_DIR/etc/*.pem"
|
local ca_bundles="$INSTALL_DIR/etc/*.pem"
|
||||||
local spaces=" "
|
local spaces=" "
|
||||||
|
@ -2663,43 +2675,46 @@ determine_trust() {
|
||||||
fi
|
fi
|
||||||
debugme printf -- " %-12s" "${certificate_file[i]}"
|
debugme printf -- " %-12s" "${certificate_file[i]}"
|
||||||
# set SSL_CERT_DIR to /dev/null so that $OPENSSL verify will only use certificates in $bundle_fname
|
# set SSL_CERT_DIR to /dev/null so that $OPENSSL verify will only use certificates in $bundle_fname
|
||||||
(export SSL_CERT_DIR="/dev/null"
|
(export SSL_CERT_DIR="/dev/null; export SSL_CERT_FILE=/dev/null"
|
||||||
if [[ $certificates_provided -ge 2 ]]; then
|
if [[ $certificates_provided -ge 2 ]]; then
|
||||||
$OPENSSL verify -purpose sslserver -CAfile "$bundle_fname" -untrusted $TEMPDIR/intermediatecerts.pem $HOSTCERT >$ERRFILE 2>>$ERRFILE
|
$OPENSSL verify -purpose sslserver -CAfile "$bundle_fname" -untrusted $TEMPDIR/intermediatecerts.pem $HOSTCERT >$TEMPDIR/${certificate_file[i]}.1 2>$TEMPDIR/${certificate_file[i]}.2
|
||||||
else
|
else
|
||||||
$OPENSSL verify -purpose sslserver -CAfile "$bundle_fname" $HOSTCERT >>$ERRFILE 2>>$ERRFILE
|
$OPENSSL verify -purpose sslserver -CAfile "$bundle_fname" $HOSTCERT >$TEMPDIR/${certificate_file[i]}.1 2>$TEMPDIR/${certificate_file[i]}.2
|
||||||
fi)
|
fi)
|
||||||
verify_retcode[i]=$?
|
verify_retcode[i]=$(awk '/error [1-9][0-9]? at [0-9]+ depth lookup:/ { if (!found) {print $2; found=1} }' $TEMPDIR/${certificate_file[i]}.1)
|
||||||
|
[[ -z "${verify_retcode[i]}" ]] && verify_retcode[i]=0
|
||||||
if [[ ${verify_retcode[i]} -eq 0 ]]; then
|
if [[ ${verify_retcode[i]} -eq 0 ]]; then
|
||||||
trust[i]=true
|
trust[i]=true
|
||||||
|
some_ok=true
|
||||||
debugme pr_litegreen "Ok "
|
debugme pr_litegreen "Ok "
|
||||||
debugme outln "${verify_retcode[i]}"
|
debugme outln "${verify_retcode[i]}"
|
||||||
else
|
else
|
||||||
trust[i]=false
|
trust[i]=false
|
||||||
debugme pr_red "not trusted "
|
all_ok=false
|
||||||
|
debugme pr_litered "not trusted "
|
||||||
debugme outln "${verify_retcode[i]}"
|
debugme outln "${verify_retcode[i]}"
|
||||||
fi
|
fi
|
||||||
i=$(($i + 1))
|
i=$((i + 1))
|
||||||
done
|
done
|
||||||
|
num_ca_bundles=$(($i - 1))
|
||||||
debugme out " "
|
debugme out " "
|
||||||
# all stores ok
|
# all stores ok
|
||||||
if ${trust[1]} && ${trust[2]} && ${trust[3]} && ${trust[4]}; then
|
if $all_ok; then
|
||||||
pr_litegreen "Ok "
|
pr_litegreen "Ok "
|
||||||
fileout "$heading trust" "OK" "All certificate trust checks passed. $addtl_warning"
|
fileout "$heading trust" "OK" "All certificate trust checks passed. $addtl_warning"
|
||||||
# at least one failed
|
# at least one failed
|
||||||
else
|
else
|
||||||
pr_red "NOT ok "
|
pr_red "NOT ok"
|
||||||
# all failed (we assume with the same issue)
|
if ! $some_ok; then
|
||||||
if ! ${trust[1]} && ! ${trust[2]} && ! ${trust[3]} && ! ${trust[4]}; then
|
# all failed (we assume with the same issue), we're displaying the reason
|
||||||
|
out " "
|
||||||
verify_retcode_helper "${verify_retcode[2]}"
|
verify_retcode_helper "${verify_retcode[2]}"
