mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-01 06:19:44 +01:00
- filled PROTOS_OFFERED w sense
- minor fixes for fileout - introduced "fixme()"
This commit is contained in:
Dirk
parent
8ed6214b6f
commit
d858edca1b
66
testssl.sh
66
testssl.sh
@ -324,14 +324,14 @@ pr_liteblueln() { pr_liteblue "$1"; outln; }
|
||||
pr_blue() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;32m$1" || out "\033[1;34m$1" ) || out "$1"; pr_off; } # used for head lines of single tests
|
||||
pr_blueln() { pr_blue "$1"; outln; }
|
||||
|
||||
pr_warning() { [[ "$COLOR" -eq 2 ]] && out "\033[0;35m$1" || pr_underline "$1"; pr_off; } # litemagentai | local problem: one test cannot be done
|
||||
pr_warningln() { pr_warning "$1"; outln; }
|
||||
pr_magenta() { [[ "$COLOR" -eq 2 ]] && out "\033[1;35m$1" || pr_underline "$1"; pr_off; } # Fatal error: quitting because of this!
|
||||
pr_warning() { [[ "$COLOR" -eq 2 ]] && out "\033[0;35m$1" || pr_underline "$1"; pr_off; } # some local problem: one test cannot be done
|
||||
pr_warningln() { pr_warning "$1"; outln; } # litemagenya
|
||||
pr_magenta() { [[ "$COLOR" -eq 2 ]] && out "\033[1;35m$1" || pr_underline "$1"; pr_off; } # fatal error: quitting because of this!
|
||||
pr_magentaln() { pr_magenta "$1"; outln; }
|
||||
|
||||
pr_litecyan() { [[ "$COLOR" -eq 2 ]] && out "\033[0;36m$1" || out "$1"; pr_off; } # not yet used
|
||||
pr_litecyan() { [[ "$COLOR" -eq 2 ]] && out "\033[0;36m$1" || out "$1"; pr_off; } # not yet used
|
||||
pr_litecyanln() { pr_litecyan "$1"; outln; }
|
||||
pr_cyan() { [[ "$COLOR" -eq 2 ]] && out "\033[1;36m$1" || out "$1"; pr_off; } # additional hint
|
||||
pr_cyan() { [[ "$COLOR" -eq 2 ]] && out "\033[1;36m$1" || out "$1"; pr_off; } # additional hint
|
||||
pr_cyanln() { pr_cyan "$1"; outln; }
|
||||
|
||||
pr_litegreyln() { pr_litegrey "$1"; outln; }
|
||||
@ -375,8 +375,11 @@ pr_headlineln() { pr_headline "$1" ; outln; }
|
||||
pr_squoted() { out "'$1'"; }
|
||||
pr_dquoted() { out "\"$1\""; }
|
||||
|
||||
local_problem_ln() { pr_warningln "Local problem: $1"; }
|
||||
local_problem() { pr_warning "Local problem: $1"; }
|
||||
local_problem_ln() { pr_warningln "Local problem: $1"; }
|
||||
|
||||
fixme() { pr_warning "fixme: $1"; }
|
||||
fixme() { pr_warningln "fixme: $1"; }
|
||||
|
||||
### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
|
||||
### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html
|
||||
@ -642,17 +645,17 @@ runs_HTTP() {
|
||||
*) if $CLIENT_AUTH; then
|
||||
out "certificate based authentication => skipping all HTTP checks"
|
||||
echo "certificate based authentication => skipping all HTTP checks" >$TMPFILE
|
||||
fileout "client_auth" "WARN" "certificate based authentication => skipping all HTTP checks"
|
||||
fileout "client_auth" "INFO" "certificate based authentication => skipping all HTTP checks"
|
||||
else
|
||||
out " Couldn't determine what's running on port $PORT"
|
||||
if $ASSUMING_HTTP; then
|
||||
SERVICE=HTTP
|
||||
out " -- ASSUMING_HTTP set though"
|
||||
fileout "service" "WARN" "Couldn't determine service, --ASSUMING_HTTP set"
|
||||
fileout "service" "DEBUG" "Couldn't determine service, --ASSUMING_HTTP set"
|
||||
ret=0
|
||||
else
|
||||
out ", assuming no HTTP service => skipping all HTTP checks"
|
||||
fileout "service" "WARN" "Couldn't determine service, skipping all HTTP checks"
|
||||
fileout "service" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
|
||||
ret=1
|
||||
fi
|
||||
fi
|
||||
@ -1011,7 +1014,7 @@ run_hpkp() {
|
||||
