From 7f7b1edd50ea960b8b8fcdc87866d32cbbe6c991 Mon Sep 17 00:00:00 2001 From: Thomas Martens Date: Sun, 31 Jan 2016 22:40:39 +0100 Subject: [PATCH 1/8] fixed output in ciphertest with --color=1 With --color=1 the output in the ciphertest missed some spaces between the KeyExch. and Encryption columns. This is a result of the pr_off() function. This commit add an additional check in neat_list() and insert the missing spaces. --- testssl.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 2705199..074e000 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1461,11 +1461,16 @@ neat_list(){ enc=$(sed -e 's/(.*)//g' -e 's/ChaCha20-Poly1305/ChaCha20-Po/g' <<< "$enc") # workaround for empty bits ChaCha20-Poly1305 echo "$export" | grep -iq export && strength="$strength,export" # workaround for color escape codes: - if printf -- "$kx" | "${HEXDUMPVIEW[@]}" | grep -q 33 ; then # here's a color code + if printf -- "$kx" | "${HEXDUMPVIEW[@]}" | grep -q 33 ; then # here's a color code kx="$kx " # one for color code if ECDH and three digits [[ "${#kx}" -eq 18 ]] && kx="$kx " # 18 means DH, colored < 1000. Add another space [[ "${#kx}" -eq 19 ]] && kx="$kx " # 19 means DH, colored >=1000. Add another space #echo ${#kx} # should be always 20 + elif printf -- "$kx" | "${HEXDUMPVIEW[@]}" | grep -q "5b 6d" ; then # here's a code from pr_off() + kx="$kx " # one for color code if ECDH and three digits + [[ "${#kx}" -eq 11 ]] && kx="$kx " # 11 means DH, colored < 1000. Add another space + [[ "${#kx}" -eq 12 ]] && kx="$kx " # 12 means DH, colored >=1000. Add another space + #echo ${#kx} # should be always 13 fi printf -- " %-7s %-30s %-10s %-11s%-11s${ADD_RFC_STR:+ %-48s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$(show_rfc_style $HEXC)" From 52f7de1a4a36b352092eff415438a08ddf7ebbdb Mon Sep 17 00:00:00 2001 From: Thomas Martens Date: Mon, 1 Feb 2016 21:03:22 +0100 Subject: [PATCH 2/8] Revert "fixed output in ciphertest with --color=1" This reverts commit 7f7b1edd50ea960b8b8fcdc87866d32cbbe6c991. This is already fixed with c62abaf215c0bbcae4cecdd52eeaa37405d0d9b1 in upstream. --- testssl.sh | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/testssl.sh b/testssl.sh index 074e000..2705199 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1461,16 +1461,11 @@ neat_list(){ enc=$(sed -e 's/(.*)//g' -e 's/ChaCha20-Poly1305/ChaCha20-Po/g' <<< "$enc") # workaround for empty bits ChaCha20-Poly1305 echo "$export" | grep -iq export && strength="$strength,export" # workaround for color escape codes: - if printf -- "$kx" | "${HEXDUMPVIEW[@]}" | grep -q 33 ; then # here's a color code + if printf -- "$kx" | "${HEXDUMPVIEW[@]}" | grep -q 33 ; then # here's a color code kx="$kx " # one for color code if ECDH and three digits [[ "${#kx}" -eq 18 ]] && kx="$kx " # 18 means DH, colored < 1000. Add another space [[ "${#kx}" -eq 19 ]] && kx="$kx " # 19 means DH, colored >=1000. Add another space #echo ${#kx} # should be always 20 - elif printf -- "$kx" | "${HEXDUMPVIEW[@]}" | grep -q "5b 6d" ; then # here's a code from pr_off() - kx="$kx " # one for color code if ECDH and three digits - [[ "${#kx}" -eq 11 ]] && kx="$kx " # 11 means DH, colored < 1000. Add another space - [[ "${#kx}" -eq 12 ]] && kx="$kx " # 12 means DH, colored >=1000. Add another space - #echo ${#kx} # should be always 13 fi printf -- " %-7s %-30s %-10s %-11s%-11s${ADD_RFC_STR:+ %-48s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$(show_rfc_style $HEXC)" From cad924e707eace82012a48581756f98407528040 Mon Sep 17 00:00:00 2001 From: Thomas Martens Date: Tue, 1 Mar 2016 20:25:41 +0100 Subject: [PATCH 3/8] renamed pr_litered to pr_svrty_high --- testssl.sh | 62 +++++++++++++++++++++++++++--------------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/testssl.sh b/testssl.sh index 2446715..204146e 100755 --- a/testssl.sh +++ b/testssl.sh @@ -319,8 +319,8 @@ pr_liteblueln() { pr_liteblue "$1"; outln; } pr_blue() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;32m$1" || out "\033[1;34m$1" ) || out "$1"; pr_off; } # used for head lines of single tests pr_blueln() { pr_blue "$1"; outln; } -pr_litered() { [[ "$COLOR" -eq 2 ]] && out "\033[0;31m$1" || pr_bold "$1"; pr_off; } # this is bad -pr_literedln() { pr_litered "$1"; outln; } +pr_svrty_high() { [[ "$COLOR" -eq 2 ]] && out "\033[0;31m$1" || pr_bold "$1"; pr_off; } # this is bad +pr_svrty_highln() { pr_svrty_high "$1"; outln; } pr_red() { [[ "$COLOR" -eq 2 ]] && out "\033[1;31m$1" || pr_bold "$1"; pr_off; } # oh, this is really bad pr_redln() { pr_red "$1"; outln; } @@ -721,7 +721,7 @@ run_http_header() { redirect=$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n') out ", redirecting to \"$redirect\"" if [[ $redirect == "http://"* ]]; then - pr_litered " -- Redirect to insecure URL (NOT ok)" + pr_svrty_high " -- Redirect to insecure URL (NOT ok)" fileout "status_code" "NOT OK" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\"" fi fileout "status_code" "INFO" \ @@ -800,7 +800,7 @@ detect_ipv4() { else first=false fi - pr_litered "$result" + pr_svrty_high "$result" outln "\n$spaces$your_ip_msg" fileout "ip_in_header_$count" "NOT OK" "IPv4 address in header $result $your_ip_msg" fi @@ -955,7 +955,7 @@ run_hpkp() { hpkp_nr_keys=$(grep -ac pin-sha $TMPFILE) out "# of keys: " if [[ $hpkp_nr_keys -eq 1 ]]; then - pr_litered "1 (NOT ok), " + pr_svrty_high "1 (NOT ok), " fileout "hpkp_keys" "NOT OK" "Only one key pinned in HPKP header, this means the site may become unavaiable if the key is revoked" else out "$hpkp_nr_keys, " @@ -1003,7 +1003,7 @@ run_hpkp() { done < <(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') if ! $key_found ; then