mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-10 10:40:57 +01:00
Cleanup for ticketbleed (and other who need x509 client auth)
run_ticketbleed() has now a check whether there's "$CLIENT_AUTH" set. If so a warn message is being issued and the test skipped. Empty replies for other reasons from the s_client connect are handled better within run_ticketbleed(). Otherwise it would lead to ugly errors on the console. Warning messages for vulneribility checks when client x509-based authentication is encountered are now all the same. CVE/CWE added. (run_renego(), run_breach() ).
This commit is contained in:
parent
d1cec5ecd2
commit
dc6f9d7129
25
testssl.sh
25
testssl.sh
@ -15220,14 +15220,19 @@ session_ticket_from_openssl() {
|
|||||||
local first=true
|
local first=true
|
||||||
|
|
||||||
sessticket_tls="$($OPENSSL s_client $(s_client_options "$BUGS $OPTIMAL_PROTO $PROXY $SNI -connect $NODEIP:$PORT") </dev/null 2>$ERRFILE | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')"
|
sessticket_tls="$($OPENSSL s_client $(s_client_options "$BUGS $OPTIMAL_PROTO $PROXY $SNI -connect $NODEIP:$PORT") </dev/null 2>$ERRFILE | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')"
|
||||||
|
# This needs to be on stderr (return value)
|
||||||
# This needs to be on stderr
|
|
||||||
debugme echo "$sessticket_tls" >&2
|
debugme echo "$sessticket_tls" >&2
|
||||||
|
if [[ -z "$sessticket_tls" ]] || [[ "$sessticket_tls" == " " ]]; then
|
||||||
|
echo ""
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
# Now we extract the session ticket. First we'll remove the ASCII garbage (len=16chars)
|
# Now we extract the session ticket. First we'll remove the ASCII garbage (len=16chars)
|
||||||
# at the rhs, then we'll sqush all white spaces (normally it's just 3x " " but we're
|
# at the rhs, then we'll sqush all white spaces (normally it's just 3x " " but we're
|
||||||
# tolerant here. Then we remove evryth. up to the address, replace the dash in the middle.
|
# tolerant here. Then we remove evryth. up to the address, replace the dash in the middle.
|
||||||
# In the end we want commas between all bytes.
|
# In the end we want commas between all bytes.
|
||||||
# Note the second expression requires "shopt -s extglob".
|
# Note the second expression requires "shopt -s extglob".
|
||||||
|
|
||||||
while read -r line; do
|
while read -r line; do
|
||||||
line="${line:0:$((${#line}-16))}"
|
line="${line:0:$((${#line}-16))}"
|
||||||
line="${line%%+([[:space:]])}"
|
line="${line%%+([[:space:]])}"
|
||||||
@ -15302,14 +15307,21 @@ run_ticketbleed() {
|
|||||||
fi
|
fi
|
||||||
debugme echo "using protocol $tls_hexcode"
|
debugme echo "using protocol $tls_hexcode"
|
||||||
|
|
||||||
|
if "$CLIENT_AUTH"; then
|
||||||
|
prln_warning "client x509-based authentication prevents this from being tested"
|
||||||
|
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" "$cve" "$cwe"
|
||||||
|
# not sure yet whether this test w client auth would make sense at all
|
||||||
|
return 0
|
||||||
|
else
|
||||||
session_tckt_tls="$(session_ticket_from_openssl)"
|
session_tckt_tls="$(session_ticket_from_openssl)"
|
||||||
if [[ "$session_tckt_tls" == , ]]; then
|
if [[ "$session_tckt_tls" == , ]] || [[ -z "$session_tckt_tls" ]] ; then
|
||||||
pr_svrty_best "not vulnerable (OK)"
|
pr_svrty_best "not vulnerable (OK)"
|
||||||
outln ", no session tickets"
|
outln ", no session tickets"
|
||||||
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
|
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
|
||||||
debugme echo " session ticket TLS \"$session_tckt_tls\""
|
debugme echo " session ticket TLS \"$session_tckt_tls\""
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
len_tckt_tls=${#session_tckt_tls}
|
len_tckt_tls=${#session_tckt_tls}
|
||||||
len_tckt_tls=$(( len_tckt_tls / 3)) # Attention: this also counts commas. So we have two bytes like 32,23,
|
len_tckt_tls=$(( len_tckt_tls / 3)) # Attention: this also counts commas. So we have two bytes like 32,23,
|
||||||
@ -15598,7 +15610,7 @@ run_renego() {
|
|||||||
fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe"
|
fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe"
|
||||||
elif "$CLIENT_AUTH"; then
|
elif "$CLIENT_AUTH"; then
|
||||||
prln_warning "client x509-based authentication prevents this from being tested"
|
prln_warning "client x509-based authentication prevents this from being tested"
|
||||||
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested"
|
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" "$cve" "$cwe"
|
||||||
sec_client_renego=1
|
sec_client_renego=1
|
||||||
else
|
else
|
||||||
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
|
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
|
||||||
@ -15789,8 +15801,9 @@ run_breach() {
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln
|
||||||
pr_bold " BREACH"; out " ($cve) "
|
pr_bold " BREACH"; out " ($cve) "
|
||||||
if "$CLIENT_AUTH"; then
|
if "$CLIENT_AUTH"; then
|
||||||
outln "cannot be tested (server side requires x509 authentication)"
|
prln_warning "client x509-based authentication prevents this from being tested"
|
||||||
fileout "$jsonID" "INFO" "was not tested, server side requires x509 authentication" "$cve" "$cwe"
|
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" "$cve" "$cwe"
|
||||||
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# if [[ $NR_HEADER_FAIL -ge $MAX_HEADER_FAIL ]]; then
|
# if [[ $NR_HEADER_FAIL -ge $MAX_HEADER_FAIL ]]; then
|
||||||
|
Loading…
Reference in New Issue
Block a user