mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Use tls_sockets() in run_tls_fallback_scsv()
This commit adds the use of tls_sockets() to run_tls_fallback_scsv() to perform testing when the --ssl-native flag is not used. With this commit, run_tls_fallback_scsv() only uses tls_sockets() instead of $OPENSSL if the ClientHello needs to include the TLS_FALLBACK_SCSV flag, but it is not supported by $OPENSSL, or if the protocol that would be negotiated is SSLv3 and $OPENSSL does not support SSLv3.
This commit is contained in:
parent
b3979a8979
commit
c14ea2efc8
65
testssl.sh
65
testssl.sh
@ -13599,6 +13599,7 @@ parse_tls_serverhello() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $tls_alert_ascii_len -gt 0 ]]; then
|
if [[ $tls_alert_ascii_len -gt 0 ]]; then
|
||||||
|
echo "CONNECTED(00000003)" > $TMPFILE
|
||||||
debugme echo "TLS alert messages:"
|
debugme echo "TLS alert messages:"
|
||||||
for (( i=0; i+3 < tls_alert_ascii_len; i+=4 )); do
|
for (( i=0; i+3 < tls_alert_ascii_len; i+=4 )); do
|
||||||
tls_err_level=${tls_alert_ascii:i:2} # 1: warning, 2: fatal
|
tls_err_level=${tls_alert_ascii:i:2} # 1: warning, 2: fatal
|
||||||
@ -13798,11 +13799,13 @@ parse_tls_serverhello() {
|
|||||||
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
if [[ $tls_alert_ascii_len -eq 0 ]]; then
|
||||||
if [[ $DEBUG -eq 0 ]]; then
|
if [[ $DEBUG -eq 0 ]]; then
|
||||||
echo "CONNECTED(00000003)" > $TMPFILE
|
echo "CONNECTED(00000003)" > $TMPFILE
|
||||||
else
|
else
|
||||||
echo "CONNECTED(00000003)" >> $TMPFILE
|
echo "CONNECTED(00000003)" >> $TMPFILE
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# First parse the server hello handshake message
|
# First parse the server hello handshake message
|
||||||
# byte 0+1: 03, TLS version word see byte 1+2
|
# byte 0+1: 03, TLS version word see byte 1+2
|
||||||
@ -17096,16 +17099,19 @@ run_tls_poodle() {
|
|||||||
# the countermeasure to protect against protocol downgrade attacks.
|
# the countermeasure to protect against protocol downgrade attacks.
|
||||||
#
|
#
|
||||||
run_tls_fallback_scsv() {
|
run_tls_fallback_scsv() {
|
||||||
local -i ret=0
|
local -i ret=0 debug_level
|
||||||
local high_proto="" low_proto=""
|
local high_proto="" low_proto=""
|
||||||
local p high_proto_str protos_to_try
|
local p high_proto_str protos_to_try
|
||||||
|
local using_sockets=true
|
||||||
local jsonID="fallback_SCSV"
|
local jsonID="fallback_SCSV"
|
||||||
|
|
||||||
|
"$SSL_NATIVE" && using_sockets=false
|
||||||
|
|
||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for TLS_FALLBACK_SCSV Protection " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for TLS_FALLBACK_SCSV Protection " && outln
|
||||||
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507) "
|
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507) "
|
||||||
|
|
||||||
# First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
|
# First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
|
||||||
if ! "$HAS_FALLBACK_SCSV"; then
|
if ! "$HAS_FALLBACK_SCSV" && ! "$using_sockets"; then
|
||||||
prln_local_problem "$OPENSSL lacks TLS_FALLBACK_SCSV support"
|
prln_local_problem "$OPENSSL lacks TLS_FALLBACK_SCSV support"
|
||||||
fileout "$jsonID" "WARN" "$OPENSSL lacks TLS_FALLBACK_SCSV support"
|
fileout "$jsonID" "WARN" "$OPENSSL lacks TLS_FALLBACK_SCSV support"
|
||||||
return 1
|
return 1
|
||||||
@ -17123,12 +17129,24 @@ run_tls_fallback_scsv() {
|
|||||||
high_proto="$p"
|
high_proto="$p"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
[[ "$p" == ssl3 ]] && ! "$HAS_SSL3" && continue
|
|
||||||
|
if [[ "$p" == ssl3 ]] && ! "$HAS_SSL3"; then
|
||||||
|
"$using_sockets" || continue
|
||||||
|
tls_sockets "00" "$TLS_CIPHER" "" "" "true"
|
||||||
|
if [[ $? -eq 0 ]]; then
|
||||||
|
high_proto="$p"
|
||||||
|
add_proto_offered ssl3 yes
|
||||||
|
break
|
