Merge branch 'master' into more_sslv2_sslv3_fixes
This commit is contained in:
commit
c593675b8e
|
@ -65,7 +65,9 @@ Done so far:
|
||||||
* assistance for color-blind users
|
* assistance for color-blind users
|
||||||
* Even more compatibility improvements for FreeBSD, RH-ish and F5 systems
|
* Even more compatibility improvements for FreeBSD, RH-ish and F5 systems
|
||||||
* Considerable speed improvements for each cipher runs (-e/-E)
|
* Considerable speed improvements for each cipher runs (-e/-E)
|
||||||
|
* more robust socket interface
|
||||||
* OpenSSL 1.1.0 compliant
|
* OpenSSL 1.1.0 compliant
|
||||||
|
* whole number of busg squashed
|
||||||
|
|
||||||
Update notification here or @ [twitter](https://twitter.com/drwetter).
|
Update notification here or @ [twitter](https://twitter.com/drwetter).
|
||||||
|
|
||||||
|
|
133
testssl.sh
133
testssl.sh
|
@ -149,7 +149,8 @@ WIDE=${WIDE:-false} # whether to display for some options th
|
||||||
LOGFILE=${LOGFILE:-""} # logfile if used
|
LOGFILE=${LOGFILE:-""} # logfile if used
|
||||||
JSONFILE=${JSONFILE:-""} # jsonfile if used
|
JSONFILE=${JSONFILE:-""} # jsonfile if used
|
||||||
CSVFILE=${CSVFILE:-""} # csvfile if used
|
CSVFILE=${CSVFILE:-""} # csvfile if used
|
||||||
HAS_IPv6=${HAS_IPv6:-false} # if you have OPENSSL with IPv6 support AND IPv6 networking set it to yes and testssl.sh works!
|
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
||||||
|
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
|
||||||
|
|
||||||
# tuning vars, can not be set by a cmd line switch
|
# tuning vars, can not be set by a cmd line switch
|
||||||
EXPERIMENTAL=${EXPERIMENTAL:-false}
|
EXPERIMENTAL=${EXPERIMENTAL:-false}
|
||||||
|
@ -768,7 +769,7 @@ run_http_header() {
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
pr_warning ". Oh, didn't expect \"$status_code$msg_thereafter\""
|
pr_warning ". Oh, didn't expect \"$status_code$msg_thereafter\""
|
||||||
fileout "status_code" "WARN" \
|
fileout "status_code" "DEBUG" \
|
||||||
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter"
|
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
@ -891,7 +892,7 @@ run_hsts() {
|
||||||
else
|
else
|
||||||
out "$hsts_age_sec s = "
|
out "$hsts_age_sec s = "
|
||||||
pr_svrty_medium "$hsts_age_days days, <$HSTS_MIN days is too short"
|
pr_svrty_medium "$hsts_age_days days, <$HSTS_MIN days is too short"
|
||||||
fileout "hsts_time" "NOT ok" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days"
|
fileout "hsts_time" "MEDIUM" "HSTS timeout too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN days"
|
||||||
fi
|
fi
|
||||||
if includeSubDomains "$TMPFILE"; then
|
if includeSubDomains "$TMPFILE"; then
|
||||||
fileout "hsts_subdomains" "OK" "HSTS includes subdomains"
|
fileout "hsts_subdomains" "OK" "HSTS includes subdomains"
|
||||||
|
@ -978,7 +979,7 @@ run_hpkp() {
|
||||||
else
|
else
|
||||||
out "$hpkp_age_sec s = "
|
out "$hpkp_age_sec s = "
|
||||||
pr_svrty_medium "$hpkp_age_days days (<$HPKP_MIN days is not good enough)"
|
pr_svrty_medium "$hpkp_age_days days (<$HPKP_MIN days is not good enough)"
|
||||||
fileout "hpkp_age" "NOT ok" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough."
