BREACH is not labeled as experimental anymore as it works reliably

- so is heartbleed
 - FIX: shopt is removed in rc4 as most of the bash shells segfault here (bug!)
 - not tested anymore for HTTP within starttls, instead displaying here a line
This commit is contained in:
Dirk 2015-01-23 12:01:32 +01:00
parent 6c6511ddb2
commit baadfd0492
1 changed files with 42 additions and 26 deletions

View File

@ -263,7 +263,7 @@ wait_kill(){
# is agnostic to the version of TLS/SSL, more: http://www.breachattack.com/
# foreign referers are the important thing here!
breach() {
bold " BREACH"; out " =HTTP Compression, experimental "
bold " BREACH"; out " (CVE-2013-3587) =HTTP Compression "
url="$1"
[ -z "$url" ] && url="/"
if [ $SNEAKY -eq 0 ] ; then
@ -451,6 +451,20 @@ hpkp() {
}
#FIXME: once checkcert.sh is here: fingerprints!
# arg1: number
emphasize_numbers_in_headers(){
local number=""
local letter=""
# that works with #red=$(tput setaf 1) / off=$(tput sgr0)
# see http://www.grymoire.com/Unix/Sed.html#uh-3
#outln "$1" | sed "s/[0-9]*/$red&$off/g"
# sed "s/\([0-9]\)/$red\1$off/g"
outln "$1"
}
serverbanner() {
bold " Server "
if [ ! -s $HEADERFILE ] ; then
@ -462,7 +476,7 @@ serverbanner() {
if [ x"$serverbanner" == "x\n" -o x"$serverbanner" == "x\n\r" -o x"$serverbanner" == "x" ]; then
outln "banner exists but empty string"
else
outln "$serverbanner"
emphasize_numbers_in_headers "$serverbanner"
fi
else
outln "no HTTP header, interesting!"
@ -481,7 +495,8 @@ applicationbanner() {
egrep -ai '^X-Powered-By|^X-AspNet-Version|^X-Runtime|^X-Version' $HEADERFILE >$TMPFILE
if [ $? -eq 0 ]; then
#cat $TMPFILE | sed 's/^.*:/:/' | sed -e :a -e '$!N;s/\n:/ \n\ +/;ta' -e 'P;D' | sed 's/://g'
sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' '
sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ' | sed "s/\([0-9]\)/$red\1$off/g"
emphasize_numbers_in_headers "$(sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ')"
outln
#i=0
#cat $TMPFILE | sed 's/^/ /' | while read line; do
@ -1200,7 +1215,8 @@ pfs() {
if [ $ret -ne 0 ] || [ `grep -c "BEGIN CERTIFICATE" $TMPFILE` -eq 0 ]; then
brown "No PFS available"
else
litegreen "PFS seems generally available. Now testing specific ciphers ..."; outln "\n"
litegreenln "PFS seems generally available. Now testing specific ciphers ...";
outln "(it depends on the browser/client whether one of them will be used)\n"
noone=0
neat_header
$OPENSSL ciphers -V "$PFSOK" | while read hexcode n ciph sslvers kx auth enc mac; do
@ -1224,21 +1240,20 @@ pfs() {
done
outln
if [ "$noone" -eq 0 ] ; then
out "Please note: detected PFS ciphers don't necessarily mean any client/browser will use them"
ret=0
else
magenta "no PFS ciphers found"
ret=1
fi
outln
fi
tmpfile_handle $FUNCNAME.txt
return $ret
#FIXME: setopt or something different
}
rc4() {
shopt -s lastpipe # otherwise it's more tricky to access variables in a while loop
# shopt -s lastpipe # otherwise it's more tricky to access variables in a while loop
outln
blue "--> Checking RC4 Ciphers" ; outln
$OPENSSL ciphers -V 'RC4:@STRENGTH' >$TMPFILE
@ -1246,7 +1261,7 @@ rc4() {