||||||
|
else
|
||||||
|
add_proto_offered ssl3 no
|
||||||
|
fi
|
||||||
|
else
|
||||||
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
high_proto="$p"
|
high_proto="$p"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
case "$high_proto" in
|
case "$high_proto" in
|
||||||
"tls1_2")
|
"tls1_2")
|
||||||
@ -17181,15 +17199,26 @@ run_tls_fallback_scsv() {
|
|||||||
low_proto="$p"
|
low_proto="$p"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
[[ "$p" == ssl3 ]] && ! "$HAS_SSL3" && continue
|
if [[ "$p" == ssl3 ]] && ! "$HAS_SSL3"; then
|
||||||
|
"$using_sockets" || continue
|
||||||
|
tls_sockets "00" "$TLS_CIPHER" "" "" "true"
|
||||||
|
if [[ $? -eq 0 ]]; then
|
||||||
|
low_proto="$p"
|
||||||
|
add_proto_offered ssl3 yes
|
||||||
|
break
|
||||||
|
else
|
||||||
|
add_proto_offered ssl3 no
|
||||||
|
fi
|
||||||
|
else
|
||||||
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-$p $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
low_proto="$p"
|
low_proto="$p"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if ! "$HAS_SSL3" && \
|
if ! "$HAS_SSL3" && ! "$using_sockets" && \
|
||||||
( [[ "$low_proto" == ssl3 ]] || \
|
( [[ "$low_proto" == ssl3 ]] || \
|
||||||
( [[ "$high_proto" == tls1 ]] && [[ $(has_server_protocol ssl3) -eq 2 ]] ) ); then
|
( [[ "$high_proto" == tls1 ]] && [[ $(has_server_protocol ssl3) -eq 2 ]] ) ); then
|
||||||
# If the protocol that the server would fall back to is SSLv3, but $OPENSSL does
|
# If the protocol that the server would fall back to is SSLv3, but $OPENSSL does
|
||||||
@ -17228,7 +17257,33 @@ run_tls_fallback_scsv() {
|
|||||||
debugme echo "Simulating fallback from $high_proto to $low_proto"
|
debugme echo "Simulating fallback from $high_proto to $low_proto"
|
||||||
|
|
||||||
# ...and do the test (we need to parse the error here!)
|
# ...and do the test (we need to parse the error here!)
|
||||||
|
if "$HAS_FALLBACK_SCSV" && sclient_supported "-$low_proto"; then
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $p -fallback_scsv") &>$TMPFILE </dev/null
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $p -fallback_scsv") &>$TMPFILE </dev/null
|
||||||
|
else
|
||||||
|
# Need to ensure that $TEMPDIR/$NODEIP.parse_tls_serverhello.txt contains the results of the
|
||||||
|
# most recent calls to tls_sockets even if tls_sockets is not successful. Setting $DEBUG to
|
||||||
|
# a non-zero value ensures this. Setting it to 1 prevents any extra information from being
|
||||||
|
# displayed.
|
||||||
|
debug_level="$DEBUG"
|
||||||
|
[[ $DEBUG -eq 0 ]] && DEBUG=1
|
||||||
|
> "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt"
|
||||||
|
|
||||||
|
# tls_sockets() needs to parse the full response since the following code is
|
||||||
|
# looking for "BEGIN CERTIFICATE" when the TLS connection is successful. It
|
||||||
|
# may be possible to speed up this code by having the following code check
|
||||||
|
# the return value from tls_sockets() to determine whether the connection was
|
||||||
|
# successful rather than looking for "BEGIN CERTIFICATE".
|
||||||
|
case "$low_proto" in
|
||||||
|
"tls1_1")
|
||||||
|
tls_sockets "02" "56,00, $TLS_CIPHER" "all" "" "true" ;;
|
||||||
|
"tls1")
|
||||||
|
tls_sockets "01" "56,00, $TLS_CIPHER" "all" "" "true" ;;
|
||||||
|
"ssl3")
|
||||||
|
tls_sockets "00" "56,00, $TLS_CIPHER" "all" "" "true" ;;
|
||||||
|
esac
|
||||||
|
mv "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" "$TMPFILE"
|
||||||
|
DEBUG=$debug_level
|
||||||
|
fi
|
||||||
if grep -q "CONNECTED(00" "$TMPFILE"; then
|
if grep -q "CONNECTED(00" "$TMPFILE"; then
|
||||||
if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
|
if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
|
||||||
if [[ -z "$POODLE" ]]; then
|
if [[ -z "$POODLE" ]]; then
|
||||||
|
Loading…
Reference in New Issue
Block a user