mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
- protocol w/o cipher (only SSLv2 so far)
- for EVERY protocol now check whether $openssl supports it - better fail for PFS if there are no local ciphers
parent
52ef1fe684
commit
d77b667489
93
testssl.sh
93
testssl.sh
@ -67,6 +67,7 @@ VERB_CLIST="" # ... and if so, "-V" shows them row by row cipher, SSL-ver
|
|||||||
HSTS_MIN=180 #>180 days is ok for HSTS
|
HSTS_MIN=180 #>180 days is ok for HSTS
|
||||||
HPKP_MIN=9 #>9 days should be ok for HPKP_MIN, practical hiints?
|
HPKP_MIN=9 #>9 days should be ok for HPKP_MIN, practical hiints?
|
||||||
MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
|
MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
|
||||||
|
CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
||||||
NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
||||||
RUN_DIR=`dirname $0`
|
RUN_DIR=`dirname $0`
|
||||||
|
|
||||||
@ -679,16 +680,26 @@ locally_supported() {
|
|||||||
$OPENSSL s_client "$1" 2>&1 | grep -q "unknown option"
|
$OPENSSL s_client "$1" 2>&1 | grep -q "unknown option"
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
magentaln "Local problem: $OPENSSL doesn't support \"s_client $1\""
|
magentaln "Local problem: $OPENSSL doesn't support \"s_client $1\""
|
||||||
return 7
|
ret=7
|
||||||
else
|
else
|
||||||
return 0
|
ret=0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
return $ret
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
testversion_new() {
|
testversion_new() {
|
||||||
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
[ "$VERBERR" -eq 0 ] && cat $TMPFILE | egrep "error|failure" | egrep -v "unable to get local|verify error"
|
[ "$VERBERR" -eq 0 ] && cat $TMPFILE | egrep "error|failure" | egrep -v "unable to get local|verify error"
|
||||||
|
|
||||||
|
if grep -q "no cipher list" $TMPFILE ; then
|
||||||
|
litered "supported but couldn't detect a cipher"
|
||||||
|
outln "(check manually)"
|
||||||
|
ret=3
|
||||||
|
fi
|
||||||
|
|
||||||
rm $TMPFILE
|
rm $TMPFILE
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
@ -706,40 +717,59 @@ testprotohelper() {
|
|||||||
runprotocols() {
|
runprotocols() {
|
||||||
blue "--> Testing Protocols"; outln "\n"
|
blue "--> Testing Protocols"; outln "\n"
|
||||||
# e.g. ubuntu's 12.04 openssl binary + soon others don't want sslv2 anymore: bugs.launchpad.net/ubuntu/+source/openssl/+bug/955675
|
# e.g. ubuntu's 12.04 openssl binary + soon others don't want sslv2 anymore: bugs.launchpad.net/ubuntu/+source/openssl/+bug/955675
|
||||||
# Sonderlocke hier #FIXME kann woanders auch auftauchen!
|
|
||||||
testprotohelper "-ssl2" " SSLv2 "
|
testprotohelper "-ssl2" " SSLv2 "
|
||||||
ret=$?;
|
ret=$?;
|
||||||
if [ $ret -ne 7 ]; then
|
if [ $ret -ne 7 ]; then
|
||||||
if [ $ret -eq 0 ]; then
|
if [ $ret -eq 0 ]; then
|
||||||
ok 1 1 # red
|
ok 1 1 # red
|
||||||
|
elif [ $ret -eq 3 ] ; then
|
||||||
|
:
|
||||||
else
|
else
|
||||||
ok 0 1 # green "not offered (ok)"
|
ok 0 1 # green "not offered (ok)"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if testprotohelper "-ssl3" " SSLv3 " ; then
|
testprotohelper "-ssl3" " SSLv3 "
|
||||||
ok 6 0 # poodle hack"
|
ret=$?;
|
||||||
else
|
if [ $ret -ne 7 ]; then
|
||||||
ok 0 1 # green "not offered (ok)"
|
if [ $ret -eq 0 ]; then
|
||||||
|
ok 6 0 # poodle hack"
|
||||||
|
else
|
||||||
|
ok 0 1 # green "not offered (ok)"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if testprotohelper "-tls1" " TLSv1 "; then
|
testprotohelper "-tls1" " TLSv1 "
|
||||||
ok 1 0
|
ret=$?;
|
||||||
else
|
if [ $ret -ne 7 ]; then
|
||||||
ok 0 0
|
if [ $ret -eq 0 ]; then
|
||||||
|
ok 1 0
|
||||||
|
else
|
||||||
|
ok 0 0
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if testprotohelper "-tls1_1" " TLSv1.1 "; then
|
testprotohelper "-tls1_1" " TLSv1.1 "
|
||||||
ok 1 0
|
ret=$?;
|
||||||
else
|
if [ $ret -ne 7 ]; then
|
||||||
ok 0 0
|
if [ $ret -eq 0 ]; then
|
||||||
|
ok 1 0
|
||||||
|
else
|
||||||
|
ok 0 0
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if testprotohelper "-tls1_2" " TLSv1.2 "; then
|
testprotohelper "-tls1_2" " TLSv1.2 "
|
||||||
ok 1 0
|
ret=$?;
|
||||||
else
|
if [ $ret -ne 7 ]; then
|
||||||
ok 0 0
|
if [ $ret -eq 0 ]; then
|
||||||
|
ok 1 0
|
||||||
|
else
|
||||||
|
ok 0 0
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -870,12 +900,16 @@ pfs() {
|
|||||||
# PFSOK='EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH'
|
# PFSOK='EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH'
|
||||||
# this catches also ECDHE-ECDSA-NULL-SHA or ECDHE-RSA-RC4-SHA
|
# this catches also ECDHE-ECDSA-NULL-SHA or ECDHE-RSA-RC4-SHA
|
||||||
|
|
||||||
$OPENSSL ciphers -V "$PFSOK" >$TMPFILE
|
$OPENSSL ciphers -V "$PFSOK" >$TMPFILE 2>/dev/null
|
||||||
if [ $? -ne 0 ] || [ `wc -l $TMPFILE | awk '{ print $1 }' ` -lt 3 ]; then
|
if [ $? -ne 0 ] ; then
|
||||||
out "Note: you have the following client side ciphers only for PFS. "
|
number_pfs=`wc -l $TMPFILE | awk '{ print $1 }'`
|
||||||
out "Thus it doesn't make sense to test PFS"
|
if [ "$number_pfs" -le "$CLIENT_MIN_PFS" ] ; then
|
||||||
cat $TMPFILE
|
outln
|
||||||
return 1
|
magentaln " Local problem: you have only $number_pfs client side PFS ciphers "
|
||||||
|
outln " Thus it doesn't make sense to test PFS"
|
||||||
|
[ $number_pfs -ne 0 ] && cat $TMPFILE
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
savedciphers=`cat $TMPFILE`
|
savedciphers=`cat $TMPFILE`
|
||||||
[ x$SHOW_LCIPHERS = "xyes" ] && echo "local ciphers available for testing PFS:" && echo `cat $TMPFILE`
|
[ x$SHOW_LCIPHERS = "xyes" ] && echo "local ciphers available for testing PFS:" && echo `cat $TMPFILE`
|
||||||
@ -992,8 +1026,8 @@ spdy(){
|
|||||||
# first, does the current openssl support it?
|
# first, does the current openssl support it?
|
||||||
$OPENSSL s_client help 2>&1 | grep -qw nextprotoneg
|
$OPENSSL s_client help 2>&1 | grep -qw nextprotoneg
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
magenta "Local problem: $OPENSSL cannot test SPDY"; outln
|
magenta "Local problem: $OPENSSL doesn't support SPDY"; outln
|
||||||
ret=3
|
return 0
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs </dev/null 2>/dev/null >$TMPFILE
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
@ -1431,7 +1465,8 @@ find_openssl_binary() {
|
|||||||
esac
|
esac
|
||||||
if [ $OSSL_VER_MAJOR -lt 1 ]; then ## mm: Patch for libressl
|
if [ $OSSL_VER_MAJOR -lt 1 ]; then ## mm: Patch for libressl
|
||||||
outln
|
outln
|
||||||
magentaln " ¡¡¡ <Enter> at your own risk !!!\n $OPENSSL version < 1.0 is too old"
|
magentaln " ¡¡¡ <Enter> at your own risk !!! $OPENSSL is way too old (< version 1.0)"
|
||||||
|
outln " Proceeding may likely result in false negatives or positives\n"
|
||||||
read a
|
read a
|
||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
@ -1938,7 +1973,7 @@ case "$1" in
|
|||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.142 2014/11/19 12:22:21 dirkw Exp $
|
# $Id: testssl.sh,v 1.143 2014/11/19 16:08:58 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
|
||||||
|
|
||||||
|
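Review bot: In the pfs() hunk the cipher count is now taken only inside `if [ $? -ne 0 ]`, so (as the new side reads on this rendered page) a successful `$OPENSSL ciphers -V "$PFSOK"` that yields only one or two local ciphers skips the `CLIENT_MIN_PFS` check that the earlier `|| ... -lt 3` condition applied. The scan then judges the server's PFS support from a client that can barely offer any, and the result can read as a server finding when it is really a local limitation. Since stderr now goes to /dev/null, a failed call presumably leaves $TMPFILE empty, so the outer test could be dropped and the count run unconditionally: `number_pfs=$(wc -l < "$TMPFILE")` followed by `if [ "$number_pfs" -le "$CLIENT_MIN_PFS" ]; then`. Also, `-le` rejects a client with exactly 5 ciphers while the comment on CLIENT_MIN_PFS says 5 are needed; `-lt` would match the comment. pfs() starts and ends outside the hunk.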