mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Make STARTTLS + LDAP work again (via sockets)
A couple of checks required sockets but e.g. LDAP via STARTTLS throwed an error (FIXME: LDAP+STARTTLS over sockets not supported yet) in fd_sockets(). This adds a temporary workaround so that those functions are bypassed and LDAP via STARTTLS can be used again. See also #1258
This commit is contained in:
parent
bdbc194491
commit
bb5450e3f5
58
testssl.sh
58
testssl.sh
@ -6795,6 +6795,12 @@ tls_time() {
|
|||||||
local jsonID="TLS_timestamp"
|
local jsonID="TLS_timestamp"
|
||||||
|
|
||||||
pr_bold " TLS clock skew" ; out "$spaces"
|
pr_bold " TLS clock skew" ; out "$spaces"
|
||||||
|
|
||||||
|
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||||
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
TLS_DIFFTIME_SET=true # this is a switch whether we want to measure the remote TLS_TIME
|
TLS_DIFFTIME_SET=true # this is a switch whether we want to measure the remote TLS_TIME
|
||||||
tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (most frequently used protocol)
|
tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (most frequently used protocol)
|
||||||
[[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2
|
[[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2
|
||||||
@ -7101,7 +7107,10 @@ get_server_certificate() {
|
|||||||
extract_stapled_ocsp
|
extract_stapled_ocsp
|
||||||
success=$?
|
success=$?
|
||||||
else
|
else
|
||||||
if [[ "$1" =~ "tls1_3_RSA" ]]; then
|
# For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
||||||
|
if ( [[ "$STARTTLS" =~ ldap ]] || [[ "$STARTTLS" =~ irc ]] ); then
|
||||||
|
return 1
|
||||||
|
elif [[ "$1" =~ "tls1_3_RSA" ]]; then
|
||||||
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
|
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
|
||||||
elif [[ "$1" =~ "tls1_3_ECDSA" ]]; then
|
elif [[ "$1" =~ "tls1_3_ECDSA" ]]; then
|
||||||
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,0a,00,08,04,03,05,03,06,03,02,03"
|
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,0a,00,08,04,03,05,03,06,03,02,03"
|
||||||
@ -9127,7 +9136,7 @@ run_pfs() {
|
|||||||
sigalg[nr_supported_ciphers]=""
|
sigalg[nr_supported_ciphers]=""
|
||||||
ossl_supported[nr_supported_ciphers]="${TLS_CIPHER_OSSL_SUPPORTED[i]}"
|
ossl_supported[nr_supported_ciphers]="${TLS_CIPHER_OSSL_SUPPORTED[i]}"
|
||||||
hexcode[nr_supported_ciphers]="${hexc:2:2},${hexc:7:2}"
|
hexcode[nr_supported_ciphers]="${hexc:2:2},${hexc:7:2}"
|
||||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
if [[ "${hexc:2:2}" == 00 ]]; then
|
||||||
normalized_hexcode[nr_supported_ciphers]="x${hexc:7:2}"
|
normalized_hexcode[nr_supported_ciphers]="x${hexc:7:2}"
|
||||||
else
|
else
|
||||||
normalized_hexcode[nr_supported_ciphers]="x${hexc:2:2}${hexc:7:2}"
|
normalized_hexcode[nr_supported_ciphers]="x${hexc:2:2}${hexc:7:2}"
|
||||||
@ -9139,7 +9148,7 @@ run_pfs() {
|
|||||||
else
|
else
|
||||||
while read -r hexc dash ciph[nr_supported_ciphers] sslvers kx[nr_supported_ciphers] auth enc[nr_supported_ciphers] mac export; do
|
while read -r hexc dash ciph[nr_supported_ciphers] sslvers kx[nr_supported_ciphers] auth enc[nr_supported_ciphers] mac export; do
|
||||||
ciphers_found[nr_supported_ciphers]=false
|
ciphers_found[nr_supported_ciphers]=false
|
||||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
if [[ "${hexc:2:2}" == 00 ]]; then
|
||||||
