Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-10 18:50:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Protocol detection fix for openssl client simulation

Browse Source 
New approach: try every protocol individually from high to low and stop as soon as one works
This commit is contained in:
Frank Breedijk 2016-06-27 13:26:15 +02:00
parent bba9905e62
commit d14badfd3c
3 changed files with 165 additions and 285 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

371
client-simulation-data.sh
View File

File diff suppressed because it is too large Load Diff

33
testssl.sh
View File

@ -160,7 +160,6 @@ SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello
# tuning vars, can not be set by a cmd line switch # tuning vars, can not be set by a cmd line switch
EXPERIMENTAL=${EXPERIMENTAL:-false} EXPERIMENTAL=${EXPERIMENTAL:-false}
#EXPERIMENTAL=true
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
readonly MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply readonly MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each) readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each)
@ -2052,10 +2051,13 @@ run_client_simulation() {
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE [[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE >$ERRFILE
fi fi
else else
$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} ${tlsvers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE for pflag in ${protos[i]}; do
debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} ${tlsvers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null" $OPENSSL s_client -cipher ${ciphers[i]} $pflag $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} $pflag $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? sclient_success=$?
[[ $sclient_success -eq 0 ]] && break; # Stop trying if a protocol works
done
fi fi
if [[ $sclient_success -ne 0 ]]; then if [[ $sclient_success -ne 0 ]]; then
outln "No connection" outln "No connection"
@ -2064,31 +2066,6 @@ run_client_simulation() {
#FIXME: awk #FIXME: awk
proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
[[ "$proto" == TLSv1 ]] && proto="TLSv1.0" [[ "$proto" == TLSv1 ]] && proto="TLSv1.0"
if [[ "$proto" == TLSv1.2 ]] && ( ! $using_sockets || [[ -z "${handshakebytes[i]}" ]] ); then
# OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is...
for tls in ${tlsvers[i]}; do
$OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
debugme echo "$OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} </dev/null"
sclient_connect_successful $? $TMPFILE
sclient_success=$?
if [[ $sclient_success -eq 0 ]]; then
case "$tls" in
"-tls1_2")
proto="TLSv1.2"
break
;;
"-tls1_1")
proto="TLSv1.1"
break
;;
"-tls1")
proto="TLSv1.0"
break
;;
esac
fi
done
fi
#FiXME: awk #FiXME: awk
cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://') cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://')
$using_sockets && [[ -n "${handshakebytes[i]}" ]] && [[ -n "$MAPPING_FILE_RFC" ]] && cipher="$(rfc2openssl "$cipher")" $using_sockets && [[ -n "${handshakebytes[i]}" ]] && [[ -n "$MAPPING_FILE_RFC" ]] && cipher="$(rfc2openssl "$cipher")"

