mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-01 06:19:44 +01:00
Make STARTTLS + LDAP work again (via sockets)
A couple of checks required sockets but e.g. LDAP via STARTTLS throwed an error (FIXME: LDAP+STARTTLS over sockets not supported yet) in fd_sockets(). This adds a temporary workaround so that those functions are bypassed and LDAP via STARTTLS can be used again. See also #1258
This commit is contained in:
parent
bdbc194491
commit
bb5450e3f5
60
testssl.sh
60
testssl.sh
@ -6795,6 +6795,12 @@ tls_time() {
|
||||
local jsonID="TLS_timestamp"
|
||||
|
||||
pr_bold " TLS clock skew" ; out "$spaces"
|
||||
|
||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||
return 1
|
||||
fi
|
||||
|
||||
TLS_DIFFTIME_SET=true # this is a switch whether we want to measure the remote TLS_TIME
|
||||
tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (most frequently used protocol)
|
||||
[[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2
|
||||
@ -7101,7 +7107,10 @@ get_server_certificate() {
|
||||
extract_stapled_ocsp
|
||||
success=$?
|
||||
else
|
||||
if [[ "$1" =~ "tls1_3_RSA" ]]; then
|
||||
# For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
||||
if ( [[ "$STARTTLS" =~ ldap ]] || [[ "$STARTTLS" =~ irc ]] ); then
|
||||
return 1
|
||||
elif [[ "$1" =~ "tls1_3_RSA" ]]; then
|
||||
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
|
||||
elif [[ "$1" =~ "tls1_3_ECDSA" ]]; then
|
||||
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,0a,00,08,04,03,05,03,06,03,02,03"
|
||||
@ -9127,7 +9136,7 @@ run_pfs() {
|
||||
sigalg[nr_supported_ciphers]=""
|
||||
ossl_supported[nr_supported_ciphers]="${TLS_CIPHER_OSSL_SUPPORTED[i]}"
|
||||
hexcode[nr_supported_ciphers]="${hexc:2:2},${hexc:7:2}"
|
||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
||||
if [[ "${hexc:2:2}" == 00 ]]; then
|
||||
normalized_hexcode[nr_supported_ciphers]="x${hexc:7:2}"
|
||||
else
|
||||
normalized_hexcode[nr_supported_ciphers]="x${hexc:2:2}${hexc:7:2}"
|
||||
@ -9139,7 +9148,7 @@ run_pfs() {
|
||||
else
|
||||
while read -r hexc dash ciph[nr_supported_ciphers] sslvers kx[nr_supported_ciphers] auth enc[nr_supported_ciphers] mac export; do
|
||||
ciphers_found[nr_supported_ciphers]=false
|
||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
||||
if [[ "${hexc:2:2}" == 00 ]]; then
|
||||
normalized_hexcode[nr_supported_ciphers]="x${hexc:7:2}"
|
||||
else
|
||||
normalized_hexcode[nr_supported_ciphers]="x${hexc:2:2}${hexc:7:2}"
|
||||
@ -9909,6 +9918,7 @@ starttls_mysql_dialog() {
|
||||
|
||||
# arg1: fd for socket -- which we don't use as it is a hassle and it is not clear whether it works under every bash version
|
||||
# returns 6 if opening the socket caused a problem, 1 if STARTTLS handshake failed, 0: all ok
|
||||
#
|
||||
fd_socket() {
|
||||
local jabber=""
|
||||
local proyxline=""
|
||||
@ -9982,7 +9992,7 @@ fd_socket() {
|
||||
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
|
||||
;;
|
||||
ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
|
||||
fatal "FIXME: LDAP+STARTTLS over sockets not yet supported (try \"--ssl-native\")" $ERR_NOSUPPORT
|
||||
fatal "FIXME: LDAP+STARTTLS over sockets not supported yet (try \"--ssl-native\")" $ERR_NOSUPPORT
|
||||
;;
|
||||
acap|acaps) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595
|
||||
fatal "ACAP Easteregg: not implemented -- probably never will" $ERR_NOSUPPORT
|
||||
@ -13313,12 +13323,10 @@ tls_sockets() {
|
||||
}
|
||||
|
||||
|
||||
####### vulnerabilities follow #######
|
||||
|
||||
# general overview which browser "supports" which vulnerability:
|
