mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
Merge pull request #112 from AntonioMeireles/cosmetics_1
trim all whitespace at EOL, plus spelling typos fixes.
This commit is contained in:
commit
d066e0868a
69
testssl.sh
69
testssl.sh
@ -3,7 +3,7 @@
|
|||||||
[ -z "$BASH_VERSINFO" ] && echo "\n$(tput setaf 5) Please make sure you're using bash! Bye...$(tput sgr0)\n" && exit 1
|
[ -z "$BASH_VERSINFO" ] && echo "\n$(tput setaf 5) Please make sure you're using bash! Bye...$(tput sgr0)\n" && exit 1
|
||||||
#
|
#
|
||||||
# testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some
|
# testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some
|
||||||
# vulnerablities or features
|
# vulnerabilities or features
|
||||||
#
|
#
|
||||||
# Devel version is available from https://github.com/drwetter/testssl.sh
|
# Devel version is available from https://github.com/drwetter/testssl.sh
|
||||||
# Stable version from https://testssl.sh
|
# Stable version from https://testssl.sh
|
||||||
@ -35,7 +35,7 @@ SWCONTACT="dirk aet testssl dot sh"
|
|||||||
# The socket checks in bash may sound cool and unique -- they are -- but probably you
|
# The socket checks in bash may sound cool and unique -- they are -- but probably you
|
||||||
# can achieve e.g. the same result with my favorite interactive shell: zsh (zmodload zsh/net/socket
|
# can achieve e.g. the same result with my favorite interactive shell: zsh (zmodload zsh/net/socket
|
||||||
# -- checkout zsh/net/tcp too!) /bin/bash is way more often used within Linux and it's perfect
|
# -- checkout zsh/net/tcp too!) /bin/bash is way more often used within Linux and it's perfect
|
||||||
# for cross plattform support, see MacOS X and also under Windows the MSYS2 extention.
|
# for cross platform support, see MacOS X and also under Windows the MSYS2 extension.
|
||||||
# Cross-platform is one of the three ideas of this script. Second: Ease of installation.
|
# Cross-platform is one of the three ideas of this script. Second: Ease of installation.
|
||||||
# No compiling, install gems, go to CPAN, use pip etc. Third: Easy to use and to interpret
|
# No compiling, install gems, go to CPAN, use pip etc. Third: Easy to use and to interpret
|
||||||
# the result.
|
# the result.
|
||||||
@ -52,7 +52,7 @@ SWCONTACT="dirk aet testssl dot sh"
|
|||||||
#
|
#
|
||||||
# Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities)
|
# Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities)