out "\n$spaces"
|
||||
pr_svrty_high " No matching key for pins found "
|
||||
out "(CAs pinned? -- not checked for yet)"
|
||||
fileout "hpkp_keymatch" "WARN" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this"
|
||||
fileout "hpkp_keymatch" "DEBUG" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this"
|
||||
fi
|
||||
else
|
||||
out "--"
|
||||
@ -2217,6 +2220,12 @@ run_prototest_openssl() {
|
||||
# 7: no local support
|
||||
}
|
||||
|
||||
# idempotent function to add SSL/TLS protocols. It should ease testing
|
||||
# PROTOS_OFFERED's content is in openssl terminology
|
||||
add_tls_offered() {
|
||||
grep -w "$1" <<< "$PROTOS_OFFERED" || PROTOS_OFFERED+="$1 "
|
||||
}
|
||||
|
||||
|
||||
# the protocol check needs to be revamped. It sucks, see above
|
||||
run_protocols() {
|
||||
@ -2256,6 +2265,7 @@ run_protocols() {
|
||||
0)
|
||||
pr_svrty_criticalln "offered (NOT ok)"
|
||||
fileout "sslv2" "NOT ok" "SSLv2 is offered (NOT ok)"
|
||||
add_tls_offered "ssl2"
|
||||
;;
|
||||
1)
|
||||
pr_done_bestln "not offered (OK)"
|
||||
@ -2264,6 +2274,7 @@ run_protocols() {
|
||||
5)
|
||||
pr_svrty_high "CVE-2015-3197: $supported_no_ciph2";
|
||||
fileout "sslv2" "WARN" "CVE-2015-3197: SSLv2 is $supported_no_ciph2"
|
||||
add_tls_offered "ssl2"
|
||||
;;
|
||||
7)
|
||||
fileout "sslv2" "INFO" "SSLv2 is not tested due to lack of local support"
|
||||
@ -2281,6 +2292,7 @@ run_protocols() {
|
||||
0)
|
||||
pr_svrty_highln "offered (NOT ok)"
|
||||
fileout "sslv3" "NOT ok" "SSLv3 is offered (NOT ok)"
|
||||
add_tls_offered "ssl3"
|
||||
;;
|
||||
1)
|
||||
pr_done_bestln "not offered (OK)"
|
||||
@ -2294,7 +2306,8 @@ run_protocols() {
|
||||
fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1"
|
||||
pr_svrty_high "$supported_no_ciph2"
|
||||
outln "(may need debugging)"
|
||||
;; # protocol ok, but no cipher
|
||||
add_tls_offered "ssl3"
|
||||
;;
|
||||
7)
|
||||
fileout "sslv3" "INFO" "SSLv3 is not tested due to lack of local support"
|
||||
;; # no local support
|
||||
@ -2310,6 +2323,7 @@ run_protocols() {
|
||||
0)
|
||||
outln "offered"
|
||||
fileout "tls1" "INFO" "TLSv1.0 is offered"
|
||||
add_tls_offered "tls1"
|
||||
;; # nothing wrong with it -- per se
|
||||
1)
|
||||
outln "not offered"
|
||||
@ -2320,10 +2334,12 @@ run_protocols() {
|
||||
[[ $DEBUG -eq 1 ]] && out " -- downgraded"
|
||||
outln
|
||||
fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL"
|
||||
add_tls_offered "tls1"
|
||||
;;
|
||||
5)
|
||||
outln "$supported_no_ciph1" # protocol ok, but no cipher
|
||||
fileout "tls1" "WARN" "TLSv1.0 is $supported_no_ciph1"
|
||||
add_tls_offered "tls1"
|
||||
;;
|
||||
7)
|
||||
fileout "tlsv1" "INFO" "TLSv1.0 is not tested due to lack of local support"
|
||||
@ -2340,6 +2356,7 @@ run_protocols() {
|
||||
0)
|
||||
outln "offered"
|
||||
fileout "tls1_1" "INFO" "TLSv1.1 is offered"
|
||||
add_tls_offered "tls1_1"
|
||||
;; # nothing wrong with it
|
||||
1)
|
||||
outln "not offered"
|
||||
@ -2354,6 +2371,7 @@ run_protocols() {
|
||||
5)
|
||||
outln "$supported_no_ciph1"
|
||||
fileout "tls1_1" "WARN" "TLSv1.1 is $supported_no_ciph1"
|
||||
add_tls_offered "tls1_1"
|
||||
;; # protocol ok, but no cipher
|
||||
7)
|
||||
fileout "tls1_1" "INFO" "TLSv1.1 is not tested due to lack of local support"
|
||||
@ -2370,6 +2388,7 @@ run_protocols() {
|
||||
0)
|
||||
pr_done_bestln "offered (OK)"
|
||||
fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)"
|
||||
add_tls_offered "tls1_2"
|
||||
;; # GCM cipher in TLS 1.2: very good!
