mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-20 23:49:30 +01:00
- NEW: check for Secure Client-Initiated Renegotiation
- debugging #1: PS4 and debugme - debugging statement tmpfile_handle where missing #2
This commit is contained in:
parent
c80fc50728
commit
d98aa626e7
63
testssl.sh
63
testssl.sh
@ -61,6 +61,7 @@ SSL_NATIVE=${SSL_NATIVE:-0} # we do per default bash sockets!
|
|||||||
#FIXME: still to be filled with (more) sense:
|
#FIXME: still to be filled with (more) sense:
|
||||||
DEBUG=${DEBUG:-0} # if 1 the temp files won't be erased. 2: list more what's going on (formerly: eq VERBOSE=1), 3: slight hexdumps
|
DEBUG=${DEBUG:-0} # if 1 the temp files won't be erased. 2: list more what's going on (formerly: eq VERBOSE=1), 3: slight hexdumps
|
||||||
# and other info, 4: the whole nine yards of output
|
# and other info, 4: the whole nine yards of output
|
||||||
|
PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
||||||
|
|
||||||
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet. FC has only a CA bundle per default, ==> openssl version -d
|
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet. FC has only a CA bundle per default, ==> openssl version -d
|
||||||
HSTS_MIN=180 # >180 days is ok for HSTS
|
HSTS_MIN=180 # >180 days is ok for HSTS
|
||||||
@ -223,6 +224,15 @@ fi
|
|||||||
|
|
||||||
###### function definitions
|
###### function definitions
|
||||||
|
|
||||||
|
debugme() {
|
||||||
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
|
echo "$@"
|
||||||
|
"$@"
|
||||||
|
else
|
||||||
|
:
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
tmpfile_handle() {
|
tmpfile_handle() {
|
||||||
if [[ "$DEBUG" -eq 0 ]] ; then
|
if [[ "$DEBUG" -eq 0 ]] ; then
|
||||||
rm $TMPFILE
|
rm $TMPFILE
|
||||||
@ -358,7 +368,7 @@ poodle() {
|
|||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1999,9 +2009,9 @@ heartbleed(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# This tests for CVE-2009-3555 / RFC5746, OSVDB: 59968-59974
|
||||||
renego() {
|
renego() {
|
||||||
ADDCMD=""
|
ADDCMD=""
|
||||||
# This tests for CVE-2009-3555 / RFC5746, OSVDB: 59968-59974
|
|
||||||
case "$OSSL_VER" in
|
case "$OSSL_VER" in
|
||||||
0.9.8*) # we need this for Mac OSX unfortunately
|
0.9.8*) # we need this for Mac OSX unfortunately
|
||||||
case "$OSSL_VER_APPENDIX" in
|
case "$OSSL_VER_APPENDIX" in
|
||||||
@ -2011,33 +2021,33 @@ renego() {
|
|||||||
[m-z])
|
[m-z])
|
||||||
# all ok ;;
|
# all ok ;;
|
||||||
esac ;;
|
esac ;;
|
||||||
1.0.1*)
|
1.0.1*|1.0.2*)
|
||||||
ADDCMD="-legacy_renegotiation" ;;
|
ADDCMD="-legacy_renegotiation" ;;
|
||||||
0.9.9*|1.0*)
|
0.9.9*|1.0*)
|
||||||
# all ok ;;
|
# all ok ;;
|
||||||
esac
|
esac
|
||||||
|
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
|
||||||
|
echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE
|
||||||
|
reneg_ok=$? # 0=client is renegotiating and does not get an error: vuln to DoS via client initiated renegotiation
|
||||||
|
case $reneg_ok in
|
||||||
|
0) pr_litered "IS vulnerable (NOT ok)"; outln ", DoS threat" ;;
|
||||||
|
1) pr_litegreenln "not vulnerable (OK)" ;;
|
||||||
|
*) outln "FIXME: $reneg_ok" ;;
|
||||||
|
esac
|
||||||
|
|
||||||
pr_bold " Renegotiation "; out "(CVE 2009-3555) "
|
pr_bold " Renegotiation "; out "(CVE 2009-3555) "
|
||||||
echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI &>/dev/null
|
|
||||||
reneg_ok=$? # 0=client is renegotiating and does not gets an error: that should not be!
