Merge branch '2.9dev' into negotiated_cipher
commit
d1ab98c5e2
71
testssl.sh
71
testssl.sh
@ -4505,8 +4505,9 @@ run_protocols() {
|
|||||||
add_tls_offered "tls1_2"
|
add_tls_offered "tls1_2"
|
||||||
;; # GCM cipher in TLS 1.2: very good!
|
;; # GCM cipher in TLS 1.2: very good!
|
||||||
1)
|
1)
|
||||||
pr_svrty_mediumln "not offered"
|
pr_svrty_medium "not offered"
|
||||||
if ! "$using_sockets" || ! "$EXPERIMENTAL" || [[ -z $latest_supported ]]; then
|
if ! "$using_sockets" || [[ -z $latest_supported ]]; then
|
||||||
|
outln
|
||||||
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
|
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
|
||||||
else
|
else
|
||||||
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
|
pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string"
|
||||||
@ -6986,7 +6987,7 @@ spdy_pre(){
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
if [[ -n "$PROXY" ]]; then
|
if [[ -n "$PROXY" ]]; then
|
||||||
[[ -n "$1" ]] && pr_warning " $1 "
|
[[ -n "$1" ]] && pr_warning "$1"
|
||||||
pr_warning "not tested as proxies do not support proxying it"
|
pr_warning "not tested as proxies do not support proxying it"
|
||||||
fileout "spdy_npn" "WARN" "SPDY/NPN : not tested as proxies do not support proxying it"
|
fileout "spdy_npn" "WARN" "SPDY/NPN : not tested as proxies do not support proxying it"
|
||||||
return 1
|
return 1
|
||||||
@ -7025,7 +7026,7 @@ run_spdy() {
|
|||||||
local -i ret=0
|
local -i ret=0
|
||||||
|
|
||||||
pr_bold " SPDY/NPN "
|
pr_bold " SPDY/NPN "
|
||||||
if ! spdy_pre ; then
|
if ! spdy_pre; then
|
||||||
outln
|
outln
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
@ -7063,7 +7064,7 @@ run_http2() {
|
|||||||
local alpn_finding=""
|
local alpn_finding=""
|
||||||
|
|
||||||
pr_bold " HTTP2/ALPN "
|
pr_bold " HTTP2/ALPN "
|
||||||
if ! http2_pre ; then
|
if ! http2_pre; then
|
||||||
outln
|
outln
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
@ -11130,8 +11131,8 @@ tuning / connect options (most also can be preset via environment variables):
|
|||||||
--assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
|
--assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
|
||||||
--ssl-native fallback to checks with OpenSSL where sockets are normally used
|
--ssl-native fallback to checks with OpenSSL where sockets are normally used
|
||||||
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME)
|
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME)
|
||||||
--proxy <host>:<port> connect via the specified HTTP proxy
|
--proxy <host:port|auto> connect via the specified HTTP proxy, auto: autodetermination from \$env (\$http(s)_proxy)
|
||||||
-6 use also IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
|
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
|
||||||
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
||||||
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
||||||
-n, --nodns do not try any DNS lookup
|
-n, --nodns do not try any DNS lookup
|
||||||
@ -11576,9 +11577,9 @@ check_resolver_bins() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# arg1: a host name. Returned will be 0-n IPv4 addresses
|
# arg1: a host name. Returned will be 0-n IPv4 addresses
|
||||||
|
# watch out: $1 can also be a cname! --> all checked
|
||||||
get_a_record() {
|
get_a_record() {
|
||||||
local ip4=""
|
local ip4=""
|
||||||
local cname_temp=""
|
|
||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
|
|
||||||
"$NODNS" && return 0 # if no DNS lookup was instructed, leave here
|
"$NODNS" && return 0 # if no DNS lookup was instructed, leave here
|
||||||
@ -11594,25 +11595,20 @@ get_a_record() {
|
|||||||
fi
|
fi
|
||||||
if [[ -z "$ip4" ]]; then
|
if [[ -z "$ip4" ]]; then
|
||||||
if which dig &> /dev/null ; then
|
if which dig &> /dev/null ; then
|
||||||
cname_temp=$(dig +short -t CNAME "$1" 2>/dev/null)
|
ip4=$(filter_ip4_address $(dig +short -t a "$1" 2>/dev/null | awk '/^[0-9]/'))
|
||||||
if [[ -n "$cname_temp" ]]; then
|
|
||||||
ip4=$(filter_ip4_address $(dig +short -t a "$cname_temp" 2>/dev/null | sed '/^;;/d'))
|
|
||||||
else
|
|
||||||
ip4=$(filter_ip4_address $(dig +short -t a "$1" 2>/dev/null | sed '/^;;/d'))
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [[ -z "$ip4" ]]; then
|
if [[ -z "$ip4" ]]; then
|
||||||
which host &> /dev/null && \
|
which host &> /dev/null && \
|
||||||
ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | grep -v alias | sed 's/^.*address //'))
|
ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | awk '/address/ { print $NF }'))
|
||||||
fi
|
fi
|
||||||
if [[ -z "$ip4" ]]; then
|
if [[ -z "$ip4" ]]; then
|
||||||
which drill &> /dev/null && \
|
which drill &> /dev/null && \
|
||||||
ip4=$(filter_ip4_address $(drill a "$1" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d'))
|
ip4=$(filter_ip4_address $(drill a "$1" | awk '/ANSWER SECTION/,/AUTHORITY SECTION/ { print $NF }' | awk '/^[0-9]/'))
|
||||||
fi
|
fi
|
||||||
if [[ -z "$ip4" ]]; then
|
if [[ -z "$ip4" ]]; then
|
||||||
if which nslookup &>/dev/null; then
|
if which nslookup &>/dev/null; then
|
||||||
ip4=$(filter_ip4_address $(nslookup -querytype=a "$1" 2>/dev/null | awk '/^Name/,/EOF/ { print $0 }' | grep -v Name))
|
ip4=$(filter_ip4_address $(nslookup -querytype=a "$1" 2>/dev/null | awk '/^Name/ { getline; print $NF }'))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
@ -11620,6 +11616,7 @@ get_a_record() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# arg1: a host name. Returned will be 0-n IPv6 addresses
|
# arg1: a host name. Returned will be 0-n IPv6 addresses
|
||||||
|
# watch out: $1 can also be a cname! --> all checked
|
||||||
get_aaaa_record() {
|
get_aaaa_record() {
|
||||||
local ip6=""
|
local ip6=""
|
||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
@ -11629,20 +11626,20 @@ get_aaaa_record() {
|
|||||||
if [[ -z "$ip6" ]]; then
|
if [[ -z "$ip6" ]]; then
|
||||||
if [[ "$NODE" == *.local ]]; then
|
if [[ "$NODE" == *.local ]]; then
|
||||||
if which avahi-resolve &>/dev/null; then
|
if which avahi-resolve &>/dev/null; then
|
||||||
ip6=$(filter_ip6_address $(avahi-resolve -6 -n "$NODE" 2>/dev/null | awk '{ print $2 }'))
|
ip6=$(filter_ip6_address $(avahi-resolve -6 -n "$1" 2>/dev/null | awk '{ print $2 }'))
|
||||||
elif which dig &>/dev/null; then
|
elif which dig &>/dev/null; then
|
||||||
ip6=$(filter_ip6_address $(dig @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
|
ip6=$(filter_ip6_address $(dig @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
|
||||||
else
|
else
|
||||||
fatal "Local hostname given but no 'avahi-resolve' or 'dig' avaliable." -3
|
fatal "Local hostname given but no 'avahi-resolve' or 'dig' avaliable." -3
|
||||||
fi
|
fi
|
||||||
elif which host &> /dev/null ; then
|
elif which host &> /dev/null ; then
|
||||||
ip6=$(filter_ip6_address $(host -t aaaa "$NODE" | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //'))
|
ip6=$(filter_ip6_address $(host -t aaaa "$1" | awk '/address/ { print $NF }'))
|
||||||
elif which dig &> /dev/null; then
|
elif which dig &> /dev/null; then
|
||||||
ip6=$(filter_ip6_address $(dig +short -t aaaa "$NODE" 2>/dev/null))
|
ip6=$(filter_ip6_address $(dig +short -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/'))
|
||||||
elif which drill &> /dev/null; then
|
elif which drill &> /dev/null; then
|
||||||
ip6=$(filter_ip6_address $(drill aaaa "$NODE" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/^\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d'))
|
ip6=$(filter_ip6_address $(drill aaaa "$1" | awk '/ANSWER SECTION/,/AUTHORITY SECTION/ { print $NF }' | awk '/^[0-9]/'))
|
||||||
elif which nslookup &>/dev/null; then
|
elif which nslookup &>/dev/null; then
|
||||||
ip6=$(filter_ip6_address $(nslookup -type=aaaa "$NODE" 2>/dev/null | grep -A10 Name | grep -v Name))
|
ip6=$(filter_ip6_address $(nslookup -type=aaaa "$1" 2>/dev/null | awk '/'"^${a}"'.*AAAA/ { print $NF }'))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
@ -11670,8 +11667,7 @@ get_caa_rr_record() {
|
|||||||
raw_caa="$(dig $1 type257 +short)"
|
raw_caa="$(dig $1 type257 +short)"
|
||||||
# empty if no CAA record
|
# empty if no CAA record
|
||||||
elif which drill &> /dev/null; then
|
elif which drill &> /dev/null; then
|
||||||
a="$1"
|
raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')"
|
||||||
raw_caa="$(drill $a type257 | awk '/'"^${a}"'.*CAA/ { print $5,$6,$7 }')"
|
|
||||||
elif which host &> /dev/null; then
|
elif which host &> /dev/null; then
|
||||||
raw_caa="$(host -t type257 $1)"
|
raw_caa="$(host -t type257 $1)"
|
||||||
if egrep -wvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then
|
if egrep -wvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then
|
||||||
@ -11717,18 +11713,20 @@ get_caa_rr_record() {
|
|||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# watch out: $1 can also be a cname! --> all checked
|
||||||
get_mx_record() {
|
get_mx_record() {
|
||||||
local mx=""
|
local mx=""
|
||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
|
|
||||||
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
check_resolver_bins
|
check_resolver_bins
|
||||||
|
# we need tha last two columns here!
|
||||||
if which host &> /dev/null; then
|
if which host &> /dev/null; then
|
||||||
mxs=$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')
|
mxs=$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')
|
||||||
elif which dig &> /dev/null; then
|
elif which dig &> /dev/null; then
|
||||||
mxs=$(dig +short -t MX "$1" 2>/dev/null)
|
mxs=$(dig +short -t MX "$1" 2>/dev/null | awk '/^[0-9]/')
|
||||||
elif which drill &> /dev/null; then
|
elif which drill &> /dev/null; then
|
||||||
mxs=$(drill mx "$1" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
|
mxs=$(drill mx $1 | | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')
|
||||||
elif which nslookup &> /dev/null; then
|
elif which nslookup &> /dev/null; then
|
||||||
mxs=$(nslookup -type=MX "$1" 2>/dev/null | awk '/mail exchanger/ { print $(NF-1), $NF }')
|
mxs=$(nslookup -type=MX "$1" 2>/dev/null | awk '/mail exchanger/ { print $(NF-1), $NF }')
|
||||||
else
|
else
|
||||||
@ -11816,7 +11814,7 @@ determine_rdns() {
|
|||||||
elif which host &> /dev/null; then
|
elif which host &> /dev/null; then
|
||||||
rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
|
rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
|
||||||
elif which drill &> /dev/null; then
|
elif which drill &> /dev/null; then
|
||||||
rDNS=$(drill -x ptr $nodeip 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
|
rDNS=$(drill -x ptr $nodeip 2>/dev/null | awk '/ANSWER SECTION/ { getline; print $NF }')
|
||||||
elif which nslookup &> /dev/null; then
|
elif which nslookup &> /dev/null; then
|
||||||
rDNS=$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
|
rDNS=$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
|
||||||
fi
|
fi
|
||||||
@ -11833,18 +11831,23 @@ check_proxy() {
|
|||||||
if ! "$HAS_PROXY"; then
|
if ! "$HAS_PROXY"; then
|
||||||
fatal "Your $OPENSSL is too old to support the \"-proxy\" option" -5
|
fatal "Your $OPENSSL is too old to support the \"-proxy\" option" -5
|
||||||
fi
|
fi
|
||||||
|
if [[ "$PROXY" == "auto" ]]; then
|
||||||
|
# get $ENV
|
||||||
|
PROXY=${https_proxy#*\/\/}
|
||||||
|
[[ -z "$PROXY" ]] && PROXY=${http_proxy#*\/\/}
|
||||||
|
[[ -z "$PROXY" ]] && fatal "you specified \"--proxy=auto\" but \"\$http(s)_proxy\" is empty" 2
|
||||||
|
fi
|
||||||
PROXYNODE=${PROXY%:*}
|
PROXYNODE=${PROXY%:*}
|
||||||
PROXYPORT=${PROXY#*:}
|
PROXYPORT=${PROXY#*:}
|
||||||
is_number "$PROXYPORT" || fatal "Proxy port cannot be determined from \"$PROXY\"" "2"
|
is_number "$PROXYPORT" || fatal "Proxy port cannot be determined from \"$PROXY\"" 2
|
||||||
|
|
||||||
#if is_ipv4addr "$PROXYNODE" || is_ipv6addr "$PROXYNODE" ; then
|
#if is_ipv4addr "$PROXYNODE" || is_ipv6addr "$PROXYNODE" ; then
|
||||||
# IPv6 via openssl -proxy: that doesn't work. Sockets does
|
# IPv6 via openssl -proxy: that doesn't work. Sockets does
|
||||||
#FIXME: to finish this with LibreSSL which supports an IPv6 proxy
|
#FIXME: finish this with LibreSSL which supports an IPv6 proxy
|
||||||
if is_ipv4addr "$PROXYNODE"; then
|
if is_ipv4addr "$PROXYNODE"; then
|
||||||
PROXYIP="$PROXYNODE"
|
PROXYIP="$PROXYNODE"
|
||||||
else
|
else
|
||||||
check_resolver_bins
|
PROXYIP=$(get_a_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
||||||
PROXYIP=$(get_a_record $PROXYNODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
|
||||||
[[ -z "$PROXYIP" ]] && fatal "Proxy IP cannot be determined from \"$PROXYNODE\"" "2"
|
[[ -z "$PROXYIP" ]] && fatal "Proxy IP cannot be determined from \"$PROXYNODE\"" "2"
|
||||||
fi
|
fi
|
||||||
PROXY="-proxy $PROXYIP:$PROXYPORT"
|
PROXY="-proxy $PROXYIP:$PROXYPORT"
|
||||||
@ -12266,6 +12269,8 @@ parse_opt_equal_sign() {
|
|||||||
|
|
||||||
|
|
||||||
parse_cmd_line() {
|
parse_cmd_line() {
|
||||||
|
# Show usage if no options were specified
|
||||||
|
[[ -z "$1" ]] && help 0
|
||||||
# Set defaults if only an URI was specified, maybe ToDo: use "="-option, then: ${i#*=} i.e. substring removal
|
# Set defaults if only an URI was specified, maybe ToDo: use "="-option, then: ${i#*=} i.e. substring removal
|
||||||
[[ "$#" -eq 1 ]] && set_scanning_defaults
|
[[ "$#" -eq 1 ]] && set_scanning_defaults
|
||||||
|
|
||||||
@ -12596,7 +12601,7 @@ parse_cmd_line() {
|
|||||||
(--) shift
|
(--) shift
|
||||||
break
|
break
|
||||||
;;
|
;;
|
||||||
(-*) pr_magentaln "0: unrecognized option \"$1\"" 1>&2;
|
(-*) pr_warningln "0: unrecognized option \"$1\"" 1>&2;
|
||||||
help 1
|
help 1
|
||||||
;;
|
;;
|
||||||
(*) break
|
(*) break
|
||||||
@ -12605,7 +12610,7 @@ parse_cmd_line() {
|
|||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
# Show usage if no options were specified
|
# Show usage if no further options were specified
|
||||||
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! $do_display_only; then
|
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! $do_display_only; then
|
||||||
echo && fatal "URI missing" "1"
|
echo && fatal "URI missing" "1"
|
||||||
else
|
else
|
||||||
|
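Review bot: `mxs=$(drill mx $1 | | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')` in the get_mx_record hunk is a bash syntax error (an empty command between two pipes) that stops the script when the function definition is parsed, and it also drops the `"$1"` quoting and the `2>/dev/null` that the host, dig and nslookup branches of the same function keep; it should read `mxs=$(drill mx "$1" 2>/dev/null | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')`. The new drill lines in get_a_record and get_aaaa_record likewise lost their `2>/dev/null`, so drill's diagnostics on a failed lookup are fed into the awk filter instead of being discarded. In the get_aaaa_record hunk the nslookup branch builds its awk regex from `${a}`, which this function never assigns (only ip6 and saved_openssl_conf are declared), so the prefix is presumably empty and the pattern degrades to `/^.*AAAA/`; if the host name is intended it should be `$1`, and since that value comes from the command line it is safer to compare it with awk's index() or `-v name="$1"` than to interpolate it into the regex. get_mx_record's body continues outside the hunk.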