completed the commit 601c810240

started to use the ip parameter to decide where the dns resoultion
takes place (see #739 and #748). --ip=proxy or DNS_VIA_PROXY=true
will mean DNS resolutioni is done by proxy,

furthermore: swapped a few pr_magenta by pr_warning. Generally
testssl.sh should use for warnings a warning function and not
directly a color (we want to be flexible). There are still a few
remainders for fatal() which use bold magenta and thus I haven't
changed yet.

Also html_reserved() is being called also if no html output
is being requested. This could be fixed better probably.
This commit is contained in:
Dirk 2017-05-19 20:28:18 +02:00
parent 601c810240
commit d64fabafd5

View File

@ -83,6 +83,8 @@ readonly PS4='|${LINENO}> \011${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
# how to paste both in order to do performance analysis # how to paste both in order to do performance analysis
DEBUGTIME=${DEBUGTIME:-false} DEBUGTIME=${DEBUGTIME:-false}
DEBUG_ALLINONE=${DEBUG_ALLINONE:-false} # true: do debugging in one sceen (old behaviour for testssl.sh and bash3's default DEBUG_ALLINONE=${DEBUG_ALLINONE:-false} # true: do debugging in one sceen (old behaviour for testssl.sh and bash3's default
# false: needed for performance analysis or useful for just having an extra file
if grep -q xtrace <<< "$SHELLOPTS"; then if grep -q xtrace <<< "$SHELLOPTS"; then
if "$DEBUGTIME"; then if "$DEBUGTIME"; then
# separate debugging, doesn't mess up the screen, $DEBUGTIME determines whether we also do performance analysis # separate debugging, doesn't mess up the screen, $DEBUGTIME determines whether we also do performance analysis
@ -212,6 +214,7 @@ DAYS2WARN1=${DAYS2WARN1:-60} # days to warn before cert expires, thre
DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2 DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2
VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check
NODNS=${NODNS:-false} # always do DNS lookups per default. For some pentests it might save time to set this to true NODNS=${NODNS:-false} # always do DNS lookups per default. For some pentests it might save time to set this to true
DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # don't do DNS lookups via proxy. --ip=proxy reverses this
readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
HAD_SLEPT=0 HAD_SLEPT=0
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
@ -371,6 +374,7 @@ declare TLS_CIPHER_OSSL_SUPPORTED=()
# For HTML output, replace any HTML reserved characters with the entity name # For HTML output, replace any HTML reserved characters with the entity name
html_reserved(){ html_reserved(){
"$do_html" || return 0
sed -e 's/\&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g" <<< "$1" sed -e 's/\&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g" <<< "$1"
} }
@ -5687,7 +5691,7 @@ certificate_info() {
fileout "${json_prefix}key_size" "OK" "Server keys $cert_keysize bits" fileout "${json_prefix}key_size" "OK" "Server keys $cert_keysize bits"
outln " bits" outln " bits"
else else
pr_magenta "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)" pr_warning "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)"
fileout "${json_prefix}key_size" "WARN" "Server keys $cert_keysize bits (Odd)" fileout "${json_prefix}key_size" "WARN" "Server keys $cert_keysize bits (Odd)"
fi fi
else else
@ -6816,7 +6820,7 @@ starttls_line() {
debugme echo "---> reply with automated FAST_STARTTLS=false matched \"$2\"" debugme echo "---> reply with automated FAST_STARTTLS=false matched \"$2\""
else else
debugme echo "---> reply didn't match \"$2\", see $TMPFILE" debugme echo "---> reply didn't match \"$2\", see $TMPFILE"
pr_magenta "STARTTLS handshake problem. " pr_warning "STARTTLS handshake problem. "
outln "Either switch to native openssl (--ssl-native), " outln "Either switch to native openssl (--ssl-native), "
