- TLS 1.0/1.1 is not green anymore, only TLS 1.2 is the real one!
- no bold for 3DES and medium - nslookup for MSYS2 etc. having no `host` (and fixing the error message if the host doesn't exist)
parent
188e7f9095
commit
d2b833b2fa
36
testssl.sh
36
testssl.sh
|
@ -463,6 +463,8 @@ hpkp() {
|
||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
#FIXME: once checkcert.sh is here: fingerprints!
|
#FIXME: once checkcert.sh is here: fingerprints!
|
||||||
|
# FIXME: revoked, see checkcert.sh
|
||||||
|
# FIXME: Trust (only CN)
|
||||||
|
|
||||||
emphasize_numbers_in_headers(){
|
emphasize_numbers_in_headers(){
|
||||||
# see http://www.grymoire.com/Unix/Sed.html#uh-3
|
# see http://www.grymoire.com/Unix/Sed.html#uh-3
|
||||||
|
@ -631,9 +633,9 @@ std_cipherlists() {
|
||||||
fi ;;
|
fi ;;
|
||||||
2) # not really bad
|
2) # not really bad
|
||||||
if [[ $ret -eq 0 ]]; then
|
if [[ $ret -eq 0 ]]; then
|
||||||
ok 2 0 # offered in pr_bold
|
ok 2 0 # offered in normal
|
||||||
else
|
else
|
||||||
ok 0 0 # not offered also in pr_bold
|
ok 2 0 # not offered also in normal
|
||||||
fi;;
|
fi;;
|
||||||
*) # the ugly rest
|
*) # the ugly rest
|
||||||
if [[ $ret -eq 0 ]]; then
|
if [[ $ret -eq 0 ]]; then
|
||||||
|
@ -851,8 +853,6 @@ testprotohelper() {
|
||||||
|
|
||||||
runprotocols() {
|
runprotocols() {
|
||||||
pr_blue "--> Testing Protocols"; outln "\n"
|
pr_blue "--> Testing Protocols"; outln "\n"
|
||||||
# e.g. ubuntu's 12.04 openssl binary + soon others don't want sslv2 anymore: bugs.launchpad.net/ubuntu/+source/openssl/+bug/955675
|
|
||||||
|
|
||||||
if [ $SSL_NATIVE -eq 1 ] || [ -n "$STARTTLS" ]; then
|
if [ $SSL_NATIVE -eq 1 ] || [ -n "$STARTTLS" ]; then
|
||||||
testprotohelper "-ssl2" " SSLv2 "
|
testprotohelper "-ssl2" " SSLv2 "
|
||||||
case $? in
|
case $? in
|
||||||
|
@ -876,7 +876,7 @@ runprotocols() {
|
||||||
|
|
||||||
testprotohelper "-tls1" " TLSv1 "
|
testprotohelper "-tls1" " TLSv1 "
|
||||||
case $? in
|
case $? in
|
||||||
0) ok 4 0 ;; # no GCM, thus only in pr_litegreen
|
0) ok 2 0 ;; # no GCM, thus only normal print
|
||||||
1) ok 0 0 ;;
|
1) ok 0 0 ;;
|
||||||
5) ok 5 5 ;; # protocol ok, but no cipher
|
5) ok 5 5 ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
|
@ -884,7 +884,7 @@ runprotocols() {
|
||||||
|
|
||||||
testprotohelper "-tls1_1" " TLSv1.1 "
|
testprotohelper "-tls1_1" " TLSv1.1 "
|
||||||
case $? in
|
case $? in
|
||||||
0) ok 1 0 ;;
|
0) ok 2 0 ;; # normal print
|
||||||
1) ok 7 0 ;; # no GCM, penalty
|
1) ok 7 0 ;; # no GCM, penalty
|
||||||
5) ok 5 5 ;; # protocol ok, but no cipher
|
5) ok 5 5 ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
|
@ -1895,7 +1895,7 @@ beast(){
|
||||||
done
|
done
|
||||||
#detected_cbc_cipher=`echo $detected_cbc_cipher | sed 's/ //g'`
|
#detected_cbc_cipher=`echo $detected_cbc_cipher | sed 's/ //g'`
|
||||||
if [ -z "$detected_cbc_cipher" ]; then
|
if [ -z "$detected_cbc_cipher" ]; then
|
||||||
pr_litegreenln "no CBC ciphers for $proto (OK)"
|
pr_litegreenln "no CBC ciphers for $(echo $proto | tr '[a-z]' '[A-Z]') (OK)"
|
||||||
else
|
else
|
||||||
detected_cbc_cipher=$(echo "$detected_cbc_cipher" | sed -e 's/ /\n '"${spaces}"'/9' -e 's/ /\n '"${spaces}"'/6' -e 's/ /\n '"${spaces}"'/3')
|
detected_cbc_cipher=$(echo "$detected_cbc_cipher" | sed -e 's/ /\n '"${spaces}"'/9' -e 's/ /\n '"${spaces}"'/6' -e 's/ /\n '"${spaces}"'/3')
|
||||||
[ $ret -eq 1 ] && out "$spaces"
|
[ $ret -eq 1 ] && out "$spaces"
|
||||||
|
@ -2276,10 +2276,7 @@ parse_hn_port() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
datebanner "Testing"
|
datebanner "Testing"
|
||||||
|
[[ -z "$2" ]] && runs_HTTP # for starttls all is clear
|
||||||
[[ -z "$2" ]] && runs_HTTP # for starttl all is clear
|
|
||||||
|
|
||||||
#[ "$PORT" != 443 ] && pr_bold "A non standard port or testing no web servers might show lame reponses (then just wait)\n"
|
|
||||||
initialize_engine
|
initialize_engine
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2302,12 +2299,16 @@ get_dns_entries() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -z "$IP4" ] ; then # getent returned nothing:
|
if [ -z "$IP4" ] ; then # getent returned nothing:
|
||||||
IP4=`host -t a $NODE | grep -v alias | sed 's/^.*address //'`
|
IP4=`host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //'`
|
||||||
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
|
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
|
||||||
pr_magenta "Can't proceed: No IP address for \"$NODE\" available"; outln "\n"
|
pr_magenta "Can't proceed: No IP address for \"$NODE\" available"; outln "\n"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
# MSYS2 has no host or getent, so we do this
|
||||||
|
if [ -z "$IP4" ] ; then
|
||||||
|
IP4=`nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//'`
|
||||||
|
fi
|
||||||
|
|
||||||
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
|
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
|
||||||
#which getent 2>&1 >/dev/null && IP6=`getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq`
|
#which getent 2>&1 >/dev/null && IP6=`getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq`
|
||||||
|
@ -2318,15 +2319,20 @@ get_dns_entries() {
|
||||||
IP6=""
|
IP6=""
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
# MSYS2 has no host or getent, so we do this
|
||||||
|
if [ -z "$IP6" ] ; then
|
||||||
|
IP6=`nslookup -type=aaaa $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//'`
|
||||||
|
fi
|
||||||
|
|
||||||
fi # test4iponly
|
fi # test4iponly
|
||||||
|
|
||||||
IPADDRs=`echo $IP4`
|
IPADDRs=`echo $IP4`
|
||||||
[ ! -z "$IP6" ] && IPADDRs=`echo $IP4`" "`echo $IP6`
|
[ ! -z "$IP6" ] && IPADDRs=`echo $IP4`" "`echo $IP6`
|
||||||
|
|
||||||
# FIXME: we could test more than one IPv4 addresses if available, same IPv6. For now we test the first IPv4:
|
# FIXME: we could/should test more than one IPv4 addresses if available, same IPv6. For now we test the first IPv4:
|
||||||
NODEIP=`echo "$IP4" | head -1`
|
NODEIP=`echo "$IP4" | head -1`
|
||||||
|
|
||||||
# we can't do this as some checks and even openssl are not yet IPv6 safe
|
# we can't do this as some checks and even openssl are not yet IPv6 safe. BTW: bash sockets do IPv6 transparently!
|
||||||
#NODEIP=`echo "$IP6" | head -1`
|
#NODEIP=`echo "$IP6" | head -1`
|
||||||
rDNS=`host -t PTR $NODEIP 2>/dev/null | grep -v "is an alias for" | sed -e 's/^.*pointer //' -e 's/\.$//'`
|
rDNS=`host -t PTR $NODEIP 2>/dev/null | grep -v "is an alias for" | sed -e 's/^.*pointer //' -e 's/\.$//'`
|
||||||
echo $rDNS | grep -q NXDOMAIN && rDNS=" - "
|
echo $rDNS | grep -q NXDOMAIN && rDNS=" - "
|
||||||
|
@ -2551,6 +2557,6 @@ case "$1" in
|
||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.178 2015/01/30 15:26:54 dirkw Exp $
|
# $Id: testssl.sh,v 1.179 2015/02/03 22:20:58 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
|
||||||
|
|
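Review bot: In the get_dns_entries hunk (@@ -2302,12 +2299,16 @@), the "Can't proceed" exit only fires inside the `host` branch when its output contains NXDOMAIN or "no A record"; the new nslookup fallback has no equivalent, so on MSYS2 an unresolvable name leaves IP4 empty and the script continues with an empty NODEIP, which later stages presumably use as the connection target. A final guard after the fallback `fi` would close that gap: `if [ -z "$IP4" ]; then` / `pr_magenta "Can't proceed: No IP address for \"$NODE\" available"; outln "\n"; exit 1` / `fi`. The same applies to the IPv6 fallback in the next hunk, where an empty IP6 is tolerated by design but should at least not be parsed from stray nslookup lines. In both new nslookup lines `$NODE` is unquoted, so a hostname taken from the command line is word-split and glob-expanded before reaching nslookup; `"$NODE"` avoids that. The enclosing function starts before this hunk.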