Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-09-10 22:12:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.9dev' into negotiated_cipher

Browse Source 
Conflicts:
	testssl.sh
This commit is contained in:
David Cooper
2017-02-27 09:06:17 -05:00
parent bd1f02d83f 2232929bc5
commit e3c94d2a92
3 changed files with 849 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
testssl.sh
View File

@ -227,8 +227,7 @@ HAS_FALLBACK_SCSV=false
HAS_PROXY=false
HAS_XMPP=false
HAS_POSTGRES=false
ADD_RFC_STR="rfc" # display RFC ciphernames
SHOW_RFC="" # display RFC ciphernames instead of OpenSSL ciphernames
DISPLAY_CIPHERNAMES="openssl" # display OpenSSL ciphername (but both OpenSSL and RFC ciphernames in wide mode)
PORT=443 # unless otherwise auto-determined, see below
NODE=""
NODEIP=""
@ -2266,8 +2265,21 @@ show_rfc_style(){
}
neat_header(){
printf -- "Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits${ADD_RFC_STR:+ Cipher Suite Name (RFC)}\n"
printf -- "%s--------------------------------------------------------------------------${ADD_RFC_STR:+---------------------------------------------------}\n"
if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then
printf -- "Hexcode Cipher Suite Name (RFC) KeyExch. Encryption Bits"
[[ "$DISPLAY_CIPHERNAMES" != "rfc-only" ]] && printf -- " Cipher Suite Name (OpenSSL)"
outln
printf -- "%s------------------------------------------------------------------------------------------"
[[ "$DISPLAY_CIPHERNAMES" != "rfc-only" ]] && printf -- "---------------------------------------"
outln
else
printf -- "Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits"
[[ "$DISPLAY_CIPHERNAMES" != "openssl-only" ]] && printf -- " Cipher Suite Name (RFC)"
outln
printf -- "%s--------------------------------------------------------------------------"
[[ "$DISPLAY_CIPHERNAMES" != "openssl-only" ]] && printf -- "---------------------------------------------------"
outln
fi
}
@ -2292,12 +2304,18 @@ neat_list(){
enc="${enc//POLY1305/}" # remove POLY1305
enc="${enc//\//}" # remove "/"
echo "$export" | grep -iq export && strength="$strength,exp"
grep -iq export <<< "$export" && strength="$strength,exp"
[[ -n "$ADD_RFC_STR" ]] && tls_cipher="$(show_rfc_style "$hexcode")"
[[ "$DISPLAY_CIPHERNAMES" != "openssl-only" ]] && tls_cipher="$(show_rfc_style "$hexcode")"
if [[ "$5" == "false" ]]; then
line="$(printf -- " %-7s %-33s %-10s %-12s%-8s${ADD_RFC_STR:+ %-49s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$tls_cipher")"
if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then
line="$(printf -- " %-7s %-49s %-10s %-12s%-8s" "$hexcode" "$tls_cipher" "$kx" "$enc" "$strength")"
[[ "$DISPLAY_CIPHERNAMES" != "rfc-only" ]] && line+="$(printf -- " %-33s${SHOW_EACH_C:+ %-0s}" "$ossl_cipher")"
else
line="$(printf -- " %-7s %-33s %-10s %-12s%-8s" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength")"
[[ "$DISPLAY_CIPHERNAMES" != "openssl-only" ]] && line+="$(printf -- " %-49s${SHOW_EACH_C:+ %-0s}" "$tls_cipher")"
fi
pr_deemphasize "$line"
return 0
fi
@ -2314,7 +2332,13 @@ neat_list(){
done
fi
#echo "${#kx}" # should be always 20 / 13
printf -- " %-7s %-33s %-10s %-12s%-8s${ADD_RFC_STR:+ %-49s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$tls_cipher"