|
fileout "hpkp_age" "MEDIUM" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec) < $HPKP_MIN days is not good enough."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if includeSubDomains "$TMPFILE"; then
|
if includeSubDomains "$TMPFILE"; then
|
||||||
|
@ -1298,8 +1299,10 @@ prettyprint_local() {
|
||||||
fatal "pls supply x<number> instead" 2
|
fatal "pls supply x<number> instead" 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pr_headline " Displaying all local ciphers ";
|
if [[ -z "$1" ]]; then
|
||||||
if [[ -n "$1" ]]; then
|
pr_headline " Displaying all $OPENSSL_NR_CIPHERS local ciphers ";
|
||||||
|
else
|
||||||
|
pr_headline " Displaying all local ciphers ";
|
||||||
# pattern provided; which one?
|
# pattern provided; which one?
|
||||||
[[ $1 =~ $re ]] && \
|
[[ $1 =~ $re ]] && \
|
||||||
pr_headline "matching number pattern \"$1\" " || \
|
pr_headline "matching number pattern \"$1\" " || \
|
||||||
|
@ -1369,8 +1372,8 @@ std_cipherlists() {
|
||||||
pr_done_bestln "offered (OK)"
|
pr_done_bestln "offered (OK)"
|
||||||
fileout "std_$4" "OK" "$2 offered (OK)"
|
fileout "std_$4" "OK" "$2 offered (OK)"
|
||||||
else
|
else
|
||||||
pr_svrty_mediumln "not offered (NOT ok)"
|
pr_svrty_mediumln "not offered"
|
||||||
fileout "std_$4" "NOT ok" "$2 not offered (NOT ok)"
|
fileout "std_$4" "MEDIUM" "$2 not offered (WARN)"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
1) # the ugly ones
|
1) # the ugly ones
|
||||||
|
@ -1394,7 +1397,7 @@ std_cipherlists() {
|
||||||
3) # not totally bad
|
3) # not totally bad
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_svrty_mediumln "offered"
|
pr_svrty_mediumln "offered"
|
||||||
fileout "std_$4" "NOT ok" "$2 offered - not too bad"
|
fileout "std_$4" "MEDIUM" "$2 offered - not too bad"
|
||||||
else
|
else
|
||||||
outln "not offered (OK)"
|
outln "not offered (OK)"
|
||||||
fileout "std_$4" "OK" "$2 not offered (OK)"
|
fileout "std_$4" "OK" "$2 not offered (OK)"
|
||||||
|
@ -1447,7 +1450,7 @@ sockread() {
|
||||||
dd bs=$1 of=$ddreply count=1 <&5 2>/dev/null &
|
dd bs=$1 of=$ddreply count=1 <&5 2>/dev/null &
|
||||||
wait_kill $! $maxsleep
|
wait_kill $! $maxsleep
|
||||||
ret=$?
|
ret=$?
|
||||||
SOCKREPLY=$(cat $ddreply)
|
SOCKREPLY=$(cat $ddreply 2>/dev/null)
|
||||||
rm $ddreply
|
rm $ddreply
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
@ -1593,7 +1596,7 @@ run_allciphers() {
|
||||||
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
|
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
|
||||||
|
|
||||||
outln
|
outln
|
||||||
pr_headlineln " Testing all $nr_ciphers locally available ciphers against the server, ordered by encryption strength "
|
pr_headlineln " Testing all $OPENSSL_NR_CIPHERS locally available ciphers against the server, ordered by encryption strength "
|
||||||
"$HAS_DH_BITS" || pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)"
|
"$HAS_DH_BITS" || pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)"
|
||||||
outln
|
outln
|
||||||
neat_header
|
neat_header
|
||||||
|
@ -2326,10 +2329,10 @@ run_protocols() {
|
||||||
fileout "tls1" "INFO" "TLSv1.0 is not offered"
|
fileout "tls1" "INFO" "TLSv1.0 is not offered"
|
||||||
;; # neither good or bad
|
;; # neither good or bad
|
||||||
2)
|
2)
|
||||||
pr_svrty_medium "not offered (NOT ok)"
|
pr_svrty_medium "not offered"
|
||||||
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
||||||
outln
|
outln
|
||||||
fileout "tls1" "NOT ok" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)"
|
fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL"
|
||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
outln "$supported_no_ciph1" # protocol ok, but no cipher
|
outln "$supported_no_ciph1" # protocol ok, but no cipher
|
||||||
|
@ -2382,14 +2385,14 @@ run_protocols() {
|
||||||
fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)"
|
fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)"
|
||||||
;; # GCM cipher in TLS 1.2: very good!
