Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

- filled PROTOS_OFFERED w sense

Browse Source 
- minor fixes for fileout
- introduced "fixme()"
This commit is contained in:
Dirk 2016-06-07 23:06:58 +02:00
parent 8ed6214b6f
commit d858edca1b
1 changed files with 45 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
testssl.sh
View File

@ -324,14 +324,14 @@ pr_liteblueln() { pr_liteblue "$1"; outln; }
pr_blue() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;32m$1" || out "\033[1;34m$1" ) || out "$1"; pr_off; } # used for head lines of single tests pr_blue() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;32m$1" || out "\033[1;34m$1" ) || out "$1"; pr_off; } # used for head lines of single tests
pr_blueln() { pr_blue "$1"; outln; } pr_blueln() { pr_blue "$1"; outln; }
pr_warning() { [[ "$COLOR" -eq 2 ]] && out "\033[0;35m$1" || pr_underline "$1"; pr_off; } # litemagentai | local problem: one test cannot be done pr_warning() { [[ "$COLOR" -eq 2 ]] && out "\033[0;35m$1" || pr_underline "$1"; pr_off; } # some local problem: one test cannot be done
pr_warningln() { pr_warning "$1"; outln; } pr_warningln() { pr_warning "$1"; outln; } # litemagenya
pr_magenta() { [[ "$COLOR" -eq 2 ]] && out "\033[1;35m$1" || pr_underline "$1"; pr_off; } # Fatal error: quitting because of this! pr_magenta() { [[ "$COLOR" -eq 2 ]] && out "\033[1;35m$1" || pr_underline "$1"; pr_off; } # fatal error: quitting because of this!
pr_magentaln() { pr_magenta "$1"; outln; } pr_magentaln() { pr_magenta "$1"; outln; }
pr_litecyan() { [[ "$COLOR" -eq 2 ]] && out "\033[0;36m$1" || out "$1"; pr_off; } # not yet used pr_litecyan() { [[ "$COLOR" -eq 2 ]] && out "\033[0;36m$1" || out "$1"; pr_off; } # not yet used
pr_litecyanln() { pr_litecyan "$1"; outln; } pr_litecyanln() { pr_litecyan "$1"; outln; }
pr_cyan() { [[ "$COLOR" -eq 2 ]] && out "\033[1;36m$1" || out "$1"; pr_off; } # additional hint pr_cyan() { [[ "$COLOR" -eq 2 ]] && out "\033[1;36m$1" || out "$1"; pr_off; } # additional hint
pr_cyanln() { pr_cyan "$1"; outln; } pr_cyanln() { pr_cyan "$1"; outln; }
pr_litegreyln() { pr_litegrey "$1"; outln; } pr_litegreyln() { pr_litegrey "$1"; outln; }
@ -375,8 +375,11 @@ pr_headlineln() { pr_headline "$1" ; outln; }
pr_squoted() { out "'$1'"; } pr_squoted() { out "'$1'"; }
pr_dquoted() { out "\"$1\""; } pr_dquoted() { out "\"$1\""; }
local_problem_ln() { pr_warningln "Local problem: $1"; }
local_problem() { pr_warning "Local problem: $1"; } local_problem() { pr_warning "Local problem: $1"; }
local_problem_ln() { pr_warningln "Local problem: $1"; }
fixme() { pr_warning "fixme: $1"; }
fixme() { pr_warningln "fixme: $1"; }
### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/ ### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html ### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html
@ -642,17 +645,17 @@ runs_HTTP() {
*) if $CLIENT_AUTH; then *) if $CLIENT_AUTH; then
out "certificate based authentication => skipping all HTTP checks" out "certificate based authentication => skipping all HTTP checks"
echo "certificate based authentication => skipping all HTTP checks" >$TMPFILE echo "certificate based authentication => skipping all HTTP checks" >$TMPFILE
fileout "client_auth" "WARN" "certificate based authentication => skipping all HTTP checks" fileout "client_auth" "INFO" "certificate based authentication => skipping all HTTP checks"
else else
out " Couldn't determine what's running on port $PORT" out " Couldn't determine what's running on port $PORT"
if $ASSUMING_HTTP; then if $ASSUMING_HTTP; then
