Cleanup for ticketbleed (and others who need x509 client auth)

run_ticketbleed() now has a check whether "$CLIENT_AUTH" is
set. If so, a warning message is issued and the test is skipped.

Empty replies for other reasons from the s_client connect are
handled better within run_ticketbleed(). Otherwise they would
lead to ugly errors on the console.

Warning messages for vulnerability checks when client x509-based
authentication is encountered are now all the same. CVE/CWE added
(run_renego(), run_breach()).
This commit is contained in:
Dirk Wetter 2020-03-23 11:26:17 +01:00
parent d1cec5ecd2
commit dc6f9d7129


@ -15220,14 +15220,19 @@ session_ticket_from_openssl() {
local first=true local first=true
sessticket_tls="$($OPENSSL s_client $(s_client_options "$BUGS $OPTIMAL_PROTO $PROXY $SNI -connect $NODEIP:$PORT") </dev/null 2>$ERRFILE | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')" sessticket_tls="$($OPENSSL s_client $(s_client_options "$BUGS $OPTIMAL_PROTO $PROXY $SNI -connect $NODEIP:$PORT") </dev/null 2>$ERRFILE | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')"
# This needs to be on stderr (return value)
# This needs to be on stderr
debugme echo "$sessticket_tls" >&2 debugme echo "$sessticket_tls" >&2
if [[ -z "$sessticket_tls" ]] || [[ "$sessticket_tls" == " " ]]; then
echo ""
return 0
fi
# Now we extract the session ticket. First we'll remove the ASCII garbage (len=16chars) # Now we extract the session ticket. First we'll remove the ASCII garbage (len=16chars)
# at the rhs, then we'll sqush all white spaces (normally it's just 3x " " but we're # at the rhs, then we'll sqush all white spaces (normally it's just 3x " " but we're
# tolerant here. Then we remove evryth. up to the address, replace the dash in the middle. # tolerant here. Then we remove evryth. up to the address, replace the dash in the middle.
# In the end we want commas between all bytes. # In the end we want commas between all bytes.
# Note the second expression requires "shopt -s extglob". # Note the second expression requires "shopt -s extglob".
while read -r line; do while read -r line; do
line="${line:0:$((${#line}-16))}" line="${line:0:$((${#line}-16))}"
line="${line%%+([[:space:]])}" line="${line%%+([[:space:]])}"
@ -15302,14 +15307,21 @@ run_ticketbleed() {
fi fi
debugme echo "using protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
if "$CLIENT_AUTH"; then
prln_warning "client x509-based authentication prevents this from being tested"
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" "$cve" "$cwe"
# not sure yet whether this test w client auth would make sense at all
return 0
else
session_tckt_tls="$(session_ticket_from_openssl)" session_tckt_tls="$(session_ticket_from_openssl)"
if [[ "$session_tckt_tls" == , ]]; then if [[ "$session_tckt_tls" == , ]] || [[ -z "$session_tckt_tls" ]] ; then
pr_svrty_best "not vulnerable (OK)" pr_svrty_best "not vulnerable (OK)"
outln ", no session tickets" outln ", no session tickets"
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
debugme echo " session ticket TLS \"$session_tckt_tls\"" debugme echo " session ticket TLS \"$session_tckt_tls\""
return 0 return 0
fi fi
fi
len_tckt_tls=${#session_tckt_tls} len_tckt_tls=${#session_tckt_tls}
len_tckt_tls=$(( len_tckt_tls / 3)) # Attention: this also counts commas. So we have two bytes like 32,23, len_tckt_tls=$(( len_tckt_tls / 3)) # Attention: this also counts commas. So we have two bytes like 32,23,
@ -15598,7 +15610,7 @@ run_renego() {
fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe"
elif "$CLIENT_AUTH"; then elif "$CLIENT_AUTH"; then
prln_warning "client x509-based authentication prevents this from being tested" prln_warning "client x509-based authentication prevents this from being tested"
fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" "$cve" "$cwe"
sec_client_renego=1 sec_client_renego=1
else else
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background # We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
@ -15789,8 +15801,9 @@ run_breach() {
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln
pr_bold " BREACH"; out " ($cve) " pr_bold " BREACH"; out " ($cve) "
if "$CLIENT_AUTH"; then if "$CLIENT_AUTH"; then
outln "cannot be tested (server side requires x509 authentication)" prln_warning "client x509-based authentication prevents this from being tested"
fileout "$jsonID" "INFO" "was not tested, server side requires x509 authentication" "$cve" "$cwe" fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" "$cve" "$cwe"
return 0
fi fi
# if [[ $NR_HEADER_FAIL -ge $MAX_HEADER_FAIL ]]; then # if [[ $NR_HEADER_FAIL -ge $MAX_HEADER_FAIL ]]; then
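Review bot: In run_ticketbleed() (hunk at -15302), the new `|| [[ -z "$session_tckt_tls" ]]` branch reports "not vulnerable (OK), no session tickets" for an empty reply, but session_ticket_from_openssl() returns the empty string both when the server sent no ticket and when s_client produced no output at all (connection or handshake failure), so a transient failure is recorded as a clean OK result in the JSON output. I would keep the `== ,` comparison as the OK case and handle `-z` in its own branch as a non-result, e.g. `prln_warning "empty reply from server, ticketbleed could not be tested"` followed by `fileout "$jsonID" "WARN" "could not be tested, empty reply from server" "$cve" "$cwe"` and `return 1`. The `else` wrapping the remaining body is redundant after the `return 0` in the CLIENT_AUTH branch and only deepens indentation; dropping it, as run_breach() does in the last hunk, keeps the two functions consistent. run_ticketbleed()'s body continues outside the hunk.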