|
;; # GCM cipher in TLS 1.2: very good!
|
||||||
1)
|
1)
|
||||||
pr_svrty_mediumln "not offered (NOT ok)"
|
pr_svrty_mediumln "not offered"
|
||||||
fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered (NOT ok)"
|
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered"
|
||||||
;; # no GCM, penalty
|
;; # no GCM, penalty
|
||||||
2)
|
2)
|
||||||
pr_svrty_medium "not offered"
|
pr_svrty_medium "not offered"
|
||||||
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
||||||
outln
|
outln
|
||||||
fileout "tls1_2" "INFO" "TLSv1.2 is not offered and downgraded to a weaker protocol (medium)"
|
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered and downgraded to a weaker protocol"
|
||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
outln "$supported_no_ciph1"
|
outln "$supported_no_ciph1"
|
||||||
|
@ -2465,11 +2468,17 @@ read_dhbits_from_file() {
|
||||||
# https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography, http://www.keylength.com/en/compare/
|
# https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography, http://www.keylength.com/en/compare/
|
||||||
elif [[ $what_dh == "ECDH" ]]; then
|
elif [[ $what_dh == "ECDH" ]]; then
|
||||||
[[ -z "$2" ]] && add="bit ECDH"
|
[[ -z "$2" ]] && add="bit ECDH"
|
||||||
if [[ "$bits" -le 128 ]]; then # has that ever existed?
|
if [[ "$bits" -le 80 ]]; then # has that ever existed?
|
||||||
pr_svrty_critical "$bits $add"
|
pr_svrty_critical "$bits $add"
|
||||||
elif [[ "$bits" -le 163 ]]; then
|
elif [[ "$bits" -le 108 ]]; then # has that ever existed?
|
||||||
pr_svrty_high "$bits $add"
|
pr_svrty_high "$bits $add"
|
||||||
elif [[ "$bits" -ge 224 ]]; then
|
elif [[ "$bits" -le 163 ]]; then
|
||||||
|
pr_svrty_medium "$bits $add"
|
||||||
|
elif [[ "$bits" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok
|
||||||
|
pr_svrty_minor "$bits $add" # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416
|
||||||
|
elif [[ "$bits" -le 224 ]]; then
|
||||||
|
out "$bits $add"
|
||||||
|
elif [[ "$bits" -gt 224 ]]; then
|
||||||
pr_done_good "$bits $add"
|
pr_done_good "$bits $add"
|
||||||
else
|
else
|
||||||
out "$bits $add"
|
out "$bits $add"
|
||||||
|
@ -2598,7 +2607,6 @@ run_server_preference() {
|
||||||
case "$default_cipher" in
|
case "$default_cipher" in
|
||||||
*NULL*|*EXP*)
|
*NULL*|*EXP*)
|
||||||
pr_svrty_critical "$default_cipher"
|
pr_svrty_critical "$default_cipher"
|
||||||
|
|
||||||
fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
|
fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
|
||||||
;;
|
;;
|
||||||
*RC4*)
|
*RC4*)
|
||||||
|
@ -2607,7 +2615,7 @@ run_server_preference() {
|
||||||
;;
|
;;
|
||||||
*CBC*)
|
*CBC*)
|
||||||
pr_svrty_medium "$default_cipher"
|
pr_svrty_medium "$default_cipher"
|
||||||
fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
|
fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
||||||
;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
|
;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
|
||||||
*GCM*|*CHACHA20*)
|
*GCM*|*CHACHA20*)
|
||||||
pr_done_best "$default_cipher"
|
pr_done_best "$default_cipher"
|
||||||
|
@ -3112,7 +3120,7 @@ certificate_info() {
|
||||||
case $cert_sig_algo in
|
case $cert_sig_algo in
|
||||||
sha1WithRSAEncryption)
|
sha1WithRSAEncryption)
|
||||||
pr_svrty_mediumln "SHA1 with RSA"