SERVICE=HTTP SERVICE=HTTP
out " -- ASSUMING_HTTP set though" out " -- ASSUMING_HTTP set though"
fileout "service" "WARN" "Couldn't determine service, --ASSUMING_HTTP set" fileout "service" "DEBUG" "Couldn't determine service, --ASSUMING_HTTP set"
ret=0 ret=0
else else
out ", assuming no HTTP service => skipping all HTTP checks" out ", assuming no HTTP service => skipping all HTTP checks"
fileout "service" "WARN" "Couldn't determine service, skipping all HTTP checks" fileout "service" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
ret=1 ret=1
fi fi
fi fi
@ -1011,7 +1014,7 @@ run_hpkp() {
out "\n$spaces" out "\n$spaces"
pr_svrty_high " No matching key for pins found " pr_svrty_high " No matching key for pins found "
out "(CAs pinned? -- not checked for yet)" out "(CAs pinned? -- not checked for yet)"
fileout "hpkp_keymatch" "WARN" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this" fileout "hpkp_keymatch" "DEBUG" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this"
fi fi
else else
out "--" out "--"
@ -2217,6 +2220,12 @@ run_prototest_openssl() {
# 7: no local support # 7: no local support
} }
# idempotent function to add SSL/TLS protocols. It should ease testing
# PROTOS_OFFERED's content is in openssl terminology
add_tls_offered() {
grep -w "$1" <<< "$PROTOS_OFFERED" || PROTOS_OFFERED+="$1 "
}
# the protocol check needs to be revamped. It sucks, see above # the protocol check needs to be revamped. It sucks, see above
run_protocols() { run_protocols() {
@ -2256,6 +2265,7 @@ run_protocols() {
0) 0)
pr_svrty_criticalln "offered (NOT ok)" pr_svrty_criticalln "offered (NOT ok)"
fileout "sslv2" "NOT ok" "SSLv2 is offered (NOT ok)" fileout "sslv2" "NOT ok" "SSLv2 is offered (NOT ok)"
add_tls_offered "ssl2"
;; ;;
1) 1)
pr_done_bestln "not offered (OK)" pr_done_bestln "not offered (OK)"
@ -2264,6 +2274,7 @@ run_protocols() {
5) 5)
pr_svrty_high "CVE-2015-3197: $supported_no_ciph2"; pr_svrty_high "CVE-2015-3197: $supported_no_ciph2";
fileout "sslv2" "WARN" "CVE-2015-3197: SSLv2 is $supported_no_ciph2" fileout "sslv2" "WARN" "CVE-2015-3197: SSLv2 is $supported_no_ciph2"
add_tls_offered "ssl2"
;; ;;
7) 7)
fileout "sslv2" "INFO" "SSLv2 is not tested due to lack of local support" fileout "sslv2" "INFO" "SSLv2 is not tested due to lack of local support"
@ -2281,6 +2292,7 @@ run_protocols() {
0) 0)
pr_svrty_highln "offered (NOT ok)" pr_svrty_highln "offered (NOT ok)"
fileout "sslv3" "NOT ok" "SSLv3 is offered (NOT ok)" fileout "sslv3" "NOT ok" "SSLv3 is offered (NOT ok)"
add_tls_offered "ssl3"
;; ;;
1) 1)
pr_done_bestln "not offered (OK)" pr_done_bestln "not offered (OK)"
@ -2294,7 +2306,8 @@ run_protocols() {
fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1" fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1"
pr_svrty_high "$supported_no_ciph2" pr_svrty_high "$supported_no_ciph2"
outln "(may need debugging)" outln "(may need debugging)"
;; # protocol ok, but no cipher add_tls_offered "ssl3"
;;
7) 7)
fileout "sslv3" "INFO" "SSLv3 is not tested due to lack of local support" fileout "sslv3" "INFO" "SSLv3 is not tested due to lack of local support"
;; # no local support ;; # no local support
@ -2310,6 +2323,7 @@ run_protocols() {
0) 0)
outln "offered" outln "offered"
fileout "tls1" "INFO" "TLSv1.0 is offered" fileout "tls1" "INFO" "TLSv1.0 is offered"
add_tls_offered "tls1"
;; # nothing wrong with it -- per se ;; # nothing wrong with it -- per se
1) 1)
outln "not offered" outln "not offered"
@ -2320,10 +2334,12 @@ run_protocols() {
