Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #306 from thecky/severity

Browse Source 
Rename pr_() from color to severity naming
This commit is contained in:
Dirk Wetter 2016-03-02 16:49:46 +01:00
commit c4a68df423
1 changed files with 151 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

302
testssl.sh
View File

@ -319,10 +319,10 @@ pr_liteblueln() { pr_liteblue "$1"; outln; }
pr_blue() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;32m$1" || out "\033[1;34m$1" ) || out "$1"; pr_off; } # used for head lines of single tests pr_blue() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;32m$1" || out "\033[1;34m$1" ) || out "$1"; pr_off; } # used for head lines of single tests
pr_blueln() { pr_blue "$1"; outln; } pr_blueln() { pr_blue "$1"; outln; }
pr_litered() { [[ "$COLOR" -eq 2 ]] && out "\033[0;31m$1" || pr_bold "$1"; pr_off; } # this is bad pr_svrty_high() { [[ "$COLOR" -eq 2 ]] && out "\033[0;31m$1" || pr_bold "$1"; pr_off; } # this is bad
pr_literedln() { pr_litered "$1"; outln; } pr_svrty_highln() { pr_svrty_high "$1"; outln; }
pr_red() { [[ "$COLOR" -eq 2 ]] && out "\033[1;31m$1" || pr_bold "$1"; pr_off; } # oh, this is really bad pr_svrty_critical() { [[ "$COLOR" -eq 2 ]] && out "\033[1;31m$1" || pr_bold "$1"; pr_off; } # oh, this is really bad
pr_redln() { pr_red "$1"; outln; } pr_svrty_criticalln() { pr_svrty_critical "$1"; outln; }
pr_litemagenta() { [[ "$COLOR" -eq 2 ]] && out "\033[0;35m$1" || pr_underline "$1"; pr_off; } # local problem: one test cannot be done pr_litemagenta() { [[ "$COLOR" -eq 2 ]] && out "\033[0;35m$1" || pr_underline "$1"; pr_off; } # local problem: one test cannot be done
pr_litemagentaln() { pr_litemagenta "$1"; outln; } pr_litemagentaln() { pr_litemagenta "$1"; outln; }
@ -339,15 +339,15 @@ pr_litegrey() { [[ "$COLOR" -eq 2 ]] && out "\033[0;37m$1" || out "$1"; pr_off
pr_grey() { [[ "$COLOR" -eq 2 ]] && out "\033[1;30m$1" || out "$1"; pr_off; } pr_grey() { [[ "$COLOR" -eq 2 ]] && out "\033[1;30m$1" || out "$1"; pr_off; }
pr_greyln() { pr_grey "$1"; outln; } pr_greyln() { pr_grey "$1"; outln; }
pr_litegreen() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; } # This is good pr_done_good() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; } # This is good
pr_litegreenln() { pr_litegreen "$1"; outln; } pr_done_goodln() { pr_done_good "$1"; outln; }
pr_green() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # This is the best pr_done_best() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # This is the best
pr_greenln() { pr_green "$1"; outln; } pr_done_bestln() { pr_done_best "$1"; outln; }
pr_yellow() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem pr_svrty_minor() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # academic or minor problem
pr_yellowln() { pr_yellow "$1"; outln; } pr_svrty_minorln() { pr_svrty_minor "$1"; outln; }
pr_brown() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this pr_svrty_medium() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # it is not a bad problem but you shouldn't do this
pr_brownln() { pr_brown "$1"; outln; } pr_svrty_mediumln() { pr_svrty_medium "$1"; outln; }
# color=1 functions # color=1 functions
@ -721,7 +721,7 @@ run_http_header() {
redirect=$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n') redirect=$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')
out ", redirecting to \"$redirect\"" out ", redirecting to \"$redirect\""
if [[ $redirect == "http://"* ]]; then if [[ $redirect == "http://"* ]]; then
pr_litered " -- Redirect to insecure URL (NOT ok)" pr_svrty_high " -- Redirect to insecure URL (NOT ok)"
fileout "status_code" "NOT OK" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\"" fileout "status_code" "NOT OK" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\""
fi fi
fileout "status_code" "INFO" \ fileout "status_code" "INFO" \
@ -800,7 +800,7 @@ detect_ipv4() {
else else
first=false first=false
fi fi
pr_litered "$result" pr_svrty_high "$result"
outln "\n$spaces$your_ip_msg" outln "\n$spaces$your_ip_msg"
fileout "ip_in_header_$count" "NOT OK" "IPv4 address in header $result $your_ip_msg" fileout "ip_in_header_$count" "NOT OK" "IPv4 address in header $result $your_ip_msg"
fi fi
@ -845,7 +845,7 @@ run_http_date() {
includeSubDomains() { includeSubDomains() {
if grep -aiqw includeSubDomains "$1"; then if grep -aiqw includeSubDomains "$1"; then
pr_litegreen ", includeSubDomains" pr_done_good ", includeSubDomains"
return 1 return 1
else else
pr_litecyan ", just this domain" pr_litecyan ", just this domain"
@ -855,7 +855,7 @@ includeSubDomains() {
preload() { preload() {
if grep -aiqw preload "$1"; then if grep -aiqw preload "$1"; then
pr_litegreen ", preload" pr_done_good ", preload"
return 1 return 1
else else
return 0 return 0
@ -879,11 +879,11 @@ run_hsts() {
#FIXME: test for number! #FIXME: test for number!
hsts_age_days=$(( hsts_age_sec / 86400)) hsts_age_days=$(( hsts_age_sec / 86400))
if [[ $hsts_age_days -gt $HSTS_MIN ]]; then if [[ $hsts_age_days -gt $HSTS_MIN ]]; then
pr_litegreen "$hsts_age_days days" ; out "=$hsts_age_sec s" pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days" fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days"
else else
out "$hsts_age_sec s = " out "$hsts_age_sec s = "
pr_brown "$hsts_age_days days, <$HSTS_MIN days is too short" pr_svrty_medium "$hsts_age_days days, <$HSTS_MIN days is too short"
fileout "hsts_time" "NOT OK" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days" fileout "hsts_time" "NOT OK" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days"
fi fi
if includeSubDomains "$TMPFILE"; then if includeSubDomains "$TMPFILE"; then
@ -931,7 +931,7 @@ run_hpkp() {
: :
else else
hpkp_headers="" hpkp_headers=""
pr_brown "multiple HPKP headers: " pr_svrty_medium "multiple HPKP headers: "
# https://scotthelme.co.uk is a candidate # https://scotthelme.co.uk is a candidate
#FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> egrep -ai -w #FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> egrep -ai -w
for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do
@ -955,7 +955,7 @@ run_hpkp() {
hpkp_nr_keys=$(grep -ac pin-sha $TMPFILE) hpkp_nr_keys=$(grep -ac pin-sha $TMPFILE)
out "# of keys: " out "# of keys: "
if [[ $hpkp_nr_keys -eq 1 ]]; then if [[ $hpkp_nr_keys -eq 1 ]]; then
pr_litered "1 (NOT ok), " pr_svrty_high "1 (NOT ok), "
fileout "hpkp_keys" "NOT OK" "Only one key pinned in HPKP header, this means the site may become unavaiable if the key is revoked" fileout "hpkp_keys" "NOT OK" "Only one key pinned in HPKP header, this means the site may become unavaiable if the key is revoked"
else else
out "$hpkp_nr_keys, " out "$hpkp_nr_keys, "
@ -966,11 +966,11 @@ run_hpkp() {
hpkp_age_sec=$(awk -F= '/max-age/{max_age=$2; print max_age}' $TMPFILE | sed -E 's/[^[:digit:]]//g') hpkp_age_sec=$(awk -F= '/max-age/{max_age=$2; print max_age}' $TMPFILE | sed -E 's/[^[:digit:]]//g')
hpkp_age_days=$((hpkp_age_sec / 86400)) hpkp_age_days=$((hpkp_age_sec / 86400))
if [[ $hpkp_age_days -ge $HPKP_MIN ]]; then if [[ $hpkp_age_days -ge $HPKP_MIN ]]; then
pr_litegreen "$hpkp_age_days days" ; out "=$hpkp_age_sec s" pr_done_good "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)" fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)"
else else
out "$hpkp_age_sec s = " out "$hpkp_age_sec s = "
pr_brown "$hpkp_age_days days (<$HPKP_MIN days is not good enough)" pr_svrty_medium "$hpkp_age_days days (<$HPKP_MIN days is not good enough)"
fileout "hpkp_age" "NOT OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough." fileout "hpkp_age" "NOT OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough."