if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then
printf -- " %-7s %-49s %-10s %-12s%-8s" "$hexcode" "$tls_cipher" "$kx" "$enc" "$strength"
[[ "$DISPLAY_CIPHERNAMES" != "rfc-only" ]] && printf -- " %-33s${SHOW_EACH_C:+ %-0s}" "$ossl_cipher"
else
printf -- " %-7s %-33s %-10s %-12s%-8s" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength"
[[ "$DISPLAY_CIPHERNAMES" != "openssl-only" ]] && printf -- " %-49s${SHOW_EACH_C:+ %-0s}" "$tls_cipher"
fi
}
test_just_one(){
@ -4172,10 +4196,10 @@ run_client_simulation() {
fi
#FiXME: awk
cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://')
if [[ -z "$SHOW_RFC" ]] && ( [[ "$cipher" == TLS_* ]] || [[ "$cipher" == SSL_* ]] ); then
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && ( [[ "$cipher" == TLS_* ]] || [[ "$cipher" == SSL_* ]] ); then
cipher="$(rfc2openssl "$cipher")"
[[ -z "$cipher" ]] && cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://')
elif [[ -n "$SHOW_RFC" ]] && [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then
elif [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then
cipher="$(openssl2rfc "$cipher")"
[[ -z "$cipher" ]] && cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://')
fi
@ -4658,14 +4682,14 @@ pr_ecdh_curve_quality() {
# The return value is an indicator of the quality of the cipher in $1:
# 0 = $1 is empty
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
# 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best
# 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best
pr_cipher_quality() {
local cipher="$1"
local text="$2"
[[ -z "$1" ]] && return 0
[[ -z "$text" ]] && text="$cipher"
if [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then
# This must be the OpenSSL name for a cipher
if [[ $TLS_NR_CIPHERS -eq 0 ]]; then
@ -4938,7 +4962,7 @@ run_server_preference() {
pr_bold " Negotiated cipher "
default_cipher_ossl=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
if [[ -z "$SHOW_RFC" ]]; then
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then
default_cipher="$default_cipher_ossl"
else
default_cipher="$(openssl2rfc "$default_cipher_ossl")"
@ -4997,7 +5021,7 @@ run_server_preference() {
cipher1="${TLS_CIPHER_HEXCODE[j]}"
cipher1="$(tolower "x${cipher1:2:2}${cipher1:7:2}${cipher1:12:2}")"
if [[ "$supported_sslv2_ciphers" =~ "$cipher1" ]]; then
if ( [[ -z "$SHOW_RFC" ]] && [[ "${TLS_CIPHER_OSSL_NAME[j]}" != "-" ]] ) || [[ "${TLS_CIPHER_RFC_NAME[j]}" == "-" ]]; then
if ( [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && [[ "${TLS_CIPHER_OSSL_NAME[j]}" != "-" ]] ) || [[ "${TLS_CIPHER_RFC_NAME[j]}" == "-" ]]; then
cipher[i]="${TLS_CIPHER_OSSL_NAME[j]}"
else
cipher[i]="${TLS_CIPHER_RFC_NAME[j]}"
@ -5022,7 +5046,7 @@ run_server_preference() {
proto[i]="SSLv3"
cipher[i]=""
cipher1=$(awk '/Cipher *:/ { print $3 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
if [[ -z "$SHOW_RFC" ]] && [[ $TLS_NR_CIPHERS -ne 0 ]]; then
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && [[ $TLS_NR_CIPHERS -ne 0 ]]; then
cipher[i]="$(rfc2openssl "$cipher1")"
[[ -z "${cipher[i]}" ]] && cipher[i]="$cipher1"
fi
@ -5039,7 +5063,7 @@ run_server_preference() {
proto[i]=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
[[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack!