|
||||||
# are disabled as they'll impact security otherwise. For security testing though we need
|
# are disabled as they'll impact security otherwise. For security testing though we need
|
||||||
# all b0rken features. testssl.sh will over time replace those checks with bash sockets --
|
# all broken features. testssl.sh will over time replace those checks with bash sockets --
|
||||||
# however it's still recommended to use the supplied binaries or cook your own, see
|
# however it's still recommended to use the supplied binaries or cook your own, see
|
||||||
# https://github.com/drwetter/testssl.sh/blob/master/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md
|
# https://github.com/drwetter/testssl.sh/blob/master/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md
|
||||||
# Don't worry if feature X is not available you'll get a warning about this missing feature!
|
# Don't worry if feature X is not available you'll get a warning about this missing feature!
|
||||||
@ -66,27 +66,27 @@ readonly PROG_DIR=$(readlink "$BASH_SOURCE") 2>/dev/null
|
|||||||
|
|
||||||
OPENSSL=${OPENSSL:-/usr/bin/openssl}
|
OPENSSL=${OPENSSL:-/usr/bin/openssl}
|
||||||
MAP_RFC_FNAME=""
|
MAP_RFC_FNAME=""
|
||||||
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
||||||
SHOW_LOC_CIPH=${SHOW_LOC_CIPH:-1} # will client side ciphers displayed before an individual test (makes no sense normally)
|
SHOW_LOC_CIPH=${SHOW_LOC_CIPH:-1} # will client side ciphers displayed before an individual test (makes no sense normally)
|
||||||
SHOW_EACH_C=${SHOW_EACH_C:-0} # where individual ciphers are tested show just the positively ones tested #FIXME: wrong value
|
SHOW_EACH_C=${SHOW_EACH_C:-0} # where individual ciphers are tested show just the positively ones tested #FIXME: wrong value
|
||||||
SNEAKY=${SNEAKY:-1} # if zero: the referer and useragent we leave while checking the http header is just usual
|
SNEAKY=${SNEAKY:-1} # if zero: the referer and useragent we leave while checking the http header is just usual
|
||||||
SSL_NATIVE=${SSL_NATIVE:-1} # we do per default bash sockets where possible 0: switch back to native openssl
|
SSL_NATIVE=${SSL_NATIVE:-1} # we do per default bash sockets where possible 0: switch back to native openssl
|
||||||
ASSUMING_HTTP=${ASSUMING_HTTP:-1} # in seldom cases (WAF, old servers/grumpy SSL) the service detection fails. Set to 0 for forcing HTTP
|
ASSUMING_HTTP=${ASSUMING_HTTP:-1} # in seldom cases (WAF, old servers/grumpy SSL) the service detection fails. Set to 0 for forcing HTTP
|
||||||
DEBUG=${DEBUG:-0} # if 1 the temp files won't be erased. 2: list more what's going on (formerly: eq VERBOSE=1),
|
DEBUG=${DEBUG:-0} # if 1 the temp files won't be erased. 2: list more what's going on (formerly: eq VERBOSE=1),
|
||||||
# 3: slight hexdumps + other info, 4: send bytes via sockets, 5: received, 6: whole 9 yards
|
# 3: slight hexdumps + other info, 4: send bytes via sockets, 5: received, 6: whole 9 yards
|
||||||
#FIXME: still to be filled with (more) sense or following to be included:
|
# FIXME: still to be filled with (more) sense or following to be included:
|
||||||
VERBERR=${VERBERR:-1} # 0 means to be more verbose (handshake errors to be displayed so that one can tell better
|
VERBERR=${VERBERR:-1} # 0 means to be more verbose (handshake errors to be displayed so that one can tell better
|
||||||
# whether handshake succeeded or not. While testing individual ciphers you also need to have SHOW_EACH_C=1
|
# whether handshake succeeded or not. While testing individual ciphers you also need to have SHOW_EACH_C=1
|
||||||
WIDE=${WIDE:-1} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc.
|
WIDE=${WIDE:-1} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc.
|
||||||
|
|
||||||
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
|
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
|
||||||
readonly MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
|
readonly MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
|
||||||
readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each)
|
readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each)
|
||||||
readonly HEARTBLEED_MAX_WAITSOCK=8 # for the heartbleed payload
|
readonly HEARTBLEED_MAX_WAITSOCK=8 # for the heartbleed payload
|
||||||
USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
|
USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
|
||||||
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
|
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
|
||||||
|
|
||||||
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
||||||
readonly HSTS_MIN=179 # >179 days is ok for HSTS
|
readonly HSTS_MIN=179 # >179 days is ok for HSTS
|
||||||
readonly HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints?
|
readonly HPKP_MIN=30 # >=30 days should be ok for HPKP_MIN, practical hints?
|
||||||
readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
||||||