[[ $DEBUG -eq 1 ]] && out " -- downgraded" [[ $DEBUG -eq 1 ]] && out " -- downgraded"
outln outln
fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL" fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL"
add_tls_offered "tls1"
;; ;;
5) 5)
outln "$supported_no_ciph1" # protocol ok, but no cipher outln "$supported_no_ciph1" # protocol ok, but no cipher
fileout "tls1" "WARN" "TLSv1.0 is $supported_no_ciph1" fileout "tls1" "WARN" "TLSv1.0 is $supported_no_ciph1"
add_tls_offered "tls1"
;; ;;
7) 7)
fileout "tlsv1" "INFO" "TLSv1.0 is not tested due to lack of local support" fileout "tlsv1" "INFO" "TLSv1.0 is not tested due to lack of local support"
@ -2340,6 +2356,7 @@ run_protocols() {
0) 0)
outln "offered" outln "offered"
fileout "tls1_1" "INFO" "TLSv1.1 is offered" fileout "tls1_1" "INFO" "TLSv1.1 is offered"
add_tls_offered "tls1_1"
;; # nothing wrong with it ;; # nothing wrong with it
1) 1)
outln "not offered" outln "not offered"
@ -2354,6 +2371,7 @@ run_protocols() {
5) 5)
outln "$supported_no_ciph1" outln "$supported_no_ciph1"
fileout "tls1_1" "WARN" "TLSv1.1 is $supported_no_ciph1" fileout "tls1_1" "WARN" "TLSv1.1 is $supported_no_ciph1"
add_tls_offered "tls1_1"
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) 7)
fileout "tls1_1" "INFO" "TLSv1.1 is not tested due to lack of local support" fileout "tls1_1" "INFO" "TLSv1.1 is not tested due to lack of local support"
@ -2370,6 +2388,7 @@ run_protocols() {
0) 0)
pr_done_bestln "offered (OK)" pr_done_bestln "offered (OK)"
fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)" fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)"
add_tls_offered "tls1_2"
;; # GCM cipher in TLS 1.2: very good! ;; # GCM cipher in TLS 1.2: very good!
1) 1)
pr_svrty_mediumln "not offered" pr_svrty_mediumln "not offered"
@ -2384,11 +2403,13 @@ run_protocols() {
5) 5)
outln "$supported_no_ciph1" outln "$supported_no_ciph1"
fileout "tls1_2" "WARN" "TLSv1.2 is $supported_no_ciph1" fileout "tls1_2" "WARN" "TLSv1.2 is $supported_no_ciph1"
add_tls_offered "tls1_2"
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) 7)
fileout "tls1_2" "INFO" "TLSv1.2 is not tested due to lack of local support" fileout "tls1_2" "INFO" "TLSv1.2 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
return 0 return 0
} }
@ -2735,7 +2756,7 @@ check_tls12_pref() {
order="$cipher" order="$cipher"
tested_cipher="-$cipher" tested_cipher="-$cipher"
else else
pr_warningln "fixme: something weird happened around line $((LINENO - 6))" fixmeln "something weird happened around line $((LINENO - 6))"
return 1 return 1
fi fi
while true; do while true; do
@ -2755,6 +2776,8 @@ check_tls12_pref() {
# second cipher set didn't succeed: we can just output everything # second cipher set didn't succeed: we can just output everything
out " $order" out " $order"
fi fi
tmpfile_handle $FUNCNAME.txt
return 0 return 0
} }
@ -2790,7 +2813,7 @@ cipher_pref_check() {
# thus we reduce the number of ciphers we throw at the server and put later everything together # thus we reduce the number of ciphers we throw at the server and put later everything together
# see #189 # see #189
# so far, this was only observed in TLS 1.2 # so far, this was only observed in TLS 1.2
check_tls12_pref "$cipher" order=$(check_tls12_pref "$cipher")
else else
out " $cipher" # this is the first cipher for protocol out " $cipher" # this is the first cipher for protocol
while true; do while true; do
@ -2827,7 +2850,7 @@ cipher_pref_check() {
order+=" $cipher" order+=" $cipher"
done done
outln outln
