mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Extra warning for certificates >= 5yrs, italics handling for BSDs
This PR fixes #803 and emit an extra warning if the certificate has a lifetime longer or equal of five years which happens often on appliances with self signed certificates. (CAs do not offer such a long certificate lifetime.) This was tested under Linux, FreeBSD and OpenBSD. On the latter however we only check the years as opposed to other OS where we have a finer granularity (seconds). On the screen there's only an output if the lifetime is too long, using JSON or CSV formats, it is always displayed (ID: cert_validityPeriod). Also this PR changes the ID cert_expiration_status to cert_expirationStatus. Older FreeBSD and OpenBSD can't deal with italics characters but it output the escape codes which could result in a different markup. This PR detects such OS and just doesn't dsiplay the escape sequence. Also the manpage is reflecting the change and has updates in the server defaults and standard cipher checks section.
This commit is contained in:
parent
0e8807217d
commit
e92b7326bc
@ -1,7 +1,7 @@
|
|||||||
.\" generated with Ronn/v0.7.3
|
.\" generated with Ronn/v0.7.3
|
||||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||||
.
|
.
|
||||||
.TH "TESTSSL" "1" "January 2019" "" ""
|
.TH "TESTSSL" "1" "April 2019" "" ""
|
||||||
.
|
.
|
||||||
.SH "NAME"
|
.SH "NAME"
|
||||||
\fBtestssl\fR
|
\fBtestssl\fR
|
||||||
@ -185,16 +185,16 @@ Any single check switch supplied as an argument prevents testssl\.sh from doing
|
|||||||
\fBAnonymous NULL ciphers\fR: \'aNULL:ADH\'
|
\fBAnonymous NULL ciphers\fR: \'aNULL:ADH\'
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
\fBExport ciphers\fR (w/o the preceding ones): \'EXPORT:!ADH:!NULL\' * \fBLOW\fR (64 Bit + DES ciphers, without EXPORT ciphers): \'LOW:DES:!ADH:!EXP:!NULL\'
|
\fBExport ciphers\fR (w/o the preceding ones): \'EXPORT:!ADH:!NULL\'
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
\fBWeak 128 Bit ciphers\fR: \'MEDIUM:!aNULL:!AES:!CAMELLIA:!ARIA:!CHACHA20:!3DES\'
|
\fBLOW\fR (64 Bit + DES ciphers, without EXPORT ciphers): \'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL\'
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
\fB3DES Ciphers\fR: \'3DES:!aNULL:!ADH\'
|
\fB3DES + IDEA Ciphers\fR: \'3DES:IDEA:!aNULL:!ADH\'
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
\fBHigh grade Ciphers\fR: \'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM\'
|
\fBAverage grade Ciphers\fR: \'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL\'
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
\fBStrong grade Ciphers\fR (AEAD): \'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM\'
|
\fBStrong grade Ciphers\fR (AEAD): \'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM\'
|
||||||
@ -211,7 +211,63 @@ Any single check switch supplied as an argument prevents testssl\.sh from doing
|
|||||||
\fB\-P, \-\-preference\fR displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher\. If there\'s a cipher order enforced by the server it displays it for each protocol (openssl+sockets)\. If there\'s not, it displays instead which ciphers from the server were picked with each protocol\.
|
\fB\-P, \-\-preference\fR displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher\. If there\'s a cipher order enforced by the server it displays it for each protocol (openssl+sockets)\. If there\'s not, it displays instead which ciphers from the server were picked with each protocol\.
|
||||||
.
|
.