outln " give the server more time to reply (STARTTLS_SLEEP=<seconds> ./testssh.sh ..) -- " outln " give the server more time to reply (STARTTLS_SLEEP=<seconds> ./testssh.sh ..) -- "
outln " or debug what happened (add --debug=2)" outln " or debug what happened (add --debug=2)"
@ -6967,16 +6971,20 @@ fd_socket() {
if [[ -n "$PROXY" ]]; then if [[ -n "$PROXY" ]]; then
if ! exec 5<> /dev/tcp/${PROXYIP}/${PROXYPORT}; then if ! exec 5<> /dev/tcp/${PROXYIP}/${PROXYPORT}; then
outln outln
pr_magenta "$PROG_NAME: unable to open a socket to proxy $PROXYIP:$PROXYPORT" pr_warning "$PROG_NAME: unable to open a socket to proxy $PROXYIP:$PROXYPORT"
return 6 return 6
fi fi
if "$DNS_VIA_PROXY"; then
echo -e "CONNECT $NODE:$PORT HTTP/1.0\n" >&5
else
echo -e "CONNECT $nodeip:$PORT HTTP/1.0\n" >&5 echo -e "CONNECT $nodeip:$PORT HTTP/1.0\n" >&5
fi
while true ; do while true ; do
read proyxline <&5 read proyxline <&5
if [[ "${proyxline%/*}" == "HTTP" ]]; then if [[ "${proyxline%/*}" == "HTTP" ]]; then
proyxline=${proyxline#* } proyxline=${proyxline#* }
if [[ "${proyxline%% *}" != "200" ]]; then if [[ "${proyxline%% *}" != "200" ]]; then
pr_magenta "Unable to CONNECT via proxy. " pr_warning "Unable to CONNECT via proxy. "
[[ "$PORT" != 443 ]] && prln_magenta "Check whether your proxy supports port $PORT and the underlying protocol." [[ "$PORT" != 443 ]] && prln_magenta "Check whether your proxy supports port $PORT and the underlying protocol."
return 6 return 6
fi fi
@ -6987,7 +6995,7 @@ fd_socket() {
done done
elif ! exec 5<>/dev/tcp/$nodeip/$PORT; then # 2>/dev/null would remove an error message, but disables debugging elif ! exec 5<>/dev/tcp/$nodeip/$PORT; then # 2>/dev/null would remove an error message, but disables debugging
outln outln
pr_magenta "Unable to open a socket to $NODEIP:$PORT. " pr_warning "Unable to open a socket to $NODEIP:$PORT. "
# It can last ~2 minutes but for for those rare occasions we don't do a timeout handler here, KISS # It can last ~2 minutes but for for those rare occasions we don't do a timeout handler here, KISS
return 6 return 6
fi fi
@ -12383,7 +12391,7 @@ run_mass_testing_parallel() {
[[ $wait_time -gt $MAX_WAIT_TEST ]] && wait_time=$MAX_WAIT_TEST [[ $wait_time -gt $MAX_WAIT_TEST ]] && wait_time=$MAX_WAIT_TEST
if "$INTERACTIVE"; then if "$INTERACTIVE"; then
echo -en "\r \r" 1>&2 echo -en "\r \r" 1>&2
echo -n "Waiting for test #$NEXT_PARALLEL_TEST_TO_FINISH to finish" >&2 echo -n "Waiting for test #$NEXT_PARALLEL_TEST_TO_FINISH to finish" 1>&2
if [[ $((MAX_WAIT_TEST-wait_time)) -le 60 ]]; then if [[ $((MAX_WAIT_TEST-wait_time)) -le 60 ]]; then
echo -n " ($((MAX_WAIT_TEST-wait_time)) seconds to timeout)" 1>&2 echo -n " ($((MAX_WAIT_TEST-wait_time)) seconds to timeout)" 1>&2
else else
@ -12419,7 +12427,7 @@ run_mass_testing_parallel() {
echo -en "\r \r" 1>&2 echo -en "\r \r" 1>&2
wait_time=$((curr_time-start_time[NEXT_PARALLEL_TEST_TO_FINISH])) wait_time=$((curr_time-start_time[NEXT_PARALLEL_TEST_TO_FINISH]))
[[ $wait_time -gt $MAX_WAIT_TEST ]] && wait_time=$MAX_WAIT_TEST [[ $wait_time -gt $MAX_WAIT_TEST ]] && wait_time=$MAX_WAIT_TEST
echo -n "Waiting for test #$NEXT_PARALLEL_TEST_TO_FINISH to finish" echo -n "Waiting for test #$NEXT_PARALLEL_TEST_TO_FINISH to finish" 1>&2
if [[ $((MAX_WAIT_TEST-wait_time)) -le 60 ]]; then if [[ $((MAX_WAIT_TEST-wait_time)) -le 60 ]]; then
echo -n " ($((MAX_WAIT_TEST-wait_time)) seconds to timeout)" 1>&2 echo -n " ($((MAX_WAIT_TEST-wait_time)) seconds to timeout)" 1>&2
else else
@ -12604,6 +12612,10 @@ parse_cmd_line() {
--ip|--ip=*) --ip|--ip=*)
CMDLINE_IP="$(parse_opt_equal_sign "$1" "$2")" CMDLINE_IP="$(parse_opt_equal_sign "$1" "$2")"
[[ $? -eq 0 ]] && shift [[ $? -eq 0 ]] && shift
if [[ $CMDLINE_IP == "proxy" ]]; then
DNS_VIA_PROXY=true
unset CMDLINE_IP
fi
;; ;;
-n|--nodns) -n|--nodns)
NODNS=true NODNS=true