mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-01 06:19:44 +01:00
Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev
commit
d7a1236e9b
@ -1,7 +1,7 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "TESTSSL" "1" "December 2017" "" ""
|
||||
.TH "TESTSSL" "1" "January 2018" "" ""
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBtestssl\fR
|
||||
@ -25,7 +25,7 @@ testssl\.sh is a free command line tool which checks a server\'s service on any
|
||||
The output rates findings by color (screen) or severity (file output) so that you are able to tell whether something is good or bad\. The (screen) output has several sections in which classes of checks are being performed\. To ease readability on the screen it aligns and indents the output properly\.
|
||||
.
|
||||
.P
|
||||
Except DNS lookups it doesn\'t use any third parties for checks, it\'s only you who sees the result and you also can use it internally on your LAN\.
|
||||
Only you see the result\. You also can use it internally on your LAN\. Except DNS lookups it doesn\'t use any other hosts or even third parties for checks\.
|
||||
.
|
||||
.P
|
||||
It is out of the box pretty much portable: testssl\.sh runs under any Unix\-like stack (Linux, *BSD, MacOS X, WSL=bash on Windows, Cygwin and MSYS2)\. \fBbash\fR (also version 3 is still supported) is a prerequisite as well as standard utilities like awk, sed, tr and head\. This can be of BSD, System 5 or GNU flavor whereas grep from System V is not yet supported\.
|
||||
@ -64,7 +64,7 @@ It is out of the box pretty much portable: testssl\.sh runs under any Unix\-like
|
||||
9) client simulation
|
||||
.
|
||||
.SH "OPTIONS AND PARAMETERS"
|
||||
Options are either short or long options\. All options requiring a value can be called with or without an equal sign \'=\' e\.g\. \fBtestssl\.sh \-t=smtp \-\-wide \-\-openssl=/usr/bin/openssl <URI>\fR is equivalent to \fBtestssl\.sh \-\-starttls smtp \-\-wide \-\-openssl /usr/bin/openssl <URI>\fR\. Some command line options can also be preset via ENV variables\. \fBWIDE=true OPENSSL=/usr/bin/openssl testssl\.sh \-\-starttls smtp <URI>\fR would be the equivalent to the aforementioned examples\. Preference has the command line over any environment variables\.
|
||||
Options are either short or long options\. Any option requiring a value can be called with or without an equal sign \'=\' e\.g\. \fBtestssl\.sh \-t=smtp \-\-wide \-\-openssl=/usr/bin/openssl <URI>\fR (short option with equal sign) is equivalent to \fBtestssl\.sh \-\-starttls smtp \-\-wide \-\-openssl /usr/bin/openssl <URI>\fR (long option without equal sign)\. Some command line options can also be preset via ENV variables\. \fBWIDE=true OPENSSL=/usr/bin/openssl testssl\.sh \-\-starttls=smtp <URI>\fR would be the equivalent to the aforementioned examples\. Preference has the command line over any environment variables\.
|
||||
.
|
||||
.P
|
||||
\fB<URI>\fR or \fB\-\-file <FILE>\fR always needs to be the last parameter\.
|
||||
@ -134,7 +134,7 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
|
||||
\fB\-\-proxy <host>:<port>\fR does the whole check via the specified HTTP proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. Proxying via IPv6 addresses is not possible\. The hostname supplied will only be resolved to the first A record\. Authentication to the proxy is not supported\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\.
|
||||
.
|
||||
.P
|
||||
\fB\-6\fR does (also) IPv6 checks\. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity\. testssl\.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fBHAS_IPv6\fR is the respective environment variable\.
|
||||
\fB\-6\fR does (also) IPv6 checks\. Please note if a supplied URI resolves (also) to an IPv6 address that testssl\.sh doesn\'t do checks on an IPv6 address automatically\. This is because testssl\.sh does no connectivity checks for IPv6\. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fB\-6\fR assumes both is the case\. If both conditions are met and you want in general enable IPv6 tests you might as well add \fBHAS_IPv6\fR to your shell environment\.
|
||||
.
|
||||
.P
|
||||
\fB\-\-ssl\-native\fR instead of using a mixture of bash sockets and openssl s_client connects testssl\.sh uses the latter only\. This is at the moment faster but provides less accurate results, especially in the client simulation and if the openssl binary lacks cipher support\. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl\.sh internally can tell if one check cannot be performed or will give you inaccurate results\. For e\.g\. single cipher checks (\fB\-\-each\-cipher\fR and \fB\-\-cipher\-per\-proto\fR) you might end up getting false negatives without a warning\.
|
||||
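Review bot: The last sentence of the rewritten -6 paragraph tells the reader to add HAS_IPv6 to the shell environment but never says which value to set, while the other presets in this page are given with their value (NODNS=true, DNS_VIA_PROXY=true). Please state the value. The wording also needs a pass: "assumes both is the case" should be "assumes both are the case", and "you want in general enable IPv6 tests" is missing "to". The same paragraph recurs in the HTML and Markdown copies further down this diff.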
@ -146,7 +146,7 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
|
||||
\fB\-\-bugs\fR does some workarounds for buggy servers like padding for old F5 devices\. The option is passed as \fB\-bug\fR to openssl when needed, see \fBs_client(1)\fR\. For the socket part testssl\.sh tries its best also without that option to cope with broken server implementations (environment preset via \fBBUGS="\-bugs"\fR)
|
||||
.
|
||||
.P
|
||||
\fB\-\-assuming\-http\fR testssl\.sh does upfront a protocol detection on the application layer\. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option\. It tells testssl\.sh not to skip HTTP specific tests and to run the client simulation with browsers\. Sometimes also the severity depends on the application protocol, e\.g\. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server\.
|
||||
\fB\-\-assuming\-http\fR testssl\.sh does upfront an application protocol detection\. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option\. It tells testssl\.sh not to skip HTTP specific tests and to run the client simulation with browsers\. Sometimes also the severity depends on the application protocol, e\.g\. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-n, \-\-no\-dns\fR instructs testssl\.sh to not do any DNS lookups\. This is useful if you either can\'t or are not willing to perform DNS lookups\. The latter applies e\.g\. to some pentests, the former could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS=true\fR has the same effect\.
|
||||
@ -195,7 +195,7 @@ Any single check switch supplied as an argument prevents testssl\.sh from doing
|
||||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
\fB\-p, \-\-protocols\fR checks TLS/SSL protocols SSLv2, SSLv3, TLS 1\.0 \- TLS1\.2 and for HTTP: SPDY (NPN) and ALPN, a\.k\.a\. HTTP/2
|
||||
\fB\-p, \-\-protocols\fR checks TLS/SSL protocols SSLv2, SSLv3, TLS 1\.0 \- TLS 1\.3 and for HTTP: SPDY (NPN) and ALPN, a\.k\.a\. HTTP/2\. For TLS 1\.3 several drafts (18\-23) and TLS 1\.3 final are suuported\.
|
||||
.
|
||||
.P
|
||||
\fB\-P, \-\-preference\fR displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher\. If there\'s a cipher order enforced by the server it displays it for each protocol (openssl+sockets)\. If there\'s not, it displays instead which ciphers from the server were picked with each protocol (by using openssl only)
|
||||
|
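Review bot: Typo in the new last sentence of the -p, --protocols entry: "suuported" should be "supported". The misspelling is carried into the HTML and Markdown copies of the same sentence later in this diff, so it is best fixed at the source and the generated files rebuilt.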
@ -98,9 +98,13 @@
|
||||
|
||||
<p>The output rates findings by color (screen) or severity (file output) so that you are able to tell whether something is good or bad. The (screen) output has several sections in which classes of checks are being performed. To ease readability on the screen it aligns and indents the output properly.</p>
|
||||
|
||||
<p>Except DNS lookups it doesn't use any third parties for checks, it's only you who sees the result and you also can use it internally on your LAN.</p>
|
||||
<p>Only you see the result. You also can use it internally on your LAN. Except DNS lookups it doesn't use any other hosts or even third parties for checks.</p>
|
||||
|
||||
<p>It is out of the box pretty much portable: testssl.sh runs under any Unix-like stack (Linux, *BSD, MacOS X, WSL=bash on Windows, Cygwin and MSYS2). <code>bash</code> (also version 3 is still supported) is a prerequisite as well as standard utilities like awk, sed, tr and head. This can be of BSD, System 5 or GNU flavor whereas grep from System V is not yet supported.</p>
|
||||
<p>It is out of the box pretty much portable: testssl.sh runs under any Unix-like
|
||||
stack (Linux, *BSD, MacOS X, WSL=bash on Windows, Cygwin and MSYS2). <code>bash</code>
|
||||
(also version 3 is still supported) is a prerequisite as well as standard
|
||||
utilities like awk, sed, tr and head. This can be of BSD, System 5 or GNU
|
||||
flavor whereas grep from System V is not yet supported.</p>
|
||||
|
||||
<h2 id="GENERAL">GENERAL</h2>
|
||||
|
||||
@ -128,7 +132,7 @@
|
||||
|
||||
<h2 id="OPTIONS-AND-PARAMETERS">OPTIONS AND PARAMETERS</h2>
|
||||
|
||||
<p>Options are either short or long options. All options requiring a value can be called with or without an equal sign '=' e.g. <code>testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI></code> is equivalent to <code>testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl <URI></code>. Some command line options can also be preset via ENV variables. <code>WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls smtp <URI></code> would be the equivalent to the aforementioned examples. Preference has the command line over any environment variables.</p>
|
||||
<p>Options are either short or long options. Any option requiring a value can be called with or without an equal sign '=' e.g. <code>testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI></code> (short option with equal sign) is equivalent to <code>testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl <URI></code> (long option without equal sign). Some command line options can also be preset via ENV variables. <code>WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls=smtp <URI></code> would be the equivalent to the aforementioned examples. Preference has the command line over any environment variables.</p>
|
||||
|
||||
<p><code><URI></code> or <code>--file <FILE></code> always needs to be the last parameter.</p>
|
||||
|
||||
@ -181,7 +185,7 @@ host.example.com:631
|
||||
|
||||
<p><code>--proxy <host>:<port></code> does the whole check via the specified HTTP proxy. <code>--proxy=auto</code> inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify <code>DNS_VIA_PROXY=true</code>.</p>
|
||||
|
||||
<p><code>-6</code> does (also) IPv6 checks. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. <code>HAS_IPv6</code> is the respective environment variable.</p>
|
||||
<p><code>-6</code> does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. <code>-6</code> assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add <code>HAS_IPv6</code> to your shell environment.</p>
|
||||
|
||||
<p><code>--ssl-native</code> instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client
|
||||
simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (<code>--each-cipher</code> and <code>--cipher-per-proto</code>) you might end up getting false negatives without a warning.</p>
|
||||
@ -190,7 +194,7 @@ host.example.com:631
|
||||
|
||||
<p><code>--bugs</code> does some workarounds for buggy servers like padding for old F5 devices. The option is passed as <code>-bug</code> to openssl when needed, see <code>s_client(1)</code>. For the socket part testssl.sh tries its best also without that option to cope with broken server implementations (environment preset via <code>BUGS="-bugs"</code>)</p>
|
||||
|
||||
<p><code>--assuming-http</code> testssl.sh does upfront a protocol detection on the application layer. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.</p>
|
||||
<p><code>--assuming-http</code> testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.</p>
|
||||
|
||||
<ul>
|
||||
<li><p><code>-n, --no-dns</code> instructs testssl.sh to not do any DNS lookups. This is useful if you either can't or are not willing to perform DNS lookups. The latter applies e.g. to some pentests, the former could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS=true</code> has the same effect.</p></li>
|
||||
@ -220,7 +224,7 @@ host.example.com:631
|
||||
</ul>
|
||||
|
||||
|
||||
<p><code>-p, --protocols</code> checks TLS/SSL protocols SSLv2, SSLv3, TLS 1.0 - TLS1.2 and for HTTP: SPDY (NPN) and ALPN, a.k.a. HTTP/2</p>
|
||||
<p><code>-p, --protocols</code> checks TLS/SSL protocols SSLv2, SSLv3, TLS 1.0 - TLS 1.3 and for HTTP: SPDY (NPN) and ALPN, a.k.a. HTTP/2. For TLS 1.3 several drafts (18-23) and TLS 1.3 final are suuported.</p>
|
||||
|
||||
<p><code>-P, --preference</code> displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol (by using openssl only)</p>
|
||||
|
||||
@ -519,7 +523,7 @@ to create the hashes for HPKP.</li>
|
||||
|
||||
<ol class='man-decor man-foot man foot'>
|
||||
<li class='tl'></li>
|
||||
<li class='tc'>December 2017</li>
|
||||
<li class='tc'>January 2018</li>
|
||||
<li class='tr'>testssl(1)</li>
|
||||
</ol>
|
||||
|
||||
|
@ -17,9 +17,13 @@ testssl.sh is a free command line tool which checks a server's service on any po
|
||||
|
||||
The output rates findings by color (screen) or severity (file output) so that you are able to tell whether something is good or bad. The (screen) output has several sections in which classes of checks are being performed. To ease readability on the screen it aligns and indents the output properly.
|
||||
|
||||
Except DNS lookups it doesn't use any third parties for checks, it's only you who sees the result and you also can use it internally on your LAN.
|
||||
Only you see the result. You also can use it internally on your LAN. Except DNS lookups it doesn't use any other hosts or even third parties for checks.
|
||||
|
||||
It is out of the box pretty much portable: testssl.sh runs under any Unix-like stack (Linux, *BSD, MacOS X, WSL=bash on Windows, Cygwin and MSYS2). `bash` (also version 3 is still supported) is a prerequisite as well as standard utilities like awk, sed, tr and head. This can be of BSD, System 5 or GNU flavor whereas grep from System V is not yet supported.
|
||||
It is out of the box pretty much portable: testssl.sh runs under any Unix-like
|
||||
stack (Linux, *BSD, MacOS X, WSL=bash on Windows, Cygwin and MSYS2). `bash`
|
||||
(also version 3 is still supported) is a prerequisite as well as standard
|
||||
utilities like awk, sed, tr and head. This can be of BSD, System 5 or GNU
|
||||
flavor whereas grep from System V is not yet supported.
|
||||
|
||||
|
||||
## GENERAL
|
||||
@ -46,9 +50,10 @@ It is out of the box pretty much portable: testssl.sh runs under any Unix-like s
|
||||
|
||||
9) client simulation
|
||||
|
||||
|
||||
## OPTIONS AND PARAMETERS
|
||||
|
||||
Options are either short or long options. All options requiring a value can be called with or without an equal sign '=' e.g. `testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>` is equivalent to `testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl <URI>`. Some command line options can also be preset via ENV variables. `WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls smtp <URI>` would be the equivalent to the aforementioned examples. Preference has the command line over any environment variables.
|
||||
Options are either short or long options. Any option requiring a value can be called with or without an equal sign '=' e.g. `testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>` (short option with equal sign) is equivalent to `testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl <URI>` (long option without equal sign). Some command line options can also be preset via ENV variables. `WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls=smtp <URI>` would be the equivalent to the aforementioned examples. Preference has the command line over any environment variables.
|
||||
|
||||
`<URI>` or `--file <FILE>` always needs to be the last parameter.
|
||||
|
||||
@ -103,7 +108,7 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r
|
||||
|
||||
`--proxy <host>:<port>` does the whole check via the specified HTTP proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`.
|
||||
|
||||
`-6` does (also) IPv6 checks. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `HAS_IPv6` is the respective environment variable.
|
||||
`-6` does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `-6` assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add `HAS_IPv6` to your shell environment.
|
||||
|
||||
`--ssl-native` instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client
|
||||
simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (`--each-cipher` and `--cipher-per-proto`) you might end up getting false negatives without a warning.
|
||||
@ -112,7 +117,7 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r
|
||||
|
||||
`--bugs` does some workarounds for buggy servers like padding for old F5 devices. The option is passed as `-bug` to openssl when needed, see `s_client(1)`. For the socket part testssl.sh tries its best also without that option to cope with broken server implementations (environment preset via `BUGS="-bugs"`)
|
||||
|
||||
`--assuming-http` testssl.sh does upfront a protocol detection on the application layer. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
|
||||
`--assuming-http` testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
|
||||
|
||||
|
||||
* `-n, --no-dns` instructs testssl.sh to not do any DNS lookups. This is useful if you either can't or are not willing to perform DNS lookups. The latter applies e.g. to some pentests, the former could e.g. help you to avoid timeouts by DNS lookups. `NODNS=true` has the same effect.
|
||||
@ -141,7 +146,7 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
|
||||
* `Strong grade Ciphers` (AEAD): 'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM'
|
||||
|
||||
|
||||
`-p, --protocols` checks TLS/SSL protocols SSLv2, SSLv3, TLS 1.0 - TLS1.2 and for HTTP: SPDY (NPN) and ALPN, a.k.a. HTTP/2
|
||||
`-p, --protocols` checks TLS/SSL protocols SSLv2, SSLv3, TLS 1.0 - TLS 1.3 and for HTTP: SPDY (NPN) and ALPN, a.k.a. HTTP/2. For TLS 1.3 several drafts (18-23) and TLS 1.3 final are suuported.
|
||||
|
||||
`-P, --preference` displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol (by using openssl only)
|
||||
|
||||
|
105
testssl.sh
@ -6042,6 +6042,38 @@ get_server_certificate() {
|
||||
local success
|
||||
local npn_params="" line
|
||||
|
||||
if [[ "$1" =~ "-cipher tls1_3" ]]; then
|
||||
[[ $(has_server_protocol "tls1_3") -eq 1 ]] && return 1
|
||||
if "$HAS_TLS13"; then
|
||||
if [[ "$1" =~ "-cipher tls1_3_RSA" ]]; then
|
||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tls1_3 -tlsextdebug -status -sigalgs PSS+SHA256:PSS+SHA384") </dev/null 2>$ERRFILE >$TMPFILE
|
||||
elif [[ "$1" =~ "-cipher tls1_3_ECDSA" ]]; then
|
||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -showcerts -connect $NODEIP:$PORT $PROXY $SNI -tls1_3 -tlsextdebug -status -sigalgs ECDSA+SHA256:ECDSA+SHA384") </dev/null 2>$ERRFILE >$TMPFILE
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
sclient_connect_successful $? $TMPFILE || return 1
|
||||
DETECTED_TLS_VERSION="0304"
|
||||
extract_certificates "tls1_3"
|
||||
success=$?
|
||||
else
|
||||
if [[ "$1" =~ "-cipher tls1_3_RSA" ]]; then
|
||||
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
|
||||
elif [[ "$1" =~ "-cipher tls1_3_ECDSA" ]]; then
|
||||
tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,0a,00,08,04,03,05,03,06,03,02,03"
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
success=$?
|
||||
[[ $success -eq 0 ]] || return 1
|
||||
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
|
||||
fi
|
||||
[[ $success -eq 0 ]] && add_tls_offered tls1_3 yes
|
||||
extract_new_tls_extensions $TMPFILE
|
||||
tmpfile_handle $FUNCNAME.txt
|
||||
return $success
|
||||
fi
|
||||
|
||||
"$HAS_SPDY" && [[ -z "$STARTTLS" ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\""
|
||||
|
||||
if [[ -n "$2" ]]; then
|
||||
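Review bot: The two TLS 1.3 branches of get_server_certificate() do not advertise the same signature algorithms, so the result can depend on whether the local openssl has TLS 1.3. With "$HAS_TLS13" the RSA case passes -sigalgs PSS+SHA256:PSS+SHA384, but the tls_sockets case sends 08,04,08,05,08,06,04,01,05,01,06,01,02,01, which adds PSS with SHA-512 plus PKCS#1 v1.5 with SHA-256/384/512 and SHA-1. The ECDSA case likewise adds 06,03 and 02,03 on the socket side only. Either align the two lists or add a comment saying why they differ. Also, the socket branch accepts only a return of 0 from tls_sockets ("[[ $success -eq 0 ]] || return 1") while the other callers in this patch accept 0 or 2; if that is deliberate, a one-line comment would make it clear.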
@ -6306,6 +6338,7 @@ certificate_transparency() {
|
||||
local sni=""
|
||||
local ciphers=""
|
||||
local hexc n ciph sslver kx auth enc mac export
|
||||
local extra_extns=""
|
||||
local -i success
|
||||
|
||||
# First check whether signed certificate timestamps (SCT) are included in the
|
||||
@ -6331,13 +6364,24 @@ certificate_transparency() {
|
||||
fi
|
||||
|
||||
if [[ $number_of_certificates -gt 1 ]] && ! "$SSL_NATIVE"; then
|
||||
while read hexc n ciph sslver kx auth enc mac export; do
|
||||
if [[ ${#hexc} -eq 9 ]]; then
|
||||
ciphers+=", ${hexc:2:2},${hexc:7:2}"
|
||||
if [[ "$tls_version" == "0304" ]]; then
|
||||
ciphers=", 13,01, 13,02, 13,03, 13,04, 13,05"
|
||||
if [[ "$cipher" == "tls1_3_RSA" ]]; then
|
||||
extra_extns=", 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
|
||||
elif [[ "$cipher" == "tls1_3_ECDSA" ]]; then
|
||||
extra_extns=", 00,0d,00,0a,00,08,04,03,05,03,06,03,02,03"
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
done < <($OPENSSL ciphers -V $cipher 2>>$ERRFILE)
|
||||
else
|
||||
while read hexc n ciph sslver kx auth enc mac export; do
|
||||
if [[ ${#hexc} -eq 9 ]]; then
|
||||
ciphers+=", ${hexc:2:2},${hexc:7:2}"
|
||||
fi
|
||||
done < <($OPENSSL ciphers -V $cipher 2>>$ERRFILE)
|
||||
fi
|
||||
[[ -z "$sni_used" ]] && sni="$SNI" && SNI=""
|
||||
tls_sockets "${tls_version:2:2}" "${ciphers:2}" "all" "00,12,00,00"
|
||||
tls_sockets "${tls_version:2:2}" "${ciphers:2}" "all" "00,12,00,00$extra_extns"
|
||||
success=$?
|
||||
[[ -z "$sni_used" ]] && SNI="$sni"
|
||||
if ( [[ $success -eq 0 ]] || [[ $success -eq 2 ]] ) && \
|
||||
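Review bot: The signature_algorithms byte strings assigned to extra_extns in the "0304" branch are verbatim copies of the literals passed to tls_sockets in get_server_certificate() earlier in this patch, and the cipher list ", 13,01, 13,02, 13,03, 13,04, 13,05" is another unexplained literal. Please move them into named read-only variables (one for the RSA list, one for the ECDSA list, one for the TLS 1.3 ciphers) so both functions stay in sync, and add a comment naming the extension (00,0d) and the schemes it lists.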
@ -6527,7 +6571,7 @@ certificate_info() {
|
||||
case $cert_key_algo in
|
||||
*RSA*|*rsa*) out "RSA ";;
|
||||
*DSA*|*dsa*) out "DSA ";;
|
||||
*ecdsa*|*ecPublicKey) out "ECDSA ";;
|
||||
*ecdsa*|*ecPublicKey) out "EC ";;
|
||||
*GOST*|*gost*) out "GOST ";;
|
||||
*dh*|*DH*) out "DH " ;;
|
||||
*) pr_fixme "don't know $cert_key_algo " ;;
|
||||
@ -7128,23 +7172,26 @@ run_server_defaults() {
|
||||
ciphers_to_test[5]="aECDH"
|
||||
ciphers_to_test[6]="aECDSA"
|
||||
ciphers_to_test[7]="aGOST"
|
||||
ciphers_to_test[8]="tls1_3_RSA"
|
||||
ciphers_to_test[9]="tls1_3_ECDSA"
|
||||
certificate_type[1]="RSASig" ; certificate_type[2]="RSAKMK"
|
||||
certificate_type[3]="DSA"; certificate_type[4]="DH"
|
||||
certificate_type[5]="ECDH" ; certificate_type[6]="ECDSA"
|
||||
certificate_type[7]="GOST"
|
||||
certificate_type[7]="GOST" ; certificate_type[8]="RSASig"
|
||||
certificate_type[9]="ECDSA"
|
||||
|
||||
for (( n=1; n <= 14 ; n++ )); do
|
||||
for (( n=1; n <= 16 ; n++ )); do
|
||||
# Some servers use a different certificate if the ClientHello
|
||||
# specifies TLSv1.1 and doesn't include a server name extension.
|
||||
# So, for each public key type for which a certificate was found,
|
||||
# try again, but only with TLSv1.1 and without SNI.
|
||||
if [[ $n -ge 8 ]]; then
|
||||
if [[ $n -ge 10 ]]; then
|
||||
ciphers_to_test[n]=""
|
||||
[[ ${success[n-7]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-7]}" && certificate_type[n]="${certificate_type[n-7]}"
|
||||
[[ ${success[n-9]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}"
|
||||
fi
|
||||
|
||||
if [[ -n "${ciphers_to_test[n]}" ]] && [[ $(count_ciphers $($OPENSSL ciphers "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]]; then
|
||||
if [[ $n -ge 8 ]]; then
|
||||
if [[ -n "${ciphers_to_test[n]}" ]] && ( [[ "${ciphers_to_test[n]}" =~ "tls1_3" ]] || [[ $(count_ciphers $($OPENSSL ciphers "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]] ); then
|
||||
if [[ $n -ge 10 ]]; then
|
||||
sni="$SNI"
|
||||
SNI=""
|
||||
get_server_certificate "-cipher ${ciphers_to_test[n]}" "tls1_1"
|
||||
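Review bot: The loop bound and offset in run_server_defaults() are now inconsistent with the comment above them unless the reader works out the arithmetic. There are nine entries in ciphers_to_test, the retry uses index n-9, but the loop stops at n=16, so only entries 1 to 7 are retried with TLSv1.1 and no SNI and the two tls1_3_* entries never are. That looks intended, since a TLS 1.3 request cannot be repeated as "tls1_1", but the comment still says "for each public key type". Please add a line explaining why the bound is 16 rather than 18, and consider deriving 10, 9 and 16 from the array size instead of repeating them in the later hunks.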
@ -7154,8 +7201,8 @@ run_server_defaults() {
|
||||
get_server_certificate "-cipher ${ciphers_to_test[n]}"
|
||||
success[n]=$?
|
||||
fi
|
||||
if [[ ${success[n]} -eq 0 ]]; then
|
||||
[[ $n -ge 8 ]] && [[ ! -e $HOSTCERT.nosni ]] && cp $HOSTCERT $HOSTCERT.nosni
|
||||
if [[ ${success[n]} -eq 0 ]] && [[ -s "$HOSTCERT" ]]; then
|
||||
[[ $n -ge 10 ]] && [[ ! -e $HOSTCERT.nosni ]] && cp $HOSTCERT $HOSTCERT.nosni
|
||||
cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE
|
||||
>$ERRFILE
|
||||
if [[ -z "$sessticket_lifetime_hint" ]]; then
|
||||
@ -7173,7 +7220,7 @@ run_server_defaults() {
|
||||
fi
|
||||
i=$((i + 1))
|
||||
done
|
||||
if ! "$match_found" && [[ $n -ge 8 ]] && [[ $certs_found -ne 0 ]]; then
|
||||
if ! "$match_found" && [[ $n -ge 10 ]] && [[ $certs_found -ne 0 ]]; then
|
||||
# A new certificate was found using TLSv1.1 without SNI.
|
||||
# Check to see if the new certificate should be displayed.
|
||||
# It should be displayed if it is either a match for the
|
||||
@ -7224,7 +7271,7 @@ run_server_defaults() {
|
||||
ocsp_response_status[certs_found]=$(grep -a "OCSP Response Status" $TMPFILE)
|
||||
previous_hostcert[certs_found]=$newhostcert
|
||||
previous_intermediates[certs_found]=$(cat $TEMPDIR/intermediatecerts.pem)
|
||||
[[ $n -ge 8 ]] && sni_used[certs_found]="" || sni_used[certs_found]="$SNI"
|
||||
[[ $n -ge 10 ]] && sni_used[certs_found]="" || sni_used[certs_found]="$SNI"
|
||||
tls_version[certs_found]="$DETECTED_TLS_VERSION"
|
||||
previous_hostcert_type[certs_found]=" ${certificate_type[n]}"
|
||||
else
|
||||
@ -7358,7 +7405,29 @@ run_server_defaults() {
|
||||
|
||||
if [[ -n "$SNI" ]] && [[ $certs_found -ne 0 ]] && [[ ! -e $HOSTCERT.nosni ]]; then
|
||||
# no cipher suites specified here. We just want the default vhost subject
|
||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
||||
if ! "$HAS_TLS13" && [[ $(has_server_protocol "tls1_3") -eq 0 ]]; then
|
||||
sni="$SNI" ; SNI=""
|
||||
mv $HOSTCERT $HOSTCERT.save
|
||||
# Send same list of cipher suites as OpenSSL 1.1.1 sends (but with
|
||||
# all 5 TLSv1.3 ciphers offered.
|
||||
tls_sockets "04" \
|
||||
"c0,2c, c0,30, 00,9f, cc,a9, cc,a8, cc,aa, c0,2b, c0,2f,
|
||||
00,9e, c0,24, c0,28, 00,6b, c0,23, c0,27, 00,67, c0,0a,
|
||||
c0,14, 00,39, c0,09, c0,13, 00,33, 00,9d, 00,9c, 13,02,
|
||||
13,03, 13,01, 13,04, 13,05, 00,3d, 00,3c, 00,35, 00,2f,
|
||||
00,ff" \
|
||||
"all"
|
||||
success[0]=$?
|
||||
if [[ ${success[0]} -eq 0 ]] || [[ ${success[0]} -eq 2 ]]; then
|
||||
mv $HOSTCERT $HOSTCERT.nosni
|
||||
else
|
||||
echo "" > $HOSTCERT.nosni
|
||||
fi
|
||||
mv $HOSTCERT.save $HOSTCERT
|
||||
SNI="$sni"
|
||||
else
|
||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
||||
fi
|
||||
fi
|
||||
|
||||
for (( i=1; i <= certs_found; i++ )); do
|
||||
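Review bot: In the new tls_sockets branch, the failure path writes echo "" > $HOSTCERT.nosni, which leaves a one-byte file containing a newline, whereas the s_client/awk path in the else branch leaves a zero-byte file when no certificate is returned. Any later size test on $HOSTCERT.nosni will then behave differently depending on which branch ran; truncating with ">$HOSTCERT.nosni" would keep both paths equivalent. Smaller points: the comment "(but with all 5 TLSv1.3 ciphers offered." is missing its closing parenthesis, and the $HOSTCERT paths in the three mv commands are unquoted.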
@ -11179,7 +11248,7 @@ resend_if_hello_retry_request() {
|
||||
part2=$j+3
|
||||
len_extn=3*$(hex2dec "${extra_extensions:j:2}${extra_extensions:part2:2}")
|
||||
if [[ "$extn_type" != "00$KEY_SHARE_EXTN_NR" ]] && [[ "$extn_type" != "002c" ]]; then
|
||||
j=12+$len_extn
|
||||
j=11+$len_extn
|
||||
new_extra_extns+=",${extra_extensions:i:j}"
|
||||
fi
|
||||
done
|
||||
|
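Review bot: The change from j=12+$len_extn to j=11+$len_extn in resend_if_hello_retry_request() has no comment explaining the constant. Judging from the visible lines, the extension string uses three characters per byte, so the four header bytes take 11 characters without a trailing comma and 12 would carry a stray comma into new_extra_extns; please say so in a comment. It would also read more clearly if j were not reused: it is an offset in "${extra_extensions:j:2}" and then a length in "${extra_extensions:i:j}".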