mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
SSLv2 fixes for server preference
This PR addresses two issues related to SSLv2 for "--server-preference" checks.
First, some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options.
Second, the line for extracting the chosen cipher,`cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)`, fails for SSLv2. For SSLv2, the output from `$OPENSSL s_client` is as shown below, and the `cipher=` line extracts the word `between` from `Ciphers common between both SSL endpoints:` rather than `IDEA-CBC-MD5` from ` Cipher : IDEA-CBC-MD5`.
```
...
Ciphers common between both SSL endpoints:
RC4-MD5 RC2-CBC-MD5 IDEA-CBC-MD5
DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1191 bytes and written 373 bytes
---
New, SSLv2, Cipher is IDEA-CBC-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv2
Cipher : IDEA-CBC-MD5
...
```
This commit is contained in:
David Cooper
GitHub
parent
5a763ff8e1
commit
d67fff3223
17
testssl.sh
17
testssl.sh
@ -3456,7 +3456,11 @@ run_server_preference() {
|
||||
out " (SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\"" ; outln ")";
|
||||
continue
|
||||
fi
|
||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
if [[ "$p" =~ ssl ]]; then
|
||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
else
|
||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
fi
|
||||
if sclient_connect_successful $? $TMPFILE; then
|
||||
proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
||||
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
|
||||
@ -3587,7 +3591,7 @@ check_tls12_pref() {
|
||||
|
||||
|
||||
cipher_pref_check() {
|
||||
local p proto protos npn_protos
|
||||
local p proto protos npn_protos sni
|
||||
local tested_cipher cipher order
|
||||
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
|
||||
|
||||
@ -3604,11 +3608,12 @@ cipher_pref_check() {
|
||||
continue
|
||||
fi
|
||||
# with the supplied binaries SNI works also for SSLv2 (+ SSLv3)
|
||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
|
||||
[[ "$p" =~ ssl ]] && sni="" || sni=$SNI
|
||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>$ERRFILE >$TMPFILE
|
||||
if sclient_connect_successful $? $TMPFILE; then
|
||||
tested_cipher=""
|
||||
proto=$(awk '/Protocol/ { print $3 }' $TMPFILE)
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE)
|
||||
[[ -z "$proto" ]] && continue # for early openssl versions sometimes needed
|
||||
outln
|
||||
printf " %-10s" "$proto: "
|
||||
@ -3631,9 +3636,9 @@ cipher_pref_check() {
|
||||
else
|
||||
out " $cipher" # this is the first cipher for protocol
|
||||
while true; do
|
||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
$OPENSSL s_client $STARTTLS -"$p" $BUGS -cipher "ALL:$tested_cipher" -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
sclient_connect_successful $? $TMPFILE || break
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
cipher=$(awk '/Cipher *:/ { print $3 }' $TMPFILE)
|
||||
out " $cipher"
|
||||
order+=" $cipher"
|
||||
tested_cipher="$tested_cipher:-$cipher"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user