|
|
||||||
NEG_STR="Secure Renegotiation IS NOT"
|
NEG_STR="Secure Renegotiation IS NOT"
|
||||||
echo "R" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 | grep -iq "$NEG_STR"
|
echo "R" | $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 | grep -iq "$NEG_STR"
|
||||||
secreg=$? # 0= Secure Renegotiation IS NOT supported
|
secreg=$? # 0= Secure Renegotiation IS NOT supported
|
||||||
|
case $secreg in
|
||||||
|
0) pr_redln "IS vulnerable (NOT ok)" ;;
|
||||||
|
1) pr_greenln "not vulnerable (OK)" ;;
|
||||||
|
*) outln "FIXME: $secreg" ;;
|
||||||
|
esac
|
||||||
|
|
||||||
if [ $reneg_ok -eq 0 ] && [ $secreg -eq 0 ]; then
|
tmpfile_handle $FUNCNAME.txt
|
||||||
# Client side renegotiation is accepted and secure renegotiation IS NOT supported
|
return $secreg
|
||||||
pr_redln "IS vulnerable (NOT ok)"
|
# https://community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
if [ $reneg_ok -eq 1 ] && [ $secreg -eq 1 ]; then
|
|
||||||
pr_greenln "not vulnerable (OK)"
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
if [ $reneg_ok -eq 1 ] ; then # 1,0
|
|
||||||
pr_litegreenln "got an error from the server while renegotiating on client: should be ok ($reneg_ok,$secreg)"
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
pr_litegreenln "Patched Server detected ($reneg_ok,$secreg), probably ok" # 0,1
|
|
||||||
return 0
|
|
||||||
}
|
}
|
||||||
|
|
||||||
crime() {
|
crime() {
|
||||||
@ -2064,11 +2074,12 @@ crime() {
|
|||||||
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
|
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
pr_magentaln "Local Problem: Your $OPENSSL lacks zlib support"
|
pr_magentaln "Local Problem: Your $OPENSSL lacks zlib support"
|
||||||
return 0 #FIXME
|
return 7
|
||||||
fi
|
fi
|
||||||
|
|
||||||
STR=`$OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 </dev/null | grep Compression `
|
#STR=`$OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 </dev/null | grep Compression `
|
||||||
if echo $STR | grep -q NONE >/dev/null; then
|
$OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 </dev/null >$TMPFILE
|
||||||
|
if grep Compression | grep -q NONE >/dev/null; then
|
||||||
pr_green "not vulnerable (OK)"
|
pr_green "not vulnerable (OK)"
|
||||||
[[ $SERVICE == "HTTP" ]] || out " (not using HTTP anyway)"
|
[[ $SERVICE == "HTTP" ]] || out " (not using HTTP anyway)"
|
||||||
ret=0
|
ret=0
|
||||||
@ -2118,6 +2129,7 @@ crime() {
|
|||||||
# fi
|
# fi
|
||||||
[ $VERBERR -eq 0 ] && outln "$STR"
|
[ $VERBERR -eq 0 ] && outln "$STR"
|
||||||
#echo
|
#echo
|
||||||
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2175,6 +2187,7 @@ beast(){
|
|||||||
# printf "For a full individual test of each CBC cipher suites support by your $OPENSSL run \"$0 -x CBC $NODE\"\n"
|
# printf "For a full individual test of each CBC cipher suites support by your $OPENSSL run \"$0 -x CBC $NODE\"\n"
|
||||||
|
|
||||||
shopt -u lastpipe # othwise for some reason it segfaults
|
shopt -u lastpipe # othwise for some reason it segfaults
|
||||||
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2286,7 +2299,7 @@ starttls() {
|
|||||||
ret=2
|
ret=2
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2812,6 +2825,6 @@ case "$1" in
|
|||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.181 2015/02/04 08:48:33 dirkw Exp $
|
# $Id: testssl.sh,v 1.184 2015/02/11 08:43:03 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user