42
utils/update_client_sim_data.pl
View File

@ -83,39 +83,28 @@ foreach my $client ( @$ssllabs ) {
# 512 = 0x200 = sslv2 # 512 = 0x200 = sslv2
# 768 = 0x300 = sslv3 # 768 = 0x300 = sslv3
push @proto_flags, "-ssl2"; push @proto_flags, "-ssl2";
} else {
push @proto_flags, "-no_ssl2";
} }
# Do we need to support SSL3? # Do we need to support SSL3?
if ( $client->{lowestProtocol} <= 768 && $client->{highestProtocol} >= 768 ) { if ( $client->{lowestProtocol} <= 768 && $client->{highestProtocol} >= 768 ) {
# 768 = 0x300 = sslv3 # 768 = 0x300 = sslv3
push @proto_flags, "-ssl3"; push @proto_flags, "-ssl3";
} else {
push @proto_flags, "-no_ssl3"
} }
# Do we need to support TLS 1.0? # Do we need to support TLS 1.0?
if ( $client->{lowestProtocol} <= 769 && $client->{highestProtocol} >= 769 ) { if ( $client->{lowestProtocol} <= 769 && $client->{highestProtocol} >= 769 ) {
# 769 = 0x301 = tls1.0 # 769 = 0x301 = tls1.0
push @tls_flags, "-tls1"; push @proto_flags, "-tls1";
} else {
push @proto_flags, "-no_tls1"
} }
# Do we need to support TLS 1.1? # Do we need to support TLS 1.1?
if ( $client->{lowestProtocol} <= 770 && $client->{highestProtocol} >= 770 ) { if ( $client->{lowestProtocol} <= 770 && $client->{highestProtocol} >= 770 ) {
# 770 = 0x302 = tls1.1 # 770 = 0x302 = tls1.1
push @tls_flags, "-tls1_1"; push @proto_flags, "-tls1_1";
} else {
push @proto_flags, "-no_tls1_1"
} }
# Do we need to support TLS 1.2? # Do we need to support TLS 1.2?
if ( $client->{lowestProtocol} <= 771 && $client->{highestProtocol} >= 771 ) { if ( $client->{lowestProtocol} <= 771 && $client->{highestProtocol} >= 771 ) {
# 771 = 0x303 = tls1.2 # 771 = 0x303 = tls1.2
push @tls_flags, "-tls1_2"; push @proto_flags, "-tls1_2";
} else {
push @proto_flags, "-no_tls1_2"
} }
print OUT "protos+=(\"" . (join " ", @proto_flags) . "\")\n"; print OUT "protos+=(\"" . (join " ", reverse @proto_flags) . "\")\n";
print OUT "tlsvers+=(\"" . (join " ", reverse @tls_flags) . "\")\n";
printf OUT "lowest_protocol+=(\"0x%04x\")\n", $client->{lowestProtocol}; printf OUT "lowest_protocol+=(\"0x%04x\")\n", $client->{lowestProtocol};
printf OUT "highest_protocol+=(\"0x%04x\")\n", $client->{highestProtocol}; printf OUT "highest_protocol+=(\"0x%04x\")\n", $client->{highestProtocol};
@ -154,8 +143,7 @@ ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES25
sni+=("$SNI") sni+=("$SNI")
warning+=("") warning+=("")
handshakebytes+=("16030100bb010000b703015767e6ae46f9abf3138e26a9f9880f9697bf3387f7eff709db1fa220e692d80420fb04b0979bae1664e11ef172d4dfba15af59dd200b7831992a35c73cde9efed9003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003c000000190017000014696d61702e73656374696f6e7a65726f2e6f7267000a00080006001700180019000b0002010000050005010000000000120000") handshakebytes+=("16030100bb010000b703015767e6ae46f9abf3138e26a9f9880f9697bf3387f7eff709db1fa220e692d80420fb04b0979bae1664e11ef172d4dfba15af59dd200b7831992a35c73cde9efed9003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003c000000190017000014696d61702e73656374696f6e7a65726f2e6f7267000a00080006001700180019000b0002010000050005010000000000120000")
protos+=("-no_ssl2 -ssl3") protos+=("-tls1_1 -tls1")
tlsvers+=("-tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("SMTP,POP,IMAP") service+=("SMTP,POP,IMAP")
@ -172,8 +160,7 @@ ciphers+=("ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES25
sni+=("$SNI") sni+=("$SNI")
warning+=("") warning+=("")
handshakebytes+=("16030100940100009003015770e928499e82df2eb7477200e2a828d9fa4109514385bd1602df44aaf2b0f400003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003500000012001000000d3137382e3233372e33342e3932000a00080006001700180019000b0002010000050005010000000000120000") handshakebytes+=("16030100940100009003015770e928499e82df2eb7477200e2a828d9fa4109514385bd1602df44aaf2b0f400003200ffc024c023c00ac009c008c028c027c014c013c012006b0067003900330016003d003c0035002f000ac007c011000500040100003500000012001000000d3137382e3233372e33342e3932000a00080006001700180019000b0002010000050005010000000000120000")
protos+=("-no_ssl2 -no_ssl3") protos+=("-tls1")
tlsvers+=("-tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("SMTP,POP,IMAP") service+=("SMTP,POP,IMAP")
@ -183,6 +170,23 @@ minRsaBits+=(-1)
maxRsaBits+=(-1) maxRsaBits+=(-1)
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
requiresSha2+=(false) requiresSha2+=(false)
names+=("Thunderbird 45.1.1 OSX 10.11 ")
short+=("thudnerbird_45.1.1_osx_101115")
ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
sni+=("$SNI")
warning+=("")
handshakebytes+=("160301009d010000990303c7c5b3ff80b3aa597c770c538b98ae34a94c9590ad8f947ba7bc28692061cb57000016c02bc02fc00ac009c013c01400330039002f0035000a0100005a0000001800160000136d78332e73656374696f6e7a65726f2e6f7267ff01000100000a00080006001700180019000b0002010000230000000500050100000000000d001600140401050106010201040305030603020304020202")
protos+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0303")
service+=("SMTP,POP,IMAP")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
requiresSha2+=(false)
'; ';
exit; exit;