out "\n$spaces" - pr_litered " No matching key for pins found " + pr_svrty_high " No matching key for pins found " out "(CAs pinned? -- not checked for yet)" fileout "hpkp_keymatch" "WARN" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this" fi @@ -1373,7 +1373,7 @@ std_cipherlists() { ;; 2) # bad but not worst if [[ $sclient_success -eq 0 ]]; then - pr_literedln "offered (NOT ok)" + pr_svrty_highln "offered (NOT ok)" fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - bad" else pr_litegreenln "not offered (OK)" @@ -2147,7 +2147,7 @@ run_protocols() { fileout "sslv2" "OK" "SSLv2 is not offered (OK)" ;; 5) - pr_litered "$supported_no_ciph2"; + pr_svrty_high "$supported_no_ciph2"; outln " (may need further attention)" # protocol ok, but no cipher fileout "sslv2" "WARN" "SSLv2 is $supported_no_ciph2 (may need further attention)" ;; @@ -2165,7 +2165,7 @@ run_protocols() { fi case $? in 0) - pr_literedln "offered (NOT ok)" + pr_svrty_highln "offered (NOT ok)" fileout "sslv3" "NOT OK" "SSLv3 is offered (NOT ok)" ;; 1) @@ -2178,7 +2178,7 @@ run_protocols() { ;; 5) fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1" - pr_litered "$supported_no_ciph2" + pr_svrty_high "$supported_no_ciph2" outln "(may need debugging)" ;; # protocol ok, but no cipher 7) @@ -2330,7 +2330,7 @@ read_dhbits_from_file() { if [[ "$bits" -le 600 ]]; then pr_red "$bits $add" elif [[ "$bits" -le 800 ]]; then - pr_litered "$bits $add" + pr_svrty_high "$bits $add" elif [[ "$bits" -le 1280 ]]; then pr_brown "$bits $add" elif [[ "$bits" -ge 2048 ]]; then @@ -2344,7 +2344,7 @@ read_dhbits_from_file() { if [[ "$bits" -le 128 ]]; then # has that ever existed? pr_red "$bits $add" elif [[ "$bits" -le 163 ]]; then - pr_litered "$bits $add" + pr_svrty_high "$bits $add" elif [[ "$bits" -ge 224 ]]; then pr_litegreen "$bits $add" else @@ -2403,7 +2403,7 @@ run_server_preference() { cipher2=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g') if [[ "$cipher1" != "$cipher2" ]]; then - pr_litered "nope (NOT ok)" + pr_svrty_high "nope (NOT ok)" remark4default_cipher=" (limited sense as client will pick)" fileout "order" "NOT OK" "Server does NOT set a cipher order (NOT ok)" else @@ -2467,7 +2467,7 @@ run_server_preference() { fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" ;; *RC4*) - pr_litered "$default_cipher" + pr_svrty_high "$default_cipher" fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher" ;; *CBC*) @@ -2713,7 +2713,7 @@ determine_trust() { else trust[i]=false all_ok=false - debugme pr_litered "not trusted " + debugme pr_svrty_high "not trusted " debugme outln "${verify_retcode[i]}" fi i=$((i + 1)) @@ -2742,12 +2742,12 @@ determine_trust() { else #code="$(verify_retcode_helper ${verify_retcode[i]})" #notok_was="${certificate_file[i]} $notok_was" - pr_litered " ${certificate_file[i]} " + pr_svrty_high " ${certificate_file[i]} " verify_retcode_helper "${verify_retcode[i]}" notok_was="${certificate_file[i]} $(verify_retcode_helper "${verify_retcode[i]}") $notok_was" fi done - #pr_litered "$notok_was " + #pr_svrty_high "$notok_was " #outln "$code" outln # lf + green ones @@ -2969,7 +2969,7 @@ certificate_info() { pr_red "$keysize" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" elif [[ "$keysize" -le 123 ]]; then # a guess - pr_litered "$keysize" + pr_svrty_high "$keysize" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" elif [[ "$keysize" -le 163 ]]; then pr_brown "$keysize" @@ -2991,7 +2991,7 @@ certificate_info() { outln " bits" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" elif [[ "$keysize" -le 768 ]]; then - pr_litered "$keysize" + pr_svrty_high "$keysize" outln " bits" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" elif [[ "$keysize" -le 1024 ]]; then @@ -3192,7 +3192,7 @@ certificate_info() { expok="WARN" fi else - pr_litered "expires < $DAYS2WARN2 days ($days2expire) !" + pr_svrty_high "expires < $DAYS2WARN2 days ($days2expire) !" expfinding+="expires < $DAYS2WARN2 days ($days2expire) !" expok="NOT OK" fi @@ -3211,7 +3211,7 @@ certificate_info() { out "$indent"; pr_bold " Certificate Revocation List " crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')" if [[ -z "$crl" ]]; then - pr_literedln "--" + pr_svrty_highln "--" fileout "${json_prefix}crl" "NOT OK" "No CRL provided (NOT ok)" elif grep -q http <<< "$crl"; then if [[ $(count_lines "$crl") -eq 1 ]]; then @@ -3229,7 +3229,7 @@ certificate_info() { out "$indent"; pr_bold " OCSP URI " ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE) if [[ -z "$ocsp_uri" ]]; then - pr_literedln "--" + pr_svrty_highln "--" fileout "${json_prefix}ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)" else outln "$ocsp_uri" @@ -4003,7 +4003,7 @@ sslv2_sockets() { if [[ "$lines" -gt 1 ]]; then ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) if [[ 0 -eq "$ciphers_detected" ]]; then - pr_litered "supported but couldn't detect a cipher"; + pr_svrty_high "supported but couldn't detect a cipher"; outln " (may need further attention)" fileout "sslv2" "NOT OK" "SSLv2 offered (NOT ok), but could not detect a cipher (may need further attention)" else @@ -4557,7 +4557,7 @@ run_renego() { sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln! case "$sec_client_renego" in 0) - pr_litered "VULNERABLE (NOT ok)"; outln ", DoS threat" + pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat" fileout "sec_client_renego" "NOT OK" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat" ;; 1) @@ -4612,7 +4612,7 @@ run_crime() { ret=0 else if [[ $SERVICE == "HTTP" ]]; then - pr_litered "VULNERABLE (NOT ok)" + pr_svrty_high "VULNERABLE (NOT ok)" fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)" else