From 6fb15e83fa129fac043b47238b3113bac33e8044 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 26 May 2016 12:56:55 +0200 Subject: [PATCH 1/6] global $OPENSSL_NR_CIPHERS --- testssl.sh | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/testssl.sh b/testssl.sh index 6ba1ff9..9ace22a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1295,8 +1295,10 @@ prettyprint_local() { fatal "pls supply x instead" 2 fi - pr_headline " Displaying all local ciphers "; - if [[ -n "$1" ]]; then + if [[ -z "$1" ]]; then + pr_headline " Displaying all $OPENSSL_NR_CIPHERS local ciphers "; + else + pr_headline " Displaying all local ciphers "; # pattern provided; which one? [[ $1 =~ $re ]] && \ pr_headline "matching number pattern \"$1\" " || \ @@ -1579,7 +1581,7 @@ run_allciphers() { done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) outln - pr_headlineln " Testing all $nr_ciphers locally available ciphers against the server, ordered by encryption strength " + pr_headlineln " Testing all $OPENSSL_NR_CIPHERS locally available ciphers against the server, ordered by encryption strength " "$HAS_DH_BITS" || pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)" outln neat_header @@ -5730,6 +5732,8 @@ find_openssl_binary() { pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!" fi + OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)") + $OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \ HAS_SSL2=true @@ -5883,13 +5887,13 @@ CVS_REL: $CVS_REL GIT_REL: $GIT_REL PID: $$ +commandline: "$CMDLINE" bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]} status: ${BASH_VERSINFO[4]} machine: ${BASH_VERSINFO[5]} operating system: $SYSTEM shellopts: $SHELLOPTS -$OPENSSL version -a: $($OPENSSL version -a) OSSL_VER_MAJOR: $OSSL_VER_MAJOR OSSL_VER_MINOR: $OSSL_VER_MINOR @@ -5897,6 +5901,7 @@ OSSL_VER_APPENDIX: $OSSL_VER_APPENDIX OSSL_BUILD_DATE: $OSSL_BUILD_DATE OSSL_VER_PLATFORM: $OSSL_VER_PLATFORM +OPENSSL_NR_CIPHERS: $OPENSSL_NR_CIPHERS OPENSSL_CONF: $OPENSSL_CONF HAS_IPv6: $HAS_IPv6 @@ -5912,7 +5917,6 @@ RUN_DIR: $RUN_DIR MAPPING_FILE_RFC: $MAPPING_FILE_RFC CAPATH: $CAPATH -ECHO: $ECHO COLOR: $COLOR COLORBLIND: $COLORBLIND TERM_DWITH: $TERM_DWITH @@ -5949,14 +5953,13 @@ EOF mybanner() { - local nr_ciphers local idtag local bb local openssl_location="$(which $OPENSSL)" local cwd="" $QUIET && return - nr_ciphers=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)") + OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)") [[ -z "$GIT_REL" ]] && \ idtag="$CVS_REL" || \ idtag="$GIT_REL -- $CVS_REL_SHORT" @@ -5978,7 +5981,7 @@ EOF ) pr_bold "$bb" outln "\n" - outln " Using \"$($OPENSSL version 2>/dev/null)\" [~$nr_ciphers ciphers]" + outln " Using \"$($OPENSSL version 2>/dev/null)\" [~$OPENSSL_NR_CIPHERS ciphers]" out " on $HNAME:" [[ -n "$GIT_REL" ]] && \ @@ -7252,4 +7255,4 @@ fi exit $? -# $Id: testssl.sh,v 1.487 2016/05/23 20:42:39 dirkw Exp $ +# $Id: testssl.sh,v 1.489 2016/05/26 10:56:54 dirkw Exp $ From 1ecad208fe930cfde1c93d3943b7df33cbcf7e80 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 26 May 2016 18:03:07 +0200 Subject: [PATCH 2/6] Update Readme.md --- Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Readme.md b/Readme.md index a246ab4..6853fc6 100644 --- a/Readme.md +++ b/Readme.md @@ -65,7 +65,9 @@ Done so far: * assistance for color-blind users * Even more compatibility improvements for FreeBSD, RH-ish and F5 systems * Considerable speed improvements for each cipher runs (-e/-E) +* more robust socket interface * OpenSSL 1.1.0 compliant +* whole number of busg squashed Update notification here or @ [twitter](https://twitter.com/drwetter). From e1a83062867855dda55163317114300307b92504 