|
||||||
fileout "$heading trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
|
fileout "$heading trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
|
||||||
else
|
else
|
||||||
# is one ok and the others not?
|
# is one ok and the others not ==> display the culprit store
|
||||||
if ${trust[1]} || ${trust[2]} || ${trust[3]} || ${trust[4]}; then
|
if $some_ok ; then
|
||||||
pr_redln ":"
|
pr_red ":"
|
||||||
out "$spaces"
|
for ((i=1;i<=num_ca_bundles;i++)); do
|
||||||
pr_red "FAILED:"
|
|
||||||
for i in 1 2 3 4; do
|
|
||||||
if ${trust[i]}; then
|
if ${trust[i]}; then
|
||||||
ok_was="${certificate_file[i]} $ok_was"
|
ok_was="${certificate_file[i]} $ok_was"
|
||||||
else
|
else
|
||||||
|
@ -2717,7 +2732,7 @@ determine_trust() {
|
||||||
[[ "$DEBUG" -eq 0 ]] && out "$spaces"
|
[[ "$DEBUG" -eq 0 ]] && out "$spaces"
|
||||||
pr_litegreen "OK: $ok_was"
|
pr_litegreen "OK: $ok_was"
|
||||||
fi
|
fi
|
||||||
fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok : $notok_was $addtl_warning"
|
fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
|
@ -2868,14 +2883,37 @@ certificate_info() {
|
||||||
outln "(couldn't determine)"
|
outln "(couldn't determine)"
|
||||||
fileout "$heading key_size" "WARN" "Server keys size cannot be determined"
|
fileout "$heading key_size" "WARN" "Server keys size cannot be determined"
|
||||||
else
|
else
|
||||||
if [[ "$keysize" -le 768 ]]; then
|
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
||||||
|
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
|
||||||
|
# see http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
|
||||||
|
# Table 2 @ chapter 5.6.1 (~ p64)
|
||||||
if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
|
if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
|
||||||
pr_litegreen "EC $keysize"
|
if [[ "$keysize" -le 110 ]]; then # a guess
|
||||||
fileout "$heading key_size" "OK" "Server keys $keysize bits EC (OK)"
|
pr_red "$keysize"
|
||||||
|
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
||||||
|
elif [[ "$keysize" -le 123 ]]; then # a guess
|
||||||
|
pr_litered "$keysize"
|
||||||
|
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
||||||
|
elif [[ "$keysize" -le 163 ]]; then
|
||||||
|
pr_brown "$keysize"
|
||||||
|
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
||||||
|
elif [[ "$keysize" -le 224 ]]; then
|
||||||
|
out "$keysize"
|
||||||
|
fileout "$heading key_size" "INFO" "Server keys $keysize EC bits"
|
||||||
|
elif [[ "$keysize" -le 533 ]]; then
|
||||||
|
pr_litegreen "$keysize"
|
||||||
|
fileout "$heading key_size" "OK" "Server keys $keysize EC bits (OK)"
|
||||||
else
|
else
|
||||||
|
out "keysize: $keysize (not expected, FIXME)"
|
||||||
|
fileout "$heading key_size" "WARN" "Server keys $keysize bits (not expected)"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [[ "$keysize" -le 512 ]]; then
|
||||||
pr_red "$keysize"
|
pr_red "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
fi
|
elif [[ "$keysize" -le 768 ]]; then
|
||||||
|
pr_litered "$keysize"
|
||||||
|
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 1024 ]]; then
|
elif [[ "$keysize" -le 1024 ]]; then
|
||||||
pr_brown "$keysize"
|
pr_brown "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
|
@ -2886,10 +2924,11 @@ certificate_info() {
|
||||||
pr_litegreen "$keysize"
|
pr_litegreen "$keysize"
|
||||||
fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)"
|
fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)"
|
||||||
else
|
else
|
||||||
out "weird keysize: $keysize"
|
out "weird keysize: $keysize (compatibility problems)"
|
||||||
fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)"
|
fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