|
pr_svrty_mediumln "SHA1 with RSA"
|
||||||
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
|
fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)"
|
||||||
;;
|
;;
|
||||||
sha224WithRSAEncryption)
|
sha224WithRSAEncryption)
|
||||||
outln "SHA224 with RSA"
|
outln "SHA224 with RSA"
|
||||||
|
@ -3132,7 +3140,7 @@ certificate_info() {
|
||||||
;;
|
;;
|
||||||
ecdsa-with-SHA1)
|
ecdsa-with-SHA1)
|
||||||
pr_svrty_mediumln "ECDSA with SHA1"
|
pr_svrty_mediumln "ECDSA with SHA1"
|
||||||
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: ECDSA with SHA1 (warning)"
|
fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: ECDSA with SHA1 (warning)"
|
||||||
;;
|
;;
|
||||||
ecdsa-with-SHA224)
|
ecdsa-with-SHA224)
|
||||||
outln "ECDSA with SHA224"
|
outln "ECDSA with SHA224"
|
||||||
|
@ -3152,7 +3160,7 @@ certificate_info() {
|
||||||
;;
|
;;
|
||||||
dsaWithSHA1)
|
dsaWithSHA1)
|
||||||
pr_svrty_mediumln "DSA with SHA1"
|
pr_svrty_mediumln "DSA with SHA1"
|
||||||
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: DSA with SHA1 (warning)"
|
fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: DSA with SHA1 (warning)"
|
||||||
;;
|
;;
|
||||||
dsa_with_SHA224)
|
dsa_with_SHA224)
|
||||||
outln "DSA with SHA224"
|
outln "DSA with SHA224"
|
||||||
|
@ -3167,7 +3175,7 @@ certificate_info() {
|
||||||
case $cert_sig_hash_algo in
|
case $cert_sig_hash_algo in
|
||||||
sha1)
|
sha1)
|
||||||
pr_svrty_mediumln "RSASSA-PSS with SHA1"
|
pr_svrty_mediumln "RSASSA-PSS with SHA1"
|
||||||
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: RSASSA-PSS with SHA1 (warning)"
|
fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: RSASSA-PSS with SHA1 (warning)"
|
||||||
;;
|
;;
|
||||||
sha224)
|
sha224)
|
||||||
outln "RSASSA-PSS with SHA224"
|
outln "RSASSA-PSS with SHA224"
|
||||||
|
@ -3230,7 +3238,7 @@ certificate_info() {
|
||||||
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)"
|
||||||
elif [[ "$cert_keysize" -le 163 ]]; then
|
elif [[ "$cert_keysize" -le 163 ]]; then
|
||||||
pr_svrty_medium "$cert_keysize"
|
pr_svrty_medium "$cert_keysize"
|
||||||
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize EC bits"
|
||||||
elif [[ "$cert_keysize" -le 224 ]]; then
|
elif [[ "$cert_keysize" -le 224 ]]; then
|
||||||
out "$cert_keysize"
|
out "$cert_keysize"
|
||||||
fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize EC bits"
|
fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize EC bits"
|
||||||
|
@ -3239,7 +3247,7 @@ certificate_info() {
|
||||||
fileout "${json_prefix}key_size" "OK" "Server keys $cert_keysize EC bits (OK)"
|
fileout "${json_prefix}key_size" "OK" "Server keys $cert_keysize EC bits (OK)"
|
||||||
else
|
else
|
||||||
out "keysize: $cert_keysize (not expected, FIXME)"
|
out "keysize: $cert_keysize (not expected, FIXME)"
|
||||||
fileout "${json_prefix}key_size" "WARN" "Server keys $cert_keysize bits (not expected)"
|
fileout "${json_prefix}key_size" "DEBUG" "Server keys $cert_keysize bits (not expected)"
|
||||||
fi
|
fi
|
||||||
outln " bits"
|
outln " bits"
|
||||||
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]]; then
|
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]]; then
|
||||||
|
@ -3254,7 +3262,7 @@ certificate_info() {
|
||||||
elif [[ "$cert_keysize" -le 1024 ]]; then
|