normalized_hexcode[nr_supported_ciphers]="x${hexc:7:2}"
|
normalized_hexcode[nr_supported_ciphers]="x${hexc:7:2}"
|
||||||
else
|
else
|
||||||
normalized_hexcode[nr_supported_ciphers]="x${hexc:2:2}${hexc:7:2}"
|
normalized_hexcode[nr_supported_ciphers]="x${hexc:2:2}${hexc:7:2}"
|
||||||
@ -9909,6 +9918,7 @@ starttls_mysql_dialog() {
|
|||||||
|
|
||||||
# arg1: fd for socket -- which we don't use as it is a hassle and it is not clear whether it works under every bash version
|
# arg1: fd for socket -- which we don't use as it is a hassle and it is not clear whether it works under every bash version
|
||||||
# returns 6 if opening the socket caused a problem, 1 if STARTTLS handshake failed, 0: all ok
|
# returns 6 if opening the socket caused a problem, 1 if STARTTLS handshake failed, 0: all ok
|
||||||
|
#
|
||||||
fd_socket() {
|
fd_socket() {
|
||||||
local jabber=""
|
local jabber=""
|
||||||
local proyxline=""
|
local proyxline=""
|
||||||
@ -9982,7 +9992,7 @@ fd_socket() {
|
|||||||
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
|
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
|
||||||
;;
|
;;
|
||||||
ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
|
ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
|
||||||
fatal "FIXME: LDAP+STARTTLS over sockets not yet supported (try \"--ssl-native\")" $ERR_NOSUPPORT
|
fatal "FIXME: LDAP+STARTTLS over sockets not supported yet (try \"--ssl-native\")" $ERR_NOSUPPORT
|
||||||
;;
|
;;
|
||||||
acap|acaps) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595
|
acap|acaps) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595
|
||||||
fatal "ACAP Easteregg: not implemented -- probably never will" $ERR_NOSUPPORT
|
fatal "ACAP Easteregg: not implemented -- probably never will" $ERR_NOSUPPORT
|
||||||
@ -13313,12 +13323,10 @@ tls_sockets() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
####### vulnerabilities follow #######
|
####### Vulnerabilities follow #######
|
||||||
|
# General overview which browser "supports" which vulnerability:
|
||||||
# general overview which browser "supports" which vulnerability:
|
|
||||||
# http://en.wikipedia.org/wiki/Transport_Layer_Security-SSL#Web_browsers
|
# http://en.wikipedia.org/wiki/Transport_Layer_Security-SSL#Web_browsers
|
||||||
|
|
||||||
|
|
||||||
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
||||||
#
|
#
|
||||||
run_heartbleed(){
|
run_heartbleed(){
|
||||||
@ -13335,6 +13343,11 @@ run_heartbleed(){
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
||||||
pr_bold " Heartbleed"; out " ($cve) "
|
pr_bold " Heartbleed"; out " ($cve) "
|
||||||
|
|
||||||
|
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||||
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
[[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions
|
[[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions
|
||||||
if [[ ! "${TLS_EXTENSIONS}" =~ heartbeat ]]; then
|
if [[ ! "${TLS_EXTENSIONS}" =~ heartbeat ]]; then
|
||||||
pr_svrty_best "not vulnerable (OK)"
|
pr_svrty_best "not vulnerable (OK)"
|
||||||
@ -13389,8 +13402,8 @@ run_heartbleed(){
|
|||||||
tmln_out
|
tmln_out
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $lines_returned -gt 1 ]] && [[ "${tls_hello_ascii:0:4}" == "1803" ]]; then
|
if [[ $lines_returned -gt 1 ]] && [[ "${tls_hello_ascii:0:4}" == 1803 ]]; then
|
||||||
if [[ "$STARTTLS_PROTOCOL" == "ftp" ]] || [[ "$STARTTLS_PROTOCOL" == "ftps" ]]; then