|
||||||
.P
|
.P
|
||||||
\fB\-S, \-\-server_defaults\fR displays information from the server hello(s): available TLS extensions, TLS ticket + session information/capabilities, session resumption capabilities, time skew relative to localhost (most server implementations return random values) and several certificate info: certificate signature algorithm, certificate key size, X509v3 key usage and extended key usage, certificate fingerprints and serial, revocation info (CRL, OCSP, OCSP stapling/must staple), certificate transparency info (if provided by server)\. When \fB\-\-phone\-out\fR supplied it checks against the certificate issuer whether the host certificate has been revoked\. This section also displays certificate start and expiration time in GMT\. In addition it checks the trust (CN, SAN, chain of trust)\. For the trust chain check there are 5 certificate stores provided\. If the test against one of the trust stores failed, the one is being identified and the reason for the failure is displayed \- in addition the ones which succeeded are displayed too\. You can configure your own CA via ADDITIONAL_CA_FILES, see section \fBFILES\fR below\. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated\. Also multiple server certificates are being checked for as well as the certificate reply to a non\-SNI (Server Name Indication) client hello to the IP address\. Also the Certification Authority Authorization (CAA) record is displayed and whether "Certificate Transparency" (CT) is supported (and if: how)\. TLS clock skew matches the time difference to the client\. Only a few TLS stacks nowadays still support this and return the local clock \fBgmt_unix_time\fR, e\.g\. IIS, openssl < 1\.0\.1f\. In addition to the HTTP date you could e\.g\. derive that there are different hosts where your TLS and your HTTP request ended \-\- if the time deltas differ significantly\.
|
\fB\-S, \-\-server_defaults\fR displays information from the server hello(s):
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
Available TLS extensions,
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
TLS ticket + session ID information/capabilities,
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
session resumption capabilities,
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
Time skew relative to localhost (most server implementations return random values)\.
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
Several certificate information:
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
signature algorithm,
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
key size,
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
key usage and extended key usage,
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
fingerprints and serial
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
Common Name (CN), Subject Alternative Name (SAN), Issuer,
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
Trust via hostname + chain of trust against supplied certificates
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
EV certificate detection
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
experimental "eTLS" detection
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
validity: start + end time, how many days to go (warning for certificate lifetime >=5 years)
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
revocation info (CRL, OCSP, OCSP stapling + must staple)\. When \fB\-\-phone\-out\fR supplied it checks against the certificate issuer whether the host certificate has been revoked (plain OCSP, CRL)\.
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
displaying DNS Certification Authority Authorization resource record
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
Certificate Transparency info (if provided by server)\.
|
||||||
|
.
|
||||||
|
.IP "" 0
|
||||||
|
.
|
||||||
|
.P
|
||||||
|
For the trust chain check 5 certificate stores are provided\. If the test against one of the trust stores failed, the one is being identified and the reason for the failure is displayed \- in addition the ones which succeeded are displayed too\. You can configure your own CA via ADDITIONAL_CA_FILES, see section \fBFILES\fR below\. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated\. Also for multiple server certificates are being checked for as well as for the certificate reply to a non\-SNI (Server Name Indication) client hello to the IP address\. Regarding the TLS clock skew: it displays the time difference to the client\. Only a few TLS stacks nowadays still support this and return the local clock \fBgmt_unix_time\fR, e\.g\. IIS, openssl < 1\.0\.1f\. In addition to the HTTP date you could e\.g\. derive that there are different hosts where your TLS and your HTTP request ended \-\- if the time deltas differ significantly\.
|
||||||
.
|
.
|
||||||
.P
|
.P
|
||||||
\fB\-x <pattern>, \-\-single\-cipher <pattern>\fR tests matched \fBpattern\fR of ciphers against a server\. Patterns are similar to \fB\-V pattern , \-\-local pattern\fR, see above about matching\.
|
\fB\-x <pattern>, \-\-single\-cipher <pattern>\fR tests matched \fBpattern\fR of ciphers against a server\. Patterns are similar to \fB\-V pattern , \-\-local pattern\fR, see above about matching\.
|
||||||
@ -350,7 +406,7 @@ Please note that in testssl\.sh 3,0 you can still use \fBrfc\fR instead of \fBia
|
|||||||
\fB\-\-show\-each\fR This is an option for all wide modes only: it displays all ciphers tested \-\- not only succeeded ones\. \fBSHOW_EACH_C\fR is your friend if you prefer to set this via the shell environment\.
|
\fB\-\-show\-each\fR This is an option for all wide modes only: it displays all ciphers tested \-\- not only succeeded ones\. \fBSHOW_EACH_C\fR is your friend if you prefer to set this via the shell environment\.
|
||||||
.
|
.
