Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-19 15:09:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

- collect more TLS extensions

Browse Source
This commit is contained in:
Dirk 2017-02-21 11:16:14 +01:00
parent 34053e27cd
commit be079acb5e
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
testssl.sh
View File

@ -5716,7 +5716,7 @@ get_server_certificate() {
local savedir local savedir
local nrsaved local nrsaved
"$HAS_SPDY" && [[ -z $STARTTLS ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\"" "$HAS_SPDY" && [[ -z "$STARTTLS" ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\""
if [[ -n "$2" ]]; then if [[ -n "$2" ]]; then
protocols_to_try="$2" protocols_to_try="$2"
@ -5758,11 +5758,21 @@ get_server_certificate() {
return $success return $success
fi fi
# this all needs to be moved into determine_tls_extensions()
>$TEMPDIR/tlsext.txt
# first shot w/o any protocol, then in turn we collect all extensions
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -tlsextdebug -status </dev/null 2>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE && grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext.txt
for proto in $protocols_to_try; do for proto in $protocols_to_try; do
# we could know here which protcols are supported
addcmd="" addcmd=""
[[ ! "$proto" =~ ssl ]] && addcmd="$SNI" [[ ! "$proto" =~ ssl ]] && addcmd="$SNI"
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $npn_params -status </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $npn_params -status </dev/null 2>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE && success=0 && break if sclient_connect_successful $? $TMPFILE; then
success=0
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
break # now we have the certificate
fi
done # this loop is needed for IIS6 and others which have a handshake size limitations done # this loop is needed for IIS6 and others which have a handshake size limitations
if [[ $success -eq 7 ]]; then if [[ $success -eq 7 ]]; then
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then: # "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
@ -5774,6 +5784,7 @@ get_server_certificate() {
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return 7 # this is ugly, I know return 7 # this is ugly, I know
else else
grep -a 'TLS server extension' $TMPFILE >>$TEMPDIR/tlsext.txt
GOST_STATUS_PROBLEM=true GOST_STATUS_PROBLEM=true
fi fi
fi fi
@ -5782,7 +5793,7 @@ get_server_certificate() {
# this is not beautiful (grep+sed) # this is not beautiful (grep+sed)
# but maybe we should just get the ids and do a private matching, according to # but maybe we should just get the ids and do a private matching, according to
# https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
tls_extensions=$(grep -a 'TLS server extension ' $TMPFILE | \ tls_extensions=$(grep -a 'TLS server extension ' $TEMPDIR/tlsext.txt | \
sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \ sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \
-e 's/,.*$/,/g' -e 's/),$/\"/g' \ -e 's/,.*$/,/g' -e 's/),$/\"/g' \
-e 's/elliptic curves\/#10/supported_groups\/#10/g') -e 's/elliptic curves\/#10/supported_groups\/#10/g')
@ -6589,8 +6600,6 @@ certificate_info() {
# FIXME: Trust (only CN) # FIXME: Trust (only CN)
run_server_defaults() { run_server_defaults() {
local ciph match_found newhostcert sni local ciph match_found newhostcert sni
local sessticket_str="" local sessticket_str=""