fi fi
@ -995,7 +995,7 @@ run_hpkp() {
while read hpkp_key; do while read hpkp_key; do
if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
out "\n$spaces matching host key: " out "\n$spaces matching host key: "
pr_litegreen "$hpkp_key" pr_done_good "$hpkp_key"
fileout "hpkp_keymatch" "OK" "Key matches a key pinned in the HPKP header" fileout "hpkp_keymatch" "OK" "Key matches a key pinned in the HPKP header"
key_found=true key_found=true
fi fi
@ -1003,7 +1003,7 @@ run_hpkp() {
done < <(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') done < <(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }')
if ! $key_found ; then if ! $key_found ; then
out "\n$spaces" out "\n$spaces"
pr_litered " No matching key for pins found " pr_svrty_high " No matching key for pins found "
out "(CAs pinned? -- not checked for yet)" out "(CAs pinned? -- not checked for yet)"
fileout "hpkp_keymatch" "WARN" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this" fileout "hpkp_keymatch" "WARN" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this"
fi fi
@ -1168,8 +1168,8 @@ run_cookie_flags() { # ARG1: Path, ARG2: path
fi fi
nr_secure=$(grep -iac secure $TMPFILE) nr_secure=$(grep -iac secure $TMPFILE)
case $nr_secure in case $nr_secure in
0) pr_brown "$negative_word" ;; 0) pr_svrty_medium "$negative_word" ;;
[123456789]) pr_litegreen "$nr_secure/$nr_cookies";; [123456789]) pr_done_good "$nr_secure/$nr_cookies";;
esac esac
out " secure, " out " secure, "
if [[ $nr_cookies == $nr_secure ]]; then if [[ $nr_cookies == $nr_secure ]]; then
@ -1179,8 +1179,8 @@ run_cookie_flags() { # ARG1: Path, ARG2: path
fi fi
nr_httponly=$(grep -cai httponly $TMPFILE) nr_httponly=$(grep -cai httponly $TMPFILE)
case $nr_httponly in case $nr_httponly in
0) pr_brown "$negative_word" ;; 0) pr_svrty_medium "$negative_word" ;;
[123456789]) pr_litegreen "$nr_httponly/$nr_cookies";; [123456789]) pr_done_good "$nr_httponly/$nr_cookies";;
esac esac
out " HttpOnly" out " HttpOnly"
if [[ $nr_cookies == $nr_httponly ]]; then if [[ $nr_cookies == $nr_httponly ]]; then
@ -1231,8 +1231,8 @@ run_more_flags() {
first=false first=false
fi fi
# extract and print key(=flag) in green: # extract and print key(=flag) in green:
pr_litegreen "${result_str%%:*}:" pr_done_good "${result_str%%:*}:"
#pr_litegreen "$(sed 's/:.*$/:/' <<< "$result_str")" #pr_done_good "$(sed 's/:.*$/:/' <<< "$result_str")"
# print value in plain text: # print value in plain text:
outln "${result_str#*:}" outln "${result_str#*:}"
fileout "${result_str%%:*}" "OK" "${result_str%%:*}: ${result_str#*:}" fileout "${result_str%%:*}" "OK" "${result_str%%:*}: ${result_str#*:}"
@ -1355,34 +1355,34 @@ std_cipherlists() {
case $3 in case $3 in
0) # ok to offer 0) # ok to offer
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_greenln "offered (OK)" pr_done_bestln "offered (OK)"
fileout "std_$4" "OK" "$2 offered (OK)" fileout "std_$4" "OK" "$2 offered (OK)"
else else
pr_brownln "not offered (NOT ok)" pr_svrty_mediumln "not offered (NOT ok)"
fileout "std_$4" "NOT OK" "$2 not offered (NOT ok)" fileout "std_$4" "NOT OK" "$2 not offered (NOT ok)"
fi fi
;; ;;
1) # the ugly ones 1) # the ugly ones
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_redln "offered (NOT ok)" pr_svrty_criticalln "offered (NOT ok)"
fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - ugly" fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - ugly"
else else
pr_greenln "not offered (OK)" pr_done_bestln "not offered (OK)"
fileout "std_$4" "OK" "$2 not offered (OK)" fileout "std_$4" "OK" "$2 not offered (OK)"
fi fi
;; ;;
2) # bad but not worst 2) # bad but not worst
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_literedln "offered (NOT ok)" pr_svrty_highln "offered (NOT ok)"
fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - bad" fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - bad"
else else
pr_litegreenln "not offered (OK)" pr_done_goodln "not offered (OK)"
fileout "std_$4" "OK" "$2 not offered (OK)" fileout "std_$4" "OK" "$2 not offered (OK)"
fi fi
;; ;;
3) # not totally bad 3) # not totally bad
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_brownln "offered (NOT ok)" pr_svrty_mediumln "offered (NOT ok)"
fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - not too bad" fileout "std_$4" "NOT OK" "$2 offered (NOT ok) - not too bad"
else else
outln "not offered (OK)" outln "not offered (OK)"
@ -2139,15 +2139,15 @@ run_protocols() {
run_prototest_openssl "-ssl2" run_prototest_openssl "-ssl2"
case $? in case $? in
0) 0)
pr_redln "offered (NOT ok)" pr_svrty_criticalln "offered (NOT ok)"
fileout "sslv2" "NOT OK" "SSLv2 is offered (NOT ok)" fileout "sslv2" "NOT OK" "SSLv2 is offered (NOT ok)"
;; ;;
1) 1)
pr_greenln "not offered (OK)" pr_done_bestln "not offered (OK)"
fileout "sslv2" "OK" "SSLv2 is not offered (OK)" fileout "sslv2" "OK" "SSLv2 is not offered (OK)"
;; ;;
5) 5)
pr_litered "$supported_no_ciph2"; pr_svrty_high "$supported_no_ciph2";
outln " (may need further attention)" # protocol ok, but no cipher outln " (may need further attention)" # protocol ok, but no cipher
fileout "sslv2" "WARN" "SSLv2 is $supported_no_ciph2 (may need further attention)" fileout "sslv2" "WARN" "SSLv2 is $supported_no_ciph2 (may need further attention)"
;; ;;
@ -2165,11 +2165,11 @@ run_protocols() {
fi fi
case $? in case $? in
0) 0)
pr_literedln "offered (NOT ok)" pr_svrty_highln "offered (NOT ok)"
fileout "sslv3" "NOT OK" "SSLv3 is offered (NOT ok)" fileout "sslv3" "NOT OK" "SSLv3 is offered (NOT ok)"
;; ;;
1) 1)
pr_greenln "not offered (OK)" pr_done_bestln "not offered (OK)"
fileout "sslv3" "OK" "SSLv3 is not offered (OK)" fileout "sslv3" "OK" "SSLv3 is not offered (OK)"
;; ;;
2) 2)
@ -2178,7 +2178,7 @@ run_protocols() {
;; ;;
5) 5)
fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1" fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1"
pr_litered "$supported_no_ciph2" pr_svrty_high "$supported_no_ciph2"
outln "(may need debugging)" outln "(may need debugging)"
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) 7)