|
||||||
.P
|
.P
|
||||||
\fB\-\-color <0|1|2|3>\fR It determines the use of colors on the screen: \fB2\fR is the default and makes use of ANSI and termcap escape codes on your terminal\. \fB1\fR just uses non\-colored mark\-up like bold, italics, underline, reverse\. \fB0\fR means no mark\-up at all = no escape codes\. This is also what you want when you want a log file without any escape codes\. \fB3\fR will color ciphers and EC according to an internal (not yet perfect) rating\. Setting the environment variable \fBCOLOR\fR to the value achieves the same result\.
|
\fB\-\-color <0|1|2|3>\fR determines the use of colors on the screen and in the log file: \fB2\fR is the default and makes use of ANSI and termcap escape codes on your terminal\. \fB1\fR just uses non\-colored mark\-up like bold, italics, underline, reverse\. \fB0\fR means no mark\-up at all = no escape codes\. This is also what you want when you want a log file without any escape codes\. \fB3\fR will color ciphers and EC according to an internal (not yet perfect) rating\. Setting the environment variable \fBCOLOR\fR to the value achieves the same result\. Please not that OpenBSD and early FreeBSD do not support italics\.
|
||||||
.
|
.
|
||||||
.P
|
.P
|
||||||
\fB\-\-colorblind\fR Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en\.wikipedia\.org/wiki/Color_blindness) can distinguish those findings better\. \fBCOLORBLIND\fR is the according variable if you want to set this in the environment\.
|
\fB\-\-colorblind\fR Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en\.wikipedia\.org/wiki/Color_blindness) can distinguish those findings better\. \fBCOLORBLIND\fR is the according variable if you want to set this in the environment\.
|
||||||
@ -820,4 +876,4 @@ All native Windows platforms emulating Linux are known to be slow\.
|
|||||||
Probably\. Current known ones and interface for filing new ones: https://testssl\.sh/bugs/ \.
|
Probably\. Current known ones and interface for filing new ones: https://testssl\.sh/bugs/ \.
|
||||||
.
|
.
|
||||||
.SH "SEE ALSO"
|
.SH "SEE ALSO"
|
||||||
\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites \fBhttps://testssl\.sh/\fR and \fBhttps://github\.com/drwetter/testssl\.sh/\fR \.
|
\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites https://testssl\.sh/ and https://github\.com/drwetter/testssl\.sh/ \.
|
||||||
|
1032
doc/testssl.1.html
1032
doc/testssl.1.html
File diff suppressed because it is too large
Load Diff
@ -149,10 +149,10 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
|
|||||||
|
|
||||||
* `NULL encryption ciphers`: 'NULL:eNULL'
|
* `NULL encryption ciphers`: 'NULL:eNULL'
|
||||||
* `Anonymous NULL ciphers`: 'aNULL:ADH'
|
* `Anonymous NULL ciphers`: 'aNULL:ADH'
|
||||||
* `Export ciphers` (w/o the preceding ones): 'EXPORT:!ADH:!NULL' * `LOW` (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:!ADH:!EXP:!NULL'
|
* `Export ciphers` (w/o the preceding ones): 'EXPORT:!ADH:!NULL'
|
||||||
* `Weak 128 Bit ciphers`: 'MEDIUM:!aNULL:!AES:!CAMELLIA:!ARIA:!CHACHA20:!3DES'
|
* `LOW` (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL'
|
||||||
* `3DES Ciphers`: '3DES:!aNULL:!ADH'
|
* `3DES + IDEA Ciphers`: '3DES:IDEA:!aNULL:!ADH'
|
||||||
* `High grade Ciphers`: 'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM'
|
* `Average grade Ciphers`: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL'
|
||||||
* `Strong grade Ciphers` (AEAD): 'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM'
|
* `Strong grade Ciphers` (AEAD): 'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM'
|
||||||
|
|
||||||
`-f, --pfs, --fs,--nsa ` Checks robust (perfect) forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).
|
`-f, --pfs, --fs,--nsa ` Checks robust (perfect) forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).
|
||||||
@ -162,20 +162,28 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
|
|||||||
`-P, --preference` displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol.
|
`-P, --preference` displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol.