@ -95,8 +95,8 @@ readonly DAYS2WARN2=30 # days to warn before cert expires, threshold 2
|
|||||||
|
|
||||||
# more global vars, here just declared
|
# more global vars, here just declared
|
||||||
readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
|
readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
|
||||||
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future costum line wrapping
|
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping
|
||||||
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
|
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
|
||||||
readonly SYSTEM=$(uname -s) # OS
|
readonly SYSTEM=$(uname -s) # OS
|
||||||
if date --help >/dev/null 2>&1; then
|
if date --help >/dev/null 2>&1; then
|
||||||
readonly HAS_GNUDATE=true
|
readonly HAS_GNUDATE=true
|
||||||
@ -122,19 +122,20 @@ LEN_STR=""
|
|||||||
SNI=""
|
SNI=""
|
||||||
IP4=""
|
IP4=""
|
||||||
IP6=""
|
IP6=""
|
||||||
OSSL_VER="" # openssl version, will be autodetermined
|
OSSL_VER="" # openssl version, will be auto-determined
|
||||||
OSSL_VER_MAJOR=0
|
OSSL_VER_MAJOR=0
|
||||||
OSSL_VER_MINOR=0
|
OSSL_VER_MINOR=0
|
||||||
OSSL_VER_APPENDIX="none"
|
OSSL_VER_APPENDIX="none"
|
||||||
HAS_DH_BITS=true
|
HAS_DH_BITS=true
|
||||||
NODEIP=""
|
NODEIP=""
|
||||||
VULN_COUNT=0
|
VULN_COUNT=0
|
||||||
readonly VULN_THRESHLD=1 # if bigger than this no we show a separate header in blue
|
readonly VULN_THRESHLD=1 # if bigger than this no we show a separate header in blue
|
||||||
IPS=""
|
IPS=""
|
||||||
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
|
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
|
||||||
URI=""
|
URI=""
|
||||||
STARTTLS_PROTOCOL=""
|
STARTTLS_PROTOCOL=""
|
||||||
OPTIMAL_PROTO="" # we need this for IIS6 (sigh) and OpenSSL 1.02, otherwise some handshakes will fail, see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
OPTIMAL_PROTO="" # we need this for IIS6 (sigh) and OpenSSL 1.02, otherwise some handshakes
|
||||||
|
# will fail, see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
||||||
|
|
||||||
TLS_TIME=""
|
TLS_TIME=""
|
||||||
TLS_NOW=""
|
TLS_NOW=""
|
||||||
@ -157,9 +158,9 @@ readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
|||||||
trap "cleanup" QUIT EXIT
|
trap "cleanup" QUIT EXIT
|
||||||
|
|
||||||
|
|
||||||
# The various hexdump commands we need to replace xxd (BSD compatability))
|
# The various hexdump commands we need to replace xxd (BSD compatibility))
|
||||||
HEXDUMPVIEW=(hexdump -C) # This is used in verbose mode to see what's going on
|
HEXDUMPVIEW=(hexdump -C) # This is used in verbose mode to see what's going on
|
||||||
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyse the reply
|
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyze the reply
|
||||||
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
|
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
|
||||||
|
|
||||||
|
|
||||||
@ -566,7 +567,7 @@ hpkp() {
|
|||||||
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
|
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -waq "1" || out "(two HPKP headers, using 1st one) "
|
egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -waq "1" || out "(two HPKP headers, using 1st one) "
|
||||||
# dirty trick so that grep -c really counts occurances and not lines w/ occurances:
|
# dirty trick so that grep -c really counts occurrences and not lines w/ occurrences:
|
||||||
hpkp_nr_keys=$(sed 's/pin-sha/pin-sha\n/g' < $TMPFILE | grep -ac pin-sha)
|
hpkp_nr_keys=$(sed 's/pin-sha/pin-sha\n/g' < $TMPFILE | grep -ac pin-sha)
|
||||||
if [ $hpkp_nr_keys -eq 1 ]; then
|
if [ $hpkp_nr_keys -eq 1 ]; then
|
||||||
pr_litered "One key is not sufficent, "
|
pr_litered "One key is not sufficent, "
|
||||||
@ -748,7 +749,7 @@ moreflags() {
|
|||||||
if [ $(echo "$result_str" | wc -l | sed 's/ //g') -eq 1 ]; then
|
if [ $(echo "$result_str" | wc -l | sed 's/ //g') -eq 1 ]; then
|
||||||
pr_litegreenln "$result_str"
|
pr_litegreenln "$result_str"
|
||||||
else # for the case we have two times the same header:
|
else # for the case we have two times the same header:
|
||||||
# exchange the linefeeds between the two lines only:
|
# exchange the line feeds between the two lines only:
|
||||||
pr_litecyan "double -->" ; echo "$result_str" | tr '\n\r' ' | ' | sed 's/| $//g'
|
pr_litecyan "double -->" ; echo "$result_str" | tr '\n\r' ' | ' | sed 's/| $//g'
|
||||||
pr_litecyanln "<-- double"
|
pr_litecyanln "<-- double"
|
||||||
#FIXME: https://report-uri.io has double here
|
#FIXME: https://report-uri.io has double here
|
||||||
@ -866,7 +867,7 @@ std_cipherlists() {
|
|||||||
|
|
||||||
|
|
||||||
# sockets inspired by http://blog.chris007.de/?p=238
|
# sockets inspired by http://blog.chris007.de/?p=238
|
||||||
# ARG1: hexbyte with a leading comma (!!), seperated by commas
|
# ARG1: hexbyte with a leading comma (!!), separated by commas
|
||||||
# ARG2: sleep
|
# ARG2: sleep
|
||||||
socksend() {
|
socksend() {
