Add SSLv2 ciphers in handshakes, housekeeping
In addition to 7d36ba9a2e, which added new SSLv2 ciphers to the ciphers file, this commit also adds those ciphers to the functions where they are needed.
Also it does some housekeeping. [[ doesn't require strings on
the right hand side to be quoted, see bash hackers wiki.
This commit is contained in:
parent
de684885fe
commit
bf78a62b2e
60
testssl.sh
60
testssl.sh
@ -422,13 +422,13 @@ SEVERITY_LEVEL=0
|
||||
set_severity_level() {
|
||||
local severity=$1
|
||||
|
||||
if [[ "$severity" == "LOW" ]]; then
|
||||
if [[ "$severity" == LOW ]]; then
|
||||
SEVERITY_LEVEL=$LOW
|
||||
elif [[ "$severity" == "MEDIUM" ]]; then
|
||||
elif [[ "$severity" == MEDIUM ]]; then
|
||||
SEVERITY_LEVEL=$MEDIUM
|
||||
elif [[ "$severity" == "HIGH" ]]; then
|
||||
elif [[ "$severity" == HIGH ]]; then
|
||||
SEVERITY_LEVEL=$HIGH
|
||||
elif [[ "$severity" == "CRITICAL" ]]; then
|
||||
elif [[ "$severity" == CRITICAL ]]; then
|
||||
SEVERITY_LEVEL=$CRITICAL
|
||||
else
|
||||
# WARN will always be logged
|
||||
@ -440,14 +440,14 @@ set_severity_level() {
|
||||
show_finding() {
|
||||
local severity=$1
|
||||
|
||||
( [[ "$severity" == "DEBUG" ]] ) ||
|
||||
( [[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
|
||||
( [[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
|
||||
( [[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
|
||||
( [[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
|
||||
( [[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
|
||||
( [[ "$severity" == "WARN" ]] ) ||
|
||||
( [[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
|
||||
( [[ "$severity" == DEBUG ]] ) ||
|
||||
( [[ "$severity" == INFO ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
|
||||
( [[ "$severity" == OK ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
|
||||
( [[ "$severity" == LOW ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
|
||||
( [[ "$severity" == MEDIUM ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
|
||||
( [[ "$severity" == HIGH ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
|
||||
( [[ "$severity" == WARN ]] ) ||
|
||||
( [[ "$severity" == CRITICAL ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
|
||||
}
|
||||
|
||||
########### Output functions
|
||||
@ -5352,21 +5352,21 @@ run_cipherlists() {
|
||||
local -i i
|
||||
local -i ret=0
|
||||
local null_ciphers="c0,10, c0,06, c0,15, c0,0b, c0,01, c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e, 00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,82, 00,83, ff,87, 00,ff"
|
||||
local sslv2_null_ciphers=""
|
||||
local sslv2_null_ciphers="FF,80,10, 00,00,00"
|
||||
local anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff"
|
||||
local sslv2_anon_ciphers=""
|
||||
local sslv2_anon_ciphers="FF,80,10"
|
||||
# ~ grep -i EXP etc/cipher-mapping.txt
|
||||
local exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff"
|
||||
local sslv2_exp_ciphers="04,00,80, 02,00,80"
|
||||
local sslv2_exp_ciphers="04,00,80, 02,00,80, 00,00,00"
|
||||
# ~ egrep -w '64|56' etc/cipher-mapping.txt | grep -v export
|
||||
local low_ciphers="00,15, 00,12, 00,0f, 00,0c, 00,09, 00,1e, 00,22, fe,fe, ff,e1, 00,ff"
|
||||
local sslv2_low_ciphers="08,00,80, 06,00,40"
|
||||
local sslv2_low_ciphers="08,00,80, 06,00,40, 06,01,40, FF,80,00"
|
||||
# ~ egrep -w 128 etc/cipher-mapping.txt | egrep -v "Au=None|AEAD|ARIA|Camellia|AES"
|
||||
local medium_ciphers="00,9a, 00,99, 00,98, 00,97, 00,96, 00,07, 00,21, 00,25, c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, 00,92, 00,8a, 00,20, 00,24, c0,33, 00,8e, 00,ff"
|
||||
local sslv2_medium_ciphers="01,00,80, 03,00,80, 05,00,80"
|
||||
# ~ egrep -w '3DES' etc/cipher-mapping.txt
|
||||
local tdes_ciphers="c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, c0,0d, c0,03, 00,0a, 00,93, 00,8b, 00,1f, 00,23, c0,34, 00,8f, fe,ff, ff,e0, 00,ff"
|
||||
local sslv2_tdes_ciphers="07,00,c0"
|
||||
local sslv2_tdes_ciphers="07,00,c0, 07,01,c0"
|
||||
# ~ equivalent to 'egrep -w "GOST|128|256" etc/cipher-mapping.txt | grep -v '=None' | egrep -vw 'RC4|AEAD|IDEA|SEED|RC2'. Attention: 127 ciphers currently
|
||||
local high_ciphers="c0,28, c0,24, c0,14, c0,0a, c0,22, c0,21, c0,20, 00,b7, 00,b3, 00,91, c0,9b, c0,99, c0,97, 00,af, c0,95, 00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, 00,86, 00,85, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, 00,3d, 00,35, 00,c0, c0,38, c0,36, 00,84, 00,95, 00,8d, c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,49, c0,4b, c0,4d, c0,4f, c0,65, c0,67, c0,69, c0,71, 00,80, 00,81, ff,00, ff,01, ff,02, ff,03, ff,85, c0,27, c0,23, c0,13, c0,09, c0,1f, c0,1e, c0,1d, 00,67, 00,40, 00,3f, 00,3e, 00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, 00,bc, 00,bb, 00,45, 00,44, 00,43, 00,42, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, 00,3c, 00,2f, 00,ba, c0,37, c0,35, 00,b6, 00,b2, 00,90, 00,41, c0,9a, c0,98, c0,96, 00,ae, c0,94, 00,94, 00,8c, c0,3c, c0,3e, c0,40, c0,42, c0,44, c0,48, c0,4a, c0,4c, c0,4e, c0,64, c0,66, c0,68, c0,70"
|
||||
# no SSLv2 here and in strong
|
||||
@ -11706,7 +11706,7 @@ sslv2_sockets() {
|
||||
local -i response_len server_hello_len
|
||||
local parse_complete=false
|
||||
|
||||
if [[ "$2" == "true" ]]; then
|
||||
if [[ "$2" == true ]]; then
|
||||
parse_complete=true
|
||||
fi
|
||||
|
||||
@ -11722,8 +11722,12 @@ sslv2_sockets() {
|
||||
06,00,40, # 6th
|
||||
04,00,80, # 7th
|
||||
02,00,80, # 8th
|
||||
00,00,00" # 9th
|
||||
# FIXME: http://max.euston.net/d/tip_sslciphers.html
|
||||
06,01,40, # 9
|
||||
07,01,c0, # 10
|
||||
FF,80,00, # 11
|
||||
FF,80,10, # 12
|
||||
00,00,00" # 13
|
||||
# FIXME: http://max.euston.net/d/tip_sslciphers.html <-- also SSLv3 ciphers
|
||||
fi
|
||||
|
||||
code2network "$cipher_suites" # convert CIPHER_SUITES
|
||||
@ -13788,7 +13792,7 @@ run_freak() {
|
||||
# with correct build it should list these 9 ciphers (plus the two latter as SSLv2 ciphers):
|
||||
local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5"
|
||||
local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03"
|
||||
local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80"
|
||||
local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80, 00,00,00"
|
||||
local detected_ssl2_ciphers
|
||||
local addtl_warning="" hexc
|
||||
local using_sockets=true
|
||||
@ -14601,7 +14605,7 @@ run_rc4() {
|
||||
fi
|
||||
if [[ ${#hexc} -eq 9 ]]; then
|
||||
hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}"
|
||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
||||
if [[ "${hexc:2:2}" == 00 ]]; then
|
||||
normalized_hexcode[nr_ciphers]="x${hexc:7:2}"
|
||||
else
|
||||
normalized_hexcode[nr_ciphers]="x${hexc:2:2}${hexc:7:2}"
|
||||
@ -14620,7 +14624,7 @@ run_rc4() {
|
||||
if [[ "${ciph[nr_ciphers]}" =~ RC4 ]]; then
|
||||
ciphers_found[nr_ciphers]=false
|
||||
if [[ ${#hexc} -eq 9 ]]; then
|
||||
if [[ "${hexc:2:2}" == "00" ]]; then
|
||||
if [[ "${hexc:2:2}" == 00 ]]; then
|
||||
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:7:2}")"
|
||||
else
|
||||
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:2:2}${hexc:7:2}")"
|
||||
@ -14642,7 +14646,7 @@ run_rc4() {
|
||||
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
||||
"$WIDE" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")"
|
||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
|
||||
if [[ "${sslvers[i]}" == SSLv2 ]] && [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
|
||||
ciphers_found[i]=true
|
||||
"$WIDE" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||
rc4_offered=1
|
||||
@ -14656,7 +14660,7 @@ run_rc4() {
|
||||
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
|
||||
"$WIDE" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
|
||||
for (( i=0 ; i<nr_ciphers; i++ )); do
|
||||
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
|
||||
if [[ "${sslvers[i]}" == SSLv2 ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
|
||||
ciphers_found[i]=true
|
||||
"$WIDE" && "$SHOW_SIGALGO" && sigalg[i]="$s"
|
||||
rc4_offered=1
|
||||
@ -14666,7 +14670,7 @@ run_rc4() {
|
||||
fi
|
||||
|
||||
for (( i=0; i < nr_ciphers; i++ )); do
|
||||
if "${ossl_supported[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then
|
||||
if "${ossl_supported[i]}" && [[ "${sslvers[i]}" != SSLv2 ]]; then
|
||||
ciphers_found2[nr_ossl_ciphers]=false
|
||||
ciph2[nr_ossl_ciphers]="${ciph[i]}"
|
||||
index[nr_ossl_ciphers]=$i
|
||||
@ -14705,7 +14709,7 @@ run_rc4() {
|
||||
|
||||
if "$using_sockets"; then
|
||||
for (( i=0; i < nr_ciphers; i++ )); do
|
||||
if ! "${ciphers_found[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then
|
||||
if ! "${ciphers_found[i]}" && [[ "${sslvers[i]}" != SSLv2 ]]; then
|
||||
ciphers_found2[nr_nonossl_ciphers]=false
|
||||
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
|
||||
rfc_ciph2[nr_nonossl_ciphers]="${rfc_ciph[i]}"
|
||||
@ -16011,7 +16015,7 @@ prepare_arrays() {
|
||||
if [[ -n "$ossl_ciph" ]]; then
|
||||
TLS_CIPHER_OSSL_SUPPORTED[i]=true
|
||||
[[ "$ossl_ciph" != "${TLS_CIPHER_OSSL_NAME[i]}" ]] && TLS_CIPHER_OSSL_NAME[i]="$ossl_ciph"
|
||||
[[ "${hexc:2:2}" == "13" ]] && TLS13_OSSL_CIPHERS+=":$ossl_ciph"
|
||||
[[ "${hexc:2:2}" == 13 ]] && TLS13_OSSL_CIPHERS+=":$ossl_ciph"
|
||||
fi
|
||||
fi
|
||||
elif [[ $OSSL_VER_MAJOR -lt 1 ]]; then
|
||||
|
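Review bot: The new SSLv2 entries are written in mixed case — `FF,80,10` and `FF,80,00` next to `06,01,40` and `07,01,c0` — in the sslv2_null/anon/low cipher strings of run_cipherlists and again in the cipher_suites string of sslv2_sockets, whereas the existing hex lists in the same function are lowercase throughout (`fe,fe, ff,e1` in low_ciphers, `fe,ff, ff,e0` in tdes_ciphers). Whether this matters depends on code2network and on the consumers that compare these strings, which are outside the hunks; run_rc4 in this same commit explicitly runs its normalized hexcodes through `tolower` before the `=~` match against the SSLv2 server-hello output, which suggests case is not irrelevant everywhere. Writing the new entries as `ff,80,10` and `ff,80,00` removes the question at no cost. Separately, the run_freak comment `# with correct build it should list these 9 ciphers (plus the two latter as SSLv2 ciphers)` now sits above a three-entry exportrsa_ssl2_cipher_list_hex and should say what the added `00,00,00` entry represents, since it is not one of the nine named ciphers. The enclosing functions all start and end outside their hunks.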