|
||||||
|
|
||||||
`-S, --server_defaults` displays information from the server hello(s):
|
`-S, --server_defaults` displays information from the server hello(s):
|
||||||
available TLS extensions, TLS ticket + session information/capabilities, session resumption
|
|
||||||
capabilities, time skew relative to localhost (most server implementations return random values) and several certificate info: certificate signature algorithm, certificate key size, X509v3 key usage and extended key usage, certificate fingerprints and serial, revocation info (CRL, OCSP, OCSP
|
* Available TLS extensions,
|
||||||
stapling/must staple), certificate transparency info (if provided by
|
* TLS ticket + session ID information/capabilities,
|
||||||
server). When `--phone-out` supplied it checks against the certificate issuer
|
* session resumption capabilities,
|
||||||
whether the host certificate has been revoked.
|
* Time skew relative to localhost (most server implementations return random values).
|
||||||
This section also displays certificate start and expiration time in GMT. In addition it checks the trust (CN, SAN, chain of trust).
|
* Several certificate information
|
||||||
For the trust chain check there are 5 certificate stores provided. If the test against one of the trust stores failed, the one
|
- signature algorithm,
|
||||||
is being identified and the reason for the failure is displayed - in addition the ones which succeeded are displayed too.
|
- key size,
|
||||||
You can configure your own CA via ADDITIONAL_CA_FILES, see section `FILES` below. If the server provides
|
- key usage and extended key usage,
|
||||||
no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated.
|
- fingerprints and serial
|
||||||
Also multiple server certificates are
|
- Common Name (CN), Subject Alternative Name (SAN), Issuer,
|
||||||
being checked for as well as the certificate reply to a non-SNI (Server Name
|
- Trust via hostname + chain of trust against supplied certificates
|
||||||
Indication) client hello to the IP address. Also the Certification Authority Authorization (CAA) record is displayed and whether "Certificate Transparency" (CT) is supported (and if: how).
|
- EV certificate detection
|
||||||
TLS clock skew matches the time difference to the client. Only a few TLS stacks nowadays still support this and return the local clock `gmt_unix_time`, e.g. IIS, openssl < 1.0.1f. In addition to the HTTP date you could e.g. derive that there are different hosts where your TLS and your HTTP request ended -- if the time deltas differ significantly.
|
- experimental "eTLS" detection
|
||||||
|
- validity: start + end time, how many days to go (warning for certificate lifetime >=5 years)
|
||||||
|
- revocation info (CRL, OCSP, OCSP stapling + must staple). When `--phone-out` supplied it checks against the certificate issuer whether the host certificate has been revoked (plain OCSP, CRL).
|
||||||
|
- displaying DNS Certification Authority Authorization resource record
|
||||||
|
- Certificate Transparency info (if provided by server).
|
||||||
|
|
||||||
|
For the trust chain check 5 certificate stores are provided. If the test against one of the trust stores failed, the one is being identified and the reason for the failure is displayed - in addition the ones which succeeded are displayed too.
|
||||||
|
You can configure your own CA via ADDITIONAL_CA_FILES, see section `FILES` below. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated.
|
||||||
|
Also for multiple server certificates are being checked for as well as for the certificate reply to a non-SNI (Server Name Indication) client hello to the IP address. Regarding the TLS clock skew: it displays the time difference to the client. Only a few TLS stacks nowadays still support this and return the local clock `gmt_unix_time`, e.g. IIS, openssl < 1.0.1f. In addition to the HTTP date you could e.g. derive that there are different hosts where your TLS and your HTTP request ended -- if the time deltas differ significantly.
|
||||||
|
|
||||||
`-x <pattern>, --single-cipher <pattern>` tests matched `pattern` of ciphers against a server. Patterns are similar to `-V pattern , --local pattern`, see above about matching.
|
`-x <pattern>, --single-cipher <pattern>` tests matched `pattern` of ciphers against a server. Patterns are similar to `-V pattern , --local pattern`, see above about matching.
|
||||||
|
|
||||||
@ -260,7 +268,7 @@ Please note that in testssl.sh 3,0 you can still use `rfc` instead of `iana` and
|
|||||||
`--show-each` This is an option for all wide modes only: it displays all ciphers tested -- not only succeeded ones. `SHOW_EACH_C` is your friend if you prefer to set this via the shell environment.
