mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-10 02:30:58 +01:00
Logjam
This commit is contained in:
parent
b6e8b45ac1
commit
eaabc5d13d
37
testssl.sh
37
testssl.sh
@ -3967,17 +3967,24 @@ run_breach() {
|
||||
debugme grep '^Content-Encoding' $TMPFILE
|
||||
if [[ ! -s $TMPFILE ]]; then
|
||||
pr_litemagenta "failed (HTTP header request stalled"
|
||||
[[ $was_killed -ne 0 ]] && pr_litemagenta " and was terminated"
|
||||
if [[ $was_killed -ne 0 ]]; then
|
||||
pr_litemagenta " and was terminated"
|
||||
output_finding "breach" "$NODEIP" "$PORT" "WARN" "BREACH (CVE-2013-3587) : Test failed (HTTP request stalled and was terminated)"
|
||||
else
|
||||
output_finding "breach" "$NODEIP" "$PORT" "WARN" "BREACH (CVE-2013-3587) : Test failed (HTTP request stalled)"
|
||||
fi
|
||||
pr_litemagenta ") "
|
||||
ret=3
|
||||
elif [[ -z $result ]]; then
|
||||
pr_green "no HTTP compression (OK) "
|
||||
outln "$disclaimer"
|
||||
output_finding "breach" "$NODEIP" "$PORT" "OK" "BREACH (CVE-2013-3587) : no HTTP compression (OK) $disclaimer"
|
||||
ret=0
|
||||
else
|
||||
pr_litered "potentially NOT ok, uses $result HTTP compression."
|
||||
outln "$disclaimer"
|
||||
outln "$spaces Can be ignored for static pages or if no secrets in the page"
|
||||
output_finding "breach" "$NODEIP" "$PORT" "NOT OK" "BREACH (CVE-2013-3587) : potentially VULNERABLE, uses $result HTTP compression. $disclaimer\nCan be ignored for static pages or if no secrets in the page"
|
||||
ret=1
|
||||
fi
|
||||
# Any URL can be vulnerable. I am testing now only the given URL!
|
||||
@ -4005,8 +4012,10 @@ run_ssl_poodle() {
|
||||
[[ $DEBUG -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||
if [[ $sclient_success -eq 0 ]]; then
|
||||
pr_litered "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)"
|
||||
output_finding "poodle_ssl" "$NODEIP" "$PORT" "NOT OK" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)"
|
||||
else
|
||||
pr_green "not vulnerable (OK)"
|
||||
output_finding "poodle_ssl" "$NODEIP" "$PORT" "OK" "POODLE, SSL (CVE-2014-3566) : not vulnerable (OK)"
|
||||
fi
|
||||
outln
|
||||
tmpfile_handle $FUNCNAME.txt
|
||||
@ -4015,9 +4024,10 @@ run_ssl_poodle() {
|
||||
|
||||
# for appliance which use padding, no fallback needed
|
||||
run_tls_poodle() {
|
||||
pr_bold " POODLE, SSL"; out " CVE-2014-8730), experimental "
|
||||
pr_bold " POODLE, TLS"; out " (CVE-2014-8730), experimental "
|
||||
#FIXME
|
||||
echo "#FIXME"
|
||||
output_finding "poodle_tls" "$NODEIP" "$PORT" "WARN" "POODLE, TLS (CVE-2014-8730) : Not tested. Not yet implemented #FIXME"
|
||||
return 7
|
||||
}
|
||||
|
||||
@ -4050,13 +4060,16 @@ run_tls_fallback_scsv() {
|
||||
if grep -q "CONNECTED(00" "$TMPFILE"; then
|
||||
if grep -qa "BEGIN CERTIFICATE" "$TMPFILE"; then
|
||||
pr_brown "Downgrade attack prevention NOT supported"
|
||||
output_finding "fallback_scsv" "$NODEIP" "$PORT" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention NOT supported"
|
||||
ret=1
|
||||
elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
|
||||
pr_litegreen "Downgrade attack prevention supported (OK)"
|
||||
output_finding "fallback_scsv" "$NODEIP" "$PORT" "OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Downgrade attack prevention supported (OK)"
|
||||
ret=0
|
||||
elif grep -qa "alert handshake failure" "$TMPFILE"; then
|
||||
# see RFC 7507, https://github.com/drwetter/testssl.sh/issues/121
|
||||
pr_brown "\"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
|
||||
output_finding "fallback_scsv" "$NODEIP" "$PORT" "NOT OK" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
|
||||
ret=2
|
||||
elif grep -qa "ssl handshake failure" "$TMPFILE"; then
|
||||
pr_brown "some unexpected \"handshake failure\" instead of \"inappropriate fallback\" (likely NOT ok)"
|
||||
@ -4064,9 +4077,11 @@ run_tls_fallback_scsv() {
|
||||
else
|
||||
pr_litemagenta "Check failed, unexpected result "
|
||||
out ", run $PROG_NAME -Z --debug=1 and look at $TEMPDIR/*tls_fallback_scsv.txt"
|
||||
output_finding "fallback_scsv" "$NODEIP" "$PORT" "WARN" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Check failed, unexpected result, run $PROG_NAME -Z --debug=1 and look at $TEMPDIR/*tls_fallback_scsv.txt"
|
||||
fi
|
||||
else
|
||||
pr_litemagenta "test failed (couldn't connect)"
|
||||
output_finding "fallback_scsv" "$NODEIP" "$PORT" "WARN" "TLS_FALLBACK_SCSV (RFC 7507) (experimental) : Check failed. (couldn't connect)"
|
||||
ret=7
|
||||
fi
|
||||
fi
|
||||
@ -4092,8 +4107,11 @@ run_freak() {
|
||||
#echo "========= ${PIPESTATUS[*]}
|
||||
|
||||
case $nr_supported_ciphers in
|
||||
0) local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured"
|
||||
return 7 ;;
|
||||
0)
|
||||
local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured"
|
||||
output_finding "freak" "$NODEIP" "$PORT" "WARN" "FREAK (CVE-2015-0204) : Not tested. $OPENSSL doesn't have any EXPORT RSA ciphers configured"
|
||||
return 7
|
||||
;;
|
||||
1|2|3)
|
||||
addtl_warning=" ($magenta""tested only with $nr_supported_ciphers out of 9 ciphers only!$off)" ;;
|
||||
8|9|10|11)
|
||||
@ -4107,8 +4125,10 @@ run_freak() {
|
||||
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||
if [[ $sclient_success -eq 0 ]]; then
|
||||
pr_red "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers"
|
||||
output_finding "freak" "$NODEIP" "$PORT" "NOT OK" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers"
|
||||
else
|
||||
pr_green "not vulnerable (OK)"; out "$addtl_warning"
|
||||
output_finding "freak" "$NODEIP" "$PORT" "OK" "FREAK (CVE-2015-0204) : not vulnerable (OK) $addtl_warning"
|
||||
fi
|
||||
outln
|
||||
|
||||
@ -4133,8 +4153,11 @@ run_logjam() {
|
||||
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list))
|
||||
|
||||
case $nr_supported_ciphers in
|
||||
0) local_problem "$OPENSSL doesn't have any DHE EXPORT ciphers configured"
|
||||
return 3 ;;
|
||||
0)
|
||||
local_problem "$OPENSSL doesn't have any DHE EXPORT ciphers configured"
|
||||
output_finding "logjam" "$NODEIP" "$PORT" "WARN" "LOGJAM (CVE-2015-4000) : Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured"
|
||||
return 3
|
||||
;;
|
||||
1|2) addtl_warning=" ($magenta""tested w/ $nr_supported_ciphers/4 ciphers only!$off)" ;;
|
||||
3) addtl_warning=" (tested w/ $nr_supported_ciphers/4 ciphers)" ;;
|
||||
4) ;;
|
||||
@ -4154,8 +4177,10 @@ run_logjam() {
|
||||
|
||||
if [[ $sclient_success -eq 0 ]]; then
|
||||
pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked."
|
||||
output_finding "logjam" "$NODEIP" "$PORT" "NOT OK" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked."
|
||||
else
|
||||
pr_green "not vulnerable (OK)"; out "$addtl_warning"
|
||||
output_finding "logjam" "$NODEIP" "$PORT" "OK" "LOGJAM (CVE-2015-4000) : not vulnerable (OK) $addtl_warning"
|
||||
fi
|
||||
outln
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user