elif [[ "$cert_keysize" -le 1024 ]]; then
|
||||||
pr_svrty_medium "$cert_keysize"
|
pr_svrty_medium "$cert_keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize bits (NOT ok)"
|
fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize bits"
|
||||||
elif [[ "$cert_keysize" -le 2048 ]]; then
|
elif [[ "$cert_keysize" -le 2048 ]]; then
|
||||||
outln "$cert_keysize bits"
|
outln "$cert_keysize bits"
|
||||||
fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize bits"
|
fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize bits"
|
||||||
|
@ -3697,8 +3705,8 @@ run_pfs() {
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
if [[ $? -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then
|
if [[ $? -ne 0 ]] || [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]]; then
|
||||||
outln
|
outln
|
||||||
pr_svrty_mediumln "NOT ok: No ciphers supporting Forward Secrecy offered"
|
pr_svrty_mediumln "No ciphers supporting Forward Secrecy offered"
|
||||||
fileout "pfs" "NOT ok" "(Perfect) Forward Secrecy : NOT ok: No ciphers supporting Forward Secrecy offered"
|
fileout "pfs" "MEDIUM" "(Perfect) Forward Secrecy : No ciphers supporting Forward Secrecy offered"
|
||||||
else
|
else
|
||||||
outln
|
outln
|
||||||
pfs_offered=true
|
pfs_offered=true
|
||||||
|
@ -3749,7 +3757,7 @@ run_pfs() {
|
||||||
"$WIDE" || outln
|
"$WIDE" || outln
|
||||||
|
|
||||||
if ! "$pfs_offered"; then
|
if ! "$pfs_offered"; then
|
||||||
pr_svrty_medium "no PFS ciphers found"
|
pr_svrty_medium "WARN: no PFS ciphers found"
|
||||||
fileout "pfs_ciphers" "NOT ok" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)"
|
fileout "pfs_ciphers" "NOT ok" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)"
|
||||||
else
|
else
|
||||||
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
|
fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers"
|
||||||
|
@ -5057,8 +5065,8 @@ run_crime() {
|
||||||
pr_svrty_high "VULNERABLE (NOT ok)"
|
pr_svrty_high "VULNERABLE (NOT ok)"
|
||||||
fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)"
|
fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_svrty_medium "VULNERABLE (NOT ok), but not using HTTP: probably no exploit known"
|
pr_svrty_medium "VULNERABLE but not using HTTP: probably no exploit known"
|
||||||
fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok), but not using HTTP: probably no exploit known"
|
fileout "crime" "MEDIUM" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (WARN), but not using HTTP: probably no exploit known"
|
||||||
fi
|
fi
|
||||||
ret=1
|
ret=1
|
||||||
fi
|
fi
|
||||||
|
@ -5238,7 +5246,7 @@ run_tls_fallback_scsv() {
|
||||||
if grep -q "CONNECTED(00" "$TMPFILE"; then
|
if grep -q "CONNECTED(00" "$TMPFILE"; then
|
||||||
if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
|
if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
|
||||||
pr_svrty_medium "Downgrade attack prevention NOT supported"
|
pr_svrty_medium "Downgrade attack prevention NOT supported"
|
||||||
fileout "fallback_scsv" "NOT ok" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
|
fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
|
||||||
ret=1
|
ret=1
|
||||||
elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
|
elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
|
||||||
pr_done_good "Downgrade attack prevention supported (OK)"
