mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-10 02:30:58 +01:00
JSON all done...
This commit is contained in:
Frank Breedijk
parent
eaabc5d13d
commit
d69bd246a9
31
testssl.sh
31
testssl.sh
@ -4233,8 +4233,9 @@ run_beast(){
|
||||
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
|
||||
if $continued; then # second round: we hit TLS1:
|
||||
pr_litegreenln "no SSL3 or TLS1"
|
||||
output_finding "beast" "$NODEIP" "$PORT" "OK" "BEAST (CVE-2011-3389) : not vulnerable (OK) no SSL3 or TLS1"
|
||||
return 0
|
||||
else # protocol not succeeded but it';s the first time
|
||||
else # protocol not succeeded but it's the first time
|
||||
continued=true
|
||||
continue # protocol not supported, so we do not need to check each cipher with that protocol
|
||||
fi
|
||||
@ -4278,8 +4279,9 @@ run_beast(){
|
||||
fi
|
||||
done
|
||||
|
||||
if ! $WIDE; then
|
||||
if [[ -n "$detected_cbc_ciphers" ]]; then
|
||||
if [[ -n "$detected_cbc_ciphers" ]]; then
|
||||
output_finding "cbc_$proto" "$NODEIP" "$PORT" "NOT OK" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
|
||||
if ! $WIDE; then
|
||||
detected_cbc_ciphers=$(echo "$detected_cbc_ciphers" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
||||
! $first && out "$spaces"
|
||||
out "$(toupper $proto):"
|
||||
@ -4288,13 +4290,14 @@ run_beast(){
|
||||
pr_brownln "$detected_cbc_ciphers"
|
||||
detected_cbc_ciphers="" # empty for next round
|
||||
first=false
|
||||
else
|
||||
[[ $proto == "tls1" ]] && ! $first && echo -n "$spaces"
|
||||
pr_litegreenln "no CBC ciphers for $(toupper $proto) (OK)"
|
||||
first=false
|
||||
fi
|
||||
else
|
||||
$vuln_beast || pr_litegreenln " no CBC ciphers for $(toupper $proto) (OK)"
|
||||
output_finding "cbc_$proto" "$NODEIP" "$PORT" "OK" "BEAST (CVE-2011-3389) : No CBC ciphers for $(toupper $proto) (OK)"
|
||||
if ! $WIDE; then
|
||||
[[ $proto == "tls1" ]] && ! $first && echo -n "$spaces "
|
||||
first=false
|
||||
fi
|
||||
pr_litegreenln "no CBC ciphers for $(toupper $proto) (OK)"
|
||||
fi
|
||||
done # for proto in ssl3 tls1
|
||||
|
||||
@ -4310,6 +4313,7 @@ run_beast(){
|
||||
pr_yellow "VULNERABLE"
|
||||
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||
fi
|
||||
output_finding "beast" "$NODEIP" "$PORT" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||
else
|
||||
if $WIDE; then
|
||||
outln
|
||||
@ -4318,6 +4322,7 @@ run_beast(){
|
||||
fi
|
||||
pr_brown "VULNERABLE (NOT ok)"
|
||||
outln " -- and no higher protocols as mitigation supported"
|
||||
output_finding "beast" "$NODEIP" "$PORT" "NOT OK" "BEAST (CVE-2011-3389) : VULNERABLE -- and no higher protocols as mitigation supported"
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -4329,6 +4334,7 @@ run_lucky13() {
|
||||
#FIXME: to do . CVE-2013-0169
|
||||
# in a nutshell: don't offer CBC suites (again). MAC as a fix for padding oracles is not enough. Best: TLS v1.2+ AES GCM
|
||||
echo "FIXME"
|
||||
output_finding "lucky13" "$NODEIP" "$PORT" "WARN" "LUCKY13 (CVE-2013-0169) : No tested. Not implemented. #FIXME"
|
||||
return -1
|
||||
}
|
||||
|
||||
@ -4341,6 +4347,7 @@ run_rc4() {
|
||||
local -i sclient_success
|
||||
local hexcode dash rc4_cipher sslvers kx auth enc mac export
|
||||
local rc4_ciphers_list="ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:DHE-DSS-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:RSA-PSK-RC4-SHA:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP-ADH-RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5"
|
||||
local rc4_detected=""
|
||||
|
||||
if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || $WIDE; then
|
||||
outln
|
||||
@ -4379,10 +4386,13 @@ run_rc4() {
|
||||
else
|
||||
pr_litered "$rc4_cipher "
|
||||
fi
|
||||
rc4_detected+="$c4_cipher "
|
||||
done < <($OPENSSL ciphers -V $rc4_ciphers_list:@STRENGTH)
|
||||
outln
|
||||
output_finding "rc4" "$NODEIP" "$PORT" "NOT OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected"
|
||||
else
|
||||
pr_litegreenln "no RC4 ciphers detected (OK)"
|
||||
output_finding "rc4" "$NODEIP" "$PORT" "OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : not vulnerable (OK)"
|
||||
rc4_offered=0
|
||||
fi
|
||||
outln
|
||||
@ -4409,6 +4419,7 @@ run_tls_truncation() {
|
||||
|
||||
|
||||
old_fart() {
|
||||
output_finding "old_fart" "$NODEIP" "$PORT" "WARN" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed.\nGet precompiled bins or compile https://github.com/PeterMosmans/openssl ."
|
||||
outln "Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
|
||||
fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -2
|
||||
}
|
||||
@ -4630,6 +4641,10 @@ tuning options (can also be preset via environment variables):
|
||||
--color <0|1|2> 0: no escape or other codes, 1: b/w escape codes, 2: color (default)
|
||||
--debug <0-6> 1: screen output normal but debug output in temp files. 2-6: see line ~120
|
||||
|
||||
output options:
|
||||
--json output all findngs to a json file (defaults to testssl.json unless set)
|
||||
--jsonfile <fname> set output to json and output to the specified file
|
||||
|
||||
All options requiring a value can also be called with '=' (e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>.
|
||||
<URI> is always the last parameter.
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user