From d4455081f08c4cd63ae5e0226a51690c6768e330 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Thu, 9 Feb 2017 11:36:24 -0500
Subject: [PATCH 1/8] Wrap long lines

This PR addresses the issue raised in #623. This PR is based on the function `out_row_aligned_max_width()` that I proposed in #623, but the `out_row_aligned_max_width()` in this PR is a little different. It takes a fourth parameter, which is the function to use to print each word in the text string to be printed. This is used in `run_pfs()` so that the "Elliptic curves offered" can be printed using this function (some servers support 25 curves), while still having the curves printed using color-coding to indicate the quality of each curve. I somewhat arbitrarily have each line wrap at 120 characters, but that could be changed (e.g., to `$TERM_WIDTH`).
---
 testssl.sh | 163 ++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 129 insertions(+), 34 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 489995c..338789b 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -975,6 +975,64 @@ out_row_aligned() { done } +# prints text over multiple lines, trying to make no line longer than $max_width. +# Each line is indented with $spaces and each word in $text is printed using +# $print_function. +out_row_aligned_max_width() { + local text="$1" + local spaces="$2" + local -i max_width="$3" + local print_function="$4" + local -i i len cut_point + local cr=$'\n' + local line entry first=true last=false + + max_width=$max_width-${#spaces} + len=${#text} + while true; do + i=$max_width + if [[ $i -ge $len ]]; then + i=$len + else + while true; do + [[ "${text:i:1}" == " " ]] && break + [[ $i -eq 0 ]] && break + i=$i-1 + done + if [[ $i -eq 0 ]]; then + i=$max_width+1 + while true; do + [[ "${text:i:1}" == " " ]] && break + [[ $i -eq $len ]] && break + i+=1 + done + fi + fi + if [[ $i -eq $len ]]; then + line="$text" + if ! "$first"; then + out "${cr}${spaces}" + fi + last=true + else + line="${text:0:i}" + if ! "$first"; then + out "${cr}${spaces}" + fi + len=$len-$i-1 + i=$i+1 + text="${text:i:len}" + first=false + [[ $len -eq 0 ]] && last=true + fi + while read entry; do + $print_function "$entry" ; out " " + done <<< "$(echo "$line" | tr ' ' '\n')" + "$last" && break + done + return 0 +} + is_number() { [[ "$1" =~ ^[1-9][0-9]*$ ]] && \ return 0 || \ 
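Review bot: `out_row_aligned_max_width()` runs `$print_function "$entry"` without checking that the fourth argument is set, so an empty `$4` makes every word of `$text` the command name, and the callers in this patch pass text that appears to originate from the scanned server (cipher names, SANs, TLS extensions). A guard at the top of the function, `[[ -n "$print_function" ]] || return 1`, closes that path. The inner loop should also be `while read -r entry; do`, so that backslashes in the text are printed as received instead of being interpreted by `read`; the same applies to `while read san; do` in the `certificate_info()` hunk further down. The whole function body is inside this hunk.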
@@ -4540,6 +4598,59 @@ run_std_cipherlists() { return 0 } +pr_ecdh_curve_quality() { + curve="$1" + local -i bits=0 + + case "$curve" in + "sect163k1") bits=163 ;; + "sect163r1") bits=162 ;; + "sect163r2") bits=163 ;; + "sect193r1") bits=193 ;; + "sect193r2") bits=193 ;; + "sect233k1") bits=232 ;; + "sect233r1") bits=233 ;; + "sect239k1") bits=238 ;; + "sect283k1") bits=281 ;; + "sect283r1") bits=282 ;; + "sect409k1") bits=407 ;; + "sect409r1") bits=409 ;; + "sect571k1") bits=570 ;; + "sect571r1") bits=570 ;; + "secp160k1") bits=161 ;; + "secp160r1") bits=161 ;; + "secp160r2") bits=161 ;; + "secp192k1") bits=192 ;; + "prime192v1") bits=192 ;; + "secp224k1") bits=225 ;; + "secp224r1") bits=224 ;; + "secp256k1") bits=256 ;; + "prime256v1") bits=256 ;; + "secp384r1") bits=384 ;; + "secp521r1") bits=521 ;; + "brainpoolP256r1") bits=256 ;; + "brainpoolP384r1") bits=384 ;; + "brainpoolP512r1") bits=512 ;; + "X25519") bits=253 ;; + "X448") bits=448 ;; + esac + + if [[ "$bits" -le 80 ]]; then # has that ever existed? + pr_svrty_critical "$curve" + elif [[ "$bits" -le 108 ]]; then # has that ever existed? + pr_svrty_high "$curve" + elif [[ "$bits" -le 163 ]]; then + pr_svrty_medium "$curve" + elif [[ "$bits" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok + pr_svrty_low "$curve" # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416 + elif [[ "$bits" -le 224 ]]; then + out "$curve" + elif [[ "$bits" -gt 224 ]]; then + pr_done_good "$curve" + else + out "$curve" + fi +} # arg1: file with input for grepping the bit length for ECDH/DHE # arg2: whether to print warning "old fart" or not (empty: no) @@ -5149,7 +5260,7 @@ cipher_pref_check() { if [[ -n "$order" ]]; then outln printf " %-10s" "$proto: " - out "$order" + out_row_aligned_max_width "$order" " " 120 out fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order" fi done 
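Review bot: A curve name that is missing from the `case` table in `pr_ecdh_curve_quality()` keeps `bits=0` and is then printed with `pr_svrty_critical` by the first `-le 80` test, so every curve the table does not know is reported as critically weak. A default arm `*) out "$curve"; return 0 ;;` would print unknown names neutrally. The trailing `else` branch is never reached, because `-le 224` followed by `-gt 224` already covers every integer, and can be dropped. `curve="$1"` should be `local curve="$1"`; as written it sets a global.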
@@ -5163,7 +5274,7 @@ cipher_pref_check() { order="" $OPENSSL s_client $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI >$ERRFILE >$TMPFILE cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE) - printf " %-10s %s " "$p:" "$cipher" + printf " %-10s " "$p:" tested_cipher="-"$cipher order="$cipher" if ! "$FAST"; then @@ -5171,11 +5282,11 @@ cipher_pref_check() { $OPENSSL s_client -cipher "ALL:$tested_cipher" $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI >$ERRFILE >$TMPFILE sclient_connect_successful $? $TMPFILE || break cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE) - out "$cipher " tested_cipher="$tested_cipher:-$cipher" order+=" $cipher" done fi + out_row_aligned_max_width "$order" " " 120 out outln [[ -n $order ]] && fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p: $order" done @@ -5732,7 +5843,7 @@ certificate_info() { local ocsp_response_status=$6 local sni_used=$7 local cert_sig_algo cert_sig_hash_algo cert_key_algo - local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer sans san cn + local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn local issuer_DC issuerfinding cn_nosni="" local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial local policy_oid @@ -6012,10 +6123,10 @@ certificate_info() { out "$indent"; pr_bold " subjectAltName (SAN) " if [[ -n "$sans" ]]; then while read san; do - [[ -n "$san" ]] && pr_italic "$san" - out " " + [[ -n "$san" ]] && all_san+="$san " done <<< "$sans" - fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $sans" + out_row_aligned_max_width "$all_san" " " 120 pr_italic + fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $all_san" else out "-- " fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : --" 
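Review bot: In the `certificate_info()` hunk the SAN entries are joined with single spaces into `$all_san`, and `out_row_aligned_max_width()` splits its text on every space, so an entry that itself contains a space is printed as several separate words and cannot be told apart from several SANs. The same string, including its trailing space, now also replaces `$sans` in the `fileout` line, which changes what JSON/CSV consumers receive. Whether `$sans` can hold such entries is not visible in this hunk; keeping `fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $sans"` would at least leave the machine-readable output unchanged. `$TLS_EXTENSIONS` in the `run_server_defaults()` hunk is passed the same way, and the FIXME there describes it as a string of quoted strings, so multi-word names would be split as well. `certificate_info()` starts and ends outside the hunk.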
@@ -6443,7 +6554,7 @@ run_server_defaults() { fileout "tls_extensions" "INFO" "TLS server extensions (std): (none)" else #FIXME: we rather want to have the chance to print each ext in italcs or another format. Atm is a string of quoted strings -- that needs to be fixed at the root - outln "$TLS_EXTENSIONS" + out_row_aligned_max_width "$TLS_EXTENSIONS" " " 120 out; outln fileout "tls_extensions" "INFO" "TLS server extensions (std): $TLS_EXTENSIONS" fi @@ -6493,7 +6604,7 @@ run_pfs() { local -a ffdhe_groups_output=("ffdhe2048" "ffdhe3072" "ffdhe4096" "ffdhe6144" "ffdhe8192") local -a supported_curve bits local -i nr_supported_ciphers=0 nr_curves=0 nr_ossl_curves=0 i j low high - local pfs_ciphers curves_offered="" curves_offered_text="" curves_to_test temp + local pfs_ciphers curves_offered="" curves_to_test temp local len1 len2 curve_found local has_dh_bits="$HAS_DH_BITS" local using_sockets=true @@ -6645,7 +6756,6 @@ run_pfs() { pfs_cipher="${rfc_ciph[i]}" fi pfs_ciphers+="$pfs_cipher " - ! "$WIDE" && out "$pfs_cipher " if [[ "${ciph[i]}" == "ECDHE-"* ]] || ( "$using_sockets" && [[ "${rfc_ciph[i]}" == "TLS_ECDHE_"* ]] ); then ecdhe_offered=true @@ -6669,10 +6779,9 @@ run_pfs() { outln "${sigalg[i]}" fi done - + ! "$WIDE" && out_row_aligned_max_width "$pfs_ciphers" " " 120 out debugme echo $pfs_offered "$WIDE" || outln - fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers" fi 
@@ -6752,22 +6861,13 @@ run_pfs() { fi if "$ecdhe_offered"; then for (( i=0; i < nr_curves; i++ )); do - if "${supported_curve[i]}"; then - curves_offered+="${curves_ossl[i]} " - if [[ "${bits[i]}" -le 163 ]]; then - curves_offered_text+="$(pr_svrty_medium "${curves_ossl[i]}") " - elif [[ "${bits[i]}" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok - curves_offered_text+="$(pr_svrty_low "${curves_ossl[i]}") " # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416 - elif [[ "${bits[i]}" -le 224 ]]; then - curves_offered_text+="${curves_ossl[i]} " - else - curves_offered_text+="$(pr_done_good "${curves_ossl[i]}") " - fi - fi + "${supported_curve[i]}" && curves_offered+="${curves_ossl[i]} " done if [[ -n "$curves_offered" ]]; then "$WIDE" && outln - pr_bold " Elliptic curves offered: "; outln "$curves_offered_text" + pr_bold " Elliptic curves offered: " + out_row_aligned_max_width "$curves_offered" " " 120 pr_ecdh_curve_quality + outln fileout "ecdhe_curves" "INFO" "Elliptic curves offered $curves_offered" fi fi @@ -10304,17 +10404,13 @@ run_beast(){ if ! "$WIDE"; then if [[ -n "$detected_cbc_ciphers" ]]; then - detected_cbc_ciphers=$(echo "$detected_cbc_ciphers" | \ - sed -e "s/ /\\${cr} ${spaces}/12" \ - -e "s/ /\\${cr} ${spaces}/9" \ - -e "s/ /\\${cr} ${spaces}/6" \ - -e "s/ /\\${cr} ${spaces}/3") fileout "cbc_$proto" "MEDIUM" "BEAST: CBC ciphers for $(toupper $proto): $detected_cbc_ciphers" "$cve" "$cwe" "$hint" ! "$first" && out "$spaces" out "$(toupper $proto):" [[ -n "$higher_proto_supported" ]] && \ - pr_svrty_lowln "$detected_cbc_ciphers" || \ - pr_svrty_mediumln "$detected_cbc_ciphers" + out_row_aligned_max_width "$detected_cbc_ciphers" " " 120 pr_svrty_low || \ + out_row_aligned_max_width "$detected_cbc_ciphers" " " 120 pr_svrty_medium + outln detected_cbc_ciphers="" # empty for next round first=false else 
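Review bot: The `[[ -n "$higher_proto_supported" ]] && … pr_svrty_low || … pr_svrty_medium` chain in the `run_beast()` hunk is not an if/else: the `pr_svrty_medium` call also runs whenever the first `out_row_aligned_max_width` call returns non-zero. It behaves as intended today only because that function ends in `return 0`, and the outcome decides whether the detected CBC ciphers are shown at low or at medium severity. An explicit `if [[ -n "$higher_proto_supported" ]]; then … else … fi` ties the severity to the condition alone. `run_beast()` starts and ends outside the hunk.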
@@ -10640,11 +10736,10 @@ run_rc4() { fi fi outln "${sigalg[i]}" - elif "${ciphers_found[i]}"; then - pr_svrty_high "${ciph[i]} " fi "${ciphers_found[i]}" && rc4_detected+="${ciph[i]} " done + ! "$WIDE" && out_row_aligned_max_width "$rc4_detected" " " 120 pr_svrty_high outln "$WIDE" && pr_svrty_high "VULNERABLE (NOT ok)" fileout "rc4" "HIGH" "RC4: VULNERABLE, Detected ciphers: $rc4_detected" "$cve" "$cwe" "$hint" From c92131c072563bb399d1fdce1e315257a0629277 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Thu, 9 Feb 2017 11:45:29 -0500 Subject: [PATCH 2/8] Don't collect number of bits in run_pfs() The `bits` array is no longer needed in `run_pfs()` since the information collected is not being used. --- testssl.sh | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/testssl.sh b/testssl.sh index 338789b..ebf1cdd 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6602,7 +6602,7 @@ run_pfs() { local -a curves_ossl_output=("K-163" "sect163r1" "B-163" "sect193r1" "sect193r2" "K-233" "B-233" "sect239k1" "K-283" "B-283" "K-409" "B-409" "K-571" "B-571" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "P-192" "secp224k1" "P-224" "secp256k1" "P-256" "P-384" "P-521" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448") local -a ffdhe_groups_hex=("01,00" "01,01" "01,02" "01,03" "01,04") local -a ffdhe_groups_output=("ffdhe2048" "ffdhe3072" "ffdhe4096" "ffdhe6144" "ffdhe8192") - local -a supported_curve bits + local -a supported_curve local -i nr_supported_ciphers=0 nr_curves=0 nr_ossl_curves=0 i j low high local pfs_ciphers curves_offered="" curves_to_test temp local len1 len2 curve_found @@ -6828,9 +6828,6 @@ run_pfs() { done [[ $i -eq $high ]] && break supported_curve[i]=true - bits[i]=$(awk -F',' '{ print $3 }' <<< $temp) - grep -q bits <<< ${bits[i]} || bits[i]=$(awk -F',' '{ print $2 }' <<< $temp) - bits[i]=$(tr -d ' bits' <<< ${bits[i]}) done done fi 
@@ -6854,9 +6851,6 @@ run_pfs() { done [[ $i -eq $nr_curves ]] && break supported_curve[i]=true - bits[i]=$(awk -F',' '{ print $3 }' <<< $temp) - grep -q bits <<< ${bits[i]} || bits[i]=$(awk -F',' '{ print $2 }' <<< $temp) - bits[i]=$(tr -d ' bits' <<< ${bits[i]}) done fi if "$ecdhe_offered"; then From 45379ce1f9b7acbb53454d3c26f6f964ef437dcd Mon Sep 17 00:00:00 2001 From: David Cooper Date: Thu, 9 Feb 2017 13:29:22 -0500 Subject: [PATCH 3/8] Fix subjectAltName indendation The PR didn't account for the indentation of the subjectAltName differing depending on whether the server has one or more than one certificate. --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index ebf1cdd..e650d66 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6125,7 +6125,7 @@ certificate_info() { while read san; do [[ -n "$san" ]] && all_san+="$san " done <<< "$sans" - out_row_aligned_max_width "$all_san" " " 120 pr_italic + out_row_aligned_max_width "$all_san" "$indent " 120 pr_italic fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $all_san" else out "-- " From 8dabc2828045e25a6b5cb69f3d0bd1e9d7d5edaa Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 11 Feb 2017 14:01:51 +0100 Subject: [PATCH 4/8] also made sure that all old dns binaries work (SLES 11, FreeBSD 9) --- testssl.sh | 57 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 40 insertions(+), 17 deletions(-) diff --git a/testssl.sh b/testssl.sh index 489995c..0e2cb37 100755 --- a/testssl.sh +++ b/testssl.sh 
@@ -11492,41 +11492,64 @@ get_aaaa_record() { # RFC6844: DNS Certification Authority Authorization (CAA) Resource Record # arg1: domain to check for get_caa_rr_record() { - local caa="" + local raw_caa="" + local caa_flag + local -i len_caa_property + local caa_property_name + local caa_property_value local saved_openssl_conf="$OPENSSL_CONF" + # if there's a type257 record there are two output formats here, mostly depending on age of distribution + # rougly that's the difference between text and binary format + # 1) 'google.com has CAA record 0 issue "symantec.com"' + # 2) 'google.com has TYPE257 record \# 19 0005697373756573796D616E7465632E636F6D' + # for dig +short the output always starts with '0 issue [..]' or '\# 19 [..]' so we normalize thereto to keep caa_flag, caa_property + # caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3 OPENSSL_CONF="" if which dig &> /dev/null; then - caa="$(dig $1 type257 +short | awk '{ print $3 }')" + raw_caa="$(dig $1 type257 +short)" # empty if no CAA record elif which host &> /dev/null; then - caa="$(host -t type257 $1)" - if grep -wq issue <<< "$caa" && grep -wvq "has no CAA" <<< "$caa"; then - caa="$(awk '/issue/ { print $NF }' <<< "$caa")" + raw_caa="$(host -t type257 $1)" + if egrep -wvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then + raw_caa="$(sed -e 's/^.*has CAA record //' -e 's/^.*has TYPE257 record //' <<< "$raw_caa")" fi elif which nslookup &> /dev/null; then - caa="$(nslookup -type=type257 $1)" - if grep -wq issue <<< "$caa" && grep -wvq "No answer" <<< "$caa"; then - caa="$(awk '/issue/ { print $NF }' <<< "$caa")" + raw_caa="$(nslookup -type=type257 $1 | grep -w rdata_257)" + if [[ -n "$raw_caa" ]]; then + raw_caa="$(sed 's/^.*rdata_257 = //' <<< "$raw_caa")" fi else return 1 # No dig, host, or nslookup --> complaint was elsewhere already and except for one which has drill only we don't get here fi OPENSSL_CONF="$saved_openssl_conf" # see 
https://github.com/drwetter/testssl.sh/issues/134 + debugme echo $raw_caa - # try to convert old return values - if [[ "$caa" =~ ^[A-F0-9]+$ ]]; then - caa=${caa:4:100} # ignore the first 4 bytes - caa=$(hex2ascii "$caa" | sed 's/^issue//g') + # '# 19' for google.com is the tag length probably --> we use this also to identify the binary format + if [[ "$raw_caa" =~ \#\ [0-9][0-9]\ [A-F0-9]+$ ]]; then + raw_caa=$(awk '{ print $NF }' <<< $raw_caa) # caa_length would be awk '{ print $(NF-1) }' but we don't need it + if [[ "${raw_caa:0:2}" == "00" ]]; then # probably the flag + caa_flag="0" + len_caa_property=${raw_caa:2:2} # implicit type casting, for google we have 05 here as a string + len_caa_property=$((len_caa_property*2)) # =>word! Now get name from 4th and value from 4th+len position... + caa_property_name=$(hex2ascii ${raw_caa:4:$len_caa_property}) + caa_property_value=$(hex2ascii ${raw_caa:$((4+len_caa_property)):100}) + else + outln "please report unknown CAA flag $caa_flag @ $NODE" + fi + elif grep -q '"' <<< $raw_caa; then + raw_caa=${raw_caa//\"/} # strip " first. Now we should have flag, name, value + caa_flag=$(awk '{ print $1 }' <<< $raw_caa) + caa_property_name=$(awk '{ print $2 }' <<< $raw_caa) + caa_property_value=$(awk '{ print $3 }' <<< $raw_caa) else - caa=${caa//\"/} # strip " + # no caa record + return 1 fi - echo "$caa" + echo "$caa_property_name: $caa_property_value" + # to do: -# 1: check old binaries whether they support this record at all -# done (2: check whether hexstring is returned and deal with it) -# 3: check more than domainname, see https://tools.ietf.org/html/rfc6844#section-3 # 4: check whether $1 is a CNAME and take this # 5: query with drill return 0 From d2f688e925d1baf768c285f095ad6c7e8001008c Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 11 Feb 2017 14:16:18 +0100 Subject: [PATCH 5/8] CAA RR belongs also in JSON, see #588 --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
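Review bot: In the binary (`\# 19 …`) branch of `get_caa_rr_record()` the tag length `${raw_caa:2:2}` is a hex octet but is assigned to a `local -i` variable, which evaluates it as an octal or decimal literal: `09` (the length of the `issuewild` tag) and `0A`–`0F` are rejected by bash with "value too great for base", and `10` and up are silently read as decimal. The `else` arm prints "please report unknown CAA flag" with `$caa_flag` still unset, and since the caller captures the function's output (`caa="$(get_caa_rr_record $NODE)"` in `certificate_info()`), that text, presumably written to stdout by `outln`, becomes part of the reported CAA value; a record with flag 128 (issuer critical, RFC 6844) takes this path. Parsing both octets in base 16 and sending the diagnostic to stderr, as sketched below, addresses both. The decoded name and value come from a DNS answer and go to the terminal and to `fileout`, so non-printable bytes should be stripped after `hex2ascii` unless that helper already does so, which is not visible here.

```shell
     if [[ "$raw_caa" =~ \#\ [0-9][0-9]\ [A-F0-9]+$ ]]; then
          raw_caa=$(awk '{ print $NF }' <<< $raw_caa)
          caa_flag=$((16#${raw_caa:0:2}))            # flags octet; 128 = issuer critical
          len_caa_property=$((16#${raw_caa:2:2}))    # tag length is a hex octet, force base 16
          len_caa_property=$((len_caa_property*2))   # octets -> hex digits
          # … unchanged: hex2ascii calls filling caa_property_name and caa_property_value …
          if [[ $caa_flag -ne 0 ]] && [[ $caa_flag -ne 128 ]]; then
               outln "please report unknown CAA flag $caa_flag @ $NODE" >&2
          fi
```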
diff --git a/testssl.sh b/testssl.sh index 0e2cb37..96366d6 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6280,7 +6280,7 @@ certificate_info() { caa="$(get_caa_rr_record $NODE)" if [[ -n "$caa" ]]; then pr_done_good "OK"; out " (" ; pr_italic "$caa"; out ")" - fileout "${json_prefix}CAA_record" "OK" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : offered" + fileout "${json_prefix}CAA_record" "OK" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : \"$caa\" " else pr_svrty_low "--" fileout "${json_prefix}CAA_record" "LOW" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : not offered" From 7d6f1eb46f4015ef0557221375cfb66eaea56c71 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 13 Feb 2017 09:06:10 +0100 Subject: [PATCH 6/8] polishing #628, mostly make sure we automatically align to terminal width --- testssl.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/testssl.sh b/testssl.sh index b568bef..e4b21bb 100755 --- a/testssl.sh +++ b/testssl.sh @@ -987,6 +987,7 @@ out_row_aligned_max_width() { local cr=$'\n' local line entry first=true last=false + max_width=$max_width-1 # at the moment we align to terminal width. This makes sure we don't wrap too late max_width=$max_width-${#spaces} len=${#text} while true; do @@ -1027,7 +1028,7 @@ out_row_aligned_max_width() { fi while read entry; do $print_function "$entry" ; out " " - done <<< "$(echo "$line" | tr ' ' '\n')" + done <<< "$(tr ' ' '\n' <<< "$line")" "$last" && break done return 0 @@ -5260,7 +5261,7 @@ cipher_pref_check() { if [[ -n "$order" ]]; then outln printf " %-10s" "$proto: " - out_row_aligned_max_width "$order" " " 120 out + out_row_aligned_max_width "$order" " " $TERM_WIDTH out fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order" fi done 
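Review bot: The new `fileout` line in `certificate_info()` places `$caa`, a value taken from a DNS answer, between literal double quotes inside the finding text. Whether `fileout` escapes quotes and backslashes for its JSON and CSV writers is not visible in this hunk; if it does not, the added `\"` characters alone would break the record, and a CAA value containing such characters would do the same. Writing the value without the inner quotes (`… RFC6844 : $caa`), or escaping inside `fileout`, avoids that. `certificate_info()` starts and ends outside the hunk.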
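Review bot: `$TERM_WIDTH` is passed unquoted in the `cipher_pref_check()` call here and at every other call site this patch touches (`certificate_info()`, `run_server_defaults()`, `run_pfs()`, `run_beast()`, `run_rc4()`), so if it is ever empty the arguments shift: `max_width` receives the print function's name and `$print_function` is empty, which makes `$print_function "$entry"` run each printed word as a command. Where `TERM_WIDTH` is assigned is outside this patch, so this may already be guarded; passing `"${TERM_WIDTH:-120}"` keeps the previous width as a fallback. A narrow terminal also needs handling inside `out_row_aligned_max_width()`: after the two subtractions `max_width` can become negative, and the backward scan can then never reach its `[[ $i -eq 0 ]] && break` exit because `${text:i:1}` indexes from the end of the string. A clamp such as `[[ $max_width -lt 1 ]] && max_width=1` after the subtractions avoids that.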
@@ -5286,7 +5287,7 @@ cipher_pref_check() { order+=" $cipher" done fi - out_row_aligned_max_width "$order" " " 120 out + out_row_aligned_max_width "$order" " " $TERM_WIDTH out outln [[ -n $order ]] && fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p: $order" done @@ -6125,7 +6126,7 @@ certificate_info() { while read san; do [[ -n "$san" ]] && all_san+="$san " done <<< "$sans" - out_row_aligned_max_width "$all_san" "$indent " 120 pr_italic + out_row_aligned_max_width "$all_san" "$indent " $TERM_WIDTH pr_italic fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $all_san" else out "-- " @@ -6554,7 +6555,7 @@ run_server_defaults() { fileout "tls_extensions" "INFO" "TLS server extensions (std): (none)" else #FIXME: we rather want to have the chance to print each ext in italcs or another format. Atm is a string of quoted strings -- that needs to be fixed at the root - out_row_aligned_max_width "$TLS_EXTENSIONS" " " 120 out; outln + out_row_aligned_max_width "$TLS_EXTENSIONS" " " $TERM_WIDTH out; outln fileout "tls_extensions" "INFO" "TLS server extensions (std): $TLS_EXTENSIONS" fi @@ -6779,7 +6780,7 @@ run_pfs() { outln "${sigalg[i]}" fi done - ! "$WIDE" && out_row_aligned_max_width "$pfs_ciphers" " " 120 out + ! "$WIDE" && out_row_aligned_max_width "$pfs_ciphers" " " $TERM_WIDTH out debugme echo $pfs_offered "$WIDE" || outln fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers" @@ -6860,7 +6861,7 @@ run_pfs() { if [[ -n "$curves_offered" ]]; then "$WIDE" && outln pr_bold " Elliptic curves offered: " - out_row_aligned_max_width "$curves_offered" " " 120 pr_ecdh_curve_quality + out_row_aligned_max_width "$curves_offered" " " $TERM_WIDTH pr_ecdh_curve_quality outln fileout "ecdhe_curves" "INFO" "Elliptic curves offered $curves_offered" fi 
@@ -10402,8 +10403,8 @@ run_beast(){ ! "$first" && out "$spaces" out "$(toupper $proto):" [[ -n "$higher_proto_supported" ]] && \ - out_row_aligned_max_width "$detected_cbc_ciphers" " " 120 pr_svrty_low || \ - out_row_aligned_max_width "$detected_cbc_ciphers" " " 120 pr_svrty_medium + out_row_aligned_max_width "$detected_cbc_ciphers" " " $TERM_WIDTH pr_svrty_low || \ + out_row_aligned_max_width "$detected_cbc_ciphers" " " $TERM_WIDTH pr_svrty_medium outln detected_cbc_ciphers="" # empty for next round first=false @@ -10733,7 +10734,7 @@ run_rc4() { fi "${ciphers_found[i]}" && rc4_detected+="${ciph[i]} " done - ! "$WIDE" && out_row_aligned_max_width "$rc4_detected" " " 120 pr_svrty_high + ! "$WIDE" && out_row_aligned_max_width "$rc4_detected" " " $TERM_WIDTH pr_svrty_high outln "$WIDE" && pr_svrty_high "VULNERABLE (NOT ok)" fileout "rc4" "HIGH" "RC4: VULNERABLE, Detected ciphers: $rc4_detected" "$cve" "$cwe" "$hint" From c252d5ab2830179cc62b9f9bc11737b8dd9b51c9 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Feb 2017 09:33:03 +0100 Subject: [PATCH 7/8] Update Readme.md --- Readme.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/Readme.md b/Readme.md index d67d546..727cf52 100644 --- a/Readme.md +++ b/Readme.md 
@@ -36,14 +36,13 @@ and more documentation") or https://github.com/drwetter/testssl.sh/wiki/Usage-Do #### Compatibility -testssl.sh is working on every Linux/BSD distribution out of the box with -some limitations of disabled features from the openssl client -- some -workarounds are done with bash-socket-based checks. It also works on other -unixoid system out of the box, supposed they have `/bin/bash` and standard -tools like sed and awk installed. MacOS X and Windows (using MSYS2 or -cygwin) work too. OpenSSL version >= 1 is a must. OpenSSL version >= 1.0.2 -is needed for better LOGJAM checks and to display bit strengths for key -exchanges. +testssl.sh is working on every Linux/BSD distribution out of the box. In 2.9dev most +of the limitations of disabled features from the openssl client are gone due to bash-socket-based +checks. testssl.sh also works on otherunixoid system out of the box, supposed they have +`/bin/bash` and standard tools like sed and awk installed. System V needs to have GNU versions +of grep and sed installed. MacOS X and Windows (using MSYS2 or cygwin) work too. OpenSSL version +>= 1 is a must. OpenSSL version >= 1.0.2 is needed for better LOGJAM checks and to +display bit strengths for key exchanges. Update notification here or @ [twitter](https://twitter.com/drwetter). @@ -56,6 +55,11 @@ Update notification here or @ [twitter](https://twitter.com/drwetter). * testing 359 default ciphers (``testssl.sh -e``) with a mixture of sockets and openssl. Same speed as with openssl only but addtional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc. * finding more TLS extensions via sockets * TLS Supported Groups Registry (RFC 7919), key shares extension +* using bash sockets where ever possible +* LUCKY13 and SWEET32 checks +* LOGJAM: now checking also for known DH parameters +* Check for CAA RR +* better formatting of output #### Features planned in 2.9dev 
From 971c8e8b639021dc5d59c6fe43ef52f5e6cfe2c5 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Feb 2017 09:33:50 +0100 Subject: [PATCH 8/8] Update Readme.md --- Readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index 727cf52..7403f12 100644 --- a/Readme.md +++ b/Readme.md @@ -40,8 +40,8 @@ testssl.sh is working on every Linux/BSD distribution out of the box. In 2.9dev of the limitations of disabled features from the openssl client are gone due to bash-socket-based checks. testssl.sh also works on otherunixoid system out of the box, supposed they have `/bin/bash` and standard tools like sed and awk installed. System V needs to have GNU versions -of grep and sed installed. MacOS X and Windows (using MSYS2 or cygwin) work too. OpenSSL version ->= 1 is a must. OpenSSL version >= 1.0.2 is needed for better LOGJAM checks and to +of grep and sed installed. MacOS X and Windows (using MSYS2 or cygwin) work too. OpenSSL +version >= 1 is a must. OpenSSL version >= 1.0.2 is needed for better LOGJAM checks and to display bit strengths for key exchanges. Update notification here or @ [twitter](https://twitter.com/drwetter).