@ -2202,7 +2202,7 @@ run_protocols() {
fileout "tls1" "INFO" "TLSv1.0 is not offered" fileout "tls1" "INFO" "TLSv1.0 is not offered"
;; # neither good or bad ;; # neither good or bad
2) 2)
pr_brown "not offered (NOT ok)" pr_svrty_medium "not offered (NOT ok)"
[[ $DEBUG -eq 1 ]] && out " -- downgraded" [[ $DEBUG -eq 1 ]] && out " -- downgraded"
outln outln
fileout "tls1" "NOT OK" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)" fileout "tls1" "NOT OK" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)"
@ -2254,15 +2254,15 @@ run_protocols() {
fi fi
case $? in case $? in
0) 0)
pr_greenln "offered (OK)" pr_done_bestln "offered (OK)"
fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)" fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)"
;; # GCM cipher in TLS 1.2: very good! ;; # GCM cipher in TLS 1.2: very good!
1) 1)
pr_brownln "not offered (NOT ok)" pr_svrty_mediumln "not offered (NOT ok)"
fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered (NOT ok)" fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered (NOT ok)"
;; # no GCM, penalty ;; # no GCM, penalty
2) 2)
pr_brown "not offered (NOT ok)" pr_svrty_medium "not offered (NOT ok)"
[[ $DEBUG -eq 1 ]] && out " -- downgraded" [[ $DEBUG -eq 1 ]] && out " -- downgraded"
outln outln
fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered and downgraded to a weaker protocol (NOT ok)" fileout "tls1_2" "NOT OK" "TLSv1.2 is not offered and downgraded to a weaker protocol (NOT ok)"
@ -2328,13 +2328,13 @@ read_dhbits_from_file() {
if [[ $what_dh == "DH" ]] || [[ $what_dh == "EDH" ]]; then if [[ $what_dh == "DH" ]] || [[ $what_dh == "EDH" ]]; then
[[ -z "$2" ]] && add="bit DH" [[ -z "$2" ]] && add="bit DH"
if [[ "$bits" -le 600 ]]; then if [[ "$bits" -le 600 ]]; then
pr_red "$bits $add" pr_svrty_critical "$bits $add"
elif [[ "$bits" -le 800 ]]; then elif [[ "$bits" -le 800 ]]; then
pr_litered "$bits $add" pr_svrty_high "$bits $add"
elif [[ "$bits" -le 1280 ]]; then elif [[ "$bits" -le 1280 ]]; then
pr_brown "$bits $add" pr_svrty_medium "$bits $add"
elif [[ "$bits" -ge 2048 ]]; then elif [[ "$bits" -ge 2048 ]]; then
pr_litegreen "$bits $add" pr_done_good "$bits $add"
else else
out "$bits $add" out "$bits $add"
fi fi
@ -2342,11 +2342,11 @@ read_dhbits_from_file() {
elif [[ $what_dh == "ECDH" ]]; then elif [[ $what_dh == "ECDH" ]]; then
[[ -z "$2" ]] && add="bit ECDH" [[ -z "$2" ]] && add="bit ECDH"
if [[ "$bits" -le 128 ]]; then # has that ever existed? if [[ "$bits" -le 128 ]]; then # has that ever existed?
pr_red "$bits $add" pr_svrty_critical "$bits $add"
elif [[ "$bits" -le 163 ]]; then elif [[ "$bits" -le 163 ]]; then
pr_litered "$bits $add" pr_svrty_high "$bits $add"
elif [[ "$bits" -ge 224 ]]; then elif [[ "$bits" -ge 224 ]]; then
pr_litegreen "$bits $add" pr_done_good "$bits $add"
else else
out "$bits $add" out "$bits $add"
fi fi
@ -2403,11 +2403,11 @@ run_server_preference() {
cipher2=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g') cipher2=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
if [[ "$cipher1" != "$cipher2" ]]; then if [[ "$cipher1" != "$cipher2" ]]; then
pr_litered "nope (NOT ok)" pr_svrty_high "nope (NOT ok)"
remark4default_cipher=" (limited sense as client will pick)" remark4default_cipher=" (limited sense as client will pick)"
fileout "order" "NOT OK" "Server does NOT set a cipher order (NOT ok)" fileout "order" "NOT OK" "Server does NOT set a cipher order (NOT ok)"
else else
pr_green "yes (OK)" pr_done_best "yes (OK)"
remark4default_cipher="" remark4default_cipher=""
fileout "order" "OK" "Server sets a cipher order (OK)" fileout "order" "OK" "Server sets a cipher order (OK)"
fi fi
@ -2424,11 +2424,11 @@ run_server_preference() {
default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
case "$default_proto" in case "$default_proto" in
*TLSv1.2) *TLSv1.2)
pr_greenln $default_proto pr_done_bestln $default_proto
fileout "order_proto" "OK" "Default protocol TLS1.2 (OK)" fileout "order_proto" "OK" "Default protocol TLS1.2 (OK)"
;; ;;
*TLSv1.1) *TLSv1.1)
pr_litegreenln $default_proto pr_done_goodln $default_proto
fileout "order_proto" "OK" "Default protocol TLS1.1 (OK)" fileout "order_proto" "OK" "Default protocol TLS1.1 (OK)"
;; ;;
*TLSv1) *TLSv1)
@ -2436,11 +2436,11 @@ run_server_preference() {
fileout "order_proto" "INFO" "Default protocol TLS1.0" fileout "order_proto" "INFO" "Default protocol TLS1.0"
;; ;;
*SSLv2) *SSLv2)
pr_redln $default_proto pr_svrty_criticalln $default_proto
fileout "order_proto" "NOT OK" "Default protocol SSLv2" fileout "order_proto" "NOT OK" "Default protocol SSLv2"
;; ;;
*SSLv3) *SSLv3)
pr_redln $default_proto pr_svrty_criticalln $default_proto
fileout "order_proto" "NOT OK" "Default protocol SSLv3" fileout "order_proto" "NOT OK" "Default protocol SSLv3"
;; ;;
"") "")
@ -2462,24 +2462,24 @@ run_server_preference() {
default_cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') default_cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
case "$default_cipher" in case "$default_cipher" in
*NULL*|*EXP*) *NULL*|*EXP*)
pr_red "$default_cipher" pr_svrty_critical "$default_cipher"
fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
;; ;;
*RC4*) *RC4*)
pr_litered "$default_cipher" pr_svrty_high "$default_cipher"
fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher" fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher"
;; ;;
*CBC*) *CBC*)
pr_brown "$default_cipher" pr_svrty_medium "$default_cipher"
fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" fileout "order_cipher" "NOT OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list ;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
*GCM*|*CHACHA20*) *GCM*|*CHACHA20*)
pr_green "$default_cipher" pr_done_best "$default_cipher"
fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (OK) $remark4default_cipher" fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (OK) $remark4default_cipher"
;; # best ones ;; # best ones
ECDHE*AES*) ECDHE*AES*)
pr_yellow "$default_cipher" pr_svrty_minor "$default_cipher"