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Fri, 27 May 2016 17:43:45 +0200 Subject: [PATCH 3/6] - try to address #352 - WARNING in fileout is MEDIUM now - NOT ok for medium on screen squashed --- testssl.sh | 82 +++++++++++++++++++++++++++++------------------------- 1 file changed, 44 insertions(+), 38 deletions(-) diff --git a/testssl.sh b/testssl.sh index 9ace22a..7cc2e82 100755 --- a/testssl.sh +++ b/testssl.sh @@ -765,7 +765,7 @@ run_http_header() { ;; *) pr_warning ". Oh, didn't expect \"$status_code$msg_thereafter\"" - fileout "status_code" "WARN" \ + fileout "status_code" "DEBUG" \ "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter" ;; esac @@ -888,7 +888,7 @@ run_hsts() { else out "$hsts_age_sec s = " pr_svrty_medium "$hsts_age_days days, <$HSTS_MIN days is too short" - fileout "hsts_time" "NOT ok" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days" + fileout "hsts_time" "MEDIUM" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days" fi if includeSubDomains "$TMPFILE"; then fileout "hsts_subdomains" "OK" "HSTS includes subdomains" @@ -975,7 +975,7 @@ run_hpkp() { else out "$hpkp_age_sec s = " pr_svrty_medium "$hpkp_age_days days (<$HPKP_MIN days is not good enough)" - fileout "hpkp_age" "NOT ok" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough." + fileout "hpkp_age" "MEDIUM" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough." fi if includeSubDomains "$TMPFILE"; then @@ -1365,8 +1365,8 @@ std_cipherlists() { pr_done_bestln "offered (OK)" fileout "std_$4" "OK" "$2 offered (OK)" else - pr_svrty_mediumln "not offered (NOT ok)" - fileout "std_$4" "NOT ok" "$2 not offered (NOT ok)" + pr_svrty_mediumln "not offered" + fileout "std_$4" "MEDIUM" "$2 not offered (WARN)" fi ;; 1) # the ugly ones @@ -1390,7 +1390,7 @@ std_cipherlists() { 3) # not totally bad if [[ $sclient_success -eq 0 ]]; then pr_svrty_mediumln "offered" - fileout "std_$4" "NOT ok" "$2 offered - not too bad" + fileout "std_$4" "MEDIUM" "$2 offered - not too bad" else outln "not offered (OK)" fileout "std_$4" "OK" "$2 not offered (OK)" @@ -1439,7 +1439,7 @@ sockread() { dd bs=$1 of=$ddreply count=1 <&5 2>/dev/null & wait_kill $! $maxsleep ret=$? - SOCKREPLY=$(cat $ddreply) + SOCKREPLY=$(cat $ddreply 2>/dev/null) rm $ddreply return $ret } @@ -2314,10 +2314,10 @@ run_protocols() { fileout "tls1" "INFO" "TLSv1.0 is not offered" ;; # neither good or bad 2) - pr_svrty_medium "not offered (NOT ok)" + pr_svrty_medium "not offered" [[ $DEBUG -eq 1 ]] && out " -- downgraded" outln - fileout "tls1" "NOT ok" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)" + fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL" ;; 5) outln "$supported_no_ciph1" # protocol ok, but no cipher @@ -2370,14 +2370,14 @@ run_protocols() { fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)" ;; # GCM cipher in TLS 1.2: very good! 1) - pr_svrty_mediumln "not offered (NOT ok)" - fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered (NOT ok)" + pr_svrty_mediumln "not offered" + fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" ;; # no GCM, penalty 2) pr_svrty_medium "not offered" [[ $DEBUG -eq 1 ]] && out " -- downgraded" outln - fileout "tls1_2" "INFO" "TLSv1.2 is not offered and downgraded to a weaker protocol (medium)" + fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered and downgraded to a weaker protocol" ;; 5) outln "$supported_no_ciph1" @@ -2453,11 +2453,17 @@ read_dhbits_from_file() { # https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography, http://www.keylength.com/en/compare/ elif [[ $what_dh == "ECDH" ]]; then [[ -z "$2" ]] && add="bit ECDH" - if [[ "$bits" -le 128 ]]; then # has that ever