if [[ -n "$SHOW_RFC" ]] && [[ -n "${cipher[i]}" ]]; then
if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ -n "${cipher[i]}" ]]; then
cipher[i]="$(openssl2rfc "${cipher[i]}")"
[[ -z "${cipher[i]}" ]] && cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
fi
@ -5063,7 +5087,7 @@ run_server_preference() {
cipher[i]=""
else
cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
if [[ -n "$SHOW_RFC" ]] && [[ -n "${cipher[i]}" ]]; then
if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ -n "${cipher[i]}" ]]; then
cipher[i]="$(openssl2rfc "${cipher[i]}")"
[[ -z "${cipher[i]}" ]] && cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
fi
@ -5078,7 +5102,7 @@ run_server_preference() {
if [[ -n "${cipher[i]}" ]]; then # cipher not empty
if [[ -z "$prev_cipher" ]] || [[ "$prev_cipher" != "${cipher[i]}" ]]; then
[[ -n "$prev_cipher" ]] && outln
if [[ -z "$SHOW_RFC" ]]; then
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then
printf -- " %-30s %s" "${cipher[i]}:" "${proto[i]}" # print out both
else
printf -- " %-51s %s" "${cipher[i]}:" "${proto[i]}" # print out both
@ -5341,14 +5365,14 @@ cipher_pref_check() {
for (( i=0; i < nr_ciphers; i++ )); do
[[ "$cipher" == "${rfc_ciph[i]}" ]] && ciphers_found2[i]=true && break
done
if [[ -z "$SHOW_RFC" ]] && [[ $TLS_NR_CIPHERS -ne 0 ]]; then
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && [[ $TLS_NR_CIPHERS -ne 0 ]]; then
cipher="$(rfc2openssl "$cipher")"
# If there is no OpenSSL name for the cipher, then use the RFC name
[[ -z "$cipher" ]] && cipher=$(awk '/Cipher *:/ { print $3 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
fi
order+="$cipher "
done
elif [[ -n "$order" ]] && [[ -n "$SHOW_RFC" ]]; then
elif [[ -n "$order" ]] && [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then
rfc_order=""
while read -d " " cipher; do
rfc_ciph="$(openssl2rfc "$cipher")"
@ -5390,7 +5414,7 @@ cipher_pref_check() {
order+="$cipher "
done
fi
if [[ -n "$order" ]] && [[ -n "$SHOW_RFC" ]]; then
if [[ -n "$order" ]] && [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then
rfc_order=""
while read -d " " cipher; do
rfc_ciph="$(openssl2rfc "$cipher")"
@ -5965,11 +5989,11 @@ must_staple() {
local cert extn
local -i extn_len
local supported=false
# Note this function is only looking for status_request (5) and not
# status_request_v2 (17), since OpenSSL seems to only include status_request (5)
# in its ClientHello when the "-status" option is used.
# OpenSSL 1.1.0 supports pretty-printing the "TLS Feature extension." For any
# previous versions of OpenSSL, OpenSSL can only show if the extension OID is present.
if $OPENSSL x509 -in "$HOSTCERT" -noout -text 2>>$ERRFILE | grep -A 1 "TLS Feature:" | grep -q "status_request"; then
@ -6932,7 +6956,7 @@ run_pfs() {
for (( i=0; i < nr_supported_ciphers; i++ )); do
! "${ciphers_found[i]}" && ! "$SHOW_EACH_C" && continue
if "${ciphers_found[i]}"; then
if ( [[ -z "$SHOW_RFC" ]] && [[ "${ciph[i]}" != "-" ]] ) || [[ "${rfc_ciph[i]}" == "-" ]]; then
if ( [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && [[ "${ciph[i]}" != "-" ]] ) || [[ "${rfc_ciph[i]}" == "-" ]]; then
pfs_cipher="${ciph[i]}"
else
pfs_cipher="${rfc_ciph[i]}"
@ -10524,7 +10548,7 @@ run_beast(){
[[ "$cbc_cipher" == "${ciph[i]}" ]] && break
done
ciphers_found[i]=true
if [[ -z "$SHOW_RFC" ]] || [[ "${rfc_ciph[i]}" == "-" ]]; then
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] || [[ "${rfc_ciph[i]}" == "-" ]]; then
detected_cbc_ciphers+="${ciph[i]} "
else
detected_cbc_ciphers+="${rfc_ciph[i]} "
@ -10555,7 +10579,7 @@ run_beast(){
[[ "$cbc_cipher" == "${rfc_ciph[i]}" ]] && break
done
ciphers_found[i]=true
if ( [[ -z "$SHOW_RFC" ]] && [[ "${ciph[i]}" != "-" ]] ) || [[ "${rfc_ciph[i]}" == "-" ]]; then
if ( [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && [[ "${ciph[i]}" != "-" ]] ) || [[ "${rfc_ciph[i]}" == "-" ]]; then
detected_cbc_ciphers+=" ${ciph[i]}"
else
detected_cbc_ciphers+=" ${rfc_ciph[i]}"
@ -10933,7 +10957,7 @@ run_rc4() {
outln "${sigalg[i]}"
fi
if "${ciphers_found[i]}"; then
if ( [[ -z "$SHOW_RFC" ]] && [[ "${ciph[i]}" != "-" ]] ) || [[ "${rfc_ciph[i]}" == "-" ]]; then
if ( [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && [[ "${ciph[i]}" != "-" ]] ) || [[ "${rfc_ciph[i]}" == "-" ]]; then
rc4_detected+="${ciph[i]} "
else
rc4_detected+="${rfc_ciph[i]} "
@ -10992,7 +11016,7 @@ get_install_dir() {
CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/etc/cipher-mapping.txt"
[[ -z "$TESTSSL_INSTALL_DIR" ]] && TESTSSL_INSTALL_DIR="$RUN_DIR" # probably TESTSSL_INSTALL_DIR
fi
[[ -r "$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt"
if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]]; then
[[ -r "$RUN_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/cipher-mapping.txt"
@ -11028,8 +11052,7 @@ get_install_dir() {
fi
if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]]; then
unset ADD_RFC_STR
unset SHOW_RFC
DISPLAY_CIPHERNAMES="no-rfc"
debugme echo "$CIPHERS_BY_STRENGTH_FILE"
pr_warningln "\nATTENTION: No cipher mapping file found!"