pr_brown "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" @@ -4711,7 +4711,7 @@ run_breach() { fileout "breach" "OK" "BREACH (CVE-2013-3587) : no HTTP compression (OK) $disclaimer" ret=0 else - pr_litered "potentially NOT ok, uses $result HTTP compression." + pr_svrty_high "potentially NOT ok, uses $result HTTP compression." outln "$disclaimer" outln "$spaces$when_makesense" fileout "breach" "NOT OK" "BREACH (CVE-2013-3587) : potentially VULNERABLE, uses $result HTTP compression. $disclaimer ($when_makesense)" @@ -4741,7 +4741,7 @@ run_ssl_poodle() { sclient_success=$? [[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" if [[ $sclient_success -eq 0 ]]; then - pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)" + pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)" fileout "poodle_ssl" "NOT OK" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)" else pr_green "not vulnerable (OK)" @@ -5103,7 +5103,7 @@ run_rc4() { $OPENSSL s_client -cipher $rc4_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE Date: Tue, 1 Mar 2016 20:31:26 +0100 Subject: [PATCH 4/8] renamed pr_red to pr_svrty_critical --- testssl.sh | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/testssl.sh b/testssl.sh index 204146e..0e9fa3b 100755 --- a/testssl.sh +++ b/testssl.sh @@ -321,8 +321,8 @@ pr_blueln() { pr_blue "$1"; outln; } pr_svrty_high() { [[ "$COLOR" -eq 2 ]] && out "\033[0;31m$1" || pr_bold "$1"; pr_off; } # this is bad pr_svrty_highln() { pr_svrty_high "$1"; outln; } -pr_red() { [[ "$COLOR" -eq 2 ]] && out "\033[1;31m$1" || pr_bold "$1"; pr_off; } # oh, this is really bad -pr_redln() { pr_red "$1"; outln; } +pr_svrty_critical() { [[ "$COLOR" -eq 2 ]] && out "\033[1;31m$1" || pr_bold "$1"; pr_off; } # oh, this is really bad +pr_svrty_criticalln() { pr_svrty_critical "$1"; outln; } pr_litemagenta() { [[ "$COLOR" -eq 2 ]] && out "\033[0;35m$1" || pr_underline "$1"; pr_off; } # local problem: one test cannot be done pr_litemagentaln() { pr_litemagenta "$1"; outln; } @@ -1364,7 +1364,7 @@ std_cipherlists() { ;; 1) # the ugly ones if [[ $sclient_success -eq 0 ]]; then - pr_redln "offered (NOT ok)" + pr_svrty_criticalln "offered (NOT ok)" fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - ugly" else pr_greenln "not offered (OK)" @@ -2139,7 +2139,7 @@ run_protocols() { run_prototest_openssl "-ssl2" case $? in 0) - pr_redln "offered (NOT ok)" + pr_svrty_criticalln "offered (NOT ok)" fileout "sslv2" "NOT OK" "SSLv2 is offered (NOT ok)" ;; 1) @@ -2328,7 +2328,7 @@ read_dhbits_from_file() { if [[ $what_dh == "DH" ]] || [[ $what_dh == "EDH" ]]; then [[ -z "$2" ]] && add="bit DH" if [[ "$bits" -le 600 ]]; then - pr_red "$bits $add" + pr_svrty_critical "$bits $add" elif [[ "$bits" -le 800 ]]; then pr_svrty_high "$bits $add" elif [[ "$bits" -le 1280 ]]; then @@ -2342,7 +2342,7 @@ read_dhbits_from_file() { elif [[ $what_dh == "ECDH" ]]; then [[ -z "$2" ]] && add="bit ECDH" if [[ "$bits" -le 128 ]]; then # has that ever existed? - pr_red "$bits $add" + pr_svrty_critical "$bits $add" elif [[ "$bits" -le 163 ]]; then pr_svrty_high "$bits $add" elif [[ "$bits" -ge 224 ]]; then @@ -2436,11 +2436,11 @@ run_server_preference() { fileout "order_proto" "INFO" "Default protocol TLS1.0" ;; *SSLv2) - pr_redln $default_proto + pr_svrty_criticalln $default_proto fileout "order_proto" "NOT OK" "Default protocol SSLv2" ;; *SSLv3) - pr_redln $default_proto + pr_svrty_criticalln $default_proto fileout "order_proto" "NOT OK" "Default protocol SSLv3" ;; "") @@ -2462,7 +2462,7 @@ run_server_preference() { default_cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') case "$default_cipher" in *NULL*|*EXP*) - pr_red "$default_cipher" + pr_svrty_critical "$default_cipher" fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" ;; @@ -2726,7 +2726,7 @@ determine_trust() { fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning" else # at least one failed - pr_red "NOT ok" + pr_svrty_critical "NOT ok" if ! $some_ok; then # all failed (we assume with the same issue), we're displaying the reason out " " @@ -2735,7 +2735,7 @@ determine_trust() { else # is one ok and the others not ==> display the culprit store if $some_ok ; then - pr_red ":" + pr_svrty_critical ":" for ((i=1;i<=num_ca_bundles;i++)); do if ${trust[i]}; then ok_was="${certificate_file[i]} $ok_was" @@ -2943,7 +2943,7 @@ certificate_info() { fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)" ;; md5*) - pr_redln "MD5" + pr_svrty_criticalln "MD5" fileout "${json_prefix}algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)" ;; *) @@ -2966,7 +2966,7 @@ certificate_info() { # Table 2 @ chapter 5.6.1 (~ p64) if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then if [[ "$keysize" -le 110 ]]; then # a guess - pr_red "$keysize" + pr_svrty_critical "$keysize" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" elif [[ "$keysize" -le 123 ]]; then # a guess pr_svrty_high "$keysize" @@ -2987,7 +2987,7 @@ certificate_info() { outln " bit" elif [[ $sig_algo = *RSA* ]]; then if [[ "$keysize" -le 512 ]]; then - pr_red "$keysize" + pr_svrty_critical "$keysize" outln " bits" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" elif [[ "$keysize" -le 768 ]]; then @@ -3119,7 +3119,7 @@ certificate_info() { issuer_C="$(awk -F'=' '/C=/ { print $2 }' <<< "$issuer")" if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then - pr_redln "self-signed (NOT ok)" + pr_svrty_criticalln "self-signed (NOT ok)" fileout "${json_prefix}issuer" "NOT OK" "Issuer: selfsigned (NOT ok)" else pr_dquoted "$issuer_CN" @@ -3174,7 +3174,7 @@ certificate_info() { expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE) if ! echo $expire | grep -qw not; then - pr_red "expired!" + pr_svrty_critical "expired!" expfinding="expired!" expok="NOT OK" else @@ -4007,7 +4007,7 @@ sslv2_sockets() { outln " (may need further attention)" fileout "sslv2" "NOT OK" "SSLv2 offered (NOT ok), but could not detect a cipher (may need further attention)" else - pr_red "offered (NOT ok)"; + pr_svrty_critical "offered (NOT ok)"; outln " -- $ciphers_detected ciphers" fileout "sslv2" "NOT OK" "SSLv2 offered (NOT ok).