mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-06 00:39:44 +01:00
Added check for TLS_FALLBACK_SCSV support in local OpenSSL binary.
In TLS_FALLBACK_SCSV check, added unique socket address to temporary file name in order to support multiple simultaneous instances.
This commit is contained in:
parent
0e36255fb9
commit
dc548f1cfc
27
testssl.sh
27
testssl.sh
@ -9,7 +9,7 @@
|
|||||||
# Stable version from https://testssl.sh
|
# Stable version from https://testssl.sh
|
||||||
# Please file bugs at github! https://github.com/drwetter/testssl.sh/issues
|
# Please file bugs at github! https://github.com/drwetter/testssl.sh/issues
|
||||||
|
|
||||||
VERSION="2.6dev"
|
VERSION="2.5dev"
|
||||||
SWURL="http://dev.testssl.sh"
|
SWURL="http://dev.testssl.sh"
|
||||||
SWCONTACT="dirk aet testssl dot sh"
|
SWCONTACT="dirk aet testssl dot sh"
|
||||||
|
|
||||||
@ -2619,14 +2619,25 @@ EOF
|
|||||||
|
|
||||||
# Test for TLS_FALLBACK_SCSV
|
# Test for TLS_FALLBACK_SCSV
|
||||||
tls_fallback_scsv() {
|
tls_fallback_scsv() {
|
||||||
# This isn't a vulnerability check per se, but it is a strong countermeasure
|
# This isn't a vulnerability check per se, but checks for the existence of
|
||||||
# to protect against protocol downgrade attacks.
|
# the countermeasure to protect against protocol downgrade attacks.
|
||||||
local TMP="/tmp"
|
|
||||||
if [ ! -z "$HOME" ] && [ -w "$HOME" ]; then
|
# First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
|
||||||
TMP="$HOME"
|
$OPENSSL s_client -h 2>&1 | grep -q "\-fallback_scsv"
|
||||||
|
if [ $? -gt 0 ]; then
|
||||||
|
pr_magentaln "Local Problem: Your $OPENSSL lacks TLS_FALLBACK_SCSV support"
|
||||||
|
return 4
|
||||||
fi
|
fi
|
||||||
local scsv="$TMP/.testssl_scsv.txt"
|
|
||||||
|
# Set up a local temporary file in which to store OpenSSL's output...
|
||||||
|
local TEMP="/tmp"
|
||||||
|
if [ ! -z "$HOME" ] && [ -w "$HOME" ]; then
|
||||||
|
TEMP="$HOME"
|
||||||
|
fi
|
||||||
|
local scsv="$TEMP/.testssl_scsv-${NODEIP}-${PORT}.txt"
|
||||||
ret=1
|
ret=1
|
||||||
|
|
||||||
|
# ...and do the test
|
||||||
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for TLS_FALLBACK_SCSV Support" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for TLS_FALLBACK_SCSV Support" && outln "\n"
|
||||||
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507) "
|
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507) "
|
||||||
echo | $OPENSSL s_client -connect $NODEIP:$PORT -no_tls1_2 -fallback_scsv > "$scsv" 2>&1
|
echo | $OPENSSL s_client -connect $NODEIP:$PORT -no_tls1_2 -fallback_scsv > "$scsv" 2>&1
|
||||||
@ -2642,6 +2653,8 @@ tls_fallback_scsv() {
|
|||||||
pr_magentaln "test failed (couldn't connect)"
|
pr_magentaln "test failed (couldn't connect)"
|
||||||
ret=3
|
ret=3
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Quick cleanup
|
||||||
rm -f "$scsv"
|
rm -f "$scsv"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user