|
||||||
# the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do
|
# the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do
|
||||||
@ -1134,9 +1135,9 @@ runprotocols() {
|
|||||||
case $? in
|
case $? in
|
||||||
0) pr_literedln "offered (NOT ok)" ;;
|
0) pr_literedln "offered (NOT ok)" ;;
|
||||||
1) pr_greenln "not offered (OK)" ;;
|
1) pr_greenln "not offered (OK)" ;;
|
||||||
2) pr_magentaln "#FIXME: downgraded. still missing a testcase here" ;;
|
2) pr_magentaln "#FIXME: downgraded. still missing a test case here" ;;
|
||||||
5) pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)" ;; # protocol ok, but no cipher
|
5) pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)" ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
esac
|
esac
|
||||||
|
|
||||||
out " TLS 1 ";
|
out " TLS 1 ";
|
||||||
@ -1458,7 +1459,7 @@ server_defaults() {
|
|||||||
# HTTP date:
|
# HTTP date:
|
||||||
out " HTTP clock skew: "
|
out " HTTP clock skew: "
|
||||||
if [[ $SERVICE != "HTTP" ]] ; then
|
if [[ $SERVICE != "HTTP" ]] ; then
|
||||||
out "not tested as we're not tagetting HTTP"
|
out "not tested as we're not targeting HTTP"
|
||||||
else
|
else
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO -ign_eof -connect $NODEIP:$PORT $SNI &>$TMPFILE
|
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO -ign_eof -connect $NODEIP:$PORT $SNI &>$TMPFILE
|
||||||
now=$(date "+%s")
|
now=$(date "+%s")
|
||||||
@ -1713,7 +1714,7 @@ pfs() {
|
|||||||
pr_litegreen " PFS ciphers (OK): "
|
pr_litegreen " PFS ciphers (OK): "
|
||||||
else
|
else
|
||||||
pr_litegreen " PFS is offered (OK) "
|
pr_litegreen " PFS is offered (OK) "
|
||||||
outln "Cipher follow (Client/browser support is here escpecially important) \n"
|
outln "Cipher follow (Client/browser support is here specially important) \n"
|
||||||
neat_header
|
neat_header
|
||||||
fi
|
fi
|
||||||
while read hexcode dash pfs_cipher sslvers kx auth enc mac; do
|
while read hexcode dash pfs_cipher sslvers kx auth enc mac; do
|
||||||
@ -1811,7 +1812,7 @@ fd_socket() {
|
|||||||
if ! exec 5<>/dev/tcp/$NODEIP/$PORT; then # 2>/dev/null removes an error message, but disables debugging
|
if ! exec 5<>/dev/tcp/$NODEIP/$PORT; then # 2>/dev/null removes an error message, but disables debugging
|
||||||
outln
|
outln
|
||||||
pr_magenta "Unable to open a socket to $NODEIP:$PORT. "
|
pr_magenta "Unable to open a socket to $NODEIP:$PORT. "
|
||||||
# It can last ~2 minutes but for for those rare occasions we don't do a tiemout handler here, KISS
|
# It can last ~2 minutes but for for those rare occasions we don't do a timeout handler here, KISS
|
||||||
return 6
|
return 6
|
||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
@ -2561,7 +2562,7 @@ crime() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# BREACH is a HTTP-level compression & an attack which works against any cipher suite and is agnostic
|
# BREACH is a HTTP-level compression & an attack which works against any cipher suite and is agnostic
|
||||||
# to the version of TLS/SSL, more: http://www.breachattack.com/ . Foreign referers are the important thing here!
|
# to the version of TLS/SSL, more: http://www.breachattack.com/ . Foreign referrers are the important thing here!
|
||||||
breach() {
|
breach() {
|
||||||
[[ $SERVICE != "HTTP" ]] && return 7
|
[[ $SERVICE != "HTTP" ]] && return 7
|
||||||
|
|
||||||
@ -2639,7 +2640,7 @@ ssl_poodle() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
# for appliance which use padding, no fallack needed
|
# for appliance which use padding, no fallback needed
|
||||||
tls_poodle() {
|
tls_poodle() {
|
||||||
pr_bold " POODLE, SSL"; out " CVE-2014-8730), experimental "
|
pr_bold " POODLE, SSL"; out " CVE-2014-8730), experimental "
|
||||||
#FIXME
|
#FIXME
|
||||||
@ -3336,7 +3337,7 @@ get_dns_entries() {
|
|||||||
IP4=$NODE
|
IP4=$NODE
|
||||||
SNI="" # override Server Name Indication as we test the IP only
|
SNI="" # override Server Name Indication as we test the IP only
|
||||||
else
|
else
|
||||||
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resulution
|
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
|
||||||
IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
|
IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
|
||||||
if which host &> /dev/null && [ -z "$IP4" ] ; then
|
if which host &> /dev/null && [ -z "$IP4" ] ; then
|
||||||
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
||||||
@ -3451,7 +3452,7 @@ draw_dotted_line() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# This intializes boolean global do_* variables, meant primarily to keep track of what to do
|
# This initializes boolean global do_* variables, meant primarily to keep track of what to do
|
||||||
initialize_globals() {
|
initialize_globals() {
|
||||||
do_allciphers=false
|
do_allciphers=false
|
||||||
do_vulnerabilities=false
|
do_vulnerabilities=false
|
||||||
|
Loading…
Reference in New Issue
Block a user