From d98aa626e7f5ee902263f452fb84ad4d6761d819 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 11 Feb 2015 09:43:04 +0100 Subject: [PATCH] - NEW: check for Secure Client-Initiated Renegotiation - debugging #1: PS4 and debugme - debugging statement tmpfile_handle where missing #2 --- testssl.sh | 63 ++++++++++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 25 deletions(-) diff --git a/testssl.sh b/testssl.sh index 676e854..6ec6c4f 100755 --- a/testssl.sh +++ b/testssl.sh @@ -61,6 +61,7 @@ SSL_NATIVE=${SSL_NATIVE:-0} # we do per default bash sockets! #FIXME: still to be filled with (more) sense: DEBUG=${DEBUG:-0} # if 1 the temp files won't be erased. 2: list more what's going on (formerly: eq VERBOSE=1), 3: slight hexdumps # and other info, 4: the whole nine yards of output +PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet. FC has only a CA bundle per default, ==> openssl version -d HSTS_MIN=180 # >180 days is ok for HSTS @@ -223,6 +224,15 @@ fi ###### function definitions +debugme() { + if [[ $DEBUG -ge 2 ]]; then + echo "$@" + "$@" + else + : + fi +} + tmpfile_handle() { if [[ "$DEBUG" -eq 0 ]] ; then rm $TMPFILE @@ -358,7 +368,7 @@ poodle() { fi outln - tmpfile_handle $FUNCNAME.txt + tmpfile_handle $FUNCNAME.txt return $ret } @@ -1999,9 +2009,9 @@ heartbleed(){ } +# This tests for CVE-2009-3555 / RFC5746, OSVDB: 59968-59974 renego() { ADDCMD="" - # This tests for CVE-2009-3555 / RFC5746, OSVDB: 59968-59974 case "$OSSL_VER" in 0.9.8*) # we need this for Mac OSX unfortunately case "$OSSL_VER_APPENDIX" in @@ -2011,33 +2021,33 @@ renego() { [m-z]) # all ok ;; esac ;; - 1.0.1*) + 1.0.1*|1.0.2*) ADDCMD="-legacy_renegotiation" ;; 0.9.9*|1.0*) # all ok ;; esac + pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks + echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE + reneg_ok=$? # 0=client is renegotiating and does not get an error: vuln to DoS via client initiated renegotiation + case $reneg_ok in + 0) pr_litered "IS vulnerable (NOT ok)"; outln ", DoS threat" ;; + 1) pr_litegreenln "not vulnerable (OK)" ;; + *) outln "FIXME: $reneg_ok" ;; + esac + pr_bold " Renegotiation "; out "(CVE 2009-3555) " - echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI &>/dev/null - reneg_ok=$? # 0=client is renegotiating and does not gets an error: that should not be! NEG_STR="Secure Renegotiation IS NOT" echo "R" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 | grep -iq "$NEG_STR" secreg=$? # 0= Secure Renegotiation IS NOT supported + case $secreg in + 0) pr_redln "IS vulnerable (NOT ok)" ;; + 1) pr_greenln "not vulnerable (OK)" ;; + *) outln "FIXME: $secreg" ;; + esac - if [ $reneg_ok -eq 0 ] && [ $secreg -eq 0 ]; then - # Client side renegotiation is accepted and secure renegotiation IS NOT supported - pr_redln "IS vulnerable (NOT ok)" - return 1 - fi - if [ $reneg_ok -eq 1 ] && [ $secreg -eq 1 ]; then - pr_greenln "not vulnerable (OK)" - return 0 - fi - if [ $reneg_ok -eq 1 ] ; then # 1,0 - pr_litegreenln "got an error from the server while renegotiating on client: should be ok ($reneg_ok,$secreg)" - return 0 - fi - pr_litegreenln "Patched Server detected ($reneg_ok,$secreg), probably ok" # 0,1 - return 0 + tmpfile_handle $FUNCNAME.txt + return $secreg + # https://community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered } crime() { @@ -2064,11 +2074,12 @@ crime() { $OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout &1 /dev/null; then + #STR=`$OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 &1 $TMPFILE + if grep Compression | grep -q NONE >/dev/null; then pr_green "not vulnerable (OK)" [[ $SERVICE == "HTTP" ]] || out " (not using HTTP anyway)" ret=0 @@ -2118,6 +2129,7 @@ crime() { # fi [ $VERBERR -eq 0 ] && outln "$STR" #echo + tmpfile_handle $FUNCNAME.txt return $ret } @@ -2175,6 +2187,7 @@ beast(){ # printf "For a full individual test of each CBC cipher suites support by your $OPENSSL run \"$0 -x CBC $NODE\"\n" shopt -u lastpipe # othwise for some reason it segfaults + tmpfile_handle $FUNCNAME.txt return $ret } @@ -2286,7 +2299,7 @@ starttls() { ret=2 ;; esac - + tmpfile_handle $FUNCNAME.txt return $ret } @@ -2812,6 +2825,6 @@ case "$1" in exit $ret ;; esac -# $Id: testssl.sh,v 1.181 2015/02/04 08:48:33 dirkw Exp $ +# $Id: testssl.sh,v 1.184 2015/02/11 08:43:03 dirkw Exp $ # vim:ts=5:sw=5