fileout "order_cipher" "WARN" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher" fileout "order_cipher" "WARN" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher"
;; # it's CBC. --> lucky13 ;; # it's CBC. --> lucky13
"") "")
@ -2708,12 +2708,12 @@ determine_trust() {
if [[ ${verify_retcode[i]} -eq 0 ]]; then if [[ ${verify_retcode[i]} -eq 0 ]]; then
trust[i]=true trust[i]=true
some_ok=true some_ok=true
debugme pr_litegreen "Ok " debugme pr_done_good "Ok "
debugme outln "${verify_retcode[i]}" debugme outln "${verify_retcode[i]}"
else else
trust[i]=false trust[i]=false
all_ok=false all_ok=false
debugme pr_litered "not trusted " debugme pr_svrty_high "not trusted "
debugme outln "${verify_retcode[i]}" debugme outln "${verify_retcode[i]}"
fi fi
i=$((i + 1)) i=$((i + 1))
@ -2722,11 +2722,11 @@ determine_trust() {
debugme out " " debugme out " "
if $all_ok; then if $all_ok; then
# all stores ok # all stores ok
pr_litegreen "Ok "; pr_litemagenta "$addtl_warning" pr_done_good "Ok "; pr_litemagenta "$addtl_warning"
fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning" fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning"
else else
# at least one failed # at least one failed
pr_red "NOT ok" pr_svrty_critical "NOT ok"
if ! $some_ok; then if ! $some_ok; then
# all failed (we assume with the same issue), we're displaying the reason # all failed (we assume with the same issue), we're displaying the reason
out " " out " "
@ -2735,24 +2735,24 @@ determine_trust() {
else else
# is one ok and the others not ==> display the culprit store # is one ok and the others not ==> display the culprit store
if $some_ok ; then if $some_ok ; then
pr_red ":" pr_svrty_critical ":"
for ((i=1;i<=num_ca_bundles;i++)); do for ((i=1;i<=num_ca_bundles;i++)); do
if ${trust[i]}; then if ${trust[i]}; then
ok_was="${certificate_file[i]} $ok_was" ok_was="${certificate_file[i]} $ok_was"
else else
#code="$(verify_retcode_helper ${verify_retcode[i]})" #code="$(verify_retcode_helper ${verify_retcode[i]})"
#notok_was="${certificate_file[i]} $notok_was" #notok_was="${certificate_file[i]} $notok_was"
pr_litered " ${certificate_file[i]} " pr_svrty_high " ${certificate_file[i]} "
verify_retcode_helper "${verify_retcode[i]}" verify_retcode_helper "${verify_retcode[i]}"
notok_was="${certificate_file[i]} $(verify_retcode_helper "${verify_retcode[i]}") $notok_was" notok_was="${certificate_file[i]} $(verify_retcode_helper "${verify_retcode[i]}") $notok_was"
fi fi
done done
#pr_litered "$notok_was " #pr_svrty_high "$notok_was "
#outln "$code" #outln "$code"
outln outln
# lf + green ones # lf + green ones
[[ "$DEBUG" -eq 0 ]] && out "$spaces" [[ "$DEBUG" -eq 0 ]] && out "$spaces"
pr_litegreen "OK: $ok_was" pr_done_good "OK: $ok_was"
fi fi
fileout "${json_prefix}trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" fileout "${json_prefix}trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
fi fi
@ -2923,27 +2923,27 @@ certificate_info() {
out "$indent" ; pr_bold " Signature Algorithm " out "$indent" ; pr_bold " Signature Algorithm "
case $sig_algo in case $sig_algo in
sha1WithRSAEncryption) sha1WithRSAEncryption)
pr_brownln "SHA1 with RSA" pr_svrty_mediumln "SHA1 with RSA"
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)" fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
;; ;;
sha256WithRSAEncryption) sha256WithRSAEncryption)
pr_litegreenln "SHA256 with RSA" pr_done_goodln "SHA256 with RSA"
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
;; ;;
sha384WithRSAEncryption) sha384WithRSAEncryption)
pr_litegreenln "SHA384 with RSA" pr_done_goodln "SHA384 with RSA"
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
;; ;;
sha512WithRSAEncryption) sha512WithRSAEncryption)
pr_litegreenln "SHA512 with RSA" pr_done_goodln "SHA512 with RSA"
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
;; ;;
ecdsa-with-SHA256) ecdsa-with-SHA256)
pr_litegreenln "ECDSA with SHA256" pr_done_goodln "ECDSA with SHA256"
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
;; ;;
md5*) md5*)
pr_redln "MD5" pr_svrty_criticalln "MD5"
fileout "${json_prefix}algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)" fileout "${json_prefix}algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)"
;; ;;
*) *)
@ -2966,19 +2966,19 @@ certificate_info() {
# Table 2 @ chapter 5.6.1 (~ p64) # Table 2 @ chapter 5.6.1 (~ p64)
if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
if [[ "$keysize" -le 110 ]]; then # a guess if [[ "$keysize" -le 110 ]]; then # a guess
pr_red "$keysize" pr_svrty_critical "$keysize"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 123 ]]; then # a guess elif [[ "$keysize" -le 123 ]]; then # a guess
pr_litered "$keysize" pr_svrty_high "$keysize"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 163 ]]; then elif [[ "$keysize" -le 163 ]]; then
pr_brown "$keysize" pr_svrty_medium "$keysize"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 224 ]]; then elif [[ "$keysize" -le 224 ]]; then
out "$keysize" out "$keysize"
fileout "${json_prefix}key_size" "INFO" "Server keys $keysize EC bits" fileout "${json_prefix}key_size" "INFO" "Server keys $keysize EC bits"
elif [[ "$keysize" -le 533 ]]; then elif [[ "$keysize" -le 533 ]]; then
pr_litegreen "$keysize" pr_done_good "$keysize"
fileout "${json_prefix}key_size" "OK" "Server keys $keysize EC bits (OK)" fileout "${json_prefix}key_size" "OK" "Server keys $keysize EC bits (OK)"
else else
out "keysize: $keysize (not expected, FIXME)" out "keysize: $keysize (not expected, FIXME)"
@ -2987,22 +2987,22 @@ certificate_info() {
outln " bit" outln " bit"
elif [[ $sig_algo = *RSA* ]]; then elif [[ $sig_algo = *RSA* ]]; then
if [[ "$keysize" -le 512 ]]; then if [[ "$keysize" -le 512 ]]; then
pr_red "$keysize" pr_svrty_critical "$keysize"
outln " bits" outln " bits"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
elif [[ "$keysize" -le 768 ]]; then elif [[ "$keysize" -le 768 ]]; then
pr_litered "$keysize" pr_svrty_high "$keysize"