\nDetected ciphers: $ciphers_detected" fi @@ -4329,7 +4329,7 @@ run_heartbleed(){ lines_returned=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l | sed 's/ //g') if [[ $lines_returned -gt 1 ]]; then - pr_red "VULNERABLE (NOT ok)" + pr_svrty_critical "VULNERABLE (NOT ok)" if [[ $retval -eq 3 ]]; then fileout "heartbleed" "NOT OK" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok) (timed out)" else @@ -4466,7 +4466,7 @@ run_ccs_injection(){ fi ret=0 else - pr_red "VULNERABLE (NOT ok)" + pr_svrty_critical "VULNERABLE (NOT ok)" if [[ $retval -eq 3 ]]; then fileout "ccs" "NOT OK" "CCS (CVE-2014-0224): VULNERABLE (NOT ok) (timed out)" else @@ -4499,7 +4499,7 @@ run_renego() { #FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported" case $sec_renego in 0) - pr_redln "VULNERABLE (NOT ok)" + pr_svrty_criticalln "VULNERABLE (NOT ok)" fileout "secure_renego" "NOT OK" "Secure Renegotiation (CVE-2009-3555) : VULNERABLE (NOT ok)" ;; 1) @@ -4651,7 +4651,7 @@ run_crime() { # pr_green "not vulnerable (OK)" # ret=$((ret + 0)) # else -# pr_red "VULNERABLE (NOT ok)" +# pr_svrty_critical "VULNERABLE (NOT ok)" # ret=$((ret + 1)) # fi # fi @@ -4854,7 +4854,7 @@ run_freak() { sclient_success=$? [[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" if [[ $sclient_success -eq 0 ]]; then - pr_red "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers" + pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers" fileout "freak" "NOT OK" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers" else pr_green "not vulnerable (OK)"; out "$addtl_warning" @@ -4906,7 +4906,7 @@ run_logjam() { fi if [[ $sclient_success -eq 0 ]]; then - pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked." + pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked." fileout "logjam" "NOT OK" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked." else pr_green "not vulnerable (OK)"; out "$addtl_warning" From 2686f8cdb4233ff8a8b3ea88abe92e09f9238ef8 Mon Sep 17 00:00:00 2001 From: Thomas Martens Date: Tue, 1 Mar 2016 20:36:41 +0100 Subject: [PATCH 5/8] renamed pr_litegreen to pr_done_good --- testssl.sh | 74 +++++++++++++++++++++++++++--------------------------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/testssl.sh b/testssl.sh index 0e9fa3b..b165abb 100755 --- a/testssl.sh +++ b/testssl.sh @@ -339,8 +339,8 @@ pr_litegrey() { [[ "$COLOR" -eq 2 ]] && out "\033[0;37m$1" || out "$1"; pr_off pr_grey() { [[ "$COLOR" -eq 2 ]] && out "\033[1;30m$1" || out "$1"; pr_off; } pr_greyln() { pr_grey "$1"; outln; } -pr_litegreen() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; } # This is good -pr_litegreenln() { pr_litegreen "$1"; outln; } +pr_done_good() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; } # This is good +pr_done_goodln() { pr_done_good "$1"; outln; } pr_green() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # This is the best pr_greenln() { pr_green "$1"; outln; } @@ -845,7 +845,7 @@ run_http_date() { includeSubDomains() { if grep -aiqw includeSubDomains "$1"; then - pr_litegreen ", includeSubDomains" + pr_done_good ", includeSubDomains" return 1 else pr_litecyan ", just this domain" @@ -855,7 +855,7 @@ includeSubDomains() { preload() { if grep -aiqw preload "$1"; then - pr_litegreen ", preload" + pr_done_good ", preload" return 1 else return 0 @@ -879,7 +879,7 @@ run_hsts() { #FIXME: test for number! hsts_age_days=$(( hsts_age_sec / 86400)) if [[ $hsts_age_days -gt $HSTS_MIN ]]; then - pr_litegreen "$hsts_age_days days" ; out "=$hsts_age_sec s" + pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s" fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days" else out "$hsts_age_sec s = " @@ -966,7 +966,7 @@ run_hpkp() { hpkp_age_sec=$(awk -F= '/max-age/{max_age=$2; print max_age}' $TMPFILE | sed -E 's/[^[:digit:]]//g') hpkp_age_days=$((hpkp_age_sec / 86400)) if [[ $hpkp_age_days -ge $HPKP_MIN ]]; then - pr_litegreen "$hpkp_age_days days" ; out "=$hpkp_age_sec s" + pr_done_good "$hpkp_age_days days" ; out "=$hpkp_age_sec s" fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)" else out "$hpkp_age_sec s = " @@ -995,7 +995,7 @@ run_hpkp() { while read hpkp_key; do if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then out "\n$spaces matching host key: " - pr_litegreen "$hpkp_key" + pr_done_good "$hpkp_key" fileout "hpkp_keymatch" "OK" "Key matches a key pinned in the HPKP header" key_found=true fi @@ -1169,7 +1169,7 @@ run_cookie_flags() { # ARG1: Path, ARG2: path nr_secure=$(grep -iac secure $TMPFILE) case $nr_secure in 0) pr_brown "$negative_word" ;; - [123456789]) pr_litegreen "$nr_secure/$nr_cookies";; + [123456789]) pr_done_good "$nr_secure/$nr_cookies";; esac out " secure, " if [[ $nr_cookies == $nr_secure ]]; then @@ -1180,7 +1180,7 @@ run_cookie_flags() { # ARG1: Path, ARG2: path nr_httponly=$(grep -cai httponly $TMPFILE) case $nr_httponly in 0) pr_brown "$negative_word" ;; - [123456789]) pr_litegreen "$nr_httponly/$nr_cookies";; + [123456789]) pr_done_good "$nr_httponly/$nr_cookies";; esac out " HttpOnly" if [[ $nr_cookies == $nr_httponly ]]; then @@ -1231,8 +1231,8 @@ run_more_flags() { first=false fi # extract and print key(=flag) in green: - pr_litegreen "${result_str%%:*}:" - #pr_litegreen "$(sed 's/:.