|
if [[ "$STARTTLS_PROTOCOL" =~ ftp ]]; then
|
||||||
# check possibility of weird vsftpd reply, see #426, despite "1803" seems very unlikely...
|
# check possibility of weird vsftpd reply, see #426, despite "1803" seems very unlikely...
|
||||||
if grep -q '500 OOPS' "$SOCK_REPLY_FILE" ; then
|
if grep -q '500 OOPS' "$SOCK_REPLY_FILE" ; then
|
||||||
append=", successful weeded out vsftpd false positive"
|
append=", successful weeded out vsftpd false positive"
|
||||||
@ -13439,6 +13452,11 @@ run_ccs_injection(){
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
|
||||||
pr_bold " CCS"; out " ($cve) "
|
pr_bold " CCS"; out " ($cve) "
|
||||||
|
|
||||||
|
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||||
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ 0 -eq $(has_server_protocol tls1) ]]; then
|
if [[ 0 -eq $(has_server_protocol tls1) ]]; then
|
||||||
tls_hexcode="x03, x01"
|
tls_hexcode="x03, x01"
|
||||||
elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
|
elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
|
||||||
@ -14879,7 +14897,17 @@ run_drown() {
|
|||||||
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
|
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||||
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ $(has_server_protocol ssl2) -ne 1 ]]; then
|
||||||
sslv2_sockets
|
sslv2_sockets
|
||||||
|
else
|
||||||
|
[[ aaa == bbb ]] # provoke retrurn code=1
|
||||||
|
fi
|
||||||
|
|
||||||
case $? in
|
case $? in
|
||||||
7) # strange reply, couldn't convert the cipher spec length to a hex number
|
7) # strange reply, couldn't convert the cipher spec length to a hex number
|
||||||
pr_fixme "strange v2 reply "
|
pr_fixme "strange v2 reply "
|
||||||
@ -14891,6 +14919,7 @@ run_drown() {
|
|||||||
3) # vulnerable, [[ -n "$cert_fingerprint_sha2" ]] test is not needed as we should have RSA certificate here
|
3) # vulnerable, [[ -n "$cert_fingerprint_sha2" ]] test is not needed as we should have RSA certificate here
|
||||||
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
||||||
debugme tm_out " ($lines lines) "
|
debugme tm_out " ($lines lines) "
|
||||||
|
add_tls_offered ssl2 yes
|
||||||
if [[ "$lines" -gt 1 ]]; then
|
if [[ "$lines" -gt 1 ]]; then
|
||||||
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
||||||
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
||||||
@ -15928,6 +15957,11 @@ run_robot() {
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln
|
||||||
pr_bold " ROBOT "
|
pr_bold " ROBOT "
|
||||||
|
|
||||||
|
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||||
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ ! "$HAS_PKUTIL" ]]; then
|
if [[ ! "$HAS_PKUTIL" ]]; then
|
||||||
prln_local_problem "Your $OPENSSL does not support the pkeyutl utility."
|
prln_local_problem "Your $OPENSSL does not support the pkeyutl utility."
|
||||||
fileout "$jsonID" "WARN" "$OPENSSL does not support the pkeyutl utility." "$cve" "$cwe"
|
fileout "$jsonID" "WARN" "$OPENSSL does not support the pkeyutl utility." "$cve" "$cwe"
|
||||||
@ -17777,6 +17811,10 @@ determine_sizelimitbug() {
|
|||||||
local overflow_cipher1='C0,86'
|
local overflow_cipher1='C0,86'
|
||||||
local overflow_cipher2='C0,88'
|
local overflow_cipher2='C0,88'
|
||||||
|
|
||||||
|
# For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
||||||
|
[[ "$STARTTLS" =~ ldap ]] && return 0
|
||||||
|
[[ "$STARTTLS" =~ irc ]] && return 0
|
||||||
|
|
||||||
debugme echo -n "${FUNCNAME[0]} starting at # of ciphers (excl. 00FF): "
|
debugme echo -n "${FUNCNAME[0]} starting at # of ciphers (excl. 00FF): "
|
||||||
debugme 'echo "$test_ciphers" | tr ' ' '\n' | wc -l'
|
debugme 'echo "$test_ciphers" | tr ' ' '\n' | wc -l'
|
||||||
# Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practise. Thus
|
# Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practise. Thus
|
||||||
|
Loading…
Reference in New Issue
Block a user