|
`--show-each` This is an option for all wide modes only: it displays all ciphers tested -- not only succeeded ones. `SHOW_EACH_C` is your friend if you prefer to set this via the shell environment.
|
||||||
|
|
||||||
|
|
||||||
`--color <0|1|2|3>` It determines the use of colors on the screen: `2` is the default and makes use of ANSI and termcap escape codes on your terminal. `1` just uses non-colored mark-up like bold, italics, underline, reverse. `0` means no mark-up at all = no escape codes. This is also what you want when you want a log file without any escape codes. `3` will color ciphers and EC according to an internal (not yet perfect) rating. Setting the environment variable `COLOR` to the value achieves the same result.
|
`--color <0|1|2|3>` determines the use of colors on the screen and in the log file: `2` is the default and makes use of ANSI and termcap escape codes on your terminal. `1` just uses non-colored mark-up like bold, italics, underline, reverse. `0` means no mark-up at all = no escape codes. This is also what you want when you want a log file without any escape codes. `3` will color ciphers and EC according to an internal (not yet perfect) rating. Setting the environment variable `COLOR` to the value achieves the same result. Please not that OpenBSD and early FreeBSD do not support italics.
|
||||||
|
|
||||||
|
|
||||||
`--colorblind` Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en.wikipedia.org/wiki/Color_blindness) can distinguish those findings better. `COLORBLIND` is the according variable if you want to set this in the environment.
|
`--colorblind` Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en.wikipedia.org/wiki/Color_blindness) can distinguish those findings better. `COLORBLIND` is the according variable if you want to set this in the environment.
|
||||||
@ -495,5 +503,5 @@ Probably. Current known ones and interface for filing new ones: https://testssl.
|
|||||||
|
|
||||||
## SEE ALSO
|
## SEE ALSO
|
||||||
|
|
||||||
`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites __https://testssl.sh/__ and __https://github.com/drwetter/testssl.sh/__ .
|
`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites https://testssl.sh/ and https://github.com/drwetter/testssl.sh/ .
|
||||||
|
|
||||||
|
63
testssl.sh
63
testssl.sh
@ -134,6 +134,7 @@ fi
|
|||||||
declare -r PROG_NAME="$(basename "$0")"
|
declare -r PROG_NAME="$(basename "$0")"
|
||||||
declare -r RUN_DIR="$(dirname "$0")"
|
declare -r RUN_DIR="$(dirname "$0")"
|
||||||
declare -r SYSTEM="$(uname -s)"
|
declare -r SYSTEM="$(uname -s)"
|
||||||
|
declare -r SYSTEMREV="$(uname -r)"
|
||||||
SYSTEM2="" # currently only being used for WSL = bash on windows
|
SYSTEM2="" # currently only being used for WSL = bash on windows
|
||||||
TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
|
TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
|
||||||
CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your stores some place else
|
CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your stores some place else
|
||||||
@ -576,7 +577,15 @@ tmln_bold() { tm_bold "$1"; tmln_out; }
|
|||||||
pr_bold() { tm_bold "$1"; [[ "$COLOR" -ne 0 ]] && html_out "<span style=\"font-weight:bold;\">$(html_reserved "$1")</span>" || html_out "$(html_reserved "$1")"; }
|
pr_bold() { tm_bold "$1"; [[ "$COLOR" -ne 0 ]] && html_out "<span style=\"font-weight:bold;\">$(html_reserved "$1")</span>" || html_out "$(html_reserved "$1")"; }