|
pr_done_good "Downgrade attack prevention supported (OK)"
|
||||||
|
@ -5246,11 +5254,12 @@ run_tls_fallback_scsv() {
|
||||||
ret=0
|
ret=0
|
||||||
elif grep -qa "alert handshake failure" "$TMPFILE"; then
|
elif grep -qa "alert handshake failure" "$TMPFILE"; then
|
||||||
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
|
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
|
||||||
pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
|
pr_svrty_medium "\"handshake failure\" instead of \"inappropriate fallback\""
|
||||||
fileout "fallback_scsv" "NOT ok" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
|
fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely: warning)"
|
||||||
ret=2
|
ret=2
|
||||||
elif grep -qa "ssl handshake failure" "$TMPFILE"; then
|
elif grep -qa "ssl handshake failure" "$TMPFILE"; then
|
||||||
pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
|
pr_svrty_medium "some unexpected \"handshake failure\" instead of \"inappropriate fallback\""
|
||||||
|
fileout "fallback_scsv" "MEDIUM" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely: warning)"
|
||||||
ret=3
|
ret=3
|
||||||
else
|
else
|
||||||
pr_warning "Check failed, unexpected result "
|
pr_warning "Check failed, unexpected result "
|
||||||
|
@ -5549,7 +5558,7 @@ run_beast(){
|
||||||
-e "s/ /\\${cr} ${spaces}/9" \
|
-e "s/ /\\${cr} ${spaces}/9" \
|
||||||
-e "s/ /\\${cr} ${spaces}/6" \
|
-e "s/ /\\${cr} ${spaces}/6" \
|
||||||
-e "s/ /\\${cr} ${spaces}/3")
|
-e "s/ /\\${cr} ${spaces}/3")
|
||||||
fileout "cbc_$proto" "NOT ok" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
|
fileout "cbc_$proto" "MEDIUM" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
|
||||||
! "$first" && out "$spaces"
|
! "$first" && out "$spaces"
|
||||||
out "$(toupper $proto):"
|
out "$(toupper $proto):"
|
||||||
[[ -n "$higher_proto_supported" ]] && \
|
[[ -n "$higher_proto_supported" ]] && \
|
||||||
|
@ -5582,16 +5591,16 @@ run_beast(){
|
||||||
pr_svrty_minor "VULNERABLE"
|
pr_svrty_minor "VULNERABLE"
|
||||||
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
fi
|
fi
|
||||||
fileout "beast" "NOT ok" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
fileout "beast" "MINOR" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
else
|
else
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln
|
outln
|
||||||
else
|
else
|
||||||
out "$spaces"
|
out "$spaces"
|
||||||
fi
|
fi
|
||||||
pr_svrty_medium "VULNERABLE (NOT ok)"
|
pr_svrty_medium "VULNERABLE"
|
||||||
outln " -- and no higher protocols as mitigation supported"
|
outln " -- and no higher protocols as mitigation supported"
|
||||||
fileout "beast" "NOT ok" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
|
fileout "beast" "MEDIUM" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
"$first" && ! "$vuln_beast" && pr_done_goodln "no CBC ciphers found for any protocol (OK)"
|
"$first" && ! "$vuln_beast" && pr_done_goodln "no CBC ciphers found for any protocol (OK)"
|
||||||
|
@ -5810,6 +5819,8 @@ find_openssl_binary() {
|
||||||
pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!"
|
pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
|
||||||
|
|
||||||
$OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \
|
||||||
HAS_SSL2=true
|
HAS_SSL2=true
|
||||||
|
|
||||||
|
