reordering of global vars, warning for client simulation of run w openssl more clear
This commit is contained in:
parent
8be7dcbf09
commit
e45d80eb40
37
testssl.sh
37
testssl.sh
|
@ -164,7 +164,6 @@ TERM_CURRPOS=0 # custom line wrappi
|
||||||
## CONFIGURATION PART ##
|
## CONFIGURATION PART ##
|
||||||
# following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
|
# following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
|
||||||
# 0 means (normally) true here. Some of the variables are also accessible with a command line switch, see --help
|
# 0 means (normally) true here. Some of the variables are also accessible with a command line switch, see --help
|
||||||
|
|
||||||
declare -x OPENSSL OPENSSL_TIMEOUT
|
declare -x OPENSSL OPENSSL_TIMEOUT
|
||||||
FAST_SOCKET=${FAST_SOCKET:-false} # EXPERIMENTAL feature to accelerate sockets -- DO NOT USE it for production
|
FAST_SOCKET=${FAST_SOCKET:-false} # EXPERIMENTAL feature to accelerate sockets -- DO NOT USE it for production
|
||||||
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
|
||||||
|
@ -190,18 +189,12 @@ LOGFILE="${LOGFILE:-""}" # logfile if used
|
||||||
JSONFILE="${JSONFILE:-""}" # jsonfile if used
|
JSONFILE="${JSONFILE:-""}" # jsonfile if used
|
||||||
CSVFILE="${CSVFILE:-""}" # csvfile if used
|
CSVFILE="${CSVFILE:-""}" # csvfile if used
|
||||||
HTMLFILE="${HTMLFILE:-""}" # HTML if used
|
HTMLFILE="${HTMLFILE:-""}" # HTML if used
|
||||||
FIRST_FINDING=true # Is this the first finding we are outputting to file?
|
FNAME=${FNAME:-""} # file name to read commands from
|
||||||
JSONHEADER=true # include JSON headers and footers in HTML file, if one is being created
|
|
||||||
CSVHEADER=true # same for CSV
|
|
||||||
HTMLHEADER=true # same for HTML
|
|
||||||
APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it
|
APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it
|
||||||
GIVE_HINTS=false # give an addtional info to findings
|
NODNS=${NODNS:-false} # always do DNS lookups per default. For some pentests it might save time to set this to true
|
||||||
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
||||||
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
|
|
||||||
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
|
|
||||||
CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false}
|
|
||||||
|
|
||||||
# tuning vars, can be set by a cmd line switch
|
# tuning vars which cannot be set by a cmd line switch
|
||||||
EXPERIMENTAL=${EXPERIMENTAL:-false}
|
EXPERIMENTAL=${EXPERIMENTAL:-false}
|
||||||
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
|
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
|
||||||
MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this.
|
MAX_WAITSOCK=${MAX_WAITSOCK:-10} # waiting at max 10 seconds for socket reply. There shouldn't be any reason to change this.