|
||||||
prln_bold() { pr_bold "$1" ; outln; }
|
prln_bold() { pr_bold "$1" ; outln; }
|
||||||
|
|
||||||
tm_italic() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[3m$1" || tm_out "$1"; tm_off; }
|
NO_ITALICS=false
|
||||||
|
if [[ $SYSTEM == OpenBSD ]]; then
|
||||||
|
NO_ITALICS=true
|
||||||
|
elif [[ $SYSTEM == FreeBSD ]]; then
|
||||||
|
if [[ ${SYSTEMREV%\.*} -le 9 ]]; then
|
||||||
|
NO_ITALICS=true
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
tm_italic() { ( [[ "$COLOR" -ne 0 ]] && ! "$NO_ITALICS" ) && tm_out "\033[3m$1" || tm_out "$1"; tm_off; }
|
||||||
tmln_italic() { tm_italic "$1" ; tmln_out; }
|
tmln_italic() { tm_italic "$1" ; tmln_out; }
|
||||||
pr_italic() { tm_italic "$1"; [[ "$COLOR" -ne 0 ]] && html_out "<i>$(html_reserved "$1")</i>" || html_out "$(html_reserved "$1")"; }
|
pr_italic() { tm_italic "$1"; [[ "$COLOR" -ne 0 ]] && html_out "<i>$(html_reserved "$1")</i>" || html_out "$(html_reserved "$1")"; }
|
||||||
prln_italic() { pr_italic "$1"; outln; }
|
prln_italic() { pr_italic "$1"; outln; }
|
||||||
@ -631,14 +640,14 @@ pr_boldurl() { tm_bold "$1"; html_out "<a href=\"$1\" style=\"font-weight:bold;c
|
|||||||
set_color_functions() {
|
set_color_functions() {
|
||||||
local ncurses_tput=true
|
local ncurses_tput=true
|
||||||
|
|
||||||
if [[ $(uname) == OpenBSD ]] && [[ "$TERM" =~ xterm-256 ]]; then
|
if [[ $SYSTEM == OpenBSD ]] && [[ "$TERM" =~ xterm-256 ]]; then
|
||||||
export TERM=xterm
|
export TERM=xterm
|
||||||
# openBSD can't handle 256 colors (yet) in xterm which might lead to ugly errors
|
# OpenBSD can't handle 256 colors (yet) in xterm which might lead to ugly errors
|
||||||
# like "tput: not enough arguments (3) for capability `AF'". Not our fault but
|
# like "tput: not enough arguments (3) for capability `AF'". Not our fault but
|
||||||
# before we get blamed we fix it here.
|
# before we get blamed we fix it here.
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# empty all vars if we have COLOR=0 equals no escape code:
|
# Empty all vars if we have COLOR=0 equals no escape code -- these are globals:
|
||||||
red=""
|
red=""
|
||||||
green=""
|
green=""
|
||||||
brown=""
|
brown=""
|
||||||
@ -677,25 +686,23 @@ set_color_functions() {
|
|||||||
yellow=$(tput AF 3; tput md)
|
yellow=$(tput AF 3; tput md)
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$COLOR" -ge 1 ]]; then
|
if [[ "$COLOR" -ge 1 ]]; then
|
||||||
if $ncurses_tput; then
|
if $ncurses_tput; then
|
||||||
bold=$(tput bold)
|
bold=$(tput bold)
|
||||||
underline=$(tput sgr 0 1 2>/dev/null)
|
underline=$(tput sgr 0 1 2>/dev/null)
|
||||||
italic=$(tput sitm)
|
italic=$(tput sitm) # This doesn't work on FreeBSDi (9,10) and OpenBSD ...
|
||||||
italic_end=$(tput ritm)
|
italic_end=$(tput ritm) # ... and this, too
|
||||||
off=$(tput sgr0)
|
off=$(tput sgr0)
|
||||||
else # this is a try for old BSD, see terminfo(5)
|
else # this is a try for old BSD, see terminfo(5)
|
||||||
bold=$(tput md)
|
bold=$(tput md)
|
||||||
underline=$(tput us)
|
underline=$(tput us)
|
||||||
italic=$(tput ZH) # that doesn't work on FreeBSD 9+10.x
|
italic=$(tput ZH 2>/dev/null) # This doesn't work on FreeBSDi (9,10) and OpenBSD
|
||||||
italic_end=$(tput ZR) # here too. Probably entry missing in /etc/termcap
|
italic_end=$(tput ZR 2>/dev/null) # ... probably entry missing in /etc/termcap
|
||||||
reverse=$(tput mr)
|
reverse=$(tput mr)
|
||||||
off=$(tput me)
|
off=$(tput me)