outln " bits" outln " bits"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
elif [[ "$keysize" -le 1024 ]]; then elif [[ "$keysize" -le 1024 ]]; then
pr_brown "$keysize" pr_svrty_medium "$keysize"
outln " bits" outln " bits"
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
elif [[ "$keysize" -le 2048 ]]; then elif [[ "$keysize" -le 2048 ]]; then
outln "$keysize bits" outln "$keysize bits"
fileout "${json_prefix}key_size" "INFO" "Server keys $keysize bits" fileout "${json_prefix}key_size" "INFO" "Server keys $keysize bits"
elif [[ "$keysize" -le 4096 ]]; then elif [[ "$keysize" -le 4096 ]]; then
pr_litegreen "$keysize" pr_done_good "$keysize"
fileout "${json_prefix}key_size" "OK" "Server keys $keysize bits (OK)" fileout "${json_prefix}key_size" "OK" "Server keys $keysize bits (OK)"
outln " bits" outln " bits"
else else
@ -3075,7 +3075,7 @@ certificate_info() {
if [[ $SERVICE != "HTTP" ]]; then if [[ $SERVICE != "HTTP" ]]; then
outln outln
cnfinding+="\n" cnfinding+="\n"
#pr_brownln " (non-SNI clients don't match CN but for non-HTTP services it might be ok)" #pr_svrty_mediumln " (non-SNI clients don't match CN but for non-HTTP services it might be ok)"
#FIXME: this is irritating and needs to be redone. Then also the wildcard match needs to be tested against "$cn_nosni" #FIXME: this is irritating and needs to be redone. Then also the wildcard match needs to be tested against "$cn_nosni"
elif [[ -z "$cn_nosni" ]]; then elif [[ -z "$cn_nosni" ]]; then
out " (request w/o SNI didn't succeed"; out " (request w/o SNI didn't succeed";
@ -3119,7 +3119,7 @@ certificate_info() {
issuer_C="$(awk -F'=' '/C=/ { print $2 }' <<< "$issuer")" issuer_C="$(awk -F'=' '/C=/ { print $2 }' <<< "$issuer")"
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
pr_redln "self-signed (NOT ok)" pr_svrty_criticalln "self-signed (NOT ok)"
fileout "${json_prefix}issuer" "NOT OK" "Issuer: selfsigned (NOT ok)" fileout "${json_prefix}issuer" "NOT OK" "Issuer: selfsigned (NOT ok)"
else else
pr_dquoted "$issuer_CN" pr_dquoted "$issuer_CN"
@ -3174,7 +3174,7 @@ certificate_info() {
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE) expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
if ! echo $expire | grep -qw not; then if ! echo $expire | grep -qw not; then
pr_red "expired!" pr_svrty_critical "expired!"
expfinding="expired!" expfinding="expired!"
expok="NOT OK" expok="NOT OK"
else else
@ -3184,15 +3184,15 @@ certificate_info() {
secs2warn=$((24 * 60 * 60 * DAYS2WARN1)) secs2warn=$((24 * 60 * 60 * DAYS2WARN1))
expire=$($OPENSSL x509 -in $HOSTCERT -checkend $secs2warn 2>>$ERRFILE) expire=$($OPENSSL x509 -in $HOSTCERT -checkend $secs2warn 2>>$ERRFILE)
if echo "$expire" | grep -qw not; then if echo "$expire" | grep -qw not; then
pr_litegreen "$days2expire >= $DAYS2WARN1 days" pr_done_good "$days2expire >= $DAYS2WARN1 days"
expfinding+="$days2expire >= $DAYS2WARN1 days" expfinding+="$days2expire >= $DAYS2WARN1 days"
else else
pr_brown "expires < $DAYS2WARN1 days ($days2expire)" pr_svrty_medium "expires < $DAYS2WARN1 days ($days2expire)"
expfinding+="expires < $DAYS2WARN1 days ($days2expire)" expfinding+="expires < $DAYS2WARN1 days ($days2expire)"
expok="WARN" expok="WARN"
fi fi
else else
pr_litered "expires < $DAYS2WARN2 days ($days2expire) !" pr_svrty_high "expires < $DAYS2WARN2 days ($days2expire) !"
expfinding+="expires < $DAYS2WARN2 days ($days2expire) !" expfinding+="expires < $DAYS2WARN2 days ($days2expire) !"
expok="NOT OK" expok="NOT OK"
fi fi
@ -3211,7 +3211,7 @@ certificate_info() {
out "$indent"; pr_bold " Certificate Revocation List " out "$indent"; pr_bold " Certificate Revocation List "
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')" crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
if [[ -z "$crl" ]]; then if [[ -z "$crl" ]]; then
pr_literedln "--" pr_svrty_highln "--"
fileout "${json_prefix}crl" "NOT OK" "No CRL provided (NOT ok)" fileout "${json_prefix}crl" "NOT OK" "No CRL provided (NOT ok)"
elif grep -q http <<< "$crl"; then elif grep -q http <<< "$crl"; then
if [[ $(count_lines "$crl") -eq 1 ]]; then if [[ $(count_lines "$crl") -eq 1 ]]; then
@ -3229,7 +3229,7 @@ certificate_info() {
out "$indent"; pr_bold " OCSP URI " out "$indent"; pr_bold " OCSP URI "
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE) ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
if [[ -z "$ocsp_uri" ]]; then if [[ -z "$ocsp_uri" ]]; then
pr_literedln "--" pr_svrty_highln "--"
fileout "${json_prefix}ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)" fileout "${json_prefix}ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)"
else else
outln "$ocsp_uri" outln "$ocsp_uri"
@ -3238,11 +3238,11 @@ certificate_info() {
out "$indent"; pr_bold " OCSP stapling " out "$indent"; pr_bold " OCSP stapling "
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
pr_yellow "--" pr_svrty_minor "--"
fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered" fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered"
else else
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
pr_litegreen "offered" pr_done_good "offered"
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered" fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
else else
if $GOST_STATUS_PROBLEM; then if $GOST_STATUS_PROBLEM; then
@ -3377,7 +3377,7 @@ run_server_defaults() {
lifetime=$(echo $sessticket_str | grep -a lifetime | sed 's/[A-Za-z:() ]//g') lifetime=$(echo $sessticket_str | grep -a lifetime | sed 's/[A-Za-z:() ]//g')
unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g') unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g')
out "$lifetime $unit " out "$lifetime $unit "
pr_yellowln "(PFS requires session ticket keys to be rotated <= daily)" pr_svrty_minorln "(PFS requires session ticket keys to be rotated <= daily)"
fileout "session_ticket" "INFO" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)" fileout "session_ticket" "INFO" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)"
fi fi
@ -3433,12 +3433,12 @@ run_pfs() {
sclient_success=$? sclient_success=$?