|
||||
1)
|
||||
pr_svrty_mediumln "not offered"
|
||||
@ -2384,11 +2403,13 @@ run_protocols() {
|
||||
5)
|
||||
outln "$supported_no_ciph1"
|
||||
fileout "tls1_2" "WARN" "TLSv1.2 is $supported_no_ciph1"
|
||||
add_tls_offered "tls1_2"
|
||||
;; # protocol ok, but no cipher
|
||||
7)
|
||||
fileout "tls1_2" "INFO" "TLSv1.2 is not tested due to lack of local support"
|
||||
;; # no local support
|
||||
esac
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@ -2735,7 +2756,7 @@ check_tls12_pref() {
|
||||
order="$cipher"
|
||||
tested_cipher="-$cipher"
|
||||
else
|
||||
pr_warningln "fixme: something weird happened around line $((LINENO - 6))"
|
||||
fixmeln "something weird happened around line $((LINENO - 6))"
|
||||
return 1
|
||||
fi
|
||||
while true; do
|
||||
@ -2755,6 +2776,8 @@ check_tls12_pref() {
|
||||
# second cipher set didn't succeed: we can just output everything
|
||||
out " $order"
|
||||
fi
|
||||
|
||||
tmpfile_handle $FUNCNAME.txt
|
||||
return 0
|
||||
}
|
||||
|
||||
@ -2790,7 +2813,7 @@ cipher_pref_check() {
|
||||
# thus we reduce the number of ciphers we throw at the server and put later everything together
|
||||
# see #189
|
||||
# so far, this was only observed in TLS 1.2
|
||||
check_tls12_pref "$cipher"
|
||||
order=$(check_tls12_pref "$cipher")
|
||||
else
|
||||
out " $cipher" # this is the first cipher for protocol
|
||||
while true; do
|
||||
@ -2827,7 +2850,7 @@ cipher_pref_check() {
|
||||
order+=" $cipher"
|
||||
done
|
||||
outln
|
||||
[[ -z $order ]] || fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p:order"
|
||||
[[ -n $order ]] && fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p: $order"
|
||||
done
|
||||
fi
|
||||
|
||||
@ -4482,6 +4505,7 @@ sslv2_sockets() {
|
||||
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
|
||||
if [[ "$lines" -gt 1 ]]; then
|
||||
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
||||
add_tls_offered "ssl2"
|
||||
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
||||
pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
|
||||
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197"
|
||||
@ -5428,11 +5452,11 @@ run_drown() {
|
||||
parse_sslv2_serverhello "$SOCK_REPLY_FILE"
|
||||
case $? in
|
||||
7) # strange reply, couldn't convert the cipher spec length to a hex number
|
||||
pr_cyan "strange v2 reply "
|
||||
fixme "strange v2 reply "
|
||||
outln " (rerun with DEBUG >=2)"
|
||||
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
|
||||
ret=7
|
||||
fileout "DROWN" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
||||
fileout "drown" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
|
||||
;;
|
||||
3) # vulnerable
|
||||
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)")
|
||||
@ -5441,16 +5465,16 @@ run_drown() {
|
||||
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
|
||||
if [[ 0 -eq "$nr_ciphers_detected" ]]; then
|
||||
pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)";
|
||||
fileout "DROWN" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher"
|
||||
fileout "drown" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher"
|
||||
else
|
||||
pr_svrty_criticalln "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers";
|
||||
fileout "DROWN" "NOT ok" "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"
|
||||
fileout "drown" "NOT ok" "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"
|
||||
fi
|
||||
fi
|
||||
ret=1
|
||||
;;
|
||||
*) pr_done_bestln "not vulnerable on this port (OK)"
|
||||
fileout "DROWN" "OK" "not vulnerable to DROWN"
|
||||
fileout "drown" "OK" "not vulnerable to DROWN"
|
||||
outln "$spaces make sure you don't use this certificate elsewhere with SSLv2 enabled services"
|
||||
if [[ "$DEBUG" -ge 1 ]] || "$SHOW_CENSYS_LINK"; then
|
||||
# not advertising it as it after 5 tries and account is needed
|
||||
@ -5725,7 +5749,7 @@ run_tls_truncation() {
|
||||
|
||||
old_fart() {
|
||||
outln "Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
|
||||
fileout "old_fart" "WARN" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
|
||||
fileout "old_fart" "ERROR" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
|
||||
fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -2
|
||||
}
|
||||
|
||||
@ -7354,4 +7378,4 @@ fi
|
||||
exit $?
|
||||
|
||||
|
||||
# $Id: testssl.sh,v 1.495 2016/06/07 11:02:57 dirkw Exp $
|
||||
# $Id: testssl.sh,v 1.496 2016/06/07 21:06:57 dirkw Exp $
|
||||
|
||||
Loading…
Reference in New Issue
Block a user