$OPENSSL s_client -cipher `$OPENSSL ciphers RC4` $STARTTLS -connect $NODEIP:$PORT $SNI &>/dev/null </dev/null
if [ $? -eq 0 ]; then
literedln "\nRC4 is broken. It seems generally available. Now testing specific ciphers...";
outln "(for legacy support (e.g. IE6) rather consider x13 or x0a)\n"
outln "(for legacy support e.g. IE6 rather consider x13 or x0a)\n"
bad=1
neat_header
cat $TMPFILE | while read hexcode n ciph sslvers kx auth enc mac; do
@ -1278,7 +1293,7 @@ rc4() {
bad=0
fi
shopt -u lastpipe # othwise for some reason it segfaults
# shopt -u lastpipe # othwise for some reason it segfaults
# FIXME: still segfaults: see https://www.mail-archive.com/bug-bash@gnu.org/msg14428.html |
# maybe use @PIPESTATUS as a workaround
tmpfile_handle $FUNCNAME.txt
@ -1469,7 +1484,7 @@ ccs_injection(){
}
heartbleed(){
bold " Heartbleed\c"; out " (CVE-2014-0160), experimental "
bold " Heartbleed\c"; out " (CVE-2014-0160) "
# mainly adapted from https://gist.github.com/takeshixx/10107280
# determine TLS versions available:
@ -1820,6 +1835,7 @@ starttls() {
protocol=`echo "$1" | sed 's/s$//'` # strip trailing s in ftp(s), smtp(s), pop3(s), imap(s)
case "$1" in
ftp|smtp|pop3|imap|xmpp|telnet)
outln " Trying STARTTLS via $(echo $protocol| tr '[a-z]' '[A-Z]')\n"
$OPENSSL s_client -connect $NODEIP:$PORT $SNI -starttls $protocol </dev/null >$TMPFILE 2>&1
ret=$?
if [ $ret -ne 0 ]; then
@ -1845,12 +1861,12 @@ starttls() {
poodle ; ret=`expr $? + $ret`
beast ; ret=`expr $? + $ret`
rc4 ; ret=`expr $? + $ret`
pfs ; ret=`expr $? + $ret`
outln
#cipher_per_proto ; ret=`expr $? + $ret`
allciphers ; ret=`expr $? + $ret`
rc4 ; ret=`expr $? + $ret`
pfs ; ret=`expr $? + $ret`
fi
;;
*) litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet allowed" >&2
@ -2101,7 +2117,7 @@ parse_hn_port() {
datebanner "Testing"
runs_HTTP
[[ -z "$2" ]] && runs_HTTP # for starttl all is clear
#[ "$PORT" != 443 ] && bold "A non standard port or testing no web servers might show lame reponses (then just wait)\n"
initialize_engine
@ -2350,16 +2366,6 @@ case "$1" in
server_preference ; ret=`expr $? + $ret`
server_defaults ; ret=`expr $? + $ret`
outln; blue "--> Testing specific vulnerabilities"
outln "\n"
heartbleed ; ret=`expr $? + $ret`
ccs_injection ; ret=`expr $? + $ret`
renego ; ret=`expr $? + $ret`
crime ; ret=`expr $? + $ret`
[[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=`expr $? + $ret`
poodle ; ret=`expr $? + $ret`
beast ; ret=`expr $? + $ret`
if [[ $SERVICE == "HTTP" ]]; then
outln; blue "--> Testing HTTP Header response"
outln "\n"
@ -2370,11 +2376,21 @@ case "$1" in
cookieflags "$URL_PATH" ; ret=`expr $? + $ret`
fi
outln; blue "--> Testing specific vulnerabilities"
outln "\n"
heartbleed ; ret=`expr $? + $ret`
ccs_injection ; ret=`expr $? + $ret`
renego ; ret=`expr $? + $ret`
crime ; ret=`expr $? + $ret`
[[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=`expr $? + $ret`
poodle ; ret=`expr $? + $ret`
beast ; ret=`expr $? + $ret`
rc4 ; ret=`expr $? + $ret`
pfs ; ret=`expr $? + $ret`
exit $ret ;;
esac
# $Id: testssl.sh,v 1.170 2015/01/21 11:52:59 dirkw Exp $
# $Id: testssl.sh,v 1.171 2015/01/23 11:01:31 dirkw Exp $
# vim:ts=5:sw=5