existed? + if [[ "$bits" -le 80 ]]; then # has that ever existed? pr_svrty_critical "$bits $add" - elif [[ "$bits" -le 163 ]]; then + elif [[ "$bits" -le 108 ]]; then # has that ever existed? pr_svrty_high "$bits $add" - elif [[ "$bits" -ge 224 ]]; then + elif [[ "$bits" -le 163 ]]; then + pr_svrty_medium "$bits $add" + elif [[ "$bits" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok + pr_svrty_minor "$bits $add" # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416 + elif [[ "$bits" -le 224 ]]; then + out "$bits $add" + elif [[ "$bits" -gt 224 ]]; then pr_done_good "$bits $add" else out "$bits $add" @@ -2575,7 +2581,6 @@ run_server_preference() { case "$default_cipher" in *NULL*|*EXP*) pr_svrty_critical "$default_cipher" - fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" ;; *RC4*) @@ -2584,7 +2589,7 @@ run_server_preference() { ;; *CBC*) pr_svrty_medium "$default_cipher" - fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" + fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher" ;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list *GCM*|*CHACHA20*) pr_done_best "$default_cipher" @@ -3051,7 +3056,7 @@ certificate_info() { case $cert_sig_algo in sha1WithRSAEncryption) pr_svrty_mediumln "SHA1 with RSA" - fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)" + fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)" ;; sha224WithRSAEncryption) outln "SHA224 with RSA" @@ -3071,7 +3076,7 @@ certificate_info() { ;; ecdsa-with-SHA1) pr_svrty_mediumln "ECDSA with SHA1" - fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: ECDSA with SHA1 (warning)" + fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: ECDSA with SHA1 (warning)" ;; ecdsa-with-SHA224) outln "ECDSA with SHA224" @@ -3091,7 +3096,7 @@ certificate_info() { ;; dsaWithSHA1) pr_svrty_mediumln "DSA with SHA1" - fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: DSA with SHA1 (warning)" + fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: DSA with SHA1 (warning)" ;; dsa_with_SHA224) outln "DSA with SHA224" @@ -3106,7 +3111,7 @@ certificate_info() { case $cert_sig_hash_algo in sha1) pr_svrty_mediumln "RSASSA-PSS with SHA1" - fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: RSASSA-PSS with SHA1 (warning)" + fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: RSASSA-PSS with SHA1 (warning)" ;; sha224) outln "RSASSA-PSS with SHA224" @@ -3169,7 +3174,7 @@ certificate_info() { fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)" elif [[ "$cert_keysize" -le 163 ]]; then pr_svrty_medium "$cert_keysize" - fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)" + fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize EC bits" elif [[ "$cert_keysize" -le 224 ]]; then out "$cert_keysize" fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize EC bits" @@ -3178,7 +3183,7 @@ certificate_info() { fileout "${json_prefix}key_size" "OK" "Server keys $cert_keysize EC bits (OK)" else out "keysize: $cert_keysize (not expected, FIXME)" - fileout "${json_prefix}key_size" "WARN" "Server keys $cert_keysize bits (not expected)" + fileout "${json_prefix}key_size" "DEBUG" "Server keys $cert_keysize bits (not expected)" fi outln " bits" elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]]; then @@ -3193,7 +3198,7 @@ certificate_info() { elif [[ "$cert_keysize" -le 1024 ]]; then pr_svrty_medium "$cert_keysize" outln " bits" - fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize bits (NOT ok)" + fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize bits" elif [[ "$cert_keysize" -le 2048 ]]; then outln "$cert_keysize bits" fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize bits" @@ -3636,8 +3641,8 @@ run_pfs() { sclient_connect_successful $? $TMPFILE if [[ $? -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then outln - pr_svrty_mediumln "NOT ok: No ciphers supporting Forward Secrecy offered" - fileout "pfs" "NOT ok" "(Perfect) Forward Secrecy : NOT ok: No ciphers supporting Forward Secrecy offered" + pr_svrty_mediumln "No ciphers supporting Forward Secrecy offered" + fileout "pfs" "MEDIUM" "(Perfect) Forward Secrecy : No ciphers supporting Forward Secrecy offered" else outln pfs_offered=true @@ -3688,7 +3693,7 @@ run_pfs() { "$WIDE" || outln if ! "$pfs_offered"; then - pr_svrty_medium "no PFS ciphers found" + pr_svrty_medium "WARN: no PFS ciphers found" fileout "pfs_ciphers" "NOT ok" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)" else fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers" @@ -4995,8 +5000,8 @@ run_crime() { pr_svrty_high "VULNERABLE (NOT ok)" fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)" else - pr_svrty_medium "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" - fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok), but not using HTTP: probably no exploit known" + pr_svrty_medium "VULNERABLE but not using HTTP: probably no exploit known" + fileout "crime" "MEDIUM" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (WARN), but not using HTTP: probably no exploit known" fi ret=1 fi @@ -5170,7 +5175,7 @@ run_tls_fallback_scsv() { if grep -q "CONNECTED(00" "$TMPFILE"; then if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then pr_svrty_medium "Downgrade attack prevention NOT supported" - fileout "fallback_scsv" "NOT ok" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported" + fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported" ret=1 elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then pr_done_good "Downgrade attack prevention supported (OK)" @@ -5178,11 +5183,12 @@ run_tls_fallback_scsv() { ret=0 elif grep -qa "alert handshake failure" "$TMPFILE"; then # see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121 - pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" - fileout "fallback_scsv" "NOT ok" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" + pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\"" + fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely: warning)" ret=2 elif grep -qa "ssl handshake failure" "$TMPFILE"; then - pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" + pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\"" + fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely: warning)" ret=3 else pr_warning "Check failed, unexpected result " @@ -5477,7 +5483,7 @@ run_beast(){ -e "s/ /\\${cr} ${spaces}/9" \ -e "s/ /\\${cr} ${spaces}/6" \ -e "s/ /\\${cr} ${spaces}/3") - fileout "cbc_$proto" "NOT ok" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers" + fileout "cbc_$proto" "MEDIUM" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers" ! "$first" && out "$spaces" out "$(toupper $proto):" [[ -n "$higher_proto_supported" ]] && \ @@ -5510,16 +5516,16 @@ run_beast(){ pr_svrty_minor "VULNERABLE" outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported" fi - fileout "beast" "NOT ok" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported" + fileout "beast" "MINOR" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported" else if "$WIDE"; then outln else out "$spaces" fi - pr_svrty_medium "VULNERABLE (NOT ok)" + pr_svrty_medium "VULNERABLE" outln " -- and no higher protocols as mitigation supported" - fileout "beast" "NOT ok" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported" + fileout "beast" "MEDIUM" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported" fi fi "$first" && ! "$vuln_beast" && pr_done_goodln "no CBC ciphers found for any protocol (OK)" @@ -7255,4 +7261,4 @@ fi exit $? -# $Id: testssl.sh,v 1.489 2016/05/26 10:56:54 dirkw Exp $ +# $Id: testssl.sh,v 1.490 2016/05/27 15:43:44 dirkw Exp $ From cf62353fc6d55322b927baad8467f67521a7b497 Mon Sep 17 00:00:00 2001 From: typingArtist Date: Fri, 27 May 2016 19:54:23 +0200 Subject: [PATCH 4/6] https://github.com/drwetter/testssl.sh/issues/365 ensure DNS PTR lookups use un-bracketed IPv6 address MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While standard OpenSSL requires the literal IPv6 address enclosed in [brackets], standard DNS lookup tools don’t support the additional characters. Before making reverse PTR lookups, these brackets have to be removed from the IPv6 addresses. --- testssl.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/testssl.sh b/testssl.sh index 7cc2e82..4600269 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6338,21 +6338,23 @@ determine_ip_addresses() { determine_rdns() { local saved_openssl_conf="$OPENSSL_CONF" OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134 + local nodeip="$(tr -d '[]' <<< $NODEIP)" # sockets do not need the square brackets we have of IPv6 addresses + # we just need do it here, that's all! if [[ "$NODE" == *.local ]]; then if which avahi-resolve &>/dev/null; then - rDNS=$(avahi-resolve -a $NODEIP 2>/dev/null | awk '{ print $2 }') + rDNS=$(avahi-resolve -a $nodeip 2>/dev/null | awk '{ print $2 }') elif which dig &>/dev/null; then - rDNS=$(dig -x $NODEIP @224.0.0.251 -p 5353 +notcp +noall +answer | awk '/PTR/ { print $NF }') + rDNS=$(dig -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer | awk '/PTR/ { print $NF }') fi elif which dig &> /dev/null; then - rDNS=$(dig -x $NODEIP +noall +answer | awk '/PTR/ { print $NF }') # +short returns also CNAME, e.g. openssl.org + rDNS=$(dig -x $nodeip +noall +answer | awk '/PTR/ { print $NF }') # +short returns also CNAME, e.g. openssl.org elif which host &> /dev/null; then - rDNS=$(host -t PTR $NODEIP 2>/dev/null | awk '/pointer/ { print $NF }') + rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }') elif which drill &> /dev/null; then - rDNS=$(drill -x ptr $NODEIP 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d') + rDNS=$(drill -x ptr $nodeip 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d') elif which nslookup &> /dev/null; then - rDNS=$(nslookup -type=PTR $NODEIP 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//') + rDNS=$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//') fi OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134 rDNS="$(echo $rDNS)" From 2c69e83f5b98974ffe87422fa45a30d4824ed4a9 Mon Sep 17 00:00:00 2001 From: typingArtist Date: Fri, 27 May 2016 20:11:47 +0200 Subject: [PATCH 5/6] https://github.com/drwetter/testssl.sh/issues/365 add UNBRACKETED_IPV6 quirks option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since some OpenSSL binaries, namely Gentoo’s, don’t support bracketed IPv6 addresses but unbracketed ones, specified as the -connect option, the UNBRACKETED_IPV6 environment variable can be set to true for disabling the automatic addition of brackets around IPv6 addresses on such platforms. --- testssl.