@ -5963,13 +5974,13 @@ CVS_REL: $CVS_REL
|
||||||
GIT_REL: $GIT_REL
|
GIT_REL: $GIT_REL
|
||||||
|
|
||||||
PID: $$
|
PID: $$
|
||||||
|
commandline: "$CMDLINE"
|
||||||
bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
|
bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
|
||||||
status: ${BASH_VERSINFO[4]}
|
status: ${BASH_VERSINFO[4]}
|
||||||
machine: ${BASH_VERSINFO[5]}
|
machine: ${BASH_VERSINFO[5]}
|
||||||
operating system: $SYSTEM
|
operating system: $SYSTEM
|
||||||
shellopts: $SHELLOPTS
|
shellopts: $SHELLOPTS
|
||||||
|
|
||||||
$OPENSSL version -a:
|
|
||||||
$($OPENSSL version -a)
|
$($OPENSSL version -a)
|
||||||
OSSL_VER_MAJOR: $OSSL_VER_MAJOR
|
OSSL_VER_MAJOR: $OSSL_VER_MAJOR
|
||||||
OSSL_VER_MINOR: $OSSL_VER_MINOR
|
OSSL_VER_MINOR: $OSSL_VER_MINOR
|
||||||
|
@ -5977,6 +5988,7 @@ OSSL_VER_APPENDIX: $OSSL_VER_APPENDIX
|
||||||
OSSL_BUILD_DATE: $OSSL_BUILD_DATE
|
OSSL_BUILD_DATE: $OSSL_BUILD_DATE
|
||||||
OSSL_VER_PLATFORM: $OSSL_VER_PLATFORM
|
OSSL_VER_PLATFORM: $OSSL_VER_PLATFORM
|
||||||
|
|
||||||
|
OPENSSL_NR_CIPHERS: $OPENSSL_NR_CIPHERS
|
||||||
OPENSSL_CONF: $OPENSSL_CONF
|
OPENSSL_CONF: $OPENSSL_CONF
|
||||||
|
|
||||||
HAS_IPv6: $HAS_IPv6
|
HAS_IPv6: $HAS_IPv6
|
||||||
|
@ -5992,7 +6004,6 @@ RUN_DIR: $RUN_DIR
|
||||||
MAPPING_FILE_RFC: $MAPPING_FILE_RFC
|
MAPPING_FILE_RFC: $MAPPING_FILE_RFC
|
||||||
|
|
||||||
CAPATH: $CAPATH
|
CAPATH: $CAPATH
|
||||||
ECHO: $ECHO
|
|
||||||
COLOR: $COLOR
|
COLOR: $COLOR
|
||||||
COLORBLIND: $COLORBLIND
|
COLORBLIND: $COLORBLIND
|
||||||
TERM_DWITH: $TERM_DWITH
|
TERM_DWITH: $TERM_DWITH
|
||||||
|
@ -6029,14 +6040,13 @@ EOF
|
||||||
|
|
||||||
|
|
||||||
mybanner() {
|
mybanner() {
|
||||||
local nr_ciphers
|
|
||||||
local idtag
|
local idtag
|
||||||
local bb
|
local bb
|
||||||
local openssl_location="$(which $OPENSSL)"
|
local openssl_location="$(which $OPENSSL)"
|
||||||
local cwd=""
|
local cwd=""
|
||||||
|
|
||||||
$QUIET && return
|
$QUIET && return
|
||||||
nr_ciphers=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
|
OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
|
||||||
[[ -z "$GIT_REL" ]] && \
|
[[ -z "$GIT_REL" ]] && \
|
||||||
idtag="$CVS_REL" || \
|
idtag="$CVS_REL" || \
|
||||||
idtag="$GIT_REL -- $CVS_REL_SHORT"
|
idtag="$GIT_REL -- $CVS_REL_SHORT"
|
||||||
|
@ -6058,7 +6068,7 @@ EOF
|
||||||
)
|
)
|
||||||
pr_bold "$bb"
|
pr_bold "$bb"
|
||||||
outln "\n"
|
outln "\n"
|
||||||
outln " Using \"$($OPENSSL version 2>/dev/null)\" [~$nr_ciphers ciphers]"
|
outln " Using \"$($OPENSSL version 2>/dev/null)\" [~$OPENSSL_NR_CIPHERS ciphers]"
|
||||||
out " on $HNAME:"
|
out " on $HNAME:"
|
||||||
|
|
||||||
[[ -n "$GIT_REL" ]] && \
|
[[ -n "$GIT_REL" ]] && \
|
||||||
|
@ -6408,26 +6418,27 @@ determine_ip_addresses() {
|
||||||
|
|
||||||
determine_rdns() {
|
determine_rdns() {
|
||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
|
local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses
|
||||||
|
|
||||||
if [[ "$NODE" == *.local ]]; then
|
if [[ "$NODE" == *.local ]]; then
|
||||||
if which avahi-resolve &>/dev/null; then
|
if which avahi-resolve &>/dev/null; then
|
||||||
rDNS=$(avahi-resolve -a $NODEIP 2>/dev/null | awk '{ print $2 }')
|
rDNS=$(avahi-resolve -a $nodeip 2>/dev/null | awk '{ print $2 }')
|
||||||
elif which dig &>/dev/null; then
|
elif which dig &>/dev/null; then
