Merge branch 'master' of https://github.com/drwetter/testssl.sh into severity
commit
baff869850
17
CREDITS.md
17
CREDITS.md
@ -7,7 +7,7 @@
|
|||||||
- openssl sources support with the "missing" features
|
- openssl sources support with the "missing" features
|
||||||
|
|
||||||
* John Newbigin
|
* John Newbigin
|
||||||
- Proxy support
|
- Proxy support (sockets and openssl)
|
||||||
|
|
||||||
* Jonathan Roach
|
* Jonathan Roach
|
||||||
- TLS_FALLBACK_SCSV checks
|
- TLS_FALLBACK_SCSV checks
|
||||||
@ -17,12 +17,13 @@
|
|||||||
- Shellcheck static analysis
|
- Shellcheck static analysis
|
||||||
|
|
||||||
* Frank Breedijk
|
* Frank Breedijk
|
||||||
- Detection of insecure redirect
|
- Detection of insecure redirects
|
||||||
- client simulation
|
- JSON and CSV output
|
||||||
|
- Client simulations
|
||||||
|
|
||||||
* dcooper16
|
* dcooper16
|
||||||
- Detection + output of multiple certificates
|
- Detection + output of multiple certificates
|
||||||
- cleanups of server certificate related stuff
|
- several cleanups of server certificate related stuff
|
||||||
|
|
||||||
* Jean Marsault
|
* Jean Marsault
|
||||||
- client auth: ideas, code snipplets
|
- client auth: ideas, code snipplets
|
||||||
@ -61,6 +62,10 @@
|
|||||||
* Viktor Szépe
|
* Viktor Szépe
|
||||||
- color function maker
|
- color function maker
|
||||||
|
|
||||||
|
* Thomas Martens
|
||||||
|
- colorblind
|
||||||
|
- no-rfc mapping
|
||||||
|
|
||||||
* Jonathon Rossi
|
* Jonathon Rossi
|
||||||
- fix for bash3 (Darwin)
|
- fix for bash3 (Darwin)
|
||||||
- and other Darwin fixes
|
- and other Darwin fixes
|
||||||
@ -75,10 +80,6 @@
|
|||||||
* Dmitri S
|
* Dmitri S
|
||||||
- inspiration & help for Darwin port
|
- inspiration & help for Darwin port
|
||||||
|
|
||||||
* Frank Breedijk
|
|
||||||
- JSON and CSV output
|
|
||||||
- Client simulations
|
|
||||||
|
|
||||||
* Bug reports:
|
* Bug reports:
|
||||||
- Viktor Szépe, Olivier Paroz, Jan H. Terstegge, Lorenz Adena, Jonathon Rossi, Stefan Stidl, Frank Breedijk
|
- Viktor Szépe, Olivier Paroz, Jan H. Terstegge, Lorenz Adena, Jonathon Rossi, Stefan Stidl, Frank Breedijk
|
||||||
|
|
||||||
|
@ -41,7 +41,9 @@ Done so far:
|
|||||||
* Logging to JSON + CSV
|
* Logging to JSON + CSV
|
||||||
* check for multiple server certificates
|
* check for multiple server certificates
|
||||||
* browser cipher simulation
|
* browser cipher simulation
|
||||||
|
* assistance for color-blind users
|
||||||
* Even more compatibilty improvements for FreeBSD, RH-ish and F5 systems
|
* Even more compatibilty improvements for FreeBSD, RH-ish and F5 systems
|
||||||
|
* OpenSSL 1.1.0 compliant
|
||||||
|
|
||||||
Contributions, feedback, also bug reports are welcome! For contributions please note: One patch per feature -- bug fix/improvement. Please test your changes thouroughly as reliability is important for this project.
|
Contributions, feedback, also bug reports are welcome! For contributions please note: One patch per feature -- bug fix/improvement. Please test your changes thouroughly as reliability is important for this project.
|
||||||
|
|
||||||
|
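--- a/etc/curves.txt
+++ b/etc/curves.txt
@@ -0,0 +1,31 @@
+# Value, IANA name,
+1, sect163k1, K-163
+2, sect163r1,
+3, sect163r2, B-163
+4, sect193r1,
+5, sect193r2,
+6, sect233k1, K-233
+7, sect233r1, B-233
+8, sect239k1,
+9, sect283k1, K-283
+10, sect283r1, B-283
+11, sect409k1, K-409
+12, sect409r1, B-409
+13, sect571k1, K-571
+14, sect571r1, B-571
+15, secp160k1,
+16, secp160r1,
+17, secp160r2,
+18, secp192k1,
+19, secp192r1, P-192
+20, secp224k1,
+21, secp224r1, P-224
+22, secp256k1,
+23, secp256r1, P-256
+24, secp384r1, P-384
+25, secp521r1, P-521
+26, brainpoolP256r1,
+27, brainpoolP384r1,
+28, brainpoolP512r1,
+unknown, curve448,
+unknown, curve25519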
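Review bot: The last two rows put `unknown` in the value column, and the final row `unknown, curve25519` has two fields where every other row has three (compare `unknown, curve448,`), so anything that splits on commas or keys on the numeric value will handle these rows differently from the rest. The header `# Value, IANA name,` also leaves the third column unnamed, although its entries (K-163, P-256, …) look like NIST names. Suggest `# Value, IANA name, NIST name`, a trailing comma on the curve25519 row, and replacing `unknown` with the registry values once they are confirmed against the IANA TLS parameters page.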
@ -340,6 +340,6 @@ xCC13 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
|||||||
xCC14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
xCC14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||||
xCC15 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
xCC15 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||||
xFEFE SSL_RSA_FIPS_WITH_DES_CBC_SHA
|
xFEFE SSL_RSA_FIPS_WITH_DES_CBC_SHA
|
||||||
xFEFE SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
xFEFF SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
||||||
xFFE0 SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
xFFE0 SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
||||||
xFFE1 SSL_RSA_FIPS_WITH_DES_CBC_SHA
|
xFFE1 SSL_RSA_FIPS_WITH_DES_CBC_SHA
|
||||||
|
@ -14,6 +14,16 @@ td { border:1px solid #999; }
|
|||||||
|
|
||||||
<body>
|
<body>
|
||||||
<br>
|
<br>
|
||||||
|
<!-- see
|
||||||
|
ssl/ssl2.h
|
||||||
|
ssl/ssl3.h
|
||||||
|
ssl/tls1.h
|
||||||
|
ssl/t1_trce.c
|
||||||
|
|
||||||
|
https://github.com/boundary/wireshark/blob/master/epan/dissectors/packet-ssl-utils.c
|
||||||
|
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
|
||||||
|
-->
|
||||||
|
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<col width="8%" />
|
<col width="8%" />
|
||||||
@ -26,6 +36,7 @@ td { border:1px solid #999; }
|
|||||||
<tr><th>Cipher Suite</th><th> Name (OpenSSL)</th><th> KeyExch. </th><th> Encryption </th><th> Bits </th><th>Cipher Suite Name (RFC)</th></tr>
|
<tr><th>Cipher Suite</th><th> Name (OpenSSL)</th><th> KeyExch. </th><th> Encryption </th><th> Bits </th><th>Cipher Suite Name (RFC)</th></tr>
|
||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
|
<!-- RFC 2246, RFC 4346, RFC 5246 -->
|
||||||
<tr><td> [0x00]</td><td> NULL-MD5 </td><td> RSA(512) </td><td> None </td><td> None, export </td><td> TLS_NULL_WITH_NULL_NULL </td></tr>
|
<tr><td> [0x00]</td><td> NULL-MD5 </td><td> RSA(512) </td><td> None </td><td> None, export </td><td> TLS_NULL_WITH_NULL_NULL </td></tr>
|
||||||
<tr><td> [0x01]</td><td> NULL-MD5 </td><td> RSA </td><td> None </td><td> None </td><td> TLS_RSA_WITH_NULL_MD5 </td></tr>
|
<tr><td> [0x01]</td><td> NULL-MD5 </td><td> RSA </td><td> None </td><td> None </td><td> TLS_RSA_WITH_NULL_MD5 </td></tr>
|
||||||
<tr><td> [0x02]</td><td> NULL-SHA </td><td> RSA </td><td> None </td><td> None </td><td> TLS_RSA_WITH_NULL_SHA </td></tr>
|
<tr><td> [0x02]</td><td> NULL-SHA </td><td> RSA </td><td> None </td><td> None </td><td> TLS_RSA_WITH_NULL_SHA </td></tr>
|
||||||
@ -54,9 +65,13 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0x19]</td><td> EXP-ADH-DES-CBC-SHA </td><td> DH(512) </td><td> DES </td><td> 40, export </td><td> TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA </td></tr>
|
<tr><td> [0x19]</td><td> EXP-ADH-DES-CBC-SHA </td><td> DH(512) </td><td> DES </td><td> 40, export </td><td> TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x1a]</td><td> ADH-DES-CBC-SHA </td><td> DH </td><td> DES </td><td> 56 </td><td> TLS_DH_anon_WITH_DES_CBC_SHA </td></tr>
|
<tr><td> [0x1a]</td><td> ADH-DES-CBC-SHA </td><td> DH </td><td> DES </td><td> 56 </td><td> TLS_DH_anon_WITH_DES_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x1b]</td><td> ADH-DES-CBC3-SHA </td><td> DH </td><td> 3DES </td><td> 168 </td><td> TLS_DH_anon_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0x1b]</td><td> ADH-DES-CBC3-SHA </td><td> DH </td><td> 3DES </td><td> 168 </td><td> TLS_DH_anon_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
|
|
||||||
|
<!-- FORTEZZA, 1E can be disregarded -->
|
||||||
<tr><td> [0x1c]</td><td> </td><td> FORTEZZA </td><td> None </td><td> None </td><td> SSL_FORTEZZA_KEA_WITH_NULL_SHA </td></tr>
|
<tr><td> [0x1c]</td><td> </td><td> FORTEZZA </td><td> None </td><td> None </td><td> SSL_FORTEZZA_KEA_WITH_NULL_SHA </td></tr>
|
||||||
<tr><td> [0x1d]</td><td> </td><td> FORTEZZA </td><td>FORTEZZA_CBC</td><td> 80 </td><td> SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA </td></tr>
|
<tr><td> [0x1d]</td><td> </td><td> FORTEZZA </td><td>FORTEZZA_CBC</td><td> 80 </td><td> SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x1e]</td><td> </td><td> FORTEZZA </td><td>FORTEZZA_RC4</td><td> 128 </td><td> SSL_FORTEZZA_KEA_WITH_RC4_128_SHA </td></tr>
|
<tr><td> [0x1e]</td><td> </td><td> FORTEZZA </td><td>FORTEZZA_RC4</td><td> 128 </td><td> SSL_FORTEZZA_KEA_WITH_RC4_128_SHA </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 2712 -->
|
||||||
<tr><td> [0x1e]</td><td> KRB5-DES-CBC-SHA </td><td> KRB5 </td><td> DES </td><td> 56 </td><td> TLS_KRB5_WITH_DES_CBC_SHA </td></tr>
|
<tr><td> [0x1e]</td><td> KRB5-DES-CBC-SHA </td><td> KRB5 </td><td> DES </td><td> 56 </td><td> TLS_KRB5_WITH_DES_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x1f]</td><td> KRB5-DES-CBC3-SHA </td><td> KRB5 </td><td> 3DES </td><td> 168 </td><td> TLS_KRB5_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0x1f]</td><td> KRB5-DES-CBC3-SHA </td><td> KRB5 </td><td> 3DES </td><td> 168 </td><td> TLS_KRB5_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x20]</td><td> KRB5-RC4-SHA </td><td> KRB5 </td><td> RC4 </td><td> 128 </td><td> TLS_KRB5_WITH_RC4_128_SHA </td></tr>
|
<tr><td> [0x20]</td><td> KRB5-RC4-SHA </td><td> KRB5 </td><td> RC4 </td><td> 128 </td><td> TLS_KRB5_WITH_RC4_128_SHA </td></tr>
|
||||||
@ -71,6 +86,13 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0x29]</td><td> EXP-KRB5-DES-CBC-MD5 </td><td> KRB5 </td><td> DES </td><td> 40, export </td><td> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 </td></tr>
|
<tr><td> [0x29]</td><td> EXP-KRB5-DES-CBC-MD5 </td><td> KRB5 </td><td> DES </td><td> 40, export </td><td> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 </td></tr>
|
||||||
<tr><td> [0x2a]</td><td> EXP-KRB5-RC2-CBC-MD5 </td><td> KRB5 </td><td> RC2 </td><td> 40, export </td><td> TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 </td></tr>
|
<tr><td> [0x2a]</td><td> EXP-KRB5-RC2-CBC-MD5 </td><td> KRB5 </td><td> RC2 </td><td> 40, export </td><td> TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 </td></tr>
|
||||||
<tr><td> [0x2b]</td><td> EXP-KRB5-RC4-MD5 </td><td> KRB5 </td><td> RC4 </td><td> 40, export </td><td> TLS_KRB5_EXPORT_WITH_RC4_40_MD5 </td></tr>
|
<tr><td> [0x2b]</td><td> EXP-KRB5-RC4-MD5 </td><td> KRB5 </td><td> RC4 </td><td> 40, export </td><td> TLS_KRB5_EXPORT_WITH_RC4_40_MD5 </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 4785 -->
|
||||||
|
<tr><td> [0x2c]</td><td> EXP-KRB5-RC4-MD5 </td><td> PSK </td><td> None </td><td> None </td><td> TLS_PSK_WITH_NULL_SHA </td></tr>
|
||||||
|
<tr><td> [0x2d]</td><td> EXP-KRB5-RC4-MD5 </td><td> DH/PSK </td><td> None </td><td> None </td><td> TLS_DHE_PSK_WITH_NULL_SHA </td></tr>
|
||||||
|
<tr><td> [0x2e]</td><td> EXP-KRB5-RC4-MD5 </td><td> RSA/PSK </td><td> None </td><td> None </td><td> TLS_RSA_PSK_WITH_NULL_SHA </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 5246 -->
|
||||||
<tr><td> [0x2f]</td><td> AES128-SHA </td><td> RSA </td><td> AES </td><td> 128 </td><td> TLS_RSA_WITH_AES_128_CBC_SHA </td></tr>
|
<tr><td> [0x2f]</td><td> AES128-SHA </td><td> RSA </td><td> AES </td><td> 128 </td><td> TLS_RSA_WITH_AES_128_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x30]</td><td> DH-DSS-AES128-SHA </td><td> DH/DSS </td><td> AES </td><td> 128 </td><td> TLS_DH_DSS_WITH_AES_128_CBC_SHA </td></tr>
|
<tr><td> [0x30]</td><td> DH-DSS-AES128-SHA </td><td> DH/DSS </td><td> AES </td><td> 128 </td><td> TLS_DH_DSS_WITH_AES_128_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x31]</td><td> DH-RSA-AES128-SHA </td><td> DH/RSA </td><td> AES </td><td> 128 </td><td> TLS_DH_RSA_WITH_AES_128_CBC_SHA </td></tr>
|
<tr><td> [0x31]</td><td> DH-RSA-AES128-SHA </td><td> DH/RSA </td><td> AES </td><td> 128 </td><td> TLS_DH_RSA_WITH_AES_128_CBC_SHA </td></tr>
|
||||||
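Review bot: The three rows added under `<!-- RFC 4785 -->` ([0x2c], [0x2d], [0x2e]) carry the OpenSSL name `EXP-KRB5-RC4-MD5`, which looks copied from the [0x2b] row above and does not match their RFC names (`TLS_PSK_WITH_NULL_SHA`, `TLS_DHE_PSK_WITH_NULL_SHA`, `TLS_RSA_PSK_WITH_NULL_SHA`). Anyone matching scan output against this table by OpenSSL name would confuse an export Kerberos suite with a NULL-encryption PSK suite. Either leave the name cell empty, as the PSK/DHE rows further down the table do, or use the names OpenSSL 1.1.0 gives these suites: `PSK-NULL-SHA`, `DHE-PSK-NULL-SHA`, `RSA-PSK-NULL-SHA`.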
@ -89,6 +111,8 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0x3e]</td><td> DH-DSS-AES128-SHA256 </td><td> DH/DSS </td><td> AES </td><td> 128 </td><td> TLS_DH_DSS_WITH_AES_128_CBC_SHA256 </td></tr>
|
<tr><td> [0x3e]</td><td> DH-DSS-AES128-SHA256 </td><td> DH/DSS </td><td> AES </td><td> 128 </td><td> TLS_DH_DSS_WITH_AES_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0x3f]</td><td> DH-RSA-AES128-SHA256 </td><td> DH/RSA </td><td> AES </td><td> 128 </td><td> TLS_DH_RSA_WITH_AES_128_CBC_SHA256 </td></tr>
|
<tr><td> [0x3f]</td><td> DH-RSA-AES128-SHA256 </td><td> DH/RSA </td><td> AES </td><td> 128 </td><td> TLS_DH_RSA_WITH_AES_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0x40]</td><td> DHE-DSS-AES128-SHA256 </td><td> DH </td><td> AES </td><td> 128 </td><td> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 </td></tr>
|
<tr><td> [0x40]</td><td> DHE-DSS-AES128-SHA256 </td><td> DH </td><td> AES </td><td> 128 </td><td> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 4132 -->
|
||||||
<tr><td> [0x41]</td><td> CAMELLIA128-SHA </td><td> RSA </td><td> Camellia</td><td> 128 </td><td> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
<tr><td> [0x41]</td><td> CAMELLIA128-SHA </td><td> RSA </td><td> Camellia</td><td> 128 </td><td> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x42]</td><td> DH-DSS-CAMELLIA128-SHA </td><td> DH/DSS </td><td> Camellia</td><td> 128 </td><td> TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
<tr><td> [0x42]</td><td> DH-DSS-CAMELLIA128-SHA </td><td> DH/DSS </td><td> Camellia</td><td> 128 </td><td> TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x43]</td><td> DH-RSA-CAMELLIA128-SHA </td><td> DH/RSA </td><td> Camellia</td><td> 128 </td><td> TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
<tr><td> [0x43]</td><td> DH-RSA-CAMELLIA128-SHA </td><td> DH/RSA </td><td> Camellia</td><td> 128 </td><td> TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
||||||
@ -96,7 +120,8 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0x45]</td><td> DHE-RSA-CAMELLIA128-SHA </td><td> DH </td><td> Camellia</td><td> 128 </td><td> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
<tr><td> [0x45]</td><td> DHE-RSA-CAMELLIA128-SHA </td><td> DH </td><td> Camellia</td><td> 128 </td><td> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x46]</td><td> ADH-CAMELLIA128-SHA </td><td> DH </td><td> Camellia</td><td> 128 </td><td> TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
<tr><td> [0x46]</td><td> ADH-CAMELLIA128-SHA </td><td> DH </td><td> Camellia</td><td> 128 </td><td> TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA </td></tr>
|
||||||
|
|
||||||
|
<tr><td> [0x60]</td><td> EXP1024-RC4-MD5 </td><td> RSA(1024)</td><td> RC4 </td><td> 56, export </td><td> TLS_RSA_EXPORT1024_WITH_RC4_56_MD5</td></tr>
|
||||||
|
<tr><td> [0x61]</td><td> EXP1024-RC2-CBC-MD5 </td><td> RSA(1024)</td><td> RC2 </td><td> 56, export </td><td> TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5</td></tr>
|
||||||
<tr><td> [0x62]</td><td> EXP1024-DES-CBC-SHA </td><td> RSA(1024)</td><td> DES </td><td> 56, export </td><td> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA</td></tr>
|
<tr><td> [0x62]</td><td> EXP1024-DES-CBC-SHA </td><td> RSA(1024)</td><td> DES </td><td> 56, export </td><td> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA</td></tr>
|
||||||
<tr><td> [0x63]</td><td> EXP1024-DHE-DSS-DES-CBC-SHA </td><td> DH(1024) </td><td> DES </td><td> 56, export </td><td> TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA</td></tr>
|
<tr><td> [0x63]</td><td> EXP1024-DHE-DSS-DES-CBC-SHA </td><td> DH(1024) </td><td> DES </td><td> 56, export </td><td> TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA</td></tr>
|
||||||
<tr><td> [0x64]</td><td> EXP1024-RC4-SHA </td><td> RSA(1024)</td><td> RC4 </td><td> 56, export </td><td> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA</td></tr>
|
<tr><td> [0x64]</td><td> EXP1024-RC4-SHA </td><td> RSA(1024)</td><td> RC4 </td><td> 56, export </td><td> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA</td></tr>
|
||||||
@ -109,21 +134,26 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0x6b]</td><td> DHE-RSA-AES256-SHA256 </td><td> DH </td><td> AES </td><td> 256 </td><td> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 </td></tr>
|
<tr><td> [0x6b]</td><td> DHE-RSA-AES256-SHA256 </td><td> DH </td><td> AES </td><td> 256 </td><td> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0x6c]</td><td> ADH-AES128-SHA256 </td><td> DH </td><td> AES </td><td> 128 </td><td> TLS_DH_anon_WITH_AES_128_CBC_SHA256 </td></tr>
|
<tr><td> [0x6c]</td><td> ADH-AES128-SHA256 </td><td> DH </td><td> AES </td><td> 128 </td><td> TLS_DH_anon_WITH_AES_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0x6d]</td><td> ADH-AES256-SHA256 </td><td> DH </td><td> AES </td><td> 256 </td><td> TLS_DH_anon_WITH_AES_256_CBC_SHA256 </td></tr>
|
<tr><td> [0x6d]</td><td> ADH-AES256-SHA256 </td><td> DH </td><td> AES </td><td> 256 </td><td> TLS_DH_anon_WITH_AES_256_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0x80]</td><td> GOST94-GOST89-GOST89 </td><td> GOST </td><td> GOST89 </td><td> 256 </td><td> TLS_GOSTR341094_WITH_28147_CNT_IMIT </td></tr>
|
|
||||||
<tr><td> [0x81]</td><td> GOST2001-GOST89-GOST89 </td><td> GOST </td><td> GOST89 </td><td> 256 </td><td> TLS_GOSTR341001_WITH_28147_CNT_IMIT</td></tr>
|
<!-- ГОСТ | draft-chudov-cryptopro-cptls-04.txt (expired), RFC 4357 -->
|
||||||
<tr><td> [0x82]</td><td> GOST94-NULL-GOST94 </td><td> GOST </td><td> eNULL </td><td> None </td><td> TLS_GOSTR341001_WITH_NULL_GOSTR3411</td></tr>
|
<tr><td> [0x80]</td><td> GOST94-GOST89-GOST89 </td><td> VKO GOST 34.10-94 </td><td> GOST89 </td><td> 256 </td><td> TLS_GOSTR341094_WITH_28147_CNT_IMIT </td></tr>
|
||||||
<tr><td> [0x83]</td><td> GOST2001-GOST89-GOST89 </td><td> GOST </td><td> eNULL </td><td> None </td><td> TLS_GOSTR341094_WITH_NULL_GOSTR3411</td></tr>
|
<tr><td> [0x81]</td><td> GOST2001-GOST89-GOST89 </td><td> VKO GOST 34.10-2001 </td><td> GOST89 </td><td> 256 </td><td> TLS_GOSTR341001_WITH_28147_CNT_IMIT</td></tr>
|
||||||
|
<tr><td> [0x82]</td><td> GOST94-NULL-GOST94 </td><td> VKO GOST 34.10-94 </td><td> eNULL </td><td> None </td><td> TLS_GOSTR341001_WITH_NULL_GOSTR3411</td></tr>
|
||||||
|
<tr><td> [0x83]</td><td> GOST2001-GOST89-GOST89 </td><td> VKO GOST 34.10-2001 </td><td> eNULL </td><td> None </td><td> TLS_GOSTR341094_WITH_NULL_GOSTR3411</td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 4132 -->
|
||||||
<tr><td> [0x84]</td><td> CAMELLIA256-SHA </td><td> RSA </td><td> Camellia</td><td> 256 </td><td> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
<tr><td> [0x84]</td><td> CAMELLIA256-SHA </td><td> RSA </td><td> Camellia</td><td> 256 </td><td> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x85]</td><td> DH-DSS-CAMELLIA256-SHA </td><td> DH/DSS </td><td> Camellia</td><td> 256 </td><td> TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
<tr><td> [0x85]</td><td> DH-DSS-CAMELLIA256-SHA </td><td> DH/DSS </td><td> Camellia</td><td> 256 </td><td> TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x86]</td><td> DH-RSA-CAMELLIA256-SHA </td><td> DH/RSA </td><td> Camellia</td><td> 256 </td><td> TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
<tr><td> [0x86]</td><td> DH-RSA-CAMELLIA256-SHA </td><td> DH/RSA </td><td> Camellia</td><td> 256 </td><td> TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x87]</td><td> DHE-DSS-CAMELLIA256-SHA </td><td> DH </td><td> Camellia</td><td> 256 </td><td> TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
<tr><td> [0x87]</td><td> DHE-DSS-CAMELLIA256-SHA </td><td> DH </td><td> Camellia</td><td> 256 </td><td> TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x88]</td><td> DHE-RSA-CAMELLIA256-SHA </td><td> DH </td><td> Camellia</td><td> 256 </td><td> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
<tr><td> [0x88]</td><td> DHE-RSA-CAMELLIA256-SHA </td><td> DH </td><td> Camellia</td><td> 256 </td><td> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x89]</td><td> ADH-CAMELLIA256-SHA </td><td> DH </td><td> Camellia</td><td> 256 </td><td> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
<tr><td> [0x89]</td><td> ADH-CAMELLIA256-SHA </td><td> DH </td><td> Camellia</td><td> 256 </td><td> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 4279, PSK -->
|
||||||
<tr><td> [0x8a]</td><td> PSK-RC4-SHA </td><td> PSK </td><td> RC4 </td><td> 128 </td><td> TLS_PSK_WITH_RC4_128_SHA </td></tr>
|
<tr><td> [0x8a]</td><td> PSK-RC4-SHA </td><td> PSK </td><td> RC4 </td><td> 128 </td><td> TLS_PSK_WITH_RC4_128_SHA </td></tr>
|
||||||
<tr><td> [0x8b]</td><td> PSK-3DES-EDE-CBC-SHA </td><td> PSK </td><td> 3DES </td><td> 168 </td><td> TLS_PSK_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0x8b]</td><td> PSK-3DES-EDE-CBC-SHA </td><td> PSK </td><td> 3DES </td><td> 168 </td><td> TLS_PSK_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x8c]</td><td> PSK-AES128-CBC-SHA </td><td> PSK </td><td> AES </td><td> 128 </td><td> TLS_PSK_WITH_AES_128_CBC_SHA </td></tr>
|
<tr><td> [0x8c]</td><td> PSK-AES128-CBC-SHA </td><td> PSK </td><td> AES </td><td> 128 </td><td> TLS_PSK_WITH_AES_128_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x8d]</td><td> PSK-AES256-CBC-SHA </td><td> PSK </td><td> AES </td><td> 256 </td><td> TLS_PSK_WITH_AES_256_CBC_SHA </td></tr>
|
<tr><td> [0x8d]</td><td> PSK-AES256-CBC-SHA </td><td> PSK </td><td> AES </td><td> 256 </td><td> TLS_PSK_WITH_AES_256_CBC_SHA </td></tr>
|
||||||
|
|
||||||
<tr><td> [0x8e]</td><td> </td><td> PSK/DHE </td><td> RC4 </td><td> 128 </td><td> TLS_DHE_PSK_WITH_RC4_128_SHA </td></tr>
|
<tr><td> [0x8e]</td><td> </td><td> PSK/DHE </td><td> RC4 </td><td> 128 </td><td> TLS_DHE_PSK_WITH_RC4_128_SHA </td></tr>
|
||||||
<tr><td> [0x8f]</td><td> </td><td> PSK/DHE </td><td> 3DES </td><td> 168 </td><td> TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0x8f]</td><td> </td><td> PSK/DHE </td><td> 3DES </td><td> 168 </td><td> TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x90]</td><td> </td><td> PSK/DHE </td><td> AES </td><td> 128 </td><td> TLS_DHE_PSK_WITH_AES_128_CBC_SHA </td></tr>
|
<tr><td> [0x90]</td><td> </td><td> PSK/DHE </td><td> AES </td><td> 128 </td><td> TLS_DHE_PSK_WITH_AES_128_CBC_SHA </td></tr>
|
||||||
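Review bot: In the GOST rows this hunk rewrites, the key-exchange column and the RFC name disagree for [0x82] and [0x83]: [0x82] is labelled `VKO GOST 34.10-94` but named `TLS_GOSTR341001_WITH_NULL_GOSTR3411`, and [0x83] is labelled `VKO GOST 34.10-2001` but named `TLS_GOSTR341094_WITH_NULL_GOSTR3411`. [0x83] also reuses the OpenSSL name `GOST2001-GOST89-GOST89` from [0x81] although its encryption column is `eNULL`. The RFC names of the two rows look swapped (compare [0x80]/[0x81], where 94 and 2001 line up), and the [0x83] name is presumably `GOST2001-NULL-GOST94`; this should be checked against the cited draft before the table is relied on for NULL-cipher findings.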
@ -133,12 +163,15 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0x94]</td><td> </td><td> PSK/RSA </td><td> AES </td><td> 128 </td><td> TLS_RSA_PSK_WITH_AES_128_CBC_SHA </td></tr>
|
<tr><td> [0x94]</td><td> </td><td> PSK/RSA </td><td> AES </td><td> 128 </td><td> TLS_RSA_PSK_WITH_AES_128_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x95]</td><td> </td><td> PSK/RSA </td><td> AES </td><td> 256 </td><td> TLS_RSA_PSK_WITH_AES_256_CBC_SHA </td></tr>
|
<tr><td> [0x95]</td><td> </td><td> PSK/RSA </td><td> AES </td><td> 256 </td><td> TLS_RSA_PSK_WITH_AES_256_CBC_SHA </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 4162, Korean SEED -->
|
||||||
<tr><td> [0x96]</td><td> SEED-SHA </td><td> RSA </td><td> SEED </td><td> 128 </td><td> TLS_RSA_WITH_SEED_CBC_SHA </td></tr>
|
<tr><td> [0x96]</td><td> SEED-SHA </td><td> RSA </td><td> SEED </td><td> 128 </td><td> TLS_RSA_WITH_SEED_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x97]</td><td> DH-DSS-SEED-SHA </td><td> DH/DSS </td><td> SEED </td><td> 128 </td><td> TLS_DH_DSS_WITH_SEED_CBC_SHA </td></tr>
|
<tr><td> [0x97]</td><td> DH-DSS-SEED-SHA </td><td> DH/DSS </td><td> SEED </td><td> 128 </td><td> TLS_DH_DSS_WITH_SEED_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x98]</td><td> DH-RSA-SEED-SHA </td><td> DH/RSA </td><td> SEED </td><td> 128 </td><td> TLS_DH_RSA_WITH_SEED_CBC_SHA </td></tr>
|
<tr><td> [0x98]</td><td> DH-RSA-SEED-SHA </td><td> DH/RSA </td><td> SEED </td><td> 128 </td><td> TLS_DH_RSA_WITH_SEED_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x99]</td><td> DHE-DSS-SEED-SHA </td><td> DH </td><td> SEED </td><td> 128 </td><td> TLS_DHE_DSS_WITH_SEED_CBC_SHA </td></tr>
|
<tr><td> [0x99]</td><td> DHE-DSS-SEED-SHA </td><td> DH </td><td> SEED </td><td> 128 </td><td> TLS_DHE_DSS_WITH_SEED_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x9a]</td><td> DHE-RSA-SEED-SHA </td><td> DH </td><td> SEED </td><td> 128 </td><td> TLS_DHE_RSA_WITH_SEED_CBC_SHA </td></tr>
|
<tr><td> [0x9a]</td><td> DHE-RSA-SEED-SHA </td><td> DH </td><td> SEED </td><td> 128 </td><td> TLS_DHE_RSA_WITH_SEED_CBC_SHA </td></tr>
|
||||||
<tr><td> [0x9b]</td><td> ADH-SEED-SHA </td><td> DH </td><td> SEED </td><td> 128 </td><td> TLS_DH_anon_WITH_SEED_CBC_SHA </td></tr>
|
<tr><td> [0x9b]</td><td> ADH-SEED-SHA </td><td> DH </td><td> SEED </td><td> 128 </td><td> TLS_DH_anon_WITH_SEED_CBC_SHA </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 5288 -->
|
||||||
<tr><td> [0x9c]</td><td> AES128-GCM-SHA256 </td><td> RSA </td><td> AESGCM </td><td> 128 </td><td> TLS_RSA_WITH_AES_128_GCM_SHA256 </td></tr>
|
<tr><td> [0x9c]</td><td> AES128-GCM-SHA256 </td><td> RSA </td><td> AESGCM </td><td> 128 </td><td> TLS_RSA_WITH_AES_128_GCM_SHA256 </td></tr>
|
||||||
<tr><td> [0x9d]</td><td> AES256-GCM-SHA384 </td><td> RSA </td><td> AESGCM </td><td> 256 </td><td> TLS_RSA_WITH_AES_256_GCM_SHA384 </td></tr>
|
<tr><td> [0x9d]</td><td> AES256-GCM-SHA384 </td><td> RSA </td><td> AESGCM </td><td> 256 </td><td> TLS_RSA_WITH_AES_256_GCM_SHA384 </td></tr>
|
||||||
<tr><td> [0x9e]</td><td> DHE-RSA-AES128-GCM-SHA256 </td><td> DH </td><td> AESGCM </td><td> 128 </td><td> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 </td></tr>
|
<tr><td> [0x9e]</td><td> DHE-RSA-AES128-GCM-SHA256 </td><td> DH </td><td> AESGCM </td><td> 128 </td><td> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 </td></tr>
|
||||||
@ -152,8 +185,47 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0xa6]</td><td> ADH-AES128-GCM-SHA256 </td><td> DH </td><td> AESGCM </td><td> 128 </td><td> TLS_DH_anon_WITH_AES_128_GCM_SHA256 </td></tr>
|
<tr><td> [0xa6]</td><td> ADH-AES128-GCM-SHA256 </td><td> DH </td><td> AESGCM </td><td> 128 </td><td> TLS_DH_anon_WITH_AES_128_GCM_SHA256 </td></tr>
|
||||||
<tr><td> [0xa7]</td><td> ADH-AES256-GCM-SHA384 </td><td> DH </td><td> AESGCM </td><td> 256 </td><td> TLS_DH_anon_WITH_AES_256_GCM_SHA384 </td></tr>
|
<tr><td> [0xa7]</td><td> ADH-AES256-GCM-SHA384 </td><td> DH </td><td> AESGCM </td><td> 256 </td><td> TLS_DH_anon_WITH_AES_256_GCM_SHA384 </td></tr>
|
||||||
|
|
||||||
<tr><td> [0x5600]</td><td> TLS_FALLBACK_SCSV </td><td> </td><td> </td><td> </td><td> TLS_FALLBACK_SCSV </td></tr>
|
<!-- RFC 5487 , PSK suites
|
||||||
|
|
||||||
|
missing: a8-b9, see https://github.com/boundary/wireshark/blob/master/epan/dissectors/packet-ssl-utils.c
|
||||||
|
|
||||||
|
<tr><td> [0x]</td><td> </td><td> DH </td><td> AESGCM </td><td> 256 </td><td> </td></tr>
|
||||||
|
|
||||||
|
xA8 TLS_PSK_WITH_AES_128_GCM_SHA256
|
||||||
|
xA9 TLS_PSK_WITH_AES_256_GCM_SHA384
|
||||||
|
xAA TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
|
||||||
|
xAB TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
|
||||||
|
xAC TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
|
||||||
|
xAD TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
|
||||||
|
xAE TLS_PSK_WITH_AES_128_CBC_SHA256
|
||||||
|
xAF TLS_PSK_WITH_AES_256_CBC_SHA384
|
||||||
|
xB0 TLS_PSK_WITH_NULL_SHA256
|
||||||
|
xB1 TLS_PSK_WITH_NULL_SHA384
|
||||||
|
xB2 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
|
||||||
|
xB3 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
|
||||||
|
xB4 TLS_DHE_PSK_WITH_NULL_SHA256
|
||||||
|
xB5 TLS_DHE_PSK_WITH_NULL_SHA384
|
||||||
|
xB6 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
|
||||||
|
xB7 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
|
||||||
|
xB8 TLS_RSA_PSK_WITH_NULL_SHA256
|
||||||
|
xB9 TLS_RSA_PSK_WITH_NULL_SHA384
|
||||||
|
|
||||||
|
|
||||||
|
-->
|
||||||
|
|
||||||
|
|
||||||
|
<!-- RFC 5932 -->
|
||||||
|
<tr><td> [0xba]</td><td> CAMELLIA128-SHA256 </td><td> RSA </td><td> Camellia </td><td> 128 </td><td> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
|
<tr><td> [0xbb]</td><td> DH-DSS-CAMELLIA128-SHA256 </td><td> DH/DSS </td><td> Camellia </td><td> 128 </td><td> TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
|
<tr><td> [0xbc]</td><td> DH-RSA-CAMELLIA128-SHA256 </td><td> DH/RSA </td><td> Camellia </td><td> 128 </td><td> TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
|
<tr><td> [0xbd]</td><td> DHE-DSS-CAMELLIA128-SHA256</td><td> DH </td><td> Camellia </td><td> 128 </td><td> TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
|
<tr><td> [0xbe]</td><td> DHE-RSA-CAMELLIA128-SHA256</td><td> DH </td><td> Camellia </td><td> 128 </td><td> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
|
<tr><td> [0xbf]</td><td> ADH-CAMELLIA128-SHA256 </td><td> DH </td><td> Camellia </td><td> 128 </td><td> TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
|
|
||||||
|
<!-- https://tools.ietf.org/html/rfc5746 -->
|
||||||
|
<tr><td> [0x5600]</td><td> TLS_FALLBACK_SCSV </td><td> </td><td> </td><td> </td><td> TLS_EMPTY_RENEGOTIATION_INFO_SCSV </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 4492 -->
|
||||||
<tr><td> [0xc001]</td><td> ECDH-ECDSA-NULL-SHA </td><td> ECDH/ECDSA</td><td> None </td><td> None </td><td> TLS_ECDH_ECDSA_WITH_NULL_SHA </td></tr>
|
<tr><td> [0xc001]</td><td> ECDH-ECDSA-NULL-SHA </td><td> ECDH/ECDSA</td><td> None </td><td> None </td><td> TLS_ECDH_ECDSA_WITH_NULL_SHA </td></tr>
|
||||||
<tr><td> [0xc002]</td><td> ECDH-ECDSA-RC4-SHA </td><td> ECDH/ECDSA</td><td> RC4 </td><td> 128 </td><td> TLS_ECDH_ECDSA_WITH_RC4_128_SHA </td></tr>
|
<tr><td> [0xc002]</td><td> ECDH-ECDSA-RC4-SHA </td><td> ECDH/ECDSA</td><td> RC4 </td><td> 128 </td><td> TLS_ECDH_ECDSA_WITH_RC4_128_SHA </td></tr>
|
||||||
<tr><td> [0xc003]</td><td> ECDH-ECDSA-DES-CBC3-SHA </td><td> ECDH/ECDSA</td><td> 3DES </td><td> 168 </td><td> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0xc003]</td><td> ECDH-ECDSA-DES-CBC3-SHA </td><td> ECDH/ECDSA</td><td> 3DES </td><td> 168 </td><td> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
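Review bot: The re-added `[0x5600]` row, placed under the `rfc5746` comment, now gives `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` as the RFC name while its OpenSSL column still says `TLS_FALLBACK_SCSV`; these are two different signalling suites. RFC 5746 assigns TLS_EMPTY_RENEGOTIATION_INFO_SCSV the value {0x00,0xFF}, and 0x5600 is TLS_FALLBACK_SCSV from RFC 7507, which the removed row had right. Keep `[0x5600]` with `TLS_FALLBACK_SCSV` in both columns under a `<!-- RFC 7507 -->` comment and add a separate `[0xff]` row whose RFC name is `TLS_EMPTY_RENEGOTIATION_INFO_SCSV`. Separately, the `<!-- RFC 5487 , PSK suites` block keeps a8–b9 as commented-out text, so those suites are still absent from the rendered table.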
@ -179,6 +251,8 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0xc017]</td><td> AECDH-DES-CBC3-SHA </td><td> ECDH </td><td> 3DES </td><td> 168 </td><td> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0xc017]</td><td> AECDH-DES-CBC3-SHA </td><td> ECDH </td><td> 3DES </td><td> 168 </td><td> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
<tr><td> [0xc018]</td><td> AECDH-AES128-SHA </td><td> ECDH </td><td> AES </td><td> 128 </td><td> TLS_ECDH_anon_WITH_AES_128_CBC_SHA </td></tr>
|
<tr><td> [0xc018]</td><td> AECDH-AES128-SHA </td><td> ECDH </td><td> AES </td><td> 128 </td><td> TLS_ECDH_anon_WITH_AES_128_CBC_SHA </td></tr>
|
||||||
<tr><td> [0xc019]</td><td> AECDH-AES256-SHA </td><td> ECDH </td><td> AES </td><td> 256 </td><td> TLS_ECDH_anon_WITH_AES_256_CBC_SHA </td></tr>
|
<tr><td> [0xc019]</td><td> AECDH-AES256-SHA </td><td> ECDH </td><td> AES </td><td> 256 </td><td> TLS_ECDH_anon_WITH_AES_256_CBC_SHA </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 5054 Secure Remote Password -->
|
||||||
<tr><td> [0xc01a]</td><td> SRP-3DES-EDE-CBC-SHA </td><td> SRP </td><td> 3DES </td><td> 168 </td><td> TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0xc01a]</td><td> SRP-3DES-EDE-CBC-SHA </td><td> SRP </td><td> 3DES </td><td> 168 </td><td> TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
<tr><td> [0xc01b]</td><td> SRP-RSA-3DES-EDE-CBC-SHA </td><td> SRP </td><td> 3DES </td><td> 168 </td><td> TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0xc01b]</td><td> SRP-RSA-3DES-EDE-CBC-SHA </td><td> SRP </td><td> 3DES </td><td> 168 </td><td> TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
<tr><td> [0xc01c]</td><td> SRP-DSS-3DES-EDE-CBC-SHA </td><td> SRP </td><td> 3DES </td><td> 168 </td><td> TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0xc01c]</td><td> SRP-DSS-3DES-EDE-CBC-SHA </td><td> SRP </td><td> 3DES </td><td> 168 </td><td> TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
@ -188,6 +262,8 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0xc020]</td><td> SRP-AES-256-CBC-SHA </td><td> SRP </td><td> AES </td><td> 256 </td><td> TLS_SRP_SHA_WITH_AES_256_CBC_SHA </td></tr>
|
<tr><td> [0xc020]</td><td> SRP-AES-256-CBC-SHA </td><td> SRP </td><td> AES </td><td> 256 </td><td> TLS_SRP_SHA_WITH_AES_256_CBC_SHA </td></tr>
|
||||||
<tr><td> [0xc021]</td><td> SRP-RSA-AES-256-CBC-SHA </td><td> SRP </td><td> AES </td><td> 256 </td><td> TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA </td></tr>
|
<tr><td> [0xc021]</td><td> SRP-RSA-AES-256-CBC-SHA </td><td> SRP </td><td> AES </td><td> 256 </td><td> TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA </td></tr>
|
||||||
<tr><td> [0xc022]</td><td> SRP-DSS-AES-256-CBC-SHA </td><td> SRP </td><td> AES </td><td> 256 </td><td> TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA </td></tr>
|
<tr><td> [0xc022]</td><td> SRP-DSS-AES-256-CBC-SHA </td><td> SRP </td><td> AES </td><td> 256 </td><td> TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 5589 -->
|
||||||
<tr><td> [0xc023]</td><td> ECDHE-ECDSA-AES128-SHA256 </td><td> ECDH </td><td> AES </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc023]</td><td> ECDHE-ECDSA-AES128-SHA256 </td><td> ECDH </td><td> AES </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0xc024]</td><td> ECDHE-ECDSA-AES256-SHA384 </td><td> ECDH </td><td> AES </td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 </td></tr>
|
<tr><td> [0xc024]</td><td> ECDHE-ECDSA-AES256-SHA384 </td><td> ECDH </td><td> AES </td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 </td></tr>
|
||||||
<tr><td> [0xc025]</td><td> ECDH-ECDSA-AES128-SHA256 </td><td> ECDH/ECDSA</td><td> AES </td><td> 128 </td><td> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc025]</td><td> ECDH-ECDSA-AES128-SHA256 </td><td> ECDH/ECDSA</td><td> AES </td><td> 128 </td><td> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 </td></tr>
|
||||||
@ -205,6 +281,7 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0xc031]</td><td> ECDH-RSA-AES128-GCM-SHA256 </td><td> ECDH/RSA </td><td> AESGCM </td><td> 128 </td><td> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 </td></tr>
|
<tr><td> [0xc031]</td><td> ECDH-RSA-AES128-GCM-SHA256 </td><td> ECDH/RSA </td><td> AESGCM </td><td> 128 </td><td> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 </td></tr>
|
||||||
<tr><td> [0xc032]</td><td> ECDH-RSA-AES256-GCM-SHA384 </td><td> ECDH/RSA </td><td> AESGCM </td><td> 256 </td><td> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 </td></tr>
|
<tr><td> [0xc032]</td><td> ECDH-RSA-AES256-GCM-SHA384 </td><td> ECDH/RSA </td><td> AESGCM </td><td> 256 </td><td> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 5489 -->
|
||||||
<tr><td> [0xc033]</td><td> ECDHE-PSK-RC4-SHA </td><td> PSK/ECDHE </td><td> RC4 </td><td> 128 </td><td> TLS_ECDHE_PSK_WITH_RC4_128_SHA </td></tr>
|
<tr><td> [0xc033]</td><td> ECDHE-PSK-RC4-SHA </td><td> PSK/ECDHE </td><td> RC4 </td><td> 128 </td><td> TLS_ECDHE_PSK_WITH_RC4_128_SHA </td></tr>
|
||||||
<tr><td> [0xc034]</td><td> ECDHE-PSK-3DES-EDE-CBC-SHA </td><td> PSK/ECDHE </td><td> 3DES </td><td> 168 </td><td> TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA </td></tr>
|
<tr><td> [0xc034]</td><td> ECDHE-PSK-3DES-EDE-CBC-SHA </td><td> PSK/ECDHE </td><td> 3DES </td><td> 168 </td><td> TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA </td></tr>
|
||||||
<tr><td> [0xc035]</td><td> ECDHE-PSK-AES128-CBC-SHA </td><td> PSK/ECDHE </td><td> AES </td><td> 128 </td><td> TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA </td></tr>
|
<tr><td> [0xc035]</td><td> ECDHE-PSK-AES128-CBC-SHA </td><td> PSK/ECDHE </td><td> AES </td><td> 128 </td><td> TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA </td></tr>
|
||||||
@ -214,6 +291,8 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0xc039]</td><td> ECDHE-PSK-NULL-SHA </td><td> PSK/ECDHE </td><td> None </td><td> None </td><td> TLS_ECDHE_PSK_WITH_NULL_SHA </td></tr>
|
<tr><td> [0xc039]</td><td> ECDHE-PSK-NULL-SHA </td><td> PSK/ECDHE </td><td> None </td><td> None </td><td> TLS_ECDHE_PSK_WITH_NULL_SHA </td></tr>
|
||||||
<tr><td> [0xc03A]</td><td> ECDHE-PSK-NULL-SHA256 </td><td> PSK/ECDHE </td><td> None </td><td> None </td><td> TLS_ECDHE_PSK_WITH_NULL_SHA256 </td></tr>
|
<tr><td> [0xc03A]</td><td> ECDHE-PSK-NULL-SHA256 </td><td> PSK/ECDHE </td><td> None </td><td> None </td><td> TLS_ECDHE_PSK_WITH_NULL_SHA256 </td></tr>
|
||||||
<tr><td> [0xc03B]</td><td> ECDHE-PSK-NULL-SHA384 </td><td> PSK/ECDHE </td><td> None </td><td> None </td><td> TLS_ECDHE_PSK_WITH_NULL_SHA384 </td></tr>
|
<tr><td> [0xc03B]</td><td> ECDHE-PSK-NULL-SHA384 </td><td> PSK/ECDHE </td><td> None </td><td> None </td><td> TLS_ECDHE_PSK_WITH_NULL_SHA384 </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 6209 -->
|
||||||
<tr><td> [0xc03C]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_WITH_ARIA_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc03C]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_WITH_ARIA_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0xc03D]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_WITH_ARIA_256_CBC_SHA384 </td></tr>
|
<tr><td> [0xc03D]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_WITH_ARIA_256_CBC_SHA384 </td></tr>
|
||||||
<tr><td> [0xc03E]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc03E]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 </td></tr>
|
||||||
@ -269,6 +348,7 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0xc070]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc070]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0xc071]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 </td></tr>
|
<tr><td> [0xc071]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 6367 -->
|
||||||
<tr><td> [0xc072]</td><td> ECDHE-ECDSA-CAMELLIA128-SHA256 </td><td> ECDH </td><td> Camellia </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc072]</td><td> ECDHE-ECDSA-CAMELLIA128-SHA256 </td><td> ECDH </td><td> Camellia </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0xc073]</td><td> ECDHE-ECDSA-CAMELLIA256-SHA38 </td><td> ECDH </td><td> Camellia </td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
<tr><td> [0xc073]</td><td> ECDHE-ECDSA-CAMELLIA256-SHA38 </td><td> ECDH </td><td> Camellia </td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
||||||
<tr><td> [0xc074]</td><td> ECDH-ECDSA-CAMELLIA128-SHA256 </td><td> ECDH/ECDSA </td><td> Camellia </td><td> 128 </td><td> TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc074]</td><td> ECDH-ECDSA-CAMELLIA128-SHA256 </td><td> ECDH/ECDSA </td><td> Camellia </td><td> 128 </td><td> TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
@ -303,15 +383,16 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0xc091]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 </td></tr>
|
<tr><td> [0xc091]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 </td></tr>
|
||||||
<tr><td> [0xc092]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 </td></tr>
|
<tr><td> [0xc092]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 </td></tr>
|
||||||
<tr><td> [0xc093]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 </td></tr>
|
<tr><td> [0xc093]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 </td></tr>
|
||||||
<tr><td> [0xc094]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc094]</td><td> PSK-CAMELLIA128-SHA256 </td><td> PSK </td><td> CAMELLIA </td><td> 128 </td><td> TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0xc095]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
<tr><td> [0xc095]</td><td> PSK-CAMELLIA256-SHA384 </td><td> PSK </td><td> CAMELLIA </td><td> 256 </td><td> TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
||||||
<tr><td> [0xc096]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc096]</td><td> DHE-PSK-CAMELLIA128-SHA256 </td><td> PSK/DHE </td><td> CAMELLIA </td><td> 128 </td><td> TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0xc097]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
<tr><td> [0xc097]</td><td> DHE-PSK-CAMELLIA256-SHA384 </td><td> PSK/DHE </td><td> CAMELLIA </td><td> 256 </td><td> TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
||||||
<tr><td> [0xc098]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc098]</td><td> RSA-PSK-CAMELLIA128-SHA256 </td><td> PSK/RSA </td><td> CAMELLIA </td><td> 128 </td><td> TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0xc099]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
<tr><td> [0xc099]</td><td> RSA-PSK-CAMELLIA256-SHA384 </td><td> PSK/RSA </td><td> CAMELLIA </td><td> 256 </td><td> TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
||||||
<tr><td> [0xc09A]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
<tr><td> [0xc09A]</td><td> ECDHE-PSK-CAMELLIA128-SHA25 </td><td> PSK/ECDHE </td><td> CAMELLIA </td><td> 128 </td><td> TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
|
||||||
<tr><td> [0xc09B]</td><td> </td><td> </td><td> </td><td> </td><td> TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
<tr><td> [0xc09B]</td><td> ECDHE-PSK-CAMELLIA256-SHA38 </td><td> PSK/ECDHE </td><td> CAMELLIA </td><td> 256 </td><td> TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 6655 -->
|
||||||
<tr><td> [0xc09c]</td><td> AES128-CCM </td><td> RSA </td><td> AESCCM </td><td> 128 </td><td> TLS_RSA_WITH_AES_128_CCM </td></tr>
|
<tr><td> [0xc09c]</td><td> AES128-CCM </td><td> RSA </td><td> AESCCM </td><td> 128 </td><td> TLS_RSA_WITH_AES_128_CCM </td></tr>
|
||||||
<tr><td> [0xc09d]</td><td> AES256-CCM </td><td> RSA </td><td> AESCCM </td><td> 256 </td><td> TLS_RSA_WITH_AES_256_CCM </td></tr>
|
<tr><td> [0xc09d]</td><td> AES256-CCM </td><td> RSA </td><td> AESCCM </td><td> 256 </td><td> TLS_RSA_WITH_AES_256_CCM </td></tr>
|
||||||
<tr><td> [0xc09e]</td><td> DHE-RSA-AES128-CCM </td><td> DH </td><td> AESCCM </td><td> 128 </td><td> TLS_DHE_RSA_WITH_AES_128_CCM </td></tr>
|
<tr><td> [0xc09e]</td><td> DHE-RSA-AES128-CCM </td><td> DH </td><td> AESCCM </td><td> 128 </td><td> TLS_DHE_RSA_WITH_AES_128_CCM </td></tr>
|
||||||
@ -328,6 +409,8 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0xc0a9]</td><td> PSK-AES256-CCM8 </td><td> PSK </td><td> AESCCM </td><td> 256 </td><td> TLS_PSK_WITH_AES_256_CCM_8 </td></tr>
|
<tr><td> [0xc0a9]</td><td> PSK-AES256-CCM8 </td><td> PSK </td><td> AESCCM </td><td> 256 </td><td> TLS_PSK_WITH_AES_256_CCM_8 </td></tr>
|
||||||
<tr><td> [0xc0aa]</td><td> DHE-PSK-AES128-CCM8 </td><td> PSK/DHE </td><td> AESCCM </td><td> 128 </td><td> TLS_PSK_DHE_WITH_AES_128_CCM_8 </td></tr>
|
<tr><td> [0xc0aa]</td><td> DHE-PSK-AES128-CCM8 </td><td> PSK/DHE </td><td> AESCCM </td><td> 128 </td><td> TLS_PSK_DHE_WITH_AES_128_CCM_8 </td></tr>
|
||||||
<tr><td> [0xc0ab]</td><td> DHE-PSK-AES256-CCM8 </td><td> PSK/DHE </td><td> AESCCM </td><td> 256 </td><td> TLS_PSK_DHE_WITH_AES_256_CCM_8 </td></tr>
|
<tr><td> [0xc0ab]</td><td> DHE-PSK-AES256-CCM8 </td><td> PSK/DHE </td><td> AESCCM </td><td> 256 </td><td> TLS_PSK_DHE_WITH_AES_256_CCM_8 </td></tr>
|
||||||
|
|
||||||
|
<!-- RFC 7251, AES-CCM -->
|
||||||
<tr><td> [0xc0ac]</td><td> ECDHE-ECDSA-AES128-CCM </td><td> ECDH </td><td> AESCCM </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_AES_128_CCM</td></tr>
|
<tr><td> [0xc0ac]</td><td> ECDHE-ECDSA-AES128-CCM </td><td> ECDH </td><td> AESCCM </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_AES_128_CCM</td></tr>
|
||||||
<tr><td> [0xc0ad]</td><td> ECDHE-ECDSA-AES256-CCM </td><td> ECDH </td><td> AESCCM </td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_AES_256_CCM </td></tr>
|
<tr><td> [0xc0ad]</td><td> ECDHE-ECDSA-AES256-CCM </td><td> ECDH </td><td> AESCCM </td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_AES_256_CCM </td></tr>
|
||||||
<tr><td> [0xc0ae]</td><td> ECDHE-ECDSA-AES128-CCM8 </td><td> ECDH </td><td> AESCCM </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 </td></tr>
|
<tr><td> [0xc0ae]</td><td> ECDHE-ECDSA-AES128-CCM8 </td><td> ECDH </td><td> AESCCM </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 </td></tr>
|
||||||
@ -341,8 +424,31 @@ td { border:1px solid #999; }
|
|||||||
<tr><td> [0xff01]</td><td> GOST-GOST94 </td><td> RSA </td><td> GOST89 </td><td> 256 </td><td>TLS_RSA_WITH_28147_CNT_GOST94</td></tr>
|
<tr><td> [0xff01]</td><td> GOST-GOST94 </td><td> RSA </td><td> GOST89 </td><td> 256 </td><td>TLS_RSA_WITH_28147_CNT_GOST94</td></tr>
|
||||||
<tr><td> [0xff02]</td><td> GOST-GOST89MAC </td><td> RSA </td><td> GOST89 </td><td> 256 </td></tr>
|
<tr><td> [0xff02]</td><td> GOST-GOST89MAC </td><td> RSA </td><td> GOST89 </td><td> 256 </td></tr>
|
||||||
<tr><td> [0xff03]</td><td> GOST-GOST89STREAM </td><td> RSA </td><td> GOST89 </td><td> 256 </td></tr>
|
<tr><td> [0xff03]</td><td> GOST-GOST89STREAM </td><td> RSA </td><td> GOST89 </td><td> 256 </td></tr>
|
||||||
|
|
||||||
|
<!-- http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html -->
|
||||||
|
<tr><td> [0xfefe]</td><td> </td><td> RSA </td><td> DES </td><td> 56 </td><td>SSL_RSA_FIPS_WITH_DES_CBC_SHA</td></tr>
|
||||||
|
<tr><td> [0xfeff]</td><td> </td><td> RSA </td><td> 3DES </td><td> 168 </td><td>SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA</td></tr>
|
||||||
|
<!-- were thought to be of use only "locally" to certain specific U.S. government customers. (same as above) -->
|
||||||
|
<tr><td> [0xfee0]</td><td> </td><td> RSA </td><td> 3DES </td><td> 168 </td><td>SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA</td></tr>
|
||||||
|
<tr><td> [0xfee1]</td><td> </td><td> RSA </td><td> DES </td><td> 56 </td><td>SSL_RSA_FIPS_WITH_DES_CBC_SHA</td></tr>
|
||||||
|
|
||||||
<tr><td> [0x010080]</td><td> RC4-MD5 </td><td> RSA </td><td> RC4 </td><td> 128 </td><td> SSL_CK_RC4_128_WITH_MD5 </td></tr>
|
<tr><td> [0x010080]</td><td> RC4-MD5 </td><td> RSA </td><td> RC4 </td><td> 128 </td><td> SSL_CK_RC4_128_WITH_MD5 </td></tr>
|
||||||
<tr><td> [0x020080]</td><td> EXP-RC4-MD5 </td><td> RSA(512) </td><td> RC4 </td><td> 40, export </td><td> SSL_CK_RC4_128_EXPORT40_WITH_MD5 </td></tr>
|
<tr><td> [0x020080]</td><td> EXP-RC4-MD5 </td><td> RSA(512) </td><td> RC4 </td><td> 40, export </td><td> SSL_CK_RC4_128_EXPORT40_WITH_MD5 </td></tr>
|
||||||
|
<!--
|
||||||
|
|
||||||
|
SSL2_CK_RC4_128_WITH_MD5 0x02010080
|
||||||
|
SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080
|
||||||
|
SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080
|
||||||
|
SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080
|
||||||
|
SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080
|
||||||
|
SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040
|
||||||
|
SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140
|
||||||
|
SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0
|
||||||
|
SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0
|
||||||
|
SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800
|
||||||
|
SSL2_CK_NULL 0x02ff0810
|
||||||
|
|
||||||
|
-->
|
||||||
<tr><td> [0x030080]</td><td> RC2-CBC-MD5 </td><td> RSA </td><td> RC2 </td><td> 128 </td><td> SSL_CK_RC2_128_CBC_WITH_MD5 </td></tr>
|
<tr><td> [0x030080]</td><td> RC2-CBC-MD5 </td><td> RSA </td><td> RC2 </td><td> 128 </td><td> SSL_CK_RC2_128_CBC_WITH_MD5 </td></tr>
|
||||||
<tr><td> [0x040080]</td><td> EXP-RC2-CBC-MD5 </td><td> RSA(512) </td><td> RC2 </td><td> 40, export </td><td> SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5</td></tr>
|
<tr><td> [0x040080]</td><td> EXP-RC2-CBC-MD5 </td><td> RSA(512) </td><td> RC2 </td><td> 40, export </td><td> SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5</td></tr>
|
||||||
<tr><td> [0x050080]</td><td> IDEA-CBC-MD5 </td><td> RSA </td><td> IDEA </td><td> 128 </td><td> SSL_CK_IDEA_128_CBC_WITH_MD5 </td></tr>
|
<tr><td> [0x050080]</td><td> IDEA-CBC-MD5 </td><td> RSA </td><td> IDEA </td><td> 128 </td><td> SSL_CK_IDEA_128_CBC_WITH_MD5 </td></tr>
|
||||||
|
430
testssl.sh
430
testssl.sh
@ -135,6 +135,7 @@ declare -x OPENSSL
|
|||||||
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
||||||
COLORBLIND=${COLORBLIND:-false} # if true, swap blue and green in the output
|
COLORBLIND=${COLORBLIND:-false} # if true, swap blue and green in the output
|
||||||
SHOW_EACH_C=${SHOW_EACH_C:-0} # where individual ciphers are tested show just the positively ones tested #FIXME: upside down value
|
SHOW_EACH_C=${SHOW_EACH_C:-0} # where individual ciphers are tested show just the positively ones tested #FIXME: upside down value
|
||||||
|
SHOW_SIGALGO=${SHOW_SIGALGO:-false} # "secret" switch weher testssl.sh shows the signature algorithm for -E / -e
|
||||||
SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual?
|
SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual?
|
||||||
QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner
|
QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner
|
||||||
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
|
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
|
||||||
@ -368,6 +369,9 @@ pr_headlineln() { pr_headline "$1" ; outln; }
|
|||||||
pr_squoted() { out "'$1'"; }
|
pr_squoted() { out "'$1'"; }
|
||||||
pr_dquoted() { out "\"$1\""; }
|
pr_dquoted() { out "\"$1\""; }
|
||||||
|
|
||||||
|
local_problem_ln() { pr_litemagentaln "Local problem: $1"; }
|
||||||
|
local_problem() { pr_litemagenta "Local problem: $1"; }
|
||||||
|
|
||||||
### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
|
### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
|
||||||
### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html
|
### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html
|
||||||
set_color_functions() {
|
set_color_functions() {
|
||||||
@ -449,23 +453,22 @@ fileout_footer() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
fileout() { # ID, SEVERITY, FINDING
|
fileout() { # ID, SEVERITY, FINDING
|
||||||
local finding="$5"
|
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
|
||||||
|
|
||||||
if "$do_json"; then
|
if "$do_json"; then
|
||||||
"$FIRST_FINDING" || echo "," >> $JSONFILE
|
"$FIRST_FINDING" || echo "," >> $JSONFILE
|
||||||
finding=$(strip_quote "$3")
|
|
||||||
echo -e "
|
echo -e "
|
||||||
{
|
{
|
||||||
'id' : '$1',
|
\"id\" : \"$1\",
|
||||||
'ip' : '$NODE/$NODEIP',
|
\"ip\" : \"$NODE/$NODEIP\",
|
||||||
'port' : '$PORT',
|
\"port\" : \"$PORT\",
|
||||||
'severity' : '$2',
|
\"severity\" : \"$2\",
|
||||||
'finding' : '$finding'
|
\"finding\" : \"$finding\"
|
||||||
}" >> $JSONFILE
|
}" >> $JSONFILE
|
||||||
fi
|
fi
|
||||||
# does the following do any sanitization?
|
# does the following do any sanitization?
|
||||||
if "$do_csv"; then
|
if "$do_csv"; then
|
||||||
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$2"\",\"$(strip_quote "$3")\"" >>$CSVFILE
|
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$2"\",\""$finding"\"" >>$CSVFILE
|
||||||
fi
|
fi
|
||||||
"$FIRST_FINDING" && FIRST_FINDING=false
|
"$FIRST_FINDING" && FIRST_FINDING=false
|
||||||
}
|
}
|
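Review bot: fileout() still builds the JSON record by string interpolation and writes it with `echo -e`, so `$1`, `$2`, `$NODE`, `$NODEIP` and `$PORT` reach the quoted values unfiltered, and any backslash sequence left in `$finding` (for example `\n`) is expanded again after the newline stripping has run. strip_quote, newline_to_spaces and strip_lf are defined outside this hunk, so whether they remove backslashes and control characters cannot be confirmed from here; if they do not, a finding that carries text from the scanned server can break the JSON string or the CSV field. Writing the record with `printf '%s\n' "…" >>"$JSONFILE"` instead of `echo -e`, and stripping backslashes in the same step (`finding=${finding//\\/}`), closes that gap. Splitting the declaration (`local finding`, then `finding=$(…)`) also keeps a failing helper from being masked by `local`.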
||||||
@ -1280,8 +1283,13 @@ prettyprint_local() {
|
|||||||
local hexcode dash ciph sslvers kx auth enc mac export
|
local hexcode dash ciph sslvers kx auth enc mac export
|
||||||
local re='^[0-9A-Fa-f]+$'
|
local re='^[0-9A-Fa-f]+$'
|
||||||
|
|
||||||
|
if [[ "$1" == 0x* ]] || [[ "$1" == 0X* ]]; then
|
||||||
|
fatal "pls supply x<number> instead" 2
|
||||||
|
fi
|
||||||
|
|
||||||
pr_headline " Displaying all local ciphers ";
|
pr_headline " Displaying all local ciphers ";
|
||||||
if [[ -n "$1" ]]; then
|
if [[ -n "$1" ]]; then
|
||||||
|
# pattern provided; which one?
|
||||||
[[ $1 =~ $re ]] && \
|
[[ $1 =~ $re ]] && \
|
||||||
pr_headline "matching number pattern \"$1\" " || \
|
pr_headline "matching number pattern \"$1\" " || \
|
||||||
pr_headline "matching word pattern "\"$1\"" (ignore case) "
|
pr_headline "matching word pattern "\"$1\"" (ignore case) "
|
||||||
@ -1384,7 +1392,7 @@ std_cipherlists() {
|
|||||||
tmpfile_handle $FUNCNAME.$debugname.txt
|
tmpfile_handle $FUNCNAME.$debugname.txt
|
||||||
else
|
else
|
||||||
singlespaces=$(echo "$2" | sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g')
|
singlespaces=$(echo "$2" | sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g')
|
||||||
local_problem "No $singlespaces configured in $OPENSSL"
|
local_problem_ln "No $singlespaces configured in $OPENSSL"
|
||||||
fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)"
|
fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)"
|
||||||
fi
|
fi
|
||||||
# we need 1xlf in those cases:
|
# we need 1xlf in those cases:
|
||||||
@ -1582,8 +1590,12 @@ run_allciphers(){
|
|||||||
available="not a/v"
|
available="not a/v"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if "$SHOW_SIGALGO"; then
|
||||||
|
$OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1
|
||||||
|
else
|
||||||
|
outln
|
||||||
|
fi
|
||||||
fileout "cipher_$HEXC" "INFO" "$(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available"
|
fileout "cipher_$HEXC" "INFO" "$(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available"
|
||||||
outln
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
done
|
done
|
||||||
outln
|
outln
|
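Review bot: The added SHOW_SIGALGO branch ends the output row only when the `$OPENSSL x509 … | awk … | head -1` pipeline prints something, and it sits right after the `available="not a/v"` path, so a cipher for which $TMPFILE holds no certificate would get no line end and the x509 error would land on the terminal; the same block is added in the run_cipher_per_proto hunk that follows. `$TMPFILE` is unquoted and stderr is not appended to `$ERRFILE`, unlike the s_client calls elsewhere on this page. Capturing the value first, `sigalg=$($OPENSSL x509 -noout -text -in "$TMPFILE" 2>>$ERRFILE | awk -F':' '/Signature Algorithm/ { print $2; exit }')`, and then calling `out "$sigalg"; outln` keeps the row terminated in both cases. The loop body starts outside this hunk, so whether unavailable ciphers actually reach this point depends on code not shown.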
||||||
@ -1628,7 +1640,11 @@ run_cipher_per_proto(){
|
|||||||
available="not a/v"
|
available="not a/v"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln
|
if "$SHOW_SIGALGO"; then
|
||||||
|
$OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1
|
||||||
|
else
|
||||||
|
outln
|
||||||
|
fi
|
||||||
id="cipher$proto"
|
id="cipher$proto"
|
||||||
id+="_$HEXC"
|
id+="_$HEXC"
|
||||||
fileout "$id" "INFO" "$proto_text $(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available"
|
fileout "$id" "INFO" "$proto_text $(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available"
|
||||||
@ -2040,7 +2056,7 @@ run_client_simulation() {
|
|||||||
locally_supported() {
|
locally_supported() {
|
||||||
[[ -n "$2" ]] && out "$2 "
|
[[ -n "$2" ]] && out "$2 "
|
||||||
if $OPENSSL s_client "$1" 2>&1 | grep -aq "unknown option"; then
|
if $OPENSSL s_client "$1" 2>&1 | grep -aq "unknown option"; then
|
||||||
local_problem "$OPENSSL doesn't support \"s_client $1\""
|
local_problem_ln "$OPENSSL doesn't support \"s_client $1\""
|
||||||
return 7
|
return 7
|
||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
@ -2107,8 +2123,8 @@ run_protocols() {
|
|||||||
using_sockets=false
|
using_sockets=false
|
||||||
else
|
else
|
||||||
using_sockets=true
|
using_sockets=true
|
||||||
pr_headlineln "(via sockets except TLS 1.2 and SPDY/HTTP2) "
|
pr_headlineln "(via sockets except TLS 1.2, SPDY+HTTP2) "
|
||||||
via+="via sockets except for TLS1.1 and SPDY/HTTP2"
|
via+="via sockets except for TLS1.2, SPDY+HTTP2"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
@ -2546,7 +2562,7 @@ run_server_preference() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
cipher_pref_check() {
|
cipher_pref_check() {
|
||||||
local p proto protos
|
local p proto protos npn_protos
|
||||||
local tested_cipher cipher order
|
local tested_cipher cipher order
|
||||||
|
|
||||||
pr_bold " Cipher order"
|
pr_bold " Cipher order"
|
||||||
@ -2579,8 +2595,8 @@ cipher_pref_check() {
|
|||||||
if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS?
|
if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS?
|
||||||
outln
|
outln
|
||||||
else
|
else
|
||||||
protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
npn_protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
||||||
for p in $protos; do
|
for p in $npn_protos; do
|
||||||
order=""
|
order=""
|
||||||
$OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||||
@ -2610,12 +2626,13 @@ cipher_pref_check() {
|
|||||||
get_host_cert() {
|
get_host_cert() {
|
||||||
local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE
|
local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE
|
||||||
|
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null </dev/null >$TEMPDIR/$FUNCNAME.txt
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null </dev/null >$tmpdir
|
||||||
if sclient_connect_successful $? $tmpvar; then
|
if sclient_connect_successful $? $tmpvar; then
|
||||||
awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT
|
awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT
|
||||||
else
|
else
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
tmpfile_handle $FUNCNAME.txt
|
||||||
# return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]}))
|
# return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]}))
|
||||||
}
|
}
|
||||||
|
|
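Review bot: The new-side s_client line in get_host_cert() redirects to `$tmpdir`, but the only local declared is `tmpvar`, and the following lines (sclient_connect_successful, awk) read `$tmpvar`, so as shown the handshake output never reaches the file that is parsed for the certificate. Unless a global named `tmpdir` exists outside this hunk, bash would reject the redirection as ambiguous and the function would fall through to `return 1`. The line should end in `>"$tmpvar"`. The added `tmpfile_handle $FUNCNAME.txt` is also skipped on the failure path because the `else` branch returns first; calling it before `return 1` would cover both outcomes.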
||||||
@ -2640,7 +2657,7 @@ verify_retcode_helper() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
determine_trust() {
|
determine_trust() {
|
||||||
local heading=$1
|
local json_prefix=$1
|
||||||
local -i i=1
|
local -i i=1
|
||||||
local -i num_ca_bundles=0
|
local -i num_ca_bundles=0
|
||||||
local bundle_fname
|
local bundle_fname
|
||||||
@ -2651,24 +2668,24 @@ determine_trust() {
|
|||||||
local some_ok=false
|
local some_ok=false
|
||||||
local code
|
local code
|
||||||
local ca_bundles="$INSTALL_DIR/etc/*.pem"
|
local ca_bundles="$INSTALL_DIR/etc/*.pem"
|
||||||
local spaces=" "
|
local spaces=" "
|
||||||
local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
||||||
local addtl_warning
|
local addtl_warning
|
||||||
|
|
||||||
|
# If $json_prefix is not empty, then there is more than one certificate
|
||||||
|
# and the output should should be indented by two more spaces.
|
||||||
|
[[ -n $json_prefix ]] && spaces=" "
|
||||||
|
|
||||||
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
|
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
|
||||||
pr_litemagentaln "Your $OPENSSL is too new, needed is version 1.0.2"
|
addtl_warning="(Your openssl 1.1.0 might be too new for a reliable check)"
|
||||||
out "$spaces"
|
fileout "${json_prefix}trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
|
||||||
fileout "$heading trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
|
|
||||||
return 7
|
|
||||||
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then
|
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then
|
||||||
pr_litemagentaln "Your $OPENSSL is too old, needed is version >=1.0.2"
|
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
|
||||||
out "$spaces"
|
fileout "${json_prefix}trust_warn" "WARN" "$addtl_warning"
|
||||||
addtl_warning="Your $OPENSSL is too old, need version 1.0.2 to determine trust. Results may be unreliable."
|
|
||||||
fileout "$heading trust_warn" "WARN" "$addtl_warning"
|
|
||||||
fi
|
fi
|
||||||
debugme outln
|
debugme outln
|
||||||
for bundle_fname in $ca_bundles; do
|
for bundle_fname in $ca_bundles; do
|
||||||
certificate_file[i]=$(basename "$bundle_fname" | sed 's/\.pem//')
|
certificate_file[i]=$(basename ${bundle_fname//.pem})
|
||||||
if [[ ! -r $bundle_fname ]]; then
|
if [[ ! -r $bundle_fname ]]; then
|
||||||
pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable"
|
pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable"
|
||||||
return 7
|
return 7
|
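Review bot: `certificate_file[i]=$(basename ${bundle_fname//.pem})` drops the quoting the replaced line had and removes every `.pem` substring in the whole path rather than only the suffix, so an $INSTALL_DIR containing spaces, glob characters or `.pem` changes the result; `certificate_file[i]=$(basename "$bundle_fname" .pem)` does what is intended. With `return 7` removed from the 1.1.0 branch, the function now writes `${json_prefix}trust` once as WARN here and again as OK / NOT OK in the later hunks, so consumers of the JSON or CSV get two records with the same id for one check; the other branch avoids this by using `trust_warn`. The warning text in the `!= "1.0.2"` branch says `<= 1.0.2` although the condition excludes 1.0.2 itself. The `for` loop body and the final fileout calls lie outside this hunk.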
||||||
@ -2696,20 +2713,20 @@ determine_trust() {
|
|||||||
fi
|
fi
|
||||||
i=$((i + 1))
|
i=$((i + 1))
|
||||||
done
|
done
|
||||||
num_ca_bundles=$(($i - 1))
|
num_ca_bundles=$((i - 1))
|
||||||
debugme out " "
|
debugme out " "
|
||||||
# all stores ok
|
|
||||||
if $all_ok; then
|
if $all_ok; then
|
||||||
pr_litegreen "Ok "
|
# all stores ok
|
||||||
fileout "$heading trust" "OK" "All certificate trust checks passed. $addtl_warning"
|
pr_litegreen "Ok "; pr_litemagenta "$addtl_warning"
|
||||||
# at least one failed
|
fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning"
|
||||||
else
|
else
|
||||||
|
# at least one failed
|
||||||
pr_red "NOT ok"
|
pr_red "NOT ok"
|
||||||
if ! $some_ok; then
|
if ! $some_ok; then
|
||||||
# all failed (we assume with the same issue), we're displaying the reason
|
# all failed (we assume with the same issue), we're displaying the reason
|
||||||
out " "
|
out " "
|
||||||
verify_retcode_helper "${verify_retcode[2]}"
|
verify_retcode_helper "${verify_retcode[2]}"
|
||||||
fileout "$heading trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
|
fileout "${json_prefix}trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
|
||||||
else
|
else
|
||||||
# is one ok and the others not ==> display the culprit store
|
# is one ok and the others not ==> display the culprit store
|
||||||
if $some_ok ; then
|
if $some_ok ; then
|
||||||
@ -2728,20 +2745,19 @@ determine_trust() {
|
|||||||
#pr_litered "$notok_was "
|
#pr_litered "$notok_was "
|
||||||
#outln "$code"
|
#outln "$code"
|
||||||
outln
|
outln
|
||||||
#lf + green ones
|
# lf + green ones
|
||||||
[[ "$DEBUG" -eq 0 ]] && out "$spaces"
|
[[ "$DEBUG" -eq 0 ]] && out "$spaces"
|
||||||
pr_litegreen "OK: $ok_was"
|
pr_litegreen "OK: $ok_was"
|
||||||
fi
|
fi
|
||||||
fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
|
fileout "${json_prefix}trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
|
||||||
fi
|
fi
|
||||||
|
[[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_litemagenta "$addtl_warning"
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
# not handled: Root CA supplied (contains anchor)
|
# not handled: Root CA supplied (contains anchor)
|
||||||
# attention: 1.0.1 fails on mozilla
|
|
||||||
|
|
||||||
|
|
||||||
tls_time() {
|
tls_time() {
|
||||||
local now difftime
|
local now difftime
|
||||||
@ -2774,7 +2790,6 @@ tls_time() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# core function determining whether handshake succeded or not
|
# core function determining whether handshake succeded or not
|
||||||
#
|
|
||||||
sclient_connect_successful() {
|
sclient_connect_successful() {
|
||||||
[[ $1 -eq 0 ]] && return 0
|
[[ $1 -eq 0 ]] && return 0
|
||||||
[[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0
|
[[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0
|
||||||
@ -2800,7 +2815,7 @@ determine_tls_extensions() {
|
|||||||
# alpn: echo | openssl s_client -connect google.com:443 -tlsextdebug -alpn h2-14 -servername google.com <-- suport needs to be checked b4 -- see also: ssl/t1_trce.c
|
# alpn: echo | openssl s_client -connect google.com:443 -tlsextdebug -alpn h2-14 -servername google.com <-- suport needs to be checked b4 -- see also: ssl/t1_trce.c
|
||||||
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug -nextprotoneg $alpn -status </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug -nextprotoneg $alpn -status </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
sclient_connect_successful $? $TMPFILE && success=0 && break
|
sclient_connect_successful $? $TMPFILE && success=0 && break
|
||||||
done # this loop is needed for IIS/6
|
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
||||||
if [[ $success -eq 7 ]]; then
|
if [[ $success -eq 7 ]]; then
|
||||||
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
||||||
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
@ -2814,7 +2829,13 @@ determine_tls_extensions() {
|
|||||||
GOST_STATUS_PROBLEM=true
|
GOST_STATUS_PROBLEM=true
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
TLS_EXTENSIONS=$(awk -F'"' '/TLS server extension / { printf "\""$2"\" " }' $TMPFILE)
|
#TLS_EXTENSIONS=$(awk -F'"' '/TLS server extension / { printf "\""$2"\" " }' $TMPFILE)
|
||||||
|
#
|
||||||
|
# this is not beautiful (grep+sed)
|
||||||
|
# but maybe we should just get the ids and do a private matching, according to
|
||||||
|
# https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml <-- ALPN is missing
|
||||||
|
TLS_EXTENSIONS=$(grep -a 'TLS server extension ' $TMPFILE | sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' -e 's/,.*$/,/g' -e 's/),$/\"/g')
|
||||||
|
TLS_EXTENSIONS=$(echo $TLS_EXTENSIONS) # into one line
|
||||||
|
|
||||||
# Place the server's certificate in $HOSTCERT and any intermediate
|
# Place the server's certificate in $HOSTCERT and any intermediate
|
||||||
# certificates that were provided in $TEMPDIR/intermediatecerts.pem
|
# certificates that were provided in $TEMPDIR/intermediatecerts.pem
|
||||||
@ -2843,6 +2864,21 @@ determine_tls_extensions() {
|
|||||||
return $success
|
return $success
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# arg1: path to certificate
|
||||||
|
# returns CN
|
||||||
|
get_cn_from_cert() {
|
||||||
|
local subject
|
||||||
|
|
||||||
|
# attention! openssl 1.0.2 doesn't properly handle online output from certifcates from trustwave.com/github.com
|
||||||
|
#FIXME: use -nameopt oid for robustness
|
||||||
|
|
||||||
|
# for e.g. russian sites -esc_msb,utf8 works in an UTF8 terminal -- any way to check platform indepedent?
|
||||||
|
# see x509(1ssl):
|
||||||
|
subject="$($OPENSSL x509 -in $1 -noout -subject -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)"
|
||||||
|
echo "$(awk -F'=' '/CN=/ { print $2 }' <<< "$subject")"
|
||||||
|
return $?
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
certificate_info() {
|
certificate_info() {
|
||||||
local proto
|
local proto
|
||||||
@ -2862,6 +2898,7 @@ certificate_info() {
|
|||||||
local cnfinding
|
local cnfinding
|
||||||
local cnok="OK"
|
local cnok="OK"
|
||||||
local expfinding expok="OK"
|
local expfinding expok="OK"
|
||||||
|
local json_prefix="" # string to place at begging of JSON IDs when there is more than one certificate
|
||||||
local indent=""
|
local indent=""
|
||||||
|
|
||||||
if [[ $number_of_certificates -gt 1 ]]; then
|
if [[ $number_of_certificates -gt 1 ]]; then
|
||||||
@ -2869,19 +2906,54 @@ certificate_info() {
|
|||||||
indent=" "
|
indent=" "
|
||||||
out "$indent"
|
out "$indent"
|
||||||
pr_headlineln "Server Certificate #$certificate_number"
|
pr_headlineln "Server Certificate #$certificate_number"
|
||||||
|
json_prefix="Server Certificate #$certificate_number "
|
||||||
spaces=" "
|
spaces=" "
|
||||||
else
|
else
|
||||||
spaces=" "
|
spaces=" "
|
||||||
fi
|
fi
|
||||||
|
|
||||||
out "$indent"
|
|
||||||
pr_bold " Server key size "
|
|
||||||
sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u )
|
sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u )
|
||||||
key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u )
|
key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u )
|
||||||
|
|
||||||
|
out "$indent" ; pr_bold " Signature Algorithm "
|
||||||
|
case $sig_algo in
|
||||||
|
sha1WithRSAEncryption)
|
||||||
|
pr_brownln "SHA1 with RSA"
|
||||||
|
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
|
||||||
|
;;
|
||||||
|
sha256WithRSAEncryption)
|
||||||
|
pr_litegreenln "SHA256 with RSA"
|
||||||
|
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
|
||||||
|
;;
|
||||||
|
sha384WithRSAEncryption)
|
||||||
|
pr_litegreenln "SHA384 with RSA"
|
||||||
|
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
|
||||||
|
;;
|
||||||
|
sha512WithRSAEncryption)
|
||||||
|
pr_litegreenln "SHA512 with RSA"
|
||||||
|
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
|
||||||
|
;;
|
||||||
|
ecdsa-with-SHA256)
|
||||||
|
pr_litegreenln "ECDSA with SHA256"
|
||||||
|
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
|
||||||
|
;;
|
||||||
|
md5*)
|
||||||
|
pr_redln "MD5"
|
||||||
|
fileout "${json_prefix}algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
out "$sig_algo ("
|
||||||
|
pr_litemagenta "Unknown"
|
||||||
|
outln ")"
|
||||||
|
fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: $sign_algo"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
||||||
|
|
||||||
|
out "$indent"; pr_bold " Server key size "
|
||||||
if [[ -z "$keysize" ]]; then
|
if [[ -z "$keysize" ]]; then
|
||||||
outln "(couldn't determine)"
|
outln "(couldn't determine)"
|
||||||
fileout "$heading key_size" "WARN" "Server keys size cannot be determined"
|
fileout "${json_prefix}key_size" "WARN" "Server keys size cannot be determined"
|
||||||
else
|
else
|
||||||
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
||||||
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
|
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
|
||||||
@ -2890,79 +2962,55 @@ certificate_info() {
|
|||||||
if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
|
if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
|
||||||
if [[ "$keysize" -le 110 ]]; then # a guess
|
if [[ "$keysize" -le 110 ]]; then # a guess
|
||||||
pr_red "$keysize"
|
pr_red "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 123 ]]; then # a guess
|
elif [[ "$keysize" -le 123 ]]; then # a guess
|
||||||
pr_litered "$keysize"
|
pr_litered "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 163 ]]; then
|
elif [[ "$keysize" -le 163 ]]; then
|
||||||
pr_brown "$keysize"
|
pr_brown "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 224 ]]; then
|
elif [[ "$keysize" -le 224 ]]; then
|
||||||
out "$keysize"
|
out "$keysize"
|
||||||
fileout "$heading key_size" "INFO" "Server keys $keysize EC bits"
|
fileout "${json_prefix}key_size" "INFO" "Server keys $keysize EC bits"
|
||||||
elif [[ "$keysize" -le 533 ]]; then
|
elif [[ "$keysize" -le 533 ]]; then
|
||||||
pr_litegreen "$keysize"
|
pr_litegreen "$keysize"
|
||||||
fileout "$heading key_size" "OK" "Server keys $keysize EC bits (OK)"
|
fileout "${json_prefix}key_size" "OK" "Server keys $keysize EC bits (OK)"
|
||||||
else
|
else
|
||||||
out "keysize: $keysize (not expected, FIXME)"
|
out "keysize: $keysize (not expected, FIXME)"
|
||||||
fileout "$heading key_size" "WARN" "Server keys $keysize bits (not expected)"
|
fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (not expected)"
|
||||||
fi
|
fi
|
||||||
else
|
outln " bit"
|
||||||
|
elif [[ $sig_algo = *RSA* ]]; then
|
||||||
if [[ "$keysize" -le 512 ]]; then
|
if [[ "$keysize" -le 512 ]]; then
|
||||||
pr_red "$keysize"
|
pr_red "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
outln " bits"
|
||||||
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 768 ]]; then
|
elif [[ "$keysize" -le 768 ]]; then
|
||||||
pr_litered "$keysize"
|
pr_litered "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
outln " bits"
|
||||||
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 1024 ]]; then
|
elif [[ "$keysize" -le 1024 ]]; then
|
||||||
pr_brown "$keysize"
|
pr_brown "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
outln " bits"
|
||||||
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 2048 ]]; then
|
elif [[ "$keysize" -le 2048 ]]; then
|
||||||
out "$keysize"
|
outln "$keysize bits"
|
||||||
fileout "$heading key_size" "INFO" "Server keys $keysize bits"
|
fileout "${json_prefix}key_size" "INFO" "Server keys $keysize bits"
|
||||||
elif [[ "$keysize" -le 4096 ]]; then
|
elif [[ "$keysize" -le 4096 ]]; then
|
||||||
pr_litegreen "$keysize"
|
pr_litegreen "$keysize"
|
||||||
fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)"
|
fileout "${json_prefix}key_size" "OK" "Server keys $keysize bits (OK)"
|
||||||
|
outln " bits"
|
||||||
else
|
else
|
||||||
out "weird keysize: $keysize (compatibility problems)"
|
pr_magenta "weird keysize: $keysize bits"; outln " (could cause compatibility problems)"
|
||||||
fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)"
|
fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (Odd)"
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
out "$keysize bits ("
|
||||||
|
pr_litemagenta "can't tell whether $keysize bits is good or not"
|
||||||
|
outln ")"
|
||||||
|
fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (unknown signature algorithm)"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln " bit"
|
|
||||||
|
|
||||||
out "$indent" ; pr_bold " Signature Algorithm "
|
|
||||||
case $sig_algo in
|
|
||||||
sha1WithRSAEncryption)
|
|
||||||
pr_brownln "SHA1 with RSA"
|
|
||||||
fileout "$heading algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
|
|
||||||
;;
|
|
||||||
sha256WithRSAEncryption)
|
|
||||||
pr_litegreenln "SHA256 with RSA"
|
|
||||||
fileout "$heading algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
|
|
||||||
;;
|
|
||||||
sha384WithRSAEncryption)
|
|
||||||
pr_litegreenln "SHA384 with RSA"
|
|
||||||
fileout "$heading algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
|
|
||||||
;;
|
|
||||||
sha512WithRSAEncryption)
|
|
||||||
pr_litegreenln "SHA512 with RSA"
|
|
||||||
fileout "$heading algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
|
|
||||||
;;
|
|
||||||
ecdsa-with-SHA256)
|
|
||||||
pr_litegreenln "ECDSA with SHA256"
|
|
||||||
fileout "$heading algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
|
|
||||||
;;
|
|
||||||
md5*)
|
|
||||||
pr_redln "MD5"
|
|
||||||
fileout "$heading algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
outln "$sig_algo"
|
|
||||||
fileout "$heading algorithm" "INFO" "Signature Algorithm: $sign_algo"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
|
||||||
|
|
||||||
out "$indent"; pr_bold " Fingerprint / Serial "
|
out "$indent"; pr_bold " Fingerprint / Serial "
|
||||||
cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')"
|
cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')"
|
||||||
@ -2970,12 +3018,12 @@ certificate_info() {
|
|||||||
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
|
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
|
||||||
outln "$cert_fingerprint_sha1 / $cert_fingerprint_serial"
|
outln "$cert_fingerprint_sha1 / $cert_fingerprint_serial"
|
||||||
outln "$spaces$cert_fingerprint_sha2"
|
outln "$spaces$cert_fingerprint_sha2"
|
||||||
fileout "$heading fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
|
fileout "${json_prefix}fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
|
||||||
|
|
||||||
out "$indent"; pr_bold " Common Name (CN) "
|
out "$indent"; pr_bold " Common Name (CN) "
|
||||||
cnfinding="Common Name (CN) : "
|
cnfinding="Common Name (CN) : "
|
||||||
if $OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | grep -wq CN; then
|
cn="$(get_cn_from_cert $HOSTCERT)"
|
||||||
cn=$($OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//')
|
if [[ -n "$cn" ]]; then
|
||||||
pr_dquoted "$cn"
|
pr_dquoted "$cn"
|
||||||
cnfinding="$cn"
|
cnfinding="$cn"
|
||||||
if echo -n "$cn" | grep -q '^*.' ; then
|
if echo -n "$cn" | grep -q '^*.' ; then
|
||||||
@ -2992,26 +3040,25 @@ certificate_info() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
cn="(no CN field in subject)"
|
cn="no CN field in subject"
|
||||||
out "$cn"
|
pr_litemagenta "($cn)"
|
||||||
cnfinding="$cn"
|
cnfinding="$cn"
|
||||||
cnok="INFO"
|
cnok="INFO"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -cipher $cipher -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
# no cipher suites specified here. We just want the default vhost subject
|
||||||
cn_nosni=""
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
||||||
if [[ -s $HOSTCERT.nosni ]]; then
|
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
|
||||||
if $OPENSSL x509 -in $HOSTCERT.nosni -noout -subject 2>>$ERRFILE | grep -wq CN; then
|
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
|
||||||
cn_nosni=$($OPENSSL x509 -in $HOSTCERT.nosni -noout -subject 2>>$ERRFILE | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//')
|
|
||||||
else
|
#FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite)
|
||||||
cn_nosni="no CN field in subject"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
#FIXME: check for SSLv3/v2 and look wheher it goes to a different CN
|
|
||||||
|
|
||||||
debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\""
|
debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\""
|
||||||
if [[ $NODE == "$cn_nosni" ]]; then
|
if [[ "$cn_nosni" == "$cn" ]]; then
|
||||||
if [[ $SERVICE == "HTTP" ]] || $CLIENT_AUTH; then
|
outln " (works w/o SNI)"
|
||||||
|
cnfinding+=" (works w/o SNI)"
|
||||||
|
elif [[ $NODE == "$cn_nosni" ]]; then
|
||||||
|
if [[ $SERVICE == "HTTP" ]] || $CLIENT_AUTH ; then
|
||||||
outln " (works w/o SNI)"
|
outln " (works w/o SNI)"
|
||||||
cnfinding+=" (works w/o SNI)"
|
cnfinding+=" (works w/o SNI)"
|
||||||
else
|
else
|
||||||
@ -3034,7 +3081,7 @@ certificate_info() {
|
|||||||
fi
|
fi
|
||||||
outln ")"
|
outln ")"
|
||||||
cnfinding+=")"
|
cnfinding+=")"
|
||||||
elif [[ "$cn_nosni" == "*no CN field*" ]]; then
|
elif [[ "$cn_nosni" == *"no CN field"* ]]; then
|
||||||
outln ", (request w/o SNI: $cn_nosni)"
|
outln ", (request w/o SNI: $cn_nosni)"
|
||||||
cnfinding+=", (request w/o SNI: $cn_nosni)"
|
cnfinding+=", (request w/o SNI: $cn_nosni)"
|
||||||
else
|
else
|
||||||
@ -3042,7 +3089,7 @@ certificate_info() {
|
|||||||
cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")"
|
cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fileout "$heading cn" "$cnok" "$cnfinding"
|
fileout "${json_prefix}cn" "$cnok" "$cnfinding"
|
||||||
|
|
||||||
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
|
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
|
||||||
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
|
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
|
||||||
@ -3053,33 +3100,32 @@ certificate_info() {
|
|||||||
pr_dquoted "$san"
|
pr_dquoted "$san"
|
||||||
out " "
|
out " "
|
||||||
done
|
done
|
||||||
fileout "$heading san" "INFO" "subjectAltName (SAN) : $sans"
|
fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $sans"
|
||||||
else
|
else
|
||||||
out "-- "
|
out "-- "
|
||||||
fileout "$heading san" "INFO" "subjectAltName (SAN) : --"
|
fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : --"
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
out "$indent"; pr_bold " Issuer "
|
out "$indent"; pr_bold " Issuer "
|
||||||
issuer=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE| sed -e 's/^.*CN=//g' -e 's/\/.*$//g')
|
#FIXME: oid would be better maybe (see above)
|
||||||
issuer_O=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | sed 's/^.*O=//g' | sed 's/\/.*$//g')
|
issuer="$($OPENSSL x509 -in $HOSTCERT -noout -issuer -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)"
|
||||||
if $OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | grep -q 'C=' ; then
|
issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")"
|
||||||
issuer_C=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | sed 's/^.*C=//g' | sed 's/\/.*$//g')
|
issuer_O="$(awk -F'=' '/O=/ { print $2 }' <<< "$issuer")"
|
||||||
|
issuer_C="$(awk -F'=' '/C=/ { print $2 }' <<< "$issuer")"
|
||||||
|
|
||||||
|
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
|
||||||
|
pr_redln "self-signed (NOT ok)"
|
||||||
|
fileout "${json_prefix}issuer" "NOT OK" "Issuer: selfsigned (NOT ok)"
|
||||||
else
|
else
|
||||||
issuer_C="" # CACert would have 'issuer= ' here otherwise
|
pr_dquoted "$issuer_CN"
|
||||||
fi
|
|
||||||
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer" == "$CN" ]]; then
|
|
||||||
pr_redln "selfsigned (NOT ok)"
|
|
||||||
fileout "$heading issuer" "NOT OK" "Issuer: selfsigned (NOT ok)"
|
|
||||||
else
|
|
||||||
pr_dquoted "$issuer"
|
|
||||||
out " ("
|
out " ("
|
||||||
pr_dquoted "$issuer_O"
|
pr_dquoted "$issuer_O"
|
||||||
if [[ -n "$issuer_C" ]]; then
|
if [[ -n "$issuer_C" ]]; then
|
||||||
out " from "
|
out " from "
|
||||||
pr_dquoted "$issuer_C"
|
pr_dquoted "$issuer_C"
|
||||||
fileout "$heading issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")"
|
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")"
|
||||||
else
|
else
|
||||||
fileout "$heading issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" )"
|
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" )"
|
||||||
fi
|
fi
|
||||||
outln ")"
|
outln ")"
|
||||||
fi
|
fi
|
||||||
@ -3096,10 +3142,10 @@ certificate_info() {
|
|||||||
[[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \
|
[[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \
|
||||||
[[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
|
[[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
|
||||||
out "yes "
|
out "yes "
|
||||||
fileout "$heading ev" "OK" "Extended Validation (EV) (experimental) : yes"
|
fileout "${json_prefix}ev" "OK" "Extended Validation (EV) (experimental) : yes"
|
||||||
else
|
else
|
||||||
out "no "
|
out "no "
|
||||||
fileout "$heading ev" "INFO" "Extended Validation (EV) (experimental) : no"
|
fileout "${json_prefix}ev" "INFO" "Extended Validation (EV) (experimental) : no"
|
||||||
fi
|
fi
|
||||||
debugme echo "($(newline_to_spaces "$policy_oid"))"
|
debugme echo "($(newline_to_spaces "$policy_oid"))"
|
||||||
outln
|
outln
|
||||||
@ -3121,7 +3167,7 @@ certificate_info() {
|
|||||||
fi
|
fi
|
||||||
days2expire=$((days2expire / 3600 / 24 ))
|
days2expire=$((days2expire / 3600 / 24 ))
|
||||||
|
|
||||||
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 0 2>>$ERRFILE)
|
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
|
||||||
if ! echo $expire | grep -qw not; then
|
if ! echo $expire | grep -qw not; then
|
||||||
pr_red "expired!"
|
pr_red "expired!"
|
||||||
expfinding="expired!"
|
expfinding="expired!"
|
||||||
@ -3147,72 +3193,75 @@ certificate_info() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln " ($startdate --> $enddate)"
|
outln " ($startdate --> $enddate)"
|
||||||
fileout "$heading expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
|
fileout "${json_prefix}expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
|
||||||
|
|
||||||
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
||||||
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
|
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
|
||||||
fileout "$heading certcount" "INFO" "# of certificates provided : $certificates_provided"
|
fileout "${json_prefix}certcount" "INFO" "# of certificates provided : $certificates_provided"
|
||||||
|
|
||||||
|
|
||||||
out "$indent"; pr_bold " Chain of trust"; out " (experim.) "
|
out "$indent"; pr_bold " Chain of trust"; out " (experim.) "
|
||||||
determine_trust "$heading" #Also handles fileout
|
determine_trust "$json_prefix" # Also handles fileout
|
||||||
|
|
||||||
out "$indent"; pr_bold " Certificate Revocation List "
|
out "$indent"; pr_bold " Certificate Revocation List "
|
||||||
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
|
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
|
||||||
if [[ -z "$crl" ]]; then
|
if [[ -z "$crl" ]]; then
|
||||||
pr_literedln "--"
|
pr_literedln "--"
|
||||||
fileout "$heading crl" "NOT OK" "No CRL provided (NOT ok)"
|
fileout "${json_prefix}crl" "NOT OK" "No CRL provided (NOT ok)"
|
||||||
elif grep -q http <<< "$crl"; then
|
elif grep -q http <<< "$crl"; then
|
||||||
if [[ $(count_lines "$crl") -eq 1 ]]; then
|
if [[ $(count_lines "$crl") -eq 1 ]]; then
|
||||||
outln "$crl"
|
outln "$crl"
|
||||||
fileout "$heading crl" "INFO" "Certificate Revocation List : $crl"
|
fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
|
||||||
else # more than one CRL
|
else # more than one CRL
|
||||||
out_row_aligned "$crl" "$spaces"
|
out_row_aligned "$crl" "$spaces"
|
||||||
fileout "$heading crl" "INFO" "Certificate Revocation List : $crl"
|
fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
pr_litemagentaln "no parsable output \"$crl\", pls report"
|
pr_litemagentaln "no parsable output \"$crl\", pls report"
|
||||||
fileout "$heading crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
|
fileout "${json_prefix}crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
out "$indent"; pr_bold " OCSP URI "
|
out "$indent"; pr_bold " OCSP URI "
|
||||||
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
|
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
|
||||||
if [[ -z "$ocsp_uri" ]]; then
|
if [[ -z "$ocsp_uri" ]]; then
|
||||||
pr_literedln "--"
|
pr_literedln "--"
|
||||||
fileout "$heading ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)"
|
fileout "${json_prefix}ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)"
|
||||||
else
|
else
|
||||||
outln "$ocsp_uri"
|
outln "$ocsp_uri"
|
||||||
fileout "$heading ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
out "$indent"; pr_bold " OCSP stapling "
|
out "$indent"; pr_bold " OCSP stapling "
|
||||||
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
||||||
outln " not offered"
|
pr_yellow "--"
|
||||||
fileout "$heading ocsp_stapling" "INFO" "OCSP stapling : not offered"
|
fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered"
|
||||||
else
|
else
|
||||||
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
||||||
pr_litegreenln " offered"
|
pr_litegreen "offered"
|
||||||
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : offered"
|
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
|
||||||
else
|
else
|
||||||
if $GOST_STATUS_PROBLEM; then
|
if $GOST_STATUS_PROBLEM; then
|
||||||
outln " (GOST servers make problems here, sorry)"
|
outln "(GOST servers make problems here, sorry)"
|
||||||
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
|
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
|
||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
outln " not sure what's going on here, debug:"
|
out "(response status unknown)"
|
||||||
grep -aA 20 "OCSP response" <<<"$ocsp_response"
|
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: grep -aA 20 "OCSP response" <<<"$ocsp_response""
|
||||||
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: grep -aA 20 "OCSP response" <<<"$ocsp_response""
|
debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response"
|
||||||
ret=2
|
ret=2
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln
|
outln "\n"
|
||||||
|
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
# FIXME: revoked, see checkcert.sh
|
# FIXME: revoked, see checkcert.sh
|
||||||
# FIXME: Trust (only CN)
|
# FIXME: Trust (only CN)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
run_server_defaults() {
|
run_server_defaults() {
|
||||||
local ciph match_found newhostcert
|
local ciph match_found newhostcert
|
||||||
local sessticket_str=""
|
local sessticket_str=""
|
||||||
@ -3304,7 +3353,7 @@ run_server_defaults() {
|
|||||||
pr_headlineln " Testing server defaults (Server Hello) "
|
pr_headlineln " Testing server defaults (Server Hello) "
|
||||||
outln
|
outln
|
||||||
|
|
||||||
pr_bold " TLS server extensions (std) "
|
pr_bold " TLS extensions (standard) "
|
||||||
if [[ -z "$all_tls_extensions" ]]; then
|
if [[ -z "$all_tls_extensions" ]]; then
|
||||||
outln "(none)"
|
outln "(none)"
|
||||||
fileout "tls_extensions" "INFO" "TLS server extensions (std): (none)"
|
fileout "tls_extensions" "INFO" "TLS server extensions (std): (none)"
|
||||||
@ -3369,7 +3418,7 @@ run_pfs() {
|
|||||||
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $pfs_cipher_list))
|
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $pfs_cipher_list))
|
||||||
if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then
|
if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then
|
||||||
outln
|
outln
|
||||||
local_problem "You only have $nr_supported_ciphers PFS ciphers on the client side "
|
local_problem_ln "You only have $nr_supported_ciphers PFS ciphers on the client side "
|
||||||
fileout "pfs" "WARN" "(Perfect) Forward Secrecy tests: Skipped. You only have $nr_supported_ciphers PFS ciphers on the client site. ($CLIENT_MIN_PFS are required)"
|
fileout "pfs" "WARN" "(Perfect) Forward Secrecy tests: Skipped. You only have $nr_supported_ciphers PFS ciphers on the client site. ($CLIENT_MIN_PFS are required)"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -3482,7 +3531,7 @@ http2_pre(){
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
if ! $HAS_ALPN; then
|
if ! $HAS_ALPN; then
|
||||||
local_problem "$OPENSSL doesn't support HTTP2/ALPN";
|
local_problem_ln "$OPENSSL doesn't support HTTP2/ALPN";
|
||||||
fileout "https_alpn" "WARN" "HTTP2/ALPN : HTTP/2 was not tested as $OPENSSL does not support it"
|
fileout "https_alpn" "WARN" "HTTP2/ALPN : HTTP/2 was not tested as $OPENSSL does not support it"
|
||||||
return 7
|
return 7
|
||||||
fi
|
fi
|
||||||
@ -4424,10 +4473,6 @@ run_ccs_injection(){
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
local_problem() {
|
|
||||||
pr_litemagentaln "Local problem: $1"
|
|
||||||
}
|
|
||||||
|
|
||||||
run_renego() {
|
run_renego() {
|
||||||
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
|
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
|
||||||
local legacycmd=""
|
local legacycmd=""
|
||||||
@ -4469,7 +4514,7 @@ run_renego() {
|
|||||||
0.9.8*) # we need this for Mac OSX unfortunately
|
0.9.8*) # we need this for Mac OSX unfortunately
|
||||||
case "$OSSL_VER_APPENDIX" in
|
case "$OSSL_VER_APPENDIX" in
|
||||||
[a-l])
|
[a-l])
|
||||||
local_problem "$OPENSSL cannot test this secure renegotiation vulnerability"
|
local_problem_ln "$OPENSSL cannot test this secure renegotiation vulnerability"
|
||||||
fileout "sec_client_renego" "WARN" "Secure Client-Initiated Renegotiation : $OPENSSL cannot test this secure renegotiation vulnerability"
|
fileout "sec_client_renego" "WARN" "Secure Client-Initiated Renegotiation : $OPENSSL cannot test this secure renegotiation vulnerability"
|
||||||
return 3
|
return 3
|
||||||
;;
|
;;
|
||||||
@ -4540,7 +4585,7 @@ run_crime() {
|
|||||||
# first we need to test whether OpenSSL binary has zlib support
|
# first we need to test whether OpenSSL binary has zlib support
|
||||||
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
|
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
local_problem "$OPENSSL lacks zlib support"
|
local_problem_ln "$OPENSSL lacks zlib support"
|
||||||
fileout "crime" "WARN" "CRIME, TLS (CVE-2012-4929) : Not tested. $OPENSSL lacks zlib support"
|
fileout "crime" "WARN" "CRIME, TLS (CVE-2012-4929) : Not tested. $OPENSSL lacks zlib support"
|
||||||
return 7
|
return 7
|
||||||
fi
|
fi
|
||||||
@ -4585,7 +4630,7 @@ run_crime() {
|
|||||||
# return $ret
|
# return $ret
|
||||||
# esac
|
# esac
|
||||||
|
|
||||||
# $OPENSSL s_client help 2>&1 | grep -qw nextprotoneg
|
# $OPENSSL s_client -help 2>&1 | grep -qw nextprotoneg
|
||||||
# if [[ $? -eq 0 ]]; then
|
# if [[ $? -eq 0 ]]; then
|
||||||
# $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE
|
# $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI </dev/null 2>/dev/null >$TMPFILE
|
||||||
# if [[ $? -eq 0 ]]; then
|
# if [[ $? -eq 0 ]]; then
|
||||||
@ -4618,7 +4663,7 @@ run_breach() {
|
|||||||
local url
|
local url
|
||||||
local spaces=" "
|
local spaces=" "
|
||||||
local disclaimer=""
|
local disclaimer=""
|
||||||
local when_makesense="Can be ignored for static pages or if no secrets in the page"
|
local when_makesense=" Can be ignored for static pages or if no secrets in the page"
|
||||||
|
|
||||||
[[ $SERVICE != "HTTP" ]] && return 7
|
[[ $SERVICE != "HTTP" ]] && return 7
|
||||||
|
|
||||||
@ -4716,8 +4761,8 @@ run_tls_fallback_scsv() {
|
|||||||
# the countermeasure to protect against protocol downgrade attacks.
|
# the countermeasure to protect against protocol downgrade attacks.
|
||||||
|
|
||||||
# First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
|
# First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
|
||||||
if ! $OPENSSL s_client -h 2>&1 | grep -q "\-fallback_scsv"; then
|
if ! $OPENSSL s_client -help 2>&1 | grep -q "\-fallback_scsv"; then
|
||||||
local_problem "$OPENSSL lacks TLS_FALLBACK_SCSV support"
|
local_problem_ln "$OPENSSL lacks TLS_FALLBACK_SCSV support"
|
||||||
return 4
|
return 4
|
||||||
fi
|
fi
|
||||||
#TODO: this need some tuning: a) if one protocol is supported only it has practcally no value (theoretical it's interesting though)
|
#TODO: this need some tuning: a) if one protocol is supported only it has practcally no value (theoretical it's interesting though)
|
||||||
@ -4784,7 +4829,7 @@ run_freak() {
|
|||||||
|
|
||||||
case $nr_supported_ciphers in
|
case $nr_supported_ciphers in
|
||||||
0)
|
0)
|
||||||
local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured"
|
local_problem_ln "$OPENSSL doesn't have any EXPORT RSA ciphers configured"
|
||||||
fileout "freak" "WARN" "FREAK (CVE-2015-0204) : Not tested. $OPENSSL doesn't have any EXPORT RSA ciphers configured"
|
fileout "freak" "WARN" "FREAK (CVE-2015-0204) : Not tested. $OPENSSL doesn't have any EXPORT RSA ciphers configured"
|
||||||
return 7
|
return 7
|
||||||
;;
|
;;
|
||||||
@ -4830,7 +4875,7 @@ run_logjam() {
|
|||||||
|
|
||||||
case $nr_supported_ciphers in
|
case $nr_supported_ciphers in
|
||||||
0)
|
0)
|
||||||
local_problem "$OPENSSL doesn't have any DHE EXPORT ciphers configured"
|
local_problem_ln "$OPENSSL doesn't have any DHE EXPORT ciphers configured"
|
||||||
fileout "logjam" "WARN" "LOGJAM (CVE-2015-4000) : Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured"
|
fileout "logjam" "WARN" "LOGJAM (CVE-2015-4000) : Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured"
|
||||||
return 3
|
return 3
|
||||||
;;
|
;;
|
||||||
@ -4891,12 +4936,11 @@ run_beast(){
|
|||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
||||||
"$WIDE" && outln
|
|
||||||
# output in wide mode if cipher doesn't exist is not ok
|
# output in wide mode if cipher doesn't exist is not ok
|
||||||
|
|
||||||
>$ERRFILE
|
>$ERRFILE
|
||||||
|
|
||||||
# first determine whether it's mitogated by higher protocols
|
# first determine whether it's mitigated by higher protocols
|
||||||
for proto in tls1_1 tls1_2; do
|
for proto in tls1_1 tls1_2; do
|
||||||
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null
|
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
@ -4906,24 +4950,26 @@ run_beast(){
|
|||||||
|
|
||||||
for proto in ssl3 tls1; do
|
for proto in ssl3 tls1; do
|
||||||
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
|
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
|
||||||
if "$continued"; then # second round: we hit TLS1:
|
if "$continued"; then # second round: we hit TLS1
|
||||||
pr_litegreenln "no SSL3 or TLS1"
|
pr_litegreenln "no SSL3 or TLS1 (OK)"
|
||||||
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
|
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
|
||||||
return 0
|
return 0
|
||||||
else # protocol not succeeded but it's the first time
|
else # protocol not succeeded but it's the first time
|
||||||
continued=true
|
continued=true
|
||||||
continue # protocol not supported, so we do not need to check each cipher with that protocol
|
continue # protocol not supported, so we do not need to check each cipher with that protocol
|
||||||
|
"$WIDE" && outln
|
||||||
fi
|
fi
|
||||||
fi # protocol succeeded
|
fi # protocol succeeded
|
||||||
|
|
||||||
|
|
||||||
# now we test in one shot with the precompiled ciphers
|
# now we test in one shot with the precompiled ciphers
|
||||||
$OPENSSL s_client -"$proto" -cipher "$cbc_cipher_list" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
$OPENSSL s_client -"$proto" -cipher "$cbc_cipher_list" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE || continue
|
sclient_connect_successful $? $TMPFILE || continue
|
||||||
|
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln "\n $(toupper $proto):";
|
outln "\n $(toupper $proto):";
|
||||||
neat_header # NOT_THAT_NICE: we display the header also if in the end no cbc cipher is available on the client side
|
neat_header # NOT_THAT_NICE: we display the header also if in the end no cbc cipher is available on the client side
|
||||||
fi
|
fi
|
||||||
for ciph in $(colon_to_spaces "$cbc_cipher_list"); do
|
for ciph in $(colon_to_spaces "$cbc_cipher_list"); do
|
||||||
read hexcode dash cbc_cipher sslvers kx auth enc mac < <($OPENSSL ciphers -V "$ciph" 2>>$ERRFILE) # -V doesn't work with openssl < 1.0
|
read hexcode dash cbc_cipher sslvers kx auth enc mac < <($OPENSSL ciphers -V "$ciph" 2>>$ERRFILE) # -V doesn't work with openssl < 1.0
|
||||||
@ -4955,25 +5001,27 @@ run_beast(){
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [[ -n "$detected_cbc_ciphers" ]]; then
|
if ! "$WIDE"; then
|
||||||
fileout "cbc_$proto" "NOT OK" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
|
if [[ -n "$detected_cbc_ciphers" ]]; then
|
||||||
if ! "$WIDE"; then
|
|
||||||
detected_cbc_ciphers=$(echo "$detected_cbc_ciphers" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
detected_cbc_ciphers=$(echo "$detected_cbc_ciphers" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
||||||
|
fileout "cbc_$proto" "NOT OK" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
|
||||||
! "$first" && out "$spaces"
|
! "$first" && out "$spaces"
|
||||||
out "$(toupper $proto):"
|
out "$(toupper $proto):"
|
||||||
[[ -n "$higher_proto_supported" ]] && \
|
[[ -n "$higher_proto_supported" ]] && \
|
||||||
pr_yellowln "$detected_cbc_ciphers" || \
|
pr_yellowln "$detected_cbc_ciphers" || \
|
||||||
pr_brownln "$detected_cbc_ciphers"
|
pr_brownln "$detected_cbc_ciphers"
|
||||||
detected_cbc_ciphers="" # empty for next round
|
detected_cbc_ciphers="" # empty for next round
|
||||||
|
first=false
|
||||||
|
else
|
||||||
|
[[ $proto == "tls1" ]] && ! $first && echo -n "$spaces "
|
||||||
|
pr_litegreenln "no CBC ciphers for $(toupper $proto) (OK)"
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
fileout "cbc_$proto" "OK" "BEAST (CVE-2011-3389) : No CBC ciphers for $(toupper $proto) (OK)"
|
if ! "$vuln_beast" ; then
|
||||||
if ! "$WIDE"; then
|
pr_litegreenln " no CBC ciphers for $(toupper $proto) (OK)"
|
||||||
[[ $proto == "tls1" ]] && ! $first && echo -n "$spaces "
|
fileout "cbc_$proto" "OK" "BEAST (CVE-2011-3389) : No CBC ciphers for $(toupper $proto) (OK)"
|
||||||
first=false
|
|
||||||
fi
|
fi
|
||||||
pr_litegreenln "no CBC ciphers for $(toupper $proto) (OK)"
|
|
||||||
fi
|
fi
|
||||||
done # for proto in ssl3 tls1
|
done # for proto in ssl3 tls1
|
||||||
|
|
||||||
@ -4981,11 +5029,11 @@ run_beast(){
|
|||||||
if [[ -n "$higher_proto_supported" ]]; then
|
if [[ -n "$higher_proto_supported" ]]; then
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln
|
outln
|
||||||
# BOT ok seems too harsh for me if we have TLS >1.0
|
# NOT ok seems too harsh for me if we have TLS >1.0
|
||||||
pr_yellow "VULNERABLE"
|
pr_yellow "VULNERABLE"
|
||||||
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
else
|
else
|
||||||
out "${spaces}"
|
out "$spaces"
|
||||||
pr_yellow "VULNERABLE"
|
pr_yellow "VULNERABLE"
|
||||||
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
fi
|
fi
|
||||||
@ -4994,14 +5042,14 @@ run_beast(){
|
|||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln
|
outln
|
||||||
else
|
else
|
||||||
out "${spaces}"
|
out "$spaces"
|
||||||
fi
|
fi
|
||||||
pr_brown "VULNERABLE (NOT ok)"
|
pr_brown "VULNERABLE (NOT ok)"
|
||||||
outln " -- and no higher protocols as mitigation supported"
|
outln " -- and no higher protocols as mitigation supported"
|
||||||
fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
|
fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
$first && pr_litegreenln "no CBC ciphers found for any protocol (OK)"
|
"$first" && ! "$vuln_beast" && pr_litegreenln "no CBC ciphers found for any protocol (OK)"
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return 0
|
return 0
|
||||||
@ -5214,10 +5262,10 @@ find_openssl_binary() {
|
|||||||
$OPENSSL s_client -ssl3 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL s_client -ssl3 2>&1 | grep -aq "unknown option" || \
|
||||||
HAS_SSL3=true && \
|
HAS_SSL3=true && \
|
||||||
HAS_SSL3=false
|
HAS_SSL3=false
|
||||||
$OPENSSL s_client help 2>&1 | grep -qw '\-alpn' && \
|
$OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \
|
||||||
HAS_ALPN=true || \
|
HAS_ALPN=true || \
|
||||||
HAS_ALPN=false
|
HAS_ALPN=false
|
||||||
$OPENSSL s_client help 2>&1 | grep -qw '\-nextprotoneg' && \
|
$OPENSSL s_client -help 2>&1 | grep -qw '\-nextprotoneg' && \
|
||||||
HAS_SPDY=true || \
|
HAS_SPDY=true || \
|
||||||
HAS_SPDY=false
|
HAS_SPDY=false
|
||||||
|
|
||||||
@ -5245,10 +5293,6 @@ openssl_age() {
|
|||||||
esac
|
esac
|
||||||
ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
|
ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
|
||||||
fi
|
fi
|
||||||
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
|
|
||||||
pr_magentaln "$PROG_NAME doesn't work yet with OpenSSL 1.1.0!"
|
|
||||||
ignore_no_or_lame "Type \"yes\" to accept weird output, false negatives and positives "
|
|
||||||
fi
|
|
||||||
outln
|
outln
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5852,7 +5896,7 @@ get_mx_record() {
|
|||||||
#
|
#
|
||||||
check_proxy() {
|
check_proxy() {
|
||||||
if [[ -n "$PROXY" ]]; then
|
if [[ -n "$PROXY" ]]; then
|
||||||
if ! $OPENSSL s_client help 2>&1 | grep -qw proxy; then
|
if ! $OPENSSL s_client -help 2>&1 | grep -qw proxy; then
|
||||||
fatal "Your $OPENSSL is too old to support the \"--proxy\" option" -1
|
fatal "Your $OPENSSL is too old to support the \"--proxy\" option" -1
|
||||||
fi
|
fi
|
||||||
PROXYNODE=${PROXY%:*}
|
PROXYNODE=${PROXY%:*}
|
||||||
@ -6716,4 +6760,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.456 2016/02/01 16:33:58 dirkw Exp $
|
# $Id: testssl.sh,v 1.464 2016/02/07 18:13:58 dirkw Exp $
|
||||||
|