|
||||||
|
@ -218,13 +211,10 @@ HPKP_MIN=${HPKP_MIN:-30} # >=30 days should be ok for HPKP_MIN, p
|
||||||
DAYS2WARN1=${DAYS2WARN1:-60} # days to warn before cert expires, threshold 1
|
DAYS2WARN1=${DAYS2WARN1:-60} # days to warn before cert expires, threshold 1
|
||||||
DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2
|
DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2
|
||||||
VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check
|
VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check
|
||||||
NODNS=${NODNS:-false} # always do DNS lookups per default. For some pentests it might save time to set this to true
|
|
||||||
DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # don't do DNS lookups via proxy. --ip=proxy reverses this
|
DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # don't do DNS lookups via proxy. --ip=proxy reverses this
|
||||||
|
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
|
||||||
readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
||||||
HAD_SLEPT=0
|
|
||||||
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
||||||
FNAME=${FNAME:-""} # file name to read commands from
|
|
||||||
IKNOW_FNAME=false
|
|
||||||
MEASURE_TIME_FILE=${MEASURE_TIME_FILE:-""}
|
MEASURE_TIME_FILE=${MEASURE_TIME_FILE:-""}
|
||||||
if [[ -n "$MEASURE_TIME_FILE" ]] && [[ -z "$MEASURE_TIME" ]]; then
|
if [[ -n "$MEASURE_TIME_FILE" ]] && [[ -z "$MEASURE_TIME" ]]; then
|
||||||
MEASURE_TIME=true
|
MEASURE_TIME=true
|
||||||
|
@ -235,9 +225,16 @@ DISPLAY_CIPHERNAMES="openssl" # display OpenSSL ciphername (but both O
|
||||||
readonly UA_STD="TLS tester from $SWURL"
|
readonly UA_STD="TLS tester from $SWURL"
|
||||||
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
|
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
|
||||||
|
|
||||||
|
# initialization part, further global vars just declared here
|
||||||
## INITIALIZATION PART ##
|
IKNOW_FNAME=false
|
||||||
# further global vars just declared here
|
FIRST_FINDING=true # is this the first finding we are outputting to file?
|
||||||
|
JSONHEADER=true # include JSON headers and footers in HTML file, if one is being created
|
||||||
|
CSVHEADER=true # same for CSV
|
||||||
|
HTMLHEADER=true # same for HTML
|
||||||
|
GIVE_HINTS=false # give an addtional info to findings
|
||||||
|
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
|
||||||
|
CHILD_MASS_TESTING=${CHILD_MASS_TESTING:-false}
|
||||||
|
HAD_SLEPT=0
|
||||||
readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
readonly NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
|
||||||
# alpn_protos needs to be space-separated, not comma-seperated, including odd ones observerd @ facebook and others, old ones like h2-17 omitted as they could not be found
|
# alpn_protos needs to be space-separated, not comma-seperated, including odd ones observerd @ facebook and others, old ones like h2-17 omitted as they could not be found
|
||||||
readonly ALPN_PROTOs="h2 spdy/3.1 http/1.1 h2-fb spdy/1 spdy/2 spdy/3 stun.turn stun.nat-discovery webrtc c-webrtc ftp"
|
readonly ALPN_PROTOs="h2 spdy/3.1 http/1.1 h2-fb spdy/1 spdy/2 spdy/3 stun.turn stun.nat-discovery webrtc c-webrtc ftp"
|
||||||
|
@ -3652,8 +3649,8 @@ run_client_simulation() {
|
||||||
pr_headlineln " Running client simulations via sockets "
|
pr_headlineln " Running client simulations via sockets "
|
||||||
else
|
else
|
||||||
pr_headline " Running client simulations via openssl "
|
pr_headline " Running client simulations via openssl "
|
||||||
prln_warning " Depending on your openssl client you may get false results"
|
prln_warning " -- you shouldn't run this with \"--ssl-native\" as you will get false results"
|
||||||
fileout "client_simulation_Problem" "WARN" "Depending on your openssl client you will encounter false results"
|
fileout "client_simulation_Problem" "WARN" "You shouldn't run this with \"--ssl-native\" as you will get false results"
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
|
|
||||||
|
@ -3779,7 +3776,7 @@ run_client_simulation() {
|
||||||
outln "${warning[i]}"
|
outln "${warning[i]}"
|
||||||
fi
|
fi
|
||||||
fileout "client_${short[i]}" "INFO" \
|
fileout "client_${short[i]}" "INFO" \
|
||||||
"$(strip_spaces "${names[i]}") client simulation: $proto $cipher ${warning[i]}"
|
"$(strip_spaces "${names[i]}") client simulation: $proto $cipher ${warning[i]}"
|
||||||
debugme cat $TMPFILE
|
debugme cat $TMPFILE
|
||||||
fi
|
fi
|
||||||
fi # correct service?
|
fi # correct service?
|
||||||
|
|
Loading…
Reference in New Issue