||||
####### Vulnerabilities follow #######
|
||||
# General overview which browser "supports" which vulnerability:
|
||||
# http://en.wikipedia.org/wiki/Transport_Layer_Security-SSL#Web_browsers
|
||||
|
||||
|
||||
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
||||
#
|
||||
run_heartbleed(){
|
||||
@ -13335,6 +13343,11 @@ run_heartbleed(){
|
||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
||||
pr_bold " Heartbleed"; out " ($cve) "
|
||||
|
||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||
return 1
|
||||
fi
|
||||
|
||||
[[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions
|
||||
if [[ ! "${TLS_EXTENSIONS}" =~ heartbeat ]]; then
|
||||
pr_svrty_best "not vulnerable (OK)"
|
||||
@ -13389,8 +13402,8 @@ run_heartbleed(){
|
||||
tmln_out
|
||||
fi
|
||||
|
||||
if [[ $lines_returned -gt 1 ]] && [[ "${tls_hello_ascii:0:4}" == "1803" ]]; then
|
||||
if [[ "$STARTTLS_PROTOCOL" == "ftp" ]] || [[ "$STARTTLS_PROTOCOL" == "ftps" ]]; then
|
||||
if [[ $lines_returned -gt 1 ]] && [[ "${tls_hello_ascii:0:4}" == 1803 ]]; then
|
||||
if [[ "$STARTTLS_PROTOCOL" =~ ftp ]]; then
|
||||
# check possibility of weird vsftpd reply, see #426, despite "1803" seems very unlikely...
|
||||
if grep -q '500 OOPS' "$SOCK_REPLY_FILE" ; then
|
||||
append=", successful weeded out vsftpd false positive"
|
||||
@ -13439,6 +13452,11 @@ run_ccs_injection(){
|
||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
|
||||
pr_bold " CCS"; out " ($cve) "
|
||||
|
||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [[ 0 -eq $(has_server_protocol tls1) ]]; then
|
||||
tls_hexcode="x03, x01"
|
||||
elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
|
||||
@ -14879,7 +14897,17 @@ run_drown() {
|
||||
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
|
||||
fi
|
||||
|
||||
sslv2_sockets
|
||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [[ $(has_server_protocol ssl2) -ne 1 ]]; then
|
||||
sslv2_sockets
|
||||
else
|
||||
[[ aaa == bbb ]] # provoke retrurn code=1
|
||||
fi
|
||||
|
||||
case $? in
|
||||
7) # strange reply, couldn't convert the cipher spec length to a hex number
|
||||
pr_fixme "strange v2 reply "
|
||||
@ -14891,6 +14919,7 @@ run_drown() {
|
||||
3) # vulnerable, [[ -n "$cert_fingerprint_sha2" ]] test is not needed as we should have RSA certificate here
|
||||
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
||||
debugme tm_out " ($lines lines) "
|
||||
add_tls_offered ssl2 yes
|
||||
if [[ "$lines" -gt 1 ]]; then
|
||||
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
||||
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
||||
@ -15928,6 +15957,11 @@ run_robot() {
|
||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln
|
||||
pr_bold " ROBOT "
|
||||
|
||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [[ ! "$HAS_PKUTIL" ]]; then
|
||||
prln_local_problem "Your $OPENSSL does not support the pkeyutl utility."
|
||||
fileout "$jsonID" "WARN" "$OPENSSL does not support the pkeyutl utility." "$cve" "$cwe"
|
||||
@ -17777,6 +17811,10 @@ determine_sizelimitbug() {
|
||||
local overflow_cipher1='C0,86'
|
||||
local overflow_cipher2='C0,88'
|
||||
|
||||
# For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
|
||||
[[ "$STARTTLS" =~ ldap ]] && return 0
|
||||
[[ "$STARTTLS" =~ irc ]] && return 0
|
||||
|
||||
debugme echo -n "${FUNCNAME[0]} starting at # of ciphers (excl. 00FF): "
|
||||
debugme 'echo "$test_ciphers" | tr ' ' '\n' | wc -l'
|
||||
# Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practise. Thus
|
||||
|
Loading…
Reference in New Issue
Block a user