outln outln
if [[ $sclient_success -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then if [[ $sclient_success -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then
pr_brownln "Not OK: No ciphers supporting Forward Secrecy offered" pr_svrty_mediumln "Not OK: No ciphers supporting Forward Secrecy offered"
fileout "pfs" "NOT OK" "(Perfect) Forward Secrecy : Not OK: No ciphers supporting Forward Secrecy offered" fileout "pfs" "NOT OK" "(Perfect) Forward Secrecy : Not OK: No ciphers supporting Forward Secrecy offered"
else else
pfs_offered=true pfs_offered=true
pfs_ciphers="" pfs_ciphers=""
pr_litegreen " PFS is offered (OK)" pr_done_good " PFS is offered (OK)"
fileout "pfs" "OK" "(Perfect) Forward Secrecy : PFS is offered (OK)" fileout "pfs" "OK" "(Perfect) Forward Secrecy : PFS is offered (OK)"
if $WIDE; then if $WIDE; then
outln ", ciphers follow (client/browser support is important here) \n" outln ", ciphers follow (client/browser support is important here) \n"
@ -3464,7 +3464,7 @@ run_pfs() {
neat_list $HEXC $pfs_cipher "$kx" $enc $strength neat_list $HEXC $pfs_cipher "$kx" $enc $strength
if [[ "$SHOW_EACH_C" -ne 0 ]]; then if [[ "$SHOW_EACH_C" -ne 0 ]]; then
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_green "works" pr_done_best "works"
else else
out "not a/v" out "not a/v"
fi fi
@ -3480,7 +3480,7 @@ run_pfs() {
$WIDE || outln $WIDE || outln
if ! "$pfs_offered"; then if ! "$pfs_offered"; then
pr_brown "no PFS ciphers found" pr_svrty_medium "no PFS ciphers found"
fileout "pfs_ciphers" "NOT OK" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)" fileout "pfs_ciphers" "NOT OK" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)"
else else
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers" fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
@ -3988,12 +3988,12 @@ sslv2_sockets() {
fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 replay (rerun with DEBUG>=2)" fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 replay (rerun with DEBUG>=2)"
;; ;;
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP! 1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
pr_greenln "not offered (OK)" pr_done_bestln "not offered (OK)"
ret=0 ret=0
fileout "sslv2" "OK" "SSLv2 not offered (OK)" fileout "sslv2" "OK" "SSLv2 not offered (OK)"
;; ;;
0) # reset 0) # reset
pr_greenln "not offered (OK)" pr_done_bestln "not offered (OK)"
ret=0 ret=0
fileout "sslv2" "OK" "SSLv2 not offered (OK)" fileout "sslv2" "OK" "SSLv2 not offered (OK)"
;; ;;
@ -4003,11 +4003,11 @@ sslv2_sockets() {
if [[ "$lines" -gt 1 ]]; then if [[ "$lines" -gt 1 ]]; then
ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
if [[ 0 -eq "$ciphers_detected" ]]; then if [[ 0 -eq "$ciphers_detected" ]]; then
pr_litered "supported but couldn't detect a cipher"; pr_svrty_high "supported but couldn't detect a cipher";
outln " (may need further attention)" outln " (may need further attention)"
fileout "sslv2" "NOT OK" "SSLv2 offered (NOT ok), but could not detect a cipher (may need further attention)" fileout "sslv2" "NOT OK" "SSLv2 offered (NOT ok), but could not detect a cipher (may need further attention)"
else else
pr_red "offered (NOT ok)"; pr_svrty_critical "offered (NOT ok)";
outln " -- $ciphers_detected ciphers" outln " -- $ciphers_detected ciphers"
fileout "sslv2" "NOT OK" "SSLv2 offered (NOT ok).\nDetected ciphers: $ciphers_detected" fileout "sslv2" "NOT OK" "SSLv2 offered (NOT ok).\nDetected ciphers: $ciphers_detected"
fi fi
@ -4234,7 +4234,7 @@ run_heartbleed(){
[[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions
if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then
pr_green "not vulnerable (OK)" pr_done_best "not vulnerable (OK)"
outln " (no heartbeat extension)" outln " (no heartbeat extension)"
fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (no heartbeat extension)" fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (no heartbeat extension)"
return 0 return 0
@ -4329,7 +4329,7 @@ run_heartbleed(){
lines_returned=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l | sed 's/ //g') lines_returned=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l | sed 's/ //g')
if [[ $lines_returned -gt 1 ]]; then if [[ $lines_returned -gt 1 ]]; then
pr_red "VULNERABLE (NOT ok)" pr_svrty_critical "VULNERABLE (NOT ok)"
if [[ $retval -eq 3 ]]; then if [[ $retval -eq 3 ]]; then
fileout "heartbleed" "NOT OK" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok) (timed out)" fileout "heartbleed" "NOT OK" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok) (timed out)"
else else
@ -4337,7 +4337,7 @@ run_heartbleed(){
fi fi
ret=1 ret=1
else else
pr_green "not vulnerable (OK)" pr_done_best "not vulnerable (OK)"
if [[ $retval -eq 3 ]]; then if [[ $retval -eq 3 ]]; then
fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (timed out)" fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (timed out)"
else else
@ -4355,7 +4355,7 @@ run_heartbleed(){
# helper function # helper function
ok_ids(){ ok_ids(){
pr_greenln "\n ok -- something resetted our ccs packets" pr_done_bestln "\n ok -- something resetted our ccs packets"
return 0 return 0
} }
@ -4458,7 +4458,7 @@ run_ccs_injection(){
debugme echo "lines: $lines, byte6: $byte6" debugme echo "lines: $lines, byte6: $byte6"
if [[ "$byte6" == "0a" ]] || [[ "$lines" -gt 1 ]]; then if [[ "$byte6" == "0a" ]] || [[ "$lines" -gt 1 ]]; then
pr_green "not vulnerable (OK)" pr_done_best "not vulnerable (OK)"
if [[ $retval -eq 3 ]]; then if [[ $retval -eq 3 ]]; then
fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK) (timed out)" fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK) (timed out)"
else else
@ -4466,7 +4466,7 @@ run_ccs_injection(){
fi fi
ret=0 ret=0
else else
pr_red "VULNERABLE (NOT ok)" pr_svrty_critical "VULNERABLE (NOT ok)"
if [[ $retval -eq 3 ]]; then if [[ $retval -eq 3 ]]; then
fileout "ccs" "NOT OK" "CCS (CVE-2014-0224): VULNERABLE (NOT ok) (timed out)" fileout "ccs" "NOT OK" "CCS (CVE-2014-0224): VULNERABLE (NOT ok) (timed out)"
else else
@ -4499,11 +4499,11 @@ run_renego() {
#FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported" #FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported"
case $sec_renego in case $sec_renego in
0) 0)
pr_redln "VULNERABLE (NOT ok)" pr_svrty_criticalln "VULNERABLE (NOT ok)"
fileout "secure_renego" "NOT OK" "Secure Renegotiation (CVE-2009-3555) : VULNERABLE (NOT ok)" fileout "secure_renego" "NOT OK" "Secure Renegotiation (CVE-2009-3555) : VULNERABLE (NOT ok)"
;; ;;
1) 1)
pr_greenln "not vulnerable (OK)" pr_done_bestln "not vulnerable (OK)"
fileout "secure_renego" "OK" "Secure Renegotiation (CVE-2009-3555) : not vulnerable (OK)" fileout "secure_renego" "OK" "Secure Renegotiation (CVE-2009-3555) : not vulnerable (OK)"
;; ;;
*) *)
@ -4548,7 +4548,7 @@ run_renego() {
echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE & echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $HEADER_MAXSLEEP
if [[ $? -eq 3 ]]; then if [[ $? -eq 3 ]]; then
pr_litegreen "likely not vulnerable (OK)"; outln " (timed out)" # it hung pr_done_good "likely not vulnerable (OK)"; outln " (timed out)" # it hung
fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : likely not vulnerable (OK) (timed out)" fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : likely not vulnerable (OK) (timed out)"
sec_client_renego=1 sec_client_renego=1
else else
@ -4557,11 +4557,11 @@ run_renego() {
sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln! sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln!
