Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-10 10:40:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Logjam

Browse Source
This commit is contained in:
Frank Breedijk 2015-12-17 12:41:47 +01:00
parent b6e8b45ac1
commit eaabc5d13d
1 changed files with 33 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
testssl.sh
View File

@ -3967,18 +3967,25 @@ run_breach() {
debugme grep '^Content-Encoding' $TMPFILE debugme grep '^Content-Encoding' $TMPFILE
if [[ ! -s $TMPFILE ]]; then if [[ ! -s $TMPFILE ]]; then
pr_litemagenta "failed (HTTP header request stalled" pr_litemagenta "failed (HTTP header request stalled"
[[ $was_killed -ne 0 ]] && pr_litemagenta " and was terminated" if [[ $was_killed -ne 0 ]]; then
pr_litemagenta " and was terminated"
output_finding "breach" "$NODEIP" "$PORT" "WARN" "BREACH (CVE-2013-3587) : Test failed (HTTP request stalled and was terminated)"
else
output_finding "breach" "$NODEIP" "$PORT" "WARN" "BREACH (CVE-2013-3587) : Test failed (HTTP request stalled)"
fi
pr_litemagenta ") " pr_litemagenta ") "
ret=3 ret=3
elif [[ -z $result ]]; then elif [[ -z $result ]]; then
pr_green "no HTTP compression (OK) " pr_green "no HTTP compression (OK) "
outln "$disclaimer" outln "$disclaimer"
output_finding "breach" "$NODEIP" "$PORT" "OK" "BREACH (CVE-2013-3587) : no HTTP compression (OK) $disclaimer"
ret=0 ret=0
else else
pr_litered "potentially NOT ok, uses $result HTTP compression." pr_litered "potentially NOT ok, uses $result HTTP compression."
outln "$disclaimer" outln "$disclaimer"
outln "$spaces Can be ignored for static pages or if no secrets in the page" outln "$spaces Can be ignored for static pages or if no secrets in the page"
ret=1 output_finding "breach" "$NODEIP" "$PORT" "NOT OK" "BREACH (CVE-2013-3587) : potentially VULNERABLE, uses $result HTTP compression. $disclaimer\nCan be ignored for static pages or if no secrets in the page"
ret=1
fi fi
# Any URL can be vulnerable. I am testing now only the given URL! # Any URL can be vulnerable. I am testing now only the given URL!
@ -4005,8 +4012,10 @@ run_ssl_poodle() {
[[ $DEBUG -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" [[ $DEBUG -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)" pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
output_finding "poodle_ssl" "$NODEIP" "$PORT" "NOT OK" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)"
else else
pr_green "not vulnerable (OK)" pr_green "not vulnerable (OK)"
output_finding "poodle_ssl" "$NODEIP" "$PORT" "OK" "POODLE, SSL (CVE-2014-3566) : not vulnerable (OK)"
fi fi
outln outln
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
@ -4015,9 +4024,10 @@ run_ssl_poodle() {
# for appliance which use padding, no fallback needed # for appliance which use padding, no fallback needed
run_tls_poodle() { run_tls_poodle() {
pr_bold " POODLE, SSL"; out " CVE-2014-8730), experimental " pr_bold " POODLE, TLS"; out " (CVE-2014-8730), experimental "
#FIXME #FIXME
echo "#FIXME" echo "#FIXME"
output_finding "poodle_tls" "$NODEIP" "$PORT" "WARN" "POODLE, TLS (CVE-2014-8730) : Not tested. Not yet implemented #FIXME"
return 7 return 7
} }
@ -4050,13 +4060,16 @@ run_tls_fallback_scsv() {
if grep -q "CONNECTED(00" "$TMPFILE"; then if grep -q "CONNECTED(00" "$TMPFILE"; then
if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
pr_brown "Downgrade attack prevention NOT supported" pr_brown "Downgrade attack prevention NOT supported"
output_finding "fallback_scsv" "$NODEIP" "$PORT" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
ret=1 ret=1
elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
pr_litegreen "Downgrade attack prevention supported (OK)" pr_litegreen "Downgrade attack prevention supported (OK)"
output_finding "fallback_scsv" "$NODEIP" "$PORT" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported (OK)"
ret=0 ret=0
elif grep -qa "alert handshake failure" "$TMPFILE"; then elif grep -qa "alert handshake failure" "$TMPFILE"; then
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121 # see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
pr_brown "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" pr_brown "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
output_finding "fallback_scsv" "$NODEIP" "$PORT" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
ret=2 ret=2
elif grep -qa "ssl handshake failure" "$TMPFILE"; then elif grep -qa "ssl handshake failure" "$TMPFILE"; then
pr_brown "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)" pr_brown "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
@ -4064,9 +4077,11 @@ run_tls_fallback_scsv() {
else else
pr_litemagenta "Check failed, unexpected result " pr_litemagenta "Check failed, unexpected result "
out ", run $PROG_NAME -Z --debug=1 and look at $TEMPDIR/*tls_fallback_scsv.txt" out ", run $PROG_NAME -Z --debug=1 and look at $TEMPDIR/*tls_fallback_scsv.txt"
output_finding "fallback_scsv" "$NODEIP" "$PORT" "WARN" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Check failed, unexpected result, run $PROG_NAME -Z --debug=1 and look at $TEMPDIR/*tls_fallback_scsv.txt"
fi fi
else else
pr_litemagenta "test failed (couldn't connect)" pr_litemagenta "test failed (couldn't connect)"
output_finding "fallback_scsv" "$NODEIP" "$PORT" "WARN" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Check failed. (couldn't connect)"
ret=7 ret=7
fi fi
fi fi
@ -4092,8 +4107,11 @@ run_freak() {
#echo "========= ${PIPESTATUS[*]} #echo "========= ${PIPESTATUS[*]}
case $nr_supported_ciphers in case $nr_supported_ciphers in
0) local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured" 0)
return 7 ;; local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured"
output_finding "freak" "$NODEIP" "$PORT" "WARN" "FREAK (CVE-2015-0204) : Not tested. $OPENSSL doesn't have any EXPORT RSA ciphers configured"
return 7
;;
1|2|3) 1|2|3)
addtl_warning=" ($magenta""tested only with $nr_supported_ciphers out of 9 ciphers only!$off)" ;; addtl_warning=" ($magenta""tested only with $nr_supported_ciphers out of 9 ciphers only!$off)" ;;
8|9|10|11) 8|9|10|11)
@ -4107,8 +4125,10 @@ run_freak() {
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" [[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_red "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers" pr_red "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers"
output_finding "freak" "$NODEIP" "$PORT" "NOT OK" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers"
else else
pr_green "not vulnerable (OK)"; out "$addtl_warning" pr_green "not vulnerable (OK)"; out "$addtl_warning"
output_finding "freak" "$NODEIP" "$PORT" "OK" "FREAK (CVE-2015-0204) : not vulnerable (OK) $addtl_warning"
fi fi
outln outln
@ -4133,10 +4153,13 @@ run_logjam() {
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list)) nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list))
case $nr_supported_ciphers in case $nr_supported_ciphers in
0) local_problem "$OPENSSL doesn't have any DHE EXPORT ciphers configured" 0)
return 3 ;; local_problem "$OPENSSL doesn't have any DHE EXPORT ciphers configured"
output_finding "logjam" "$NODEIP" "$PORT" "WARN" "LOGJAM (CVE-2015-4000) : Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured"
return 3
;;
1|2) addtl_warning=" ($magenta""tested w/ $nr_supported_ciphers/4 ciphers only!$off)" ;; 1|2) addtl_warning=" ($magenta""tested w/ $nr_supported_ciphers/4 ciphers only!$off)" ;;
3) addtl_warning=" (tested w/ $nr_supported_ciphers/4 ciphers)" ;; 3) addtl_warning=" (tested w/ $nr_supported_ciphers/4 ciphers)" ;;
4) ;; 4) ;;
esac esac
$OPENSSL s_client $STARTTLS $BUGS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
@ -4154,8 +4177,10 @@ run_logjam() {
if [[ $sclient_success -eq 0 ]]; then if [[ $sclient_success -eq 0 ]]; then
pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked." pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked."
output_finding "logjam" "$NODEIP" "$PORT" "NOT OK" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked."
else else
pr_green "not vulnerable (OK)"; out "$addtl_warning" pr_green "not vulnerable (OK)"; out "$addtl_warning"
output_finding "logjam" "$NODEIP" "$PORT" "OK" "LOGJAM (CVE-2015-4000) : not vulnerable (OK) $addtl_warning"
fi fi
outln outln