mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-20 23:49:30 +01:00
- FIX garbled output for servers with a TLS reply on SSLv2 socket call
This commit is contained in:
parent
74d984cebc
commit
c1ca5a641b
81
testssl.sh
81
testssl.sh
@ -1446,7 +1446,7 @@ sockread_serverhello() {
|
|||||||
[[ "x$2" = "x" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
|
[[ "x$2" = "x" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
|
||||||
ret=0
|
ret=0
|
||||||
|
|
||||||
SOCK_REPLY_FILE=`mktemp /tmp/ddreply.XXXXXX` || exit 7
|
SOCK_REPLY_FILE=`mktemp $TEMPDIR/ddreply.XXXXXX` || exit 7
|
||||||
dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null &
|
dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null &
|
||||||
pid=$!
|
pid=$!
|
||||||
|
|
||||||
@ -1487,27 +1487,32 @@ display_sslv2serverhello() {
|
|||||||
|
|
||||||
v2_hello_ascii=`hexdump -v -e '16/1 "%02X"' $1`
|
v2_hello_ascii=`hexdump -v -e '16/1 "%02X"' $1`
|
||||||
[[ "$DEBUG" -ge 4 ]] && echo $v2_hello_ascii # one line without any blanks
|
[[ "$DEBUG" -ge 4 ]] && echo $v2_hello_ascii # one line without any blanks
|
||||||
[[ -z $v2_hello_ascii ]] && return 0 # no server hello received
|
if [[ -z $v2_hello_ascii ]] ; then
|
||||||
|
ret=0 # no server hello received
|
||||||
|
debugme echo "server hello empty"
|
||||||
|
else
|
||||||
|
# now scrape two bytes out of the reply per byte
|
||||||
|
v2_hello_initbyte="${v2_hello_ascii:0:1}" # normally this belongs to the next, should be 8!
|
||||||
|
v2_hello_length="${v2_hello_ascii:1:3}" # + 0x8000 see above
|
||||||
|
v2_hello_handshake="${v2_hello_ascii:4:2}"
|
||||||
|
v2_hello_cert_length="${v2_hello_ascii:14:4}"
|
||||||
|
v2_hello_cipherspec_length="${v2_hello_ascii:18:4}"
|
||||||
|
|
||||||
# now scrape two bytes out of the reply per byte
|
if [[ $v2_hello_initbyte != "8" ]] || [[ $v2_hello_handshake != "04" ]]; then
|
||||||
v2_hello_initbyte="${v2_hello_ascii:0:1}" # normally this belongs to the next, should be 8!
|
[[ $DEBUG -ge 2 ]] && echo "$v2_hello_initbyte / $v2_hello_handshake"
|
||||||
v2_hello_length="${v2_hello_ascii:1:3}" # + 0x8000 see above
|
ret=1
|
||||||
v2_hello_handshake="${v2_hello_ascii:4:2}"
|
fi
|
||||||
v2_hello_cert_length="${v2_hello_ascii:14:4}"
|
|
||||||
v2_hello_cipherspec_length="${v2_hello_ascii:18:4}"
|
|
||||||
V2_HELLO_CIPHERSPEC_LENGTH=`printf "%d\n" "0x$v2_hello_cipherspec_length"`
|
|
||||||
|
|
||||||
if [[ $v2_hello_initbyte != "8" ]] || [[ $v2_hello_handshake != "04" ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
[[ $DEBUG -ge 2 ]] && echo "$v2_hello_initbyte / $v2_hello_handshake"
|
echo "SSLv2 server hello length: 0x0$v2_hello_length"
|
||||||
return 1
|
echo "SSLv2 certificate length: 0x$v2_hello_cert_length"
|
||||||
|
echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length"
|
||||||
|
fi
|
||||||
|
|
||||||
|
V2_HELLO_CIPHERSPEC_LENGTH=`printf "%d\n" "0x$v2_hello_cipherspec_length" 2>/dev/null`
|
||||||
|
[ $? -ne 0 ] && ret=7
|
||||||
fi
|
fi
|
||||||
|
return $ret
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
|
||||||
echo "SSLv2 server hello length: 0x0$v2_hello_length"
|
|
||||||
echo "SSLv2 certificate length: 0x$v2_hello_cert_length"
|
|
||||||
echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length"
|
|
||||||
fi
|
|
||||||
return 0
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -1634,22 +1639,28 @@ sslv2_sockets() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
display_sslv2serverhello "$SOCK_REPLY_FILE"
|
display_sslv2serverhello "$SOCK_REPLY_FILE"
|
||||||
|
if [ $? -eq 7 ]; then
|
||||||
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
|
# strange reply
|
||||||
lines=`cat "$SOCK_REPLY_FILE" 2>/dev/null | hexdump -C | wc -l`
|
pr_litemagenta "strange v2 reply "
|
||||||
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
|
outln " (rerun with DEBUG=2)"
|
||||||
|
[[ $DEBUG -ge 2 ]] && hexdump -C $SOCK_REPLY_FILE | head -1
|
||||||
if [[ "$lines" -gt 1 ]] ;then
|
|
||||||
ciphers_detected=$(($V2_HELLO_CIPHERSPEC_LENGTH / 3 ))
|
|
||||||
if [ 0 -eq $ciphers_detected ] ; then
|
|
||||||
pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)"
|
|
||||||
else
|
|
||||||
pr_red "offered (NOT ok)"; outln " -- $ciphers_detected ciphers"
|
|
||||||
fi
|
|
||||||
ret=1
|
|
||||||
else
|
else
|
||||||
pr_greenln "not offered (OK)"
|
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
|
||||||
ret=0
|
lines=`cat "$SOCK_REPLY_FILE" 2>/dev/null | hexdump -C | wc -l`
|
||||||
|
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
|
||||||
|
|
||||||
|
if [[ "$lines" -gt 1 ]] ;then
|
||||||
|
ciphers_detected=$(($V2_HELLO_CIPHERSPEC_LENGTH / 3 ))
|
||||||
|
if [ 0 -eq $ciphers_detected ] ; then
|
||||||
|
pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)"
|
||||||
|
else
|
||||||
|
pr_red "offered (NOT ok)"; outln " -- $ciphers_detected ciphers"
|
||||||
|
fi
|
||||||
|
ret=1
|
||||||
|
else
|
||||||
|
pr_greenln "not offered (OK)"
|
||||||
|
ret=0
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
pr_off
|
pr_off
|
||||||
|
|
||||||
@ -2978,6 +2989,6 @@ case "$1" in
|
|||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.201 2015/03/09 07:07:40 dirkw Exp $
|
# $Id: testssl.sh,v 1.203 2015/03/13 11:20:18 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user