case "$sec_client_renego" in case "$sec_client_renego" in
0) 0)
pr_litered "VULNERABLE (NOT ok)"; outln ", DoS threat" pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat"
fileout "sec_client_renego" "NOT OK" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat" fileout "sec_client_renego" "NOT OK" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat"
;; ;;
1) 1)
pr_litegreenln "not vulnerable (OK)" pr_done_goodln "not vulnerable (OK)"
fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : not vulnerable (OK)" fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : not vulnerable (OK)"
;; ;;
*) *)
@ -4602,7 +4602,7 @@ run_crime() {
[[ "$OSSL_VER" == "0.9.8"* ]] && addcmd="-no_ssl2" [[ "$OSSL_VER" == "0.9.8"* ]] && addcmd="-no_ssl2"
$OPENSSL s_client $OPTIMAL_PROTO $BUGS $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI </dev/null &>$TMPFILE $OPENSSL s_client $OPTIMAL_PROTO $BUGS $addcmd $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI </dev/null &>$TMPFILE
if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then if grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
pr_litegreen "not vulnerable (OK)" pr_done_good "not vulnerable (OK)"
if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then if [[ $SERVICE != "HTTP" ]] && ! $CLIENT_AUTH; then
out " (not using HTTP anyway)" out " (not using HTTP anyway)"
fileout "crime" "OK" "CRIME, TLS (CVE-2012-4929) : Not vulnerable (OK) (not using HTTP anyway)" fileout "crime" "OK" "CRIME, TLS (CVE-2012-4929) : Not vulnerable (OK) (not using HTTP anyway)"
@ -4612,10 +4612,10 @@ run_crime() {
ret=0 ret=0
else else
if [[ $SERVICE == "HTTP" ]]; then if [[ $SERVICE == "HTTP" ]]; then
pr_litered "VULNERABLE (NOT ok)" pr_svrty_high "VULNERABLE (NOT ok)"
fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)" fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)"
else else
pr_brown "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" pr_svrty_medium "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known"
fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" fileout "crime" "NOT OK" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok), but not using HTTP: probably no exploit known"
fi fi
ret=1 ret=1
@ -4648,10 +4648,10 @@ run_crime() {
# STR=$(grep Compression $TMPFILE ) # STR=$(grep Compression $TMPFILE )
# if echo $STR | grep -q NONE >/dev/null; then # if echo $STR | grep -q NONE >/dev/null; then
# pr_green "not vulnerable (OK)" # pr_done_best "not vulnerable (OK)"
# ret=$((ret + 0)) # ret=$((ret + 0))
# else # else
# pr_red "VULNERABLE (NOT ok)" # pr_svrty_critical "VULNERABLE (NOT ok)"
# ret=$((ret + 1)) # ret=$((ret + 1))
# fi # fi
# fi # fi
@ -4706,12 +4706,12 @@ run_breach() {
pr_litemagenta ") " pr_litemagenta ") "
ret=3 ret=3
elif [[ -z $result ]]; then elif [[ -z $result ]]; then
pr_green "no HTTP compression (OK) " pr_done_best "no HTTP compression (OK) "
outln "$disclaimer" outln "$disclaimer"
fileout "breach" "OK" "BREACH (CVE-2013-3587) : no HTTP compression (OK) $disclaimer" fileout "breach" "OK" "BREACH (CVE-2013-3587) : no HTTP compression (OK) $disclaimer"
ret=0 ret=0
else else
pr_litered "potentially NOT ok, uses $result HTTP compression." pr_svrty_high "potentially NOT ok, uses $result HTTP compression."
outln "$disclaimer" outln "$disclaimer"
outln "$spaces$when_makesense" outln "$spaces$when_makesense"
fileout "breach" "NOT OK" "BREACH (CVE-2013-3587) : potentially VULNERABLE, uses $result HTTP compression. $disclaimer ($when_makesense)" fileout "breach" "NOT OK" "BREACH (CVE-2013-3587) : potentially VULNERABLE, uses $result HTTP compression. $disclaimer ($when_makesense)"
@ -4741,10 +4741,10 @@ run_ssl_poodle() {
sclient_success=$? sclient_success=$?
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" [[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)" pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
fileout "poodle_ssl" "NOT OK" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)" fileout "poodle_ssl" "NOT OK" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)"
else else
pr_green "not vulnerable (OK)" pr_done_best "not vulnerable (OK)"
fileout "poodle_ssl" "OK" "POODLE, SSL (CVE-2014-3566) : not vulnerable (OK)" fileout "poodle_ssl" "OK" "POODLE, SSL (CVE-2014-3566) : not vulnerable (OK)"
fi fi
outln outln
@ -4782,27 +4782,27 @@ run_tls_fallback_scsv() {
# first: make sure we have tls1_2: # first: make sure we have tls1_2:
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 >$TMPFILE 2>$ERRFILE </dev/null
if ! sclient_connect_successful $? $TMPFILE; then if ! sclient_connect_successful $? $TMPFILE; then
pr_litegreen "No fallback possible, TLS 1.2 is the only protocol (OK)" pr_done_good "No fallback possible, TLS 1.2 is the only protocol (OK)"
ret=7 ret=7
else else
# ...and do the test (we need to parse the error here!) # ...and do the test (we need to parse the error here!)
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE </dev/null
if grep -q "CONNECTED(00" "$TMPFILE"; then if grep -q "CONNECTED(00" "$TMPFILE"; then
if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
pr_brown "Downgrade attack prevention NOT supported" pr_svrty_medium "Downgrade attack prevention NOT supported"
fileout "fallback_scsv" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported" fileout "fallback_scsv" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
ret=1 ret=1
elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
pr_litegreen "Downgrade attack prevention supported (OK)" pr_done_good "Downgrade attack prevention supported (OK)"
fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported (OK)" fileout "fallback_scsv" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported (OK)"
ret=0 ret=0
elif grep -qa "alert handshake failure" "$TMPFILE"; then elif grep -qa "alert handshake failure" "$TMPFILE"; then
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121 # see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
pr_brown "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
fileout "fallback_scsv" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" fileout "fallback_scsv" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
ret=2 ret=2
elif grep -qa "ssl handshake failure" "$TMPFILE"; then elif grep -qa "ssl handshake failure" "$TMPFILE"; then
pr_brown "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
ret=3 ret=3
else else
pr_litemagenta "Check failed, unexpected result " pr_litemagenta "Check failed, unexpected result "
@ -4854,10 +4854,10 @@ run_freak() {
sclient_success=$? sclient_success=$?