|
||||||
fi
|
fi
|
||||||
# italic doesn't work under Linux, FreeBSD (9). But both work under OpenBSD.
|
|
||||||
# alternatively we could use escape codes
|
|
||||||
fi
|
fi
|
||||||
|
# FreeBSD 10 understands ESC codes like 'echo -e "\e[3mfoobar\e[23m"', but also no tput for italics
|
||||||
}
|
}
|
||||||
|
|
||||||
strip_quote() {
|
strip_quote() {
|
||||||
@ -1822,7 +1829,7 @@ s_client_options() {
|
|||||||
options="${options//-ciphersuites $tls13_ciphers/}"
|
options="${options//-ciphersuites $tls13_ciphers/}"
|
||||||
tls13_ciphers="${tls13_ciphers##\'}"
|
tls13_ciphers="${tls13_ciphers##\'}"
|
||||||
tls13_ciphers="${tls13_ciphers%%\'}"
|
tls13_ciphers="${tls13_ciphers%%\'}"
|
||||||
[[ "$tls13_ciphers" == "ALL" ]] && tls13_ciphers="$TLS13_OSSL_CIPHERS"
|
[[ "$tls13_ciphers" == ALL ]] && tls13_ciphers="$TLS13_OSSL_CIPHERS"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
|
# Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
|
||||||
@ -7795,7 +7802,7 @@ certificate_info() {
|
|||||||
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial
|
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial
|
||||||
local policy_oid
|
local policy_oid
|
||||||
local spaces=""
|
local spaces=""
|
||||||
local -i trust_sni=0 trust_nosni=0
|
local -i trust_sni=0 trust_nosni=0 diffseconds=0
|
||||||
local has_dns_sans has_dns_sans_nosni
|
local has_dns_sans has_dns_sans_nosni
|
||||||
local trust_sni_finding
|
local trust_sni_finding
|
||||||
local -i certificates_provided
|
local -i certificates_provided
|
||||||
@ -7811,6 +7818,7 @@ certificate_info() {
|
|||||||
local provides_stapling=false
|
local provides_stapling=false
|
||||||
local caa_node="" all_caa="" caa_property_name="" caa_property_value=""
|
local caa_node="" all_caa="" caa_property_name="" caa_property_value=""
|
||||||
local response=""
|
local response=""
|
||||||
|
local a b c yearstart yearend
|
||||||
|
|
||||||
if [[ $number_of_certificates -gt 1 ]]; then
|
if [[ $number_of_certificates -gt 1 ]]; then
|
||||||
[[ $certificate_number -eq 1 ]] && outln
|
[[ $certificate_number -eq 1 ]] && outln
|
||||||
@ -8368,12 +8376,20 @@ certificate_info() {
|
|||||||
enddate="${enddate%%GMT*}GMT"
|
enddate="${enddate%%GMT*}GMT"
|
||||||
startdate="${cert_txt#*Validity*Not Before: }"
|
startdate="${cert_txt#*Validity*Not Before: }"
|
||||||
startdate="${startdate%%GMT*}GMT"
|
startdate="${startdate%%GMT*}GMT"
|
||||||
|
# Now we have a normalized enddate and startdate like "Feb 27 10:03:20 2017 GMT" -- also for OpenBSD
|
||||||
|
debugme echo "$enddate - $startdate"
|
||||||
|
# In all OS except OpenBSD it'll be reduced to "2017-02-27 11:03"
|
||||||
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||||
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||||
|
|
||||||
if "$HAS_OPENBSDDATE"; then
|
if "$HAS_OPENBSDDATE"; then
|
||||||
# best we are able to do under OpenBSD
|
# best we are able to do under OpenBSD
|
||||||
days2expire=""
|
days2expire=""
|
||||||
|
read a b c yearstart tz <<< "$startdate"
|
||||||
|
read a b c yearend tz <<< "$enddate"
|
||||||
|
# we only take the year here as OpenBSD's date is not for conversion
|
||||||
|
diffseconds=$((yearend - yearstart))
|
||||||
|
diffseconds=$((diffseconds * 3600 * 24 * 365))
|
||||||
else
|
else
|
||||||
days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds
|
days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds
|
||||||
days2expire=$((days2expire / 3600 / 24 ))
|
days2expire=$((days2expire / 3600 / 24 ))
|
||||||
@ -8383,7 +8399,9 @@ certificate_info() {
|
|||||||
days2warn2=$((days2warn2 / 2))
|
days2warn2=$((days2warn2 / 2))
|
||||||
days2warn1=$((days2warn1 / 2))
|
days2warn1=$((days2warn1 / 2))
|
||||||
fi
|
fi
|
||||||
|
diffseconds=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(parse_date "$startdate" "+%s" $'%F %H:%M') ))
|
||||||
fi
|
fi
|
||||||
|
debugme echo -n "diffseconds: $diffseconds"
|
||||||
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
|
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
|
||||||
if ! grep -qw not <<< "$expire" ; then
|
if ! grep -qw not <<< "$expire" ; then
|
||||||
pr_svrty_critical "expired"
|
pr_svrty_critical "expired"
|
||||||
@ -8410,10 +8428,24 @@ certificate_info() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln " ($startdate --> $enddate)"
|
outln " ($startdate --> $enddate)"
|
||||||
fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding"
|
fileout "cert_expirationStatus${json_postfix}" "$expok" "$expfinding"
|
||||||
fileout "cert_notBefore${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future
|
fileout "cert_notBefore${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future
|
||||||
fileout "cert_notAfter${json_postfix}" "$expok" "$enddate" # They are in UTC
|
fileout "cert_notAfter${json_postfix}" "$expok" "$enddate" # They are in UTC
|
||||||
|
|
||||||
|
if [[ $diffseconds -ge $((3600 * 24 * 365 * 10)) ]]; then
|
||||||
|
# certificate is valid >= 10 years
|
||||||
|
out "$spaces"
|
||||||
|
prln_svrty_high ">= 10 years is way too long"
|
||||||
|
fileout "cert_validityPeriod${json_postfix}" "HIGH" "$((diffseconds / 3600 * 24 )) days"
|
||||||
|
elif [[ $diffseconds -ge $((3600 * 24 * 365 * 5)) ]]; then
|
||||||
|
out "$spaces"
|
||||||
|
prln_svrty_medium ">= 5 years is too long"
|
||||||
|
fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / 3600 * 24 )) days"
|
||||||
|
else
|
||||||
|
[[ "$DEBUG" -ge 1 ]] && outln "OK: below 5 years certificate life time"
|
||||||
|
fileout "cert_validityPeriod${json_postfix}" "INFO" "$((diffseconds / 3600 * 24 )) days"
|
||||||
|
fi
|
||||||
|
|
||||||
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
||||||
out "$indent"; pr_bold " # of certificates provided"; out " $certificates_provided"
|
out "$indent"; pr_bold " # of certificates provided"; out " $certificates_provided"
|
||||||
fileout "certs_countServer${json_postfix}" "INFO" "${certificates_provided}"
|
fileout "certs_countServer${json_postfix}" "INFO" "${certificates_provided}"
|
||||||
@ -16603,10 +16635,11 @@ commandline: "$CMDLINE"
|
|||||||
bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
|
bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
|
||||||
status: ${BASH_VERSINFO[4]}
|
status: ${BASH_VERSINFO[4]}
|
||||||
machine: ${BASH_VERSINFO[5]}
|
machine: ${BASH_VERSINFO[5]}
|
||||||
operating system: $SYSTEM
|
operating system: $SYSTEM $SYSTEMREV
|
||||||
os constraint: $SYSTEM2
|
os constraint: $SYSTEM2
|
||||||
shellopts: $SHELLOPTS
|
shellopts: $SHELLOPTS
|
||||||
printf: $PRINTF
|
printf: $PRINTF
|
||||||
|
NO_ITALICS: $NO_ITALICS
|
||||||
|
|
||||||
$($OPENSSL version -a 2>/dev/null)
|
$($OPENSSL version -a 2>/dev/null)
|
||||||
OSSL_VER_MAJOR: $OSSL_VER_MAJOR
|
OSSL_VER_MAJOR: $OSSL_VER_MAJOR
|
||||||
|
Loading…
Reference in New Issue
Block a user