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 4600269..666afc8 100755 --- a/testssl.sh +++ b/testssl.sh @@ -167,6 +167,7 @@ readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test DAYS2WARN1=${DAYS2WARN1:-60} # days to warn before cert expires, threshold 1 DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2 VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check +UNBRACKETED_IPV6=${UNBRACKETED_IPV6:-false} # some versions of OpenSSL don't support [bracketed] IPv6 addresses as a connect parameter HAD_SLEPT=0 CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) @@ -7112,7 +7113,7 @@ nodeip_to_proper_ip6() { local len_nodeip=0 if is_ipv6addr $NODEIP; then - NODEIP="[$NODEIP]" + ${UNBRACKETED_IPV6} || NODEIP="[$NODEIP]" len_nodeip=${#NODEIP} CORRECT_SPACES="$(draw_line " " "$((len_nodeip - 16))" )" # IPv6 addresses are longer, this varaible takes care that "further IP" and "Service" is properly aligned From 6a9b0e01fc4f370e0d1036cd0fff41c2d046513e Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 2 Jun 2016 09:59:52 +0200 Subject: [PATCH 6/6] - polishing #366 and IPv6-related --- testssl.sh | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/testssl.sh b/testssl.sh index 666afc8..dbf9dc6 100755 --- a/testssl.sh +++ b/testssl.sh @@ -149,7 +149,8 @@ WIDE=${WIDE:-false} # whether to display for some options th LOGFILE=${LOGFILE:-""} # logfile if used JSONFILE=${JSONFILE:-""} # jsonfile if used CSVFILE=${CSVFILE:-""} # csvfile if used -HAS_IPv6=${HAS_IPv6:-false} # if you have OPENSSL with IPv6 support AND IPv6 networking set it to yes and testssl.sh works! +HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes +UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses # tuning vars, can not be set by a cmd line switch EXPERIMENTAL=${EXPERIMENTAL:-false} @@ -167,7 +168,6 @@ readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test DAYS2WARN1=${DAYS2WARN1:-60} # days to warn before cert expires, threshold 1 DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2 VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check -UNBRACKETED_IPV6=${UNBRACKETED_IPV6:-false} # some versions of OpenSSL don't support [bracketed] IPv6 addresses as a connect parameter HAD_SLEPT=0 CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) @@ -6338,9 +6338,8 @@ determine_ip_addresses() { determine_rdns() { local saved_openssl_conf="$OPENSSL_CONF" - OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134 - local nodeip="$(tr -d '[]' <<< $NODEIP)" # sockets do not need the square brackets we have of IPv6 addresses - # we just need do it here, that's all! + OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134 + local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses if [[ "$NODE" == *.local ]]; then if which avahi-resolve &>/dev/null; then @@ -6359,7 +6358,7 @@ determine_rdns() { fi OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134 rDNS="$(echo $rDNS)" - [[ -z "$rDNS" ]] && rDNS=" --" + [[ -z "$rDNS" ]] && rDNS="--" return 0 } @@ -6557,6 +6556,8 @@ determine_service() { display_rdns_etc() { local ip + local nodeip="$(tr -d '[]' <<< $NODEIP)" # for displaying IPv6 addresses we don't need [] + if [[ -n "$PROXY" ]]; then out " Via Proxy: $CORRECT_SPACES" @@ -6579,11 +6580,7 @@ display_rdns_etc() { outln " A record via supplied IP \"$CMDLINE_IP\"" fi if [[ -n "$rDNS" ]]; then - if "$HAS_IPv6"; then - printf " %-23s %s" "rDNS $NODEIP:" "$rDNS" - else - printf " %-23s %s" "rDNS ($NODEIP):" "$rDNS" - fi + printf " %-23s %s" "rDNS ($nodeip):" "$rDNS" fi } @@ -7113,9 +7110,9 @@ nodeip_to_proper_ip6() { local len_nodeip=0 if is_ipv6addr $NODEIP; then - ${UNBRACKETED_IPV6} || NODEIP="[$NODEIP]" + ${UNBRACKTD_IPV6} || NODEIP="[$NODEIP]" len_nodeip=${#NODEIP} - CORRECT_SPACES="$(draw_line " " "$((len_nodeip - 16))" )" + CORRECT_SPACES="$(draw_line " " "$((len_nodeip - 17))" )" # IPv6 addresses are longer, this varaible takes care that "further IP" and "Service" is properly aligned fi } @@ -7264,4 +7261,4 @@ fi exit $? -# $Id: testssl.sh,v 1.490 2016/05/27 15:43:44 dirkw Exp $ +# $Id: testssl.sh,v 1.491 2016/06/02 07:59:51 dirkw Exp $