*$/:/' <<< "$result_str")" + pr_done_good "${result_str%%:*}:" + #pr_done_good "$(sed 's/:.*$/:/' <<< "$result_str")" # print value in plain text: outln "${result_str#*:}" fileout "${result_str%%:*}" "OK" "${result_str%%:*}: ${result_str#*:}" @@ -1376,7 +1376,7 @@ std_cipherlists() { pr_svrty_highln "offered (NOT ok)" fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - bad" else - pr_litegreenln "not offered (OK)" + pr_done_goodln "not offered (OK)" fileout "std_$4" "OK" "$2 not offered (OK)" fi ;; @@ -2334,7 +2334,7 @@ read_dhbits_from_file() { elif [[ "$bits" -le 1280 ]]; then pr_brown "$bits $add" elif [[ "$bits" -ge 2048 ]]; then - pr_litegreen "$bits $add" + pr_done_good "$bits $add" else out "$bits $add" fi @@ -2346,7 +2346,7 @@ read_dhbits_from_file() { elif [[ "$bits" -le 163 ]]; then pr_svrty_high "$bits $add" elif [[ "$bits" -ge 224 ]]; then - pr_litegreen "$bits $add" + pr_done_good "$bits $add" else out "$bits $add" fi @@ -2428,7 +2428,7 @@ run_server_preference() { fileout "order_proto" "OK" "Default protocol TLS1.2 (OK)" ;; *TLSv1.1) - pr_litegreenln $default_proto + pr_done_goodln $default_proto fileout "order_proto" "OK" "Default protocol TLS1.1 (OK)" ;; *TLSv1) @@ -2708,7 +2708,7 @@ determine_trust() { if [[ ${verify_retcode[i]} -eq 0 ]]; then trust[i]=true some_ok=true - debugme pr_litegreen "Ok " + debugme pr_done_good "Ok " debugme outln "${verify_retcode[i]}" else trust[i]=false @@ -2722,7 +2722,7 @@ determine_trust() { debugme out " " if $all_ok; then # all stores ok - pr_litegreen "Ok "; pr_litemagenta "$addtl_warning" + pr_done_good "Ok "; pr_litemagenta "$addtl_warning" fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning" else # at least one failed @@ -2752,7 +2752,7 @@ determine_trust() { outln # lf + green ones [[ "$DEBUG" -eq 0 ]] && out "$spaces" - pr_litegreen "OK: $ok_was" + pr_done_good "OK: $ok_was" fi fileout "${json_prefix}trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" fi @@ -2927,19 +2927,19 @@ certificate_info() { fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)" ;; sha256WithRSAEncryption) - pr_litegreenln "SHA256 with RSA" + pr_done_goodln "SHA256 with RSA" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)" ;; sha384WithRSAEncryption) - pr_litegreenln "SHA384 with RSA" + pr_done_goodln "SHA384 with RSA" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)" ;; sha512WithRSAEncryption) - pr_litegreenln "SHA512 with RSA" + pr_done_goodln "SHA512 with RSA" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)" ;; ecdsa-with-SHA256) - pr_litegreenln "ECDSA with SHA256" + pr_done_goodln "ECDSA with SHA256" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)" ;; md5*) @@ -2978,7 +2978,7 @@ certificate_info() { out "$keysize" fileout "${json_prefix}key_size" "INFO" "Server keys $keysize EC bits" elif [[ "$keysize" -le 533 ]]; then - pr_litegreen "$keysize" + pr_done_good "$keysize" fileout "${json_prefix}key_size" "OK" "Server keys $keysize EC bits (OK)" else out "keysize: $keysize (not expected, FIXME)" @@ -3002,7 +3002,7 @@ certificate_info() { outln "$keysize bits" fileout "${json_prefix}key_size" "INFO" "Server keys $keysize bits" elif [[ "$keysize" -le 4096 ]]; then - pr_litegreen "$keysize" + pr_done_good "$keysize" fileout "${json_prefix}key_size" "OK" "Server keys $keysize bits (OK)" outln " bits" else @@ -3184,7 +3184,7 @@ certificate_info() { secs2warn=$((24 * 60 * 60 * DAYS2WARN1)) expire=$($OPENSSL x509 -in $HOSTCERT -checkend $secs2warn 2>>$ERRFILE) if echo "$expire" | grep -qw not; then - pr_litegreen "$days2expire >= $DAYS2WARN1 days" + pr_done_good "$days2expire >= $DAYS2WARN1 days" expfinding+="$days2expire >= $DAYS2WARN1 days" else pr_brown "expires < $DAYS2WARN1 days ($days2expire)" @@ -3242,7 +3242,7 @@ certificate_info() { fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered" else if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then - pr_litegreen "offered" + pr_done_good "offered" fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered" else if $GOST_STATUS_PROBLEM; then @@ -3438,7 +3438,7 @@ run_pfs() { else pfs_offered=true pfs_ciphers="" - pr_litegreen " PFS is offered (OK)" + pr_done_good " PFS is offered (OK)" fileout "pfs" "OK" "(Perfect) Forward Secrecy : PFS is offered (OK)" if $WIDE; then outln ", ciphers follow (client/browser support is important here) \n" @@ -4548,7 +4548,7 @@ run_renego() { echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE & wait_kill $! $HEADER_MAXSLEEP if [[ $? -eq 3 ]]; then - pr_litegreen "likely not vulnerable (OK)"; outln " (timed out)" # it hung + pr_done_good "likely not vulnerable (OK)"; outln " (timed out)" # it hung fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : likely not vulnerable (OK) (timed out)" sec_client_renego=1 else @@ -4561,7 +4561,7 @@ run_renego() { fileout "sec_client_renego" "NOT OK" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat" ;; 1) - pr_litegreenln "not vulnerable (OK)" + pr_done_goodln "not vulnerable (OK)" fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : not vulnerable (OK)" ;; *) @@ -4602,7 +4602,7 @@ run_crime() { [[ "$OSSL_VER" == "0.9.8"* ]] && addcmd="-no_ssl2" $OPENSSL s_client $OPTIMAL_PROTO $BUGS $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI $TMPFILE if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then - pr_litegreen "not vulnerable (OK)" + pr_done_good "not vulnerable (OK)" if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then out " (not using HTTP anyway)" fileout "crime" "OK" "CRIME, TLS (CVE-2012-4929) : Not vulnerable (OK) (not using HTTP anyway)" @@ -4782,7 +4782,7 @@ run_tls_fallback_scsv() { # first: make sure we have tls1_2: $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 >$TMPFILE 2>$ERRFILE $TMPFILE 2>>$ERRFILE Date: Tue, 1 Mar 2016 20:39:30 +0100 Subject: [PATCH 6/8] renamed pr_green to pr_done_best --- testssl.sh | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/testssl.sh b/testssl.sh index b165abb..d907d84 100755 --- a/testssl.sh +++ b/testssl.sh @@ -341,8 +341,8 @@ pr_greyln() { pr_grey "$1"; outln; } pr_done_good() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; } # This is good pr_done_goodln() { pr_done_good "$1"; outln; } -pr_green() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # This is the best -pr_greenln() { pr_green "$1"; outln; } +pr_done_best() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # This is the best +pr_done_bestln() { pr_done_best "$1"; outln; } pr_yellow() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem pr_yellowln() { pr_yellow "$1"; outln; } @@ -1355,7 +1355,7 @@ std_cipherlists() { case $3 in 0) # ok to offer if [[ $sclient_success -eq 0 ]]; then - pr_greenln "offered (OK)" + pr_done_bestln "offered (OK)" fileout "std_$4" "OK" "$2 offered (OK)" else pr_brownln "not offered (NOT ok)" @@ -1367,7 +1367,7 @@ std_cipherlists() { pr_svrty_criticalln "offered (NOT ok)" fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - ugly" else - pr_greenln "not offered (OK)" + pr_done_bestln "not offered (OK)" fileout "std_$4" "OK" "$2 not offered (OK)" fi ;; @@ -2143,7 +2143,7 @@ run_protocols() { fileout "sslv2" "NOT OK" "SSLv2 is offered (NOT ok)" ;; 1) - pr_greenln "not offered (OK)" + pr_done_bestln "not offered (OK)" fileout "sslv2" "OK" "SSLv2 is not offered (OK)" ;; 5) @@ -2169,7 +2169,7 @@ run_protocols() { fileout "sslv3" "NOT OK" "SSLv3 is offered (NOT ok)" ;; 1) - pr_greenln "not offered (OK)" + pr_done_bestln "not offered (OK)" fileout "sslv3" "OK" "SSLv3 is not offered (OK)" ;; 2) @@ -2254,7 +2254,7 @@ run_protocols() { fi case $? in 0) - pr_greenln "offered (OK)" + pr_done_bestln "offered (OK)" fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)" ;; # GCM cipher in TLS 1.2: very good! 1) @@ -2407,7 +2407,7 @@ run_server_preference() { remark4default_cipher=" (limited sense as client will pick)" fileout "order" "NOT OK" "Server does NOT set a cipher order (NOT ok)" else - pr_green "yes (OK)" + pr_done_best "yes (OK)" remark4default_cipher="" fileout "order" "OK" "Server sets a cipher order (OK)" fi @@ -2424,7 +2424,7 @@ run_server_preference() { default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') case "$default_proto" in *TLSv1.2) - pr_greenln $default_proto + pr_done_bestln $default_proto fileout "order_proto" "OK" "Default protocol TLS1.2 (OK)" ;; *TLSv1.1) @@ -2475,7 +2475,7 @@ run_server_preference() { fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" ;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list *GCM*|*CHACHA20*) - pr_green "$default_cipher" + pr_done_best "$default_cipher" fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (OK) $remark4default_cipher" ;; # best ones ECDHE*AES*) @@ -3464,7 +3464,7 @@ run_pfs() { neat_list $HEXC $pfs_cipher "$kx" $enc $strength if [[ "$SHOW_EACH_C" -ne 0 ]]; then if [[ $sclient_success -eq 0 ]]; then - pr_green "works" + pr_done_best "works" else out "not a/v" fi @@ -3988,12 +3988,12 @@ sslv2_sockets() { fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 replay (rerun with DEBUG>=2)" ;; 1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP! - pr_greenln "not offered (OK)" + pr_done_bestln "not offered (OK)" ret=0 fileout "sslv2" "OK" "SSLv2 not offered (OK)" ;; 0) # reset - pr_greenln "not offered (OK)" + pr_done_bestln "not offered (OK)" ret=0 fileout "sslv2" "OK" "SSLv2 not offered (OK)" ;; @@ -4234,7 +4234,7 @@ run_heartbleed(){ [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then - pr_green "not vulnerable (OK)" + pr_done_best "not vulnerable (OK)" outln " (no heartbeat extension)" fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (no heartbeat extension)" return 0 @@ -4337,7 +4337,7 @@ run_heartbleed(){ fi ret=1 else - pr_green "not vulnerable (OK)" + pr_done_best "not vulnerable (OK)" if [[ $retval -eq 3 ]]; then fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (timed out)" else @@ -4355,7 +4355,7 @@ run_heartbleed(){ # helper function ok_ids(){ - pr_greenln "\n ok -- something resetted our ccs packets" + pr_done_bestln "\n ok -- something resetted our ccs packets" return 0 } @@ -4458,7 +4458,7 @@ run_ccs_injection(){ debugme echo "lines: $lines, byte6: $byte6" if [[ "$byte6" == "0a" ]] || [[ "$lines" -gt 1 ]]; then - pr_green "not vulnerable (OK)" + pr_done_best "not vulnerable (OK)" if [[ $retval -eq 3 ]]; then fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK) (timed out)" else @@ -4503,7 +4503,7 @@ run_renego() { fileout "secure_renego" "NOT OK" "Secure Renegotiation (CVE-2009-3555) : VULNERABLE (NOT ok)" ;; 1) - pr_greenln "not vulnerable (OK)" + pr_done_bestln "not vulnerable (OK)" fileout "secure_renego" "OK" "Secure Renegotiation (CVE-2009-3555) : not vulnerable (OK)" ;; *) @@ -4648,7 +4648,7 @@ run_crime() { # STR=$(grep Compression $TMPFILE ) # if echo $STR | grep -q NONE >/dev/null; then -# pr_green "not vulnerable (OK)" +# pr_done_best "not vulnerable (OK)" # ret=$((ret + 0)) # else # pr_svrty_critical "VULNERABLE (NOT ok)" @@ -4706,7 +4706,7 @@ run_breach() { pr_litemagenta ") " ret=3 elif [[ -z $result ]]; then - pr_green "no HTTP compression (OK) " + pr_done_best "no HTTP compression (OK) " outln "$disclaimer" fileout "breach" "OK" "BREACH (CVE-2013-3587) : no HTTP compression (OK) $disclaimer" ret=0 @@ -4744,7 +4744,7 @@ run_ssl_poodle() { pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)" fileout "poodle_ssl" "NOT OK" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)" else - pr_green "not vulnerable (OK)" + pr_done_best "not vulnerable (OK)" fileout "poodle_ssl" "OK" "POODLE, SSL (CVE-2014-3566) : not vulnerable (OK)" fi outln @@ -4857,7 +4857,7 @@ run_freak() { pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers" fileout "freak" "NOT OK" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers" else - pr_green "not vulnerable (OK)"; out "$addtl_warning" + pr_done_best "not vulnerable (OK)"; out "$addtl_warning" fileout "freak" "OK" "FREAK (CVE-2015-0204) : not vulnerable (OK) $addtl_warning" fi outln @@ -4909,7 +4909,7 @@ run_logjam() { pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked." fileout "logjam" "NOT OK" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked." else - pr_green "not vulnerable (OK)"; out "$addtl_warning" + pr_done_best "not vulnerable (OK)"; out "$addtl_warning" fileout "logjam" "OK" "LOGJAM (CVE-2015-4000) : not vulnerable (OK) $addtl_warning" fi outln From dbfa66e6c7b1d81da515207d79bb78153ad4f3a2 Mon Sep 17 00:00:00 2001 From: Thomas Martens Date: Tue, 1 Mar 2016 20:41:03 +0100 Subject: [PATCH 7/8] renamed pr_yellow to pr_svrty_minor --- testssl.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/testssl.sh b/testssl.sh index d907d84..5b6e07e 100755 --- a/testssl.sh +++ b/testssl.sh @@ -344,8 +344,8 @@ pr_done_goodln() { pr_done_good "$1"; outln; } pr_done_best() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # This is the best pr_done_bestln() { pr_done_best "$1"; outln; } -pr_yellow() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem -pr_yellowln() { pr_yellow "$1"; outln; } +pr_svrty_minor() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem +pr_svrty_minorln() { pr_svrty_minor "$1"; outln; } pr_brown() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this pr_brownln() { pr_brown "$1"; outln; } @@ -2479,7 +2479,7 @@ run_server_preference() { fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (OK) $remark4default_cipher" ;; # best ones ECDHE*AES*) - pr_yellow "$default_cipher" + pr_svrty_minor "$default_cipher" fileout "order_cipher" "WARN" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher" ;; # it's CBC. --> lucky13 "") @@ -3238,7 +3238,7 @@ certificate_info() { out "$indent"; pr_bold " OCSP stapling " if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then - pr_yellow "--" + pr_svrty_minor "--" fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered" else if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then @@ -3377,7 +3377,7 @@ run_server_defaults() { lifetime=$(echo $sessticket_str | grep -a lifetime | sed 's/[A-Za-z:() ]//g') unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g') out "$lifetime $unit " - pr_yellowln "(PFS requires session ticket keys to be rotated <= daily)" + pr_svrty_minorln "(PFS requires session ticket keys to be rotated <= daily)" fileout "session_ticket" "INFO" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)" fi @@ -4997,7 +4997,7 @@ run_beast(){ neat_list $HEXC $cbc_cipher $kx $enc if [[ $sclient_success -eq 0 ]]; then [[ -n "$higher_proto_supported" ]] && \ - pr_yellowln "available" || \ + pr_svrty_minorln "available" || \ pr_brownln "available" else @@ -5025,7 +5025,7 @@ run_beast(){ ! "$first" && out "$spaces" out "$(toupper $proto):" [[ -n "$higher_proto_supported" ]] && \ - pr_yellowln "$detected_cbc_ciphers" || \ + pr_svrty_minorln "$detected_cbc_ciphers" || \ pr_brownln "$detected_cbc_ciphers" detected_cbc_ciphers="" # empty for next round first=false @@ -5047,11 +5047,11 @@ run_beast(){ if "$WIDE"; then outln # NOT ok seems too harsh for me if we have TLS >1.0 - pr_yellow "VULNERABLE" + pr_svrty_minor "VULNERABLE" outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported" else out "$spaces" - pr_yellow "VULNERABLE" + pr_svrty_minor "VULNERABLE" outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported" fi fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported" From 38477b43834bbe26df2c6cbbd26193bbb7eb36d0 Mon Sep 17 00:00:00 2001 From: Thomas Martens Date: Tue, 1 Mar 2016 20:42:34 +0100 Subject: [PATCH 8/8] renamed pr_brown to pr_svrty_medium --- testssl.sh | 56 +++++++++++++++++++++++++++--------------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/testssl.sh b/testssl.sh index 5b6e07e..bc51976 100755 --- a/testssl.sh +++ b/testssl.sh @@ -346,8 +346,8 @@ pr_done_bestln() { pr_done_best "$1"; outln; } pr_svrty_minor() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem pr_svrty_minorln() { pr_svrty_minor "$1"; outln; } -pr_brown() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this -pr_brownln() { pr_brown "$1"; outln; } +pr_svrty_medium() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this +pr_svrty_mediumln() { pr_svrty_medium "$1"; outln; } # color=1 functions @@ -883,7 +883,7 @@ run_hsts() { fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days" else out "$hsts_age_sec s = " - pr_brown "$hsts_age_days days, <$HSTS_MIN days is too short" + pr_svrty_medium "$hsts_age_days days, <$HSTS_MIN days is too short" fileout "hsts_time" "NOT OK" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days" fi if includeSubDomains "$TMPFILE"; then @@ -931,7 +931,7 @@ run_hpkp() { : else hpkp_headers="" - pr_brown "multiple HPKP headers: " + pr_svrty_medium "multiple HPKP headers: " # https://scotthelme.co.uk is a candidate #FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> egrep -ai -w for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do @@ -970,7 +970,7 @@ run_hpkp() { fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)" else out "$hpkp_age_sec s = " - pr_brown "$hpkp_age_days days (<$HPKP_MIN days is not good enough)" + pr_svrty_medium "$hpkp_age_days days (<$HPKP_MIN days is not good enough)" fileout "hpkp_age" "NOT OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough." fi @@ -1168,7 +1168,7 @@ run_cookie_flags() { # ARG1: Path, ARG2: path fi nr_secure=$(grep -iac secure $TMPFILE) case $nr_secure in - 0) pr_brown "$negative_word" ;; + 0) pr_svrty_medium "$negative_word" ;; [123456789]) pr_done_good "$nr_secure/$nr_cookies";; esac out " secure, " @@ -1179,7 +1179,7 @@ run_cookie_flags() { # ARG1: Path, ARG2: path fi nr_httponly=$(grep -cai httponly $TMPFILE) case $nr_httponly in - 0) pr_brown "$negative_word" ;; + 0) pr_svrty_medium "$negative_word" ;; [123456789]) pr_done_good "$nr_httponly/$nr_cookies";; esac out " HttpOnly" @@ -1358,7 +1358,7 @@ std_cipherlists() { pr_done_bestln "offered (OK)" fileout "std_$4" "OK" "$2 offered (OK)" else - pr_brownln "not offered (NOT ok)" + pr_svrty_mediumln "not offered (NOT ok)" fileout "std_$4" "NOT OK" "$2 not offered (NOT ok)" fi ;; @@ -1382,7 +1382,7 @@ std_cipherlists() { ;; 3) # not totally bad if [[ $sclient_success -eq 0 ]]; then - pr_brownln "offered (NOT ok)" + pr_svrty_mediumln "offered (NOT ok)" fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - not too bad" else outln "not offered (OK)" @@ -2202,7 +2202,7 @@ run_protocols() { fileout "tls1" "INFO" "TLSv1.0 is not offered" ;; # neither good or bad 2) - pr_brown "not offered (NOT ok)" + pr_svrty_medium "not offered (NOT ok)" [[ $DEBUG -eq 1 ]] && out " -- downgraded" outln fileout "tls1" "NOT OK" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)" @@ -2258,11 +2258,11 @@ run_protocols() { fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)" ;; # GCM cipher in TLS 1.2: very good! 1) - pr_brownln "not offered (NOT ok)" + pr_svrty_mediumln "not offered (NOT ok)" fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered (NOT ok)" ;; # no GCM, penalty 2) - pr_brown "not offered (NOT ok)" + pr_svrty_medium "not offered (NOT ok)" [[ $DEBUG -eq 1 ]] && out " -- downgraded" outln fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered and downgraded to a weaker protocol (NOT ok)" @@ -2332,7 +2332,7 @@ read_dhbits_from_file() { elif [[ "$bits" -le 800 ]]; then pr_svrty_high "$bits $add" elif [[ "$bits" -le 1280 ]]; then - pr_brown "$bits $add" + pr_svrty_medium "$bits $add" elif [[ "$bits" -ge 2048 ]]; then pr_done_good "$bits $add" else @@ -2471,7 +2471,7 @@ run_server_preference() { fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher" ;; *CBC*) - pr_brown "$default_cipher" + pr_svrty_medium "$default_cipher" fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" ;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list *GCM*|*CHACHA20*) @@ -2923,7 +2923,7 @@ certificate_info() { out "$indent" ; pr_bold " Signature Algorithm " case $sig_algo in sha1WithRSAEncryption) - pr_brownln "SHA1 with RSA" + pr_svrty_mediumln "SHA1 with RSA" fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)" ;; sha256WithRSAEncryption) @@ -2972,7 +2972,7 @@ certificate_info() { pr_svrty_high "$keysize" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" elif [[ "$keysize" -le 163 ]]; then - pr_brown "$keysize" + pr_svrty_medium "$keysize" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" elif [[ "$keysize" -le 224 ]]; then out "$keysize" @@ -2995,7 +2995,7 @@ certificate_info() { outln " bits" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" elif [[ "$keysize" -le 1024 ]]; then - pr_brown "$keysize" + pr_svrty_medium "$keysize" outln " bits" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" elif [[ "$keysize" -le 2048 ]]; then @@ -3075,7 +3075,7 @@ certificate_info() { if [[ $SERVICE != "HTTP" ]]; then outln cnfinding+="\n" - #pr_brownln " (non-SNI clients don't match CN but for non-HTTP services it might be ok)" + #pr_svrty_mediumln " (non-SNI clients don't match CN but for non-HTTP services it might be ok)" #FIXME: this is irritating and needs to be redone. Then also the wildcard match needs to be tested against "$cn_nosni" elif [[ -z "$cn_nosni" ]]; then out " (request w/o SNI didn't succeed"; @@ -3187,7 +3187,7 @@ certificate_info() { pr_done_good "$days2expire >= $DAYS2WARN1 days" expfinding+="$days2expire >= $DAYS2WARN1 days" else - pr_brown "expires < $DAYS2WARN1 days ($days2expire)" + pr_svrty_medium "expires < $DAYS2WARN1 days ($days2expire)" expfinding+="expires < $DAYS2WARN1 days ($days2expire)" expok="WARN" fi @@ -3433,7 +3433,7 @@ run_pfs() { sclient_success=$? outln if [[ $sclient_success -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then - pr_brownln "Not OK: No ciphers supporting Forward Secrecy offered" + pr_svrty_mediumln "Not OK: No ciphers supporting Forward Secrecy offered" fileout "pfs" "NOT OK" "(Perfect) Forward Secrecy : Not OK: No ciphers supporting Forward Secrecy offered" else pfs_offered=true @@ -3480,7 +3480,7 @@ run_pfs() { $WIDE || outln if ! "$pfs_offered"; then - pr_brown "no PFS ciphers found" + pr_svrty_medium "no PFS ciphers found" fileout "pfs_ciphers" "NOT OK" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)" else fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers" @@ -4615,7 +4615,7 @@ run_crime() { pr_svrty_high "VULNERABLE (NOT ok)" fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)" else - pr_brown "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" + pr_svrty_medium "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" fi ret=1 @@ -4789,7 +4789,7 @@ run_tls_fallback_scsv() { $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE