Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-08 09:40:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #546 from dcooper16/drown_and_non_RSA_certs

Browse Source 
run_drown() when server has non-RSA certificates
This commit is contained in:
Dirk Wetter 2016-12-02 17:10:16 +01:00 committed by GitHub
commit e67d3646e9
1 changed files with 26 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
testssl.sh
View File

@ -243,6 +243,7 @@ IPS=""
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP? SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
URI="" URI=""
CERT_FINGERPRINT_SHA2="" CERT_FINGERPRINT_SHA2=""
RSA_CERT_FINGERPRINT_SHA2=""
SHOW_CENSYS_LINK=${SHOW_CENSYS_LINK:-true} SHOW_CENSYS_LINK=${SHOW_CENSYS_LINK:-true}
STARTTLS_PROTOCOL="" STARTTLS_PROTOCOL=""
OPTIMAL_PROTO="" # we need this for IIS6 (sigh) and OpenSSL 1.0.2, otherwise some handshakes OPTIMAL_PROTO="" # we need this for IIS6 (sigh) and OpenSSL 1.0.2, otherwise some handshakes
@ -4503,7 +4504,7 @@ cipher_pref_check() {
} }
# arg1 is proto or empty # arg1 is OpenSSL s_client parameter or empty
get_host_cert() { get_host_cert() {
local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE
@ -4512,7 +4513,7 @@ get_host_cert() {
awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT
return 0 return 0
else else
pr_warningln "could not retrieve host certificate!" [[ -z "$1" ]] && pr_warningln "could not retrieve host certificate!"
#fileout "host_certificate" "WARN" "Could not retrieve host certificate!" #fileout "host_certificate" "WARN" "Could not retrieve host certificate!"
return 1 return 1
fi fi
@ -5247,6 +5248,9 @@ certificate_info() {
[[ -z $CERT_FINGERPRINT_SHA2 ]] && \ [[ -z $CERT_FINGERPRINT_SHA2 ]] && \
CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" || CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" ||
CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2 $CERT_FINGERPRINT_SHA2" CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2 $CERT_FINGERPRINT_SHA2"
[[ -z $RSA_CERT_FINGERPRINT_SHA2 ]] && \
( [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] ) &&
RSA_CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2"
out "$indent"; pr_bold " Common Name (CN) " out "$indent"; pr_bold " Common Name (CN) "
cnfinding="Common Name (CN) : " cnfinding="Common Name (CN) : "
@ -8674,11 +8678,10 @@ run_logjam() {
run_drown() { run_drown() {
local nr_ciphers_detected local nr_ciphers_detected ret
local spaces=" " local spaces=" "
local cert_fingerprint_sha2="" local cert_fingerprint_sha2=""
#FIXME: test for iexistence of RSA key exchange
if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
outln outln
pr_headlineln " Testing for DROWN vulnerability " pr_headlineln " Testing for DROWN vulnerability "
@ -8713,22 +8716,29 @@ run_drown() {
;; ;;
*) pr_done_bestln "not vulnerable on this port (OK)" *) pr_done_bestln "not vulnerable on this port (OK)"
fileout "drown" "OK" "not vulnerable to DROWN" fileout "drown" "OK" "not vulnerable to DROWN"
outln "$spaces make sure you don't use this certificate elsewhere with SSLv2 enabled services" # Any fingerprint that is placed in $RSA_CERT_FINGERPRINT_SHA2 is
if [[ "$DEBUG" -ge 1 ]] || "$SHOW_CENSYS_LINK"; then # also added to $CERT_FINGERPRINT_SHA2, so if $CERT_FINGERPRINT_SHA2
# not advertising it as it after 5 tries and account is needed # is not empty, but $RSA_CERT_FINGERPRINT_SHA2 is empty, then the server
if [[ -z "$CERT_FINGERPRINT_SHA2" ]]; then # doesn't have an RSA certificate.
get_host_cert || return 7 if [[ -z "$CERT_FINGERPRINT_SHA2" ]]; then
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed -e 's/^.*Fingerprint=//' -e 's/://g' )" get_host_cert "-cipher aRSA"
else [[ $? -eq 0 ]] && cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed -e 's/^.*Fingerprint=//' -e 's/://g' )"
cert_fingerprint_sha2="$CERT_FINGERPRINT_SHA2" else
fi cert_fingerprint_sha2="$RSA_CERT_FINGERPRINT_SHA2"
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
outln "$spaces https://censys.io/ipv4?q=$cert_fingerprint_sha2 could help you to find out"
fi fi
if [[ -n "$cert_fingerprint_sha2" ]]; then
outln "$spaces make sure you don't use this certificate elsewhere with SSLv2 enabled services"
if [[ "$DEBUG" -ge 1 ]] || "$SHOW_CENSYS_LINK"; then
# not advertising it as it after 5 tries and account is needed
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
outln "$spaces https://censys.io/ipv4?q=$cert_fingerprint_sha2 could help you to find out"
fi
fi
ret=0
;; ;;
esac esac
return $? return $ret
} }