|
||||||
rDNS=$(dig -x $NODEIP @224.0.0.251 -p 5353 +notcp +noall +answer | awk '/PTR/ { print $NF }')
|
rDNS=$(dig -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer | awk '/PTR/ { print $NF }')
|
||||||
fi
|
fi
|
||||||
elif which dig &> /dev/null; then
|
elif which dig &> /dev/null; then
|
||||||
rDNS=$(dig -x $NODEIP +noall +answer | awk '/PTR/ { print $NF }') # +short returns also CNAME, e.g. openssl.org
|
rDNS=$(dig -x $nodeip +noall +answer | awk '/PTR/ { print $NF }') # +short returns also CNAME, e.g. openssl.org
|
||||||
elif which host &> /dev/null; then
|
elif which host &> /dev/null; then
|
||||||
rDNS=$(host -t PTR $NODEIP 2>/dev/null | awk '/pointer/ { print $NF }')
|
rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
|
||||||
elif which drill &> /dev/null; then
|
elif which drill &> /dev/null; then
|
||||||
rDNS=$(drill -x ptr $NODEIP 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
|
rDNS=$(drill -x ptr $nodeip 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
|
||||||
elif which nslookup &> /dev/null; then
|
elif which nslookup &> /dev/null; then
|
||||||
rDNS=$(nslookup -type=PTR $NODEIP 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
|
rDNS=$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
|
||||||
fi
|
fi
|
||||||
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
rDNS="$(echo $rDNS)"
|
rDNS="$(echo $rDNS)"
|
||||||
[[ -z "$rDNS" ]] && rDNS=" --"
|
[[ -z "$rDNS" ]] && rDNS="--"
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -6627,6 +6638,8 @@ determine_service() {
|
||||||
|
|
||||||
display_rdns_etc() {
|
display_rdns_etc() {
|
||||||
local ip
|
local ip
|
||||||
|
local nodeip="$(tr -d '[]' <<< $NODEIP)" # for displaying IPv6 addresses we don't need []
|
||||||
|
|
||||||
|
|
||||||
if [[ -n "$PROXY" ]]; then
|
if [[ -n "$PROXY" ]]; then
|
||||||
out " Via Proxy: $CORRECT_SPACES"
|
out " Via Proxy: $CORRECT_SPACES"
|
||||||
|
@ -6649,11 +6662,7 @@ display_rdns_etc() {
|
||||||
outln " A record via supplied IP \"$CMDLINE_IP\""
|
outln " A record via supplied IP \"$CMDLINE_IP\""
|
||||||
fi
|
fi
|
||||||
if [[ -n "$rDNS" ]]; then
|
if [[ -n "$rDNS" ]]; then
|
||||||
if "$HAS_IPv6"; then
|
printf " %-23s %s" "rDNS ($nodeip):" "$rDNS"
|
||||||
printf " %-23s %s" "rDNS $NODEIP:" "$rDNS"
|
|
||||||
else
|
|
||||||
printf " %-23s %s" "rDNS ($NODEIP):" "$rDNS"
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -7183,9 +7192,9 @@ nodeip_to_proper_ip6() {
|
||||||
local len_nodeip=0
|
local len_nodeip=0
|
||||||
|
|
||||||
if is_ipv6addr $NODEIP; then
|
if is_ipv6addr $NODEIP; then
|
||||||
NODEIP="[$NODEIP]"
|
${UNBRACKTD_IPV6} || NODEIP="[$NODEIP]"
|
||||||
len_nodeip=${#NODEIP}
|
len_nodeip=${#NODEIP}
|
||||||
CORRECT_SPACES="$(draw_line " " "$((len_nodeip - 16))" )"
|
CORRECT_SPACES="$(draw_line " " "$((len_nodeip - 17))" )"
|
||||||
# IPv6 addresses are longer, this varaible takes care that "further IP" and "Service" is properly aligned
|
# IPv6 addresses are longer, this varaible takes care that "further IP" and "Service" is properly aligned
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -7334,4 +7343,4 @@ fi
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.487 2016/05/23 20:42:39 dirkw Exp $
|
# $Id: testssl.sh,v 1.491 2016/06/02 07:59:51 dirkw Exp $
|
||||||
|
|
Loading…
Reference in New Issue