[[ -z $order ]] || fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p:order" [[ -n $order ]] && fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p: $order"
done done
fi fi
@ -4482,6 +4505,7 @@ sslv2_sockets() {
[[ "$DEBUG" -ge 2 ]] && out " ($lines lines) " [[ "$DEBUG" -ge 2 ]] && out " ($lines lines) "
if [[ "$lines" -gt 1 ]]; then if [[ "$lines" -gt 1 ]]; then
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
add_tls_offered "ssl2"
if [[ 0 -eq "$nr_ciphers_detected" ]]; then if [[ 0 -eq "$nr_ciphers_detected" ]]; then
pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 "; pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197" fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197"
@ -5428,11 +5452,11 @@ run_drown() {
parse_sslv2_serverhello "$SOCK_REPLY_FILE" parse_sslv2_serverhello "$SOCK_REPLY_FILE"
case $? in case $? in
7) # strange reply, couldn't convert the cipher spec length to a hex number 7) # strange reply, couldn't convert the cipher spec length to a hex number
pr_cyan "strange v2 reply " fixme "strange v2 reply "
outln " (rerun with DEBUG >=2)" outln " (rerun with DEBUG >=2)"
[[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1 [[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1
ret=7 ret=7
fileout "DROWN" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)" fileout "drown" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)"
;; ;;
3) # vulnerable 3) # vulnerable
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)") lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)")
@ -5441,16 +5465,16 @@ run_drown() {
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
if [[ 0 -eq "$nr_ciphers_detected" ]]; then if [[ 0 -eq "$nr_ciphers_detected" ]]; then
pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)"; pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)";
fileout "DROWN" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher" fileout "drown" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher"
else else
pr_svrty_criticalln "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"; pr_svrty_criticalln "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers";
fileout "DROWN" "NOT ok" "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers" fileout "drown" "NOT ok" "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"
fi fi
fi fi
ret=1 ret=1
;; ;;
*) pr_done_bestln "not vulnerable on this port (OK)" *) pr_done_bestln "not vulnerable on this port (OK)"
fileout "DROWN" "OK" "not vulnerable to DROWN" fileout "drown" "OK" "not vulnerable to DROWN"
outln "$spaces make sure you don't use this certificate elsewhere with SSLv2 enabled services" outln "$spaces make sure you don't use this certificate elsewhere with SSLv2 enabled services"
if [[ "$DEBUG" -ge 1 ]] || "$SHOW_CENSYS_LINK"; then if [[ "$DEBUG" -ge 1 ]] || "$SHOW_CENSYS_LINK"; then
# not advertising it as it after 5 tries and account is needed # not advertising it as it after 5 tries and account is needed
@ -5725,7 +5749,7 @@ run_tls_truncation() {
old_fart() { old_fart() {
outln "Get precompiled bins or compile https://github.com/PeterMosmans/openssl ." outln "Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
fileout "old_fart" "WARN" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ." fileout "old_fart" "ERROR" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -2 fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -2
} }
@ -7354,4 +7378,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.495 2016/06/07 11:02:57 dirkw Exp $ # $Id: testssl.sh,v 1.496 2016/06/07 21:06:57 dirkw Exp $