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" [[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_red "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers" pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers"
fileout "freak" "NOT OK" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers" fileout "freak" "NOT OK" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers"
else else
pr_green "not vulnerable (OK)"; out "$addtl_warning" pr_done_best "not vulnerable (OK)"; out "$addtl_warning"
fileout "freak" "OK" "FREAK (CVE-2015-0204) : not vulnerable (OK) $addtl_warning" fileout "freak" "OK" "FREAK (CVE-2015-0204) : not vulnerable (OK) $addtl_warning"
fi fi
outln outln
@ -4906,10 +4906,10 @@ run_logjam() {
fi fi
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked." pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked."
fileout "logjam" "NOT OK" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked." fileout "logjam" "NOT OK" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked."
else else
pr_green "not vulnerable (OK)"; out "$addtl_warning" pr_done_best "not vulnerable (OK)"; out "$addtl_warning"
fileout "logjam" "OK" "LOGJAM (CVE-2015-4000) : not vulnerable (OK) $addtl_warning" fileout "logjam" "OK" "LOGJAM (CVE-2015-4000) : not vulnerable (OK) $addtl_warning"
fi fi
outln outln
@ -4963,7 +4963,7 @@ run_beast(){
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null $OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported? if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
if "$continued"; then # second round: we hit TLS1 if "$continued"; then # second round: we hit TLS1
pr_litegreenln "no SSL3 or TLS1 (OK)" pr_done_goodln "no SSL3 or TLS1 (OK)"
fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1" fileout "beast" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
return 0 return 0
else # protocol not succeeded but it's the first time else # protocol not succeeded but it's the first time
@ -4997,8 +4997,8 @@ run_beast(){
neat_list $HEXC $cbc_cipher $kx $enc neat_list $HEXC $cbc_cipher $kx $enc
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
[[ -n "$higher_proto_supported" ]] && \ [[ -n "$higher_proto_supported" ]] && \
pr_yellowln "available" || \ pr_svrty_minorln "available" || \
pr_brownln "available" pr_svrty_mediumln "available"
else else
outln "not a/v" outln "not a/v"
@ -5025,18 +5025,18 @@ run_beast(){
! "$first" && out "$spaces" ! "$first" && out "$spaces"
out "$(toupper $proto):" out "$(toupper $proto):"
[[ -n "$higher_proto_supported" ]] && \ [[ -n "$higher_proto_supported" ]] && \
pr_yellowln "$detected_cbc_ciphers" || \ pr_svrty_minorln "$detected_cbc_ciphers" || \
pr_brownln "$detected_cbc_ciphers" pr_svrty_mediumln "$detected_cbc_ciphers"
detected_cbc_ciphers="" # empty for next round detected_cbc_ciphers="" # empty for next round
first=false first=false
else else
[[ $proto == "tls1" ]] && ! $first && echo -n "$spaces " [[ $proto == "tls1" ]] && ! $first && echo -n "$spaces "
pr_litegreenln "no CBC ciphers for $(toupper $proto) (OK)" pr_done_goodln "no CBC ciphers for $(toupper $proto) (OK)"
first=false first=false
fi fi
else else
if ! "$vuln_beast" ; then if ! "$vuln_beast" ; then
pr_litegreenln " no CBC ciphers for $(toupper $proto) (OK)" pr_done_goodln " no CBC ciphers for $(toupper $proto) (OK)"
fileout "cbc_$proto" "OK" "BEAST (CVE-2011-3389) : No CBC ciphers for $(toupper $proto) (OK)" fileout "cbc_$proto" "OK" "BEAST (CVE-2011-3389) : No CBC ciphers for $(toupper $proto) (OK)"
fi fi
fi fi
@ -5047,11 +5047,11 @@ run_beast(){
if "$WIDE"; then if "$WIDE"; then
outln outln
# NOT ok seems too harsh for me if we have TLS >1.0 # NOT ok seems too harsh for me if we have TLS >1.0
pr_yellow "VULNERABLE" pr_svrty_minor "VULNERABLE"
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported" outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
else else
out "$spaces" out "$spaces"
pr_yellow "VULNERABLE" pr_svrty_minor "VULNERABLE"
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported" outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
fi fi
fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported" fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
@ -5061,12 +5061,12 @@ run_beast(){
else else
out "$spaces" out "$spaces"
fi fi
pr_brown "VULNERABLE (NOT ok)" pr_svrty_medium "VULNERABLE (NOT ok)"
outln " -- and no higher protocols as mitigation supported" outln " -- and no higher protocols as mitigation supported"
fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported" fileout "beast" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
fi fi
fi fi
"$first" && ! "$vuln_beast" && pr_litegreenln "no CBC ciphers found for any protocol (OK)" "$first" && ! "$vuln_beast" && pr_done_goodln "no CBC ciphers found for any protocol (OK)"
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return 0 return 0
@ -5103,7 +5103,7 @@ run_rc4() {
$OPENSSL s_client -cipher $rc4_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client -cipher $rc4_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
"$WIDE" || pr_litered "VULNERABLE (NOT ok): " "$WIDE" || pr_svrty_high "VULNERABLE (NOT ok): "
rc4_offered=1 rc4_offered=1
if "$WIDE"; then if "$WIDE"; then
outln "\n" outln "\n"
@ -5122,7 +5122,7 @@ run_rc4() {
neat_list "$HEXC" "$rc4_cipher" "$kx" "$enc" neat_list "$HEXC" "$rc4_cipher" "$kx" "$enc"
if [[ "$SHOW_EACH_C" -ne 0 ]]; then if [[ "$SHOW_EACH_C" -ne 0 ]]; then
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_litered "available" pr_svrty_high "available"
else else
out "not a/v" out "not a/v"
fi fi
@ -5132,15 +5132,15 @@ run_rc4() {
fi fi
outln outln
else else
pr_litered "$rc4_cipher " pr_svrty_high "$rc4_cipher "
fi fi
rc4_detected+="$rc4_cipher " rc4_detected+="$rc4_cipher "
done < <($OPENSSL ciphers -V $rc4_ciphers_list:@STRENGTH) done < <($OPENSSL ciphers -V $rc4_ciphers_list:@STRENGTH)
outln outln
"$WIDE" && pr_litered "VULNERABLE (NOT ok)" "$WIDE" && pr_svrty_high "VULNERABLE (NOT ok)"
fileout "rc4" "NOT OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected" fileout "rc4" "NOT OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected"
else else
pr_litegreenln "no RC4 ciphers detected (OK)" pr_done_goodln "no RC4 ciphers detected (OK)"
fileout "rc4" "OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : not vulnerable (OK)" fileout "rc4" "OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : not vulnerable (OK)"
rc4_offered=0 rc4_offered=0
fi fi