outln " bit"
|
outln " bit"
|
||||||
|
|
||||||
out "$indent" ; pr_bold " Signature Algorithm "
|
out "$indent" ; pr_bold " Signature Algorithm "
|
||||||
|
@ -2949,7 +2988,6 @@ certificate_info() {
|
||||||
else
|
else
|
||||||
cnfinding+=" NO match)"
|
cnfinding+=" NO match)"
|
||||||
cnok="INFO"
|
cnok="INFO"
|
||||||
:
|
|
||||||
#FIXME: we need to test also the SANs as they can contain a wild card (google.de .e.g) ==> 2.7dev
|
#FIXME: we need to test also the SANs as they can contain a wild card (google.de .e.g) ==> 2.7dev
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -5318,7 +5356,6 @@ maketempf() {
|
||||||
ERRFILE=$TEMPDIR/errorfile.txt || exit -6
|
ERRFILE=$TEMPDIR/errorfile.txt || exit -6
|
||||||
fi
|
fi
|
||||||
HOSTCERT=$TEMPDIR/host_certificate.txt
|
HOSTCERT=$TEMPDIR/host_certificate.txt
|
||||||
HEADERFILE=$TEMPDIR/http_header.txt
|
|
||||||
initialize_engine
|
initialize_engine
|
||||||
if [[ $DEBUG -ne 0 ]]; then
|
if [[ $DEBUG -ne 0 ]]; then
|
||||||
cat >$TEMPDIR/environment.txt << EOF
|
cat >$TEMPDIR/environment.txt << EOF
|
||||||
|
@ -6085,7 +6122,7 @@ run_mass_testing_parallel() {
|
||||||
$cmdline >$LOGFILE &
|
$cmdline >$LOGFILE &
|
||||||
sleep $PARALLEL_SLEEP
|
sleep $PARALLEL_SLEEP
|
||||||
done < "$FNAME"
|
done < "$FNAME"
|
||||||
exit $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -6105,8 +6142,7 @@ run_mass_testing() {
|
||||||
outln "$cmdline"
|
outln "$cmdline"
|
||||||
$cmdline
|
$cmdline
|
||||||
done < "${FNAME}"
|
done < "${FNAME}"
|
||||||
|
return $?
|
||||||
exit $?
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -6144,6 +6180,7 @@ initialize_globals() {
|
||||||
do_test_just_one=false
|
do_test_just_one=false
|
||||||
do_tls_sockets=false
|
do_tls_sockets=false
|
||||||
do_client_simulation=false
|
do_client_simulation=false
|
||||||
|
do_display_only=false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -6181,7 +6218,7 @@ query_globals() {
|
||||||
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
||||||
do_freak do_logjam do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
do_freak do_logjam do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
||||||
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
||||||
do_client_simulation do_test_just_one do_tls_sockets do_mass_testing ; do
|
do_client_simulation do_test_just_one do_tls_sockets do_mass_testing do_display_only; do
|
||||||
[[ "${!gbl}" == "true" ]] && let true_nr++
|
[[ "${!gbl}" == "true" ]] && let true_nr++
|
||||||
done
|
done
|
||||||
return $true_nr
|
return $true_nr
|
||||||
|
@ -6194,17 +6231,18 @@ debug_globals() {
|
||||||
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
||||||
do_freak do_logjam do_header do_heartbleed do_rc4 do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
do_freak do_logjam do_header do_heartbleed do_rc4 do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
||||||
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
||||||
do_client_simulation do_test_just_one do_tls_sockets do_mass_testing; do
|
do_client_simulation do_test_just_one do_tls_sockets do_mass_testing do_display_only; do
|
||||||
printf "%-22s = %s\n" $gbl "${!gbl}"
|
printf "%-22s = %s\n" $gbl "${!gbl}"
|
||||||
done
|
done
|
||||||
printf "%-22s : %s\n" URI: "$URI"
|
printf "%-22s : %s\n" URI: "$URI"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# arg1+2 are just the options
|
# arg1: either switch+value (=) or switch
|
||||||
|
# arg2: value (if no = provided)
|
||||||
parse_opt_equal_sign() {
|
parse_opt_equal_sign() {
|
||||||
if [[ "$1" == *=* ]]; then
|
if [[ "$1" == *=* ]]; then
|
||||||
echo "$1" | awk -F'=' '{ print $2 }'
|
echo ${1#*=}
|
||||||
return 1 # = means we don't need to shift args!
|
return 1 # = means we don't need to shift args!
|
||||||
else
|
else
|
||||||
echo $2
|
echo $2
|
||||||
|
@ -6244,13 +6282,15 @@ parse_cmd_line() {
|
||||||
CMDLINE_IP=$(parse_opt_equal_sign "$1" "$2")
|
CMDLINE_IP=$(parse_opt_equal_sign "$1" "$2")
|
||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
;;
|
;;
|
||||||
-V|-V=*|--local|--local=*) # this is only displaying local ciphers, thus we don't put it in the loop
|
-V|-V=*|--local|--local=*) # attention, this could have a value or not!
|
||||||
find_openssl_binary
|
do_display_only=true
|
||||||
maketempf # for GOST support
|
PATTERN2SHOW="$(parse_opt_equal_sign "$1" "$2")"
|
||||||
mybanner
|
retval=$?
|
||||||
openssl_age
|
if [[ "$PATTERN2SHOW" == -* ]]; then
|
||||||
prettyprint_local $(parse_opt_equal_sign "$1" "$2")
|
unset PATTERN2SHOW # we hit the next command ==> not our value
|
||||||
exit $?
|
else # it was ours, point to next arg
|
||||||
|
[[ $retval -eq 0 ]] && shift
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
-x|-x=*|--single[-_]cipher|--single[-_]cipher=*)
|
-x|-x=*|--single[-_]cipher|--single[-_]cipher=*)
|
||||||
do_test_just_one=true
|
do_test_just_one=true
|
||||||
|
@ -6506,7 +6546,7 @@ parse_cmd_line() {
|
||||||
done
|
done
|
||||||
|
|
||||||
# Show usage if no options were specified
|
# Show usage if no options were specified
|
||||||
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] ; then
|
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! $do_display_only; then
|
||||||
help 0
|
help 0
|
||||||
else
|
else
|
||||||
# left off here is the URI
|
# left off here is the URI
|
||||||
|
@ -6625,7 +6665,15 @@ openssl_age
|
||||||
ret=0
|
ret=0
|
||||||
ip=""
|
ip=""
|
||||||
|
|
||||||
$do_mass_testing && run_mass_testing
|
if $do_display_only; then
|
||||||
|
prettyprint_local "$PATTERN2SHOW"
|
||||||
|
exit $?
|
||||||
|
fi
|
||||||
|
|
||||||
|
if $do_mass_testing; then
|
||||||
|
run_mass_testing
|
||||||
|
exit $?
|
||||||
|
fi
|
||||||
|
|
||||||
#TODO: there shouldn't be the need for a special case for --mx, only the ip adresses we would need upfront and the do-parser
|
#TODO: there shouldn't be the need for a special case for --mx, only the ip adresses we would need upfront and the do-parser
|
||||||
if $do_mx_all_ips; then
|
if $do_mx_all_ips; then
|
||||||
|
@ -6668,4 +6716,4 @@ fi
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.450 2016/01/31 10:04:58 dirkw Exp $
|
# $Id: testssl.sh,v 1.456 2016/02/01 16:33:58 dirkw Exp $
|
||||||
|
|
Loading…
Reference in New Issue