outln "Please note from 2.9dev on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/\" to function correctly."
@ -11094,7 +11117,7 @@ find_openssl_binary() {
OSSL_VER=$($OPENSSL version 2>/dev/null | awk -F' ' '{ print $2 }')
OSSL_VER_MAJOR=$(sed 's/\..*$//' <<< "$OSSL_VER")
OSSL_VER_MINOR=$(sed -e 's/^.\.//' <<< "$OSSL_VER" | tr -d '[a-zA-Z]-')
OSSL_VER_APPENDIX=$(tr -d '0-9.' "$OSSL_VER")
OSSL_VER_APPENDIX=$(tr -d '0-9.' <<< "$OSSL_VER")
OSSL_VER_PLATFORM=$($OPENSSL version -p 2>/dev/null | sed 's/^platform: //')
OSSL_BUILD_DATE=$($OPENSSL version -a 2>/dev/null | grep '^built' | sed -e 's/built on//' -e 's/: ... //' -e 's/: //' -e 's/ UTC//' -e 's/ +0000//' -e 's/.000000000//')
grep -q "not available" <<< "$OSSL_BUILD_DATE" && OSSL_BUILD_DATE=""
@ -11285,8 +11308,10 @@ output options (can also be preset via environment variables):
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
--wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
--show-each for wide outputs: display all ciphers tested -- not only succeeded ones
--mapping <rfc|no-rfc> (rfc: display the RFC Cipher Suite name instead of the OpenSSL name;
no-rfc: don't display the RFC Cipher Suite Name)
--mapping <openssl| openssl: use the OpenSSL Cipher suite name as the primary name cipher suite name form (default)
rfc| rfc: use the RFC Cipher suite name as the primary name cipher suite name form
no-openssl| no-openssl: don't display the OpenSSL Cipher Suite Name, display RFC names only
no-rfc> no-rfc: don't display the RFC Cipher Suite Name, display OpenSSL names only
--color <0|1|2> 0: no escape or other codes, 1: b/w escape codes, 2: color (default)
--colorblind swap green and blue in the output
--debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
@ -11978,7 +12003,7 @@ check_proxy() {
fatal "Your $OPENSSL is too old to support the \"-proxy\" option" -5
fi
if [[ "$PROXY" == "auto" ]]; then
# get $ENV
# get $ENV
PROXY=${https_proxy#*\/\/}
[[ -z "$PROXY" ]] && PROXY=${http_proxy#*\/\/}
[[ -z "$PROXY" ]] && fatal "you specified \"--proxy=auto\" but \"\$http(s)_proxy\" is empty" 2
@ -12727,9 +12752,11 @@ parse_cmd_line() {
cipher_mapping=$(parse_opt_equal_sign "$1" "$2")
[[ $? -eq 0 ]] && shift
case "$cipher_mapping" in
no-rfc) unset ADD_RFC_STR; unset SHOW_RFC;;
rfc) SHOW_RFC="rfc" ;;
*) pr_magentaln "\nmapping can only be \"rfc\" or \"no-rfc\""
no-openssl) DISPLAY_CIPHERNAMES="rfc-only" ;;
no-rfc) DISPLAY_CIPHERNAMES="openssl-only" ;;
openssl) DISPLAY_CIPHERNAMES="openssl" ;;
rfc) DISPLAY_CIPHERNAMES="rfc" ;;
*) pr_warningln "\nmapping can only be \"no-openssl\", \"no-rfc\", \"openssl\" or \"rfc\""
help 1 ;;
esac
;;