Merge branch 'master' of github.com:drwetter/testssl.sh
commit
ec86845eb4
@ -19,8 +19,7 @@ work for me work correctly, it's also likely they'll disappear shortly
|
|||||||
General
|
General
|
||||||
-------
|
-------
|
||||||
|
|
||||||
* 64 bit versions were compiled under Opensuse 12.3
|
* 64+32 bit versions were compiled under Ubuntu 12.04 LTS
|
||||||
* 32 bit versions were compiled under Ubuntu 12.04 LTS
|
|
||||||
|
|
||||||
Likely you cannot use older distributions, younger should work.
|
Likely you cannot use older distributions, younger should work.
|
||||||
I provide for each distributions two sets of binaries:
|
I provide for each distributions two sets of binaries:
|
||||||
@ -47,23 +46,37 @@ If you want to compile OpenSSL yourself, here are the instructions:
|
|||||||
|
|
||||||
2.) configure the damned thing. Options I used:
|
2.) configure the damned thing. Options I used:
|
||||||
|
|
||||||
**for 64Bit:**
|
**for 64Bit including Kerberos ciphers:**
|
||||||
|
|
||||||
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
||||||
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
||||||
enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
|
enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
|
||||||
--with-krb5-flavor=MIT experimental-jpake
|
--with-krb5-flavor=MIT experimental-jpake
|
||||||
|
|
||||||
**for 32 Bit:**
|
**for 64Bit, static binaries:**
|
||||||
|
|
||||||
|
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
||||||
|
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
||||||
|
enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
|
||||||
|
-static experimental-jpake
|
||||||
|
|
||||||
|
**for 32 Bit including Kerberos ciphers:**
|
||||||
|
|
||||||
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
||||||
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
||||||
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
|
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
|
||||||
--with-krb5-flavor=MIT experimental-jpake
|
--with-krb5-flavor=MIT experimental-jpake
|
||||||
|
|
||||||
|
**for 32 Bit, static binaries:**
|
||||||
|
|
||||||
|
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
||||||
|
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
||||||
|
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
|
||||||
|
-static experimental-jpake
|
||||||
|
|
||||||
Don't use -DTEMP_GOST_TLS, it currently breaks things and it is not needed for general GOST [1] support.
|
Don't use -DTEMP_GOST_TLS, it currently breaks things and it is not needed for general GOST [1] support.
|
||||||
|
|
||||||
If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT". If you have other Kerberos flavors you need to figure out by yourself.
|
If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT" (see examples). If you have other Kerberos flavors you need to figure out by yourself.
|
||||||
|
|
||||||
3.) make depend
|
3.) make depend
|
||||||
|
|
||||||
@ -72,8 +85,8 @@ If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--w
|
|||||||
5.) make report (check whether it runs ok)
|
5.) make report (check whether it runs ok)
|
||||||
|
|
||||||
6.) "./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l" lists now for me
|
6.) "./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l" lists now for me
|
||||||
* 187(+4 GOST) ciphers -- including kerberos
|
* 191(+4 GOST) ciphers -- including kerberos
|
||||||
* 173(+4 GOST) ciphers without kerberos
|
* 177(+4 GOST) ciphers without kerberos
|
||||||
|
|
||||||
as opposed to 111/109 from Ubuntu or Opensuse.
|
as opposed to 111/109 from Ubuntu or Opensuse.
|
||||||
|
|
||||||
|
274
testssl.sh
274
testssl.sh
@ -620,7 +620,7 @@ std_cipherlists() {
|
|||||||
[ $SHOW_LOC_CIPH = "1" ] && out "local ciphers are: " && cat $TMPFILE | sed 's/:/, /g'
|
[ $SHOW_LOC_CIPH = "1" ] && out "local ciphers are: " && cat $TMPFILE | sed 's/:/, /g'
|
||||||
$OPENSSL s_client -cipher "$1" $STARTTLS -connect $NODEIP:$PORT $SNI 2>$TMPFILE >/dev/null </dev/null
|
$OPENSSL s_client -cipher "$1" $STARTTLS -connect $NODEIP:$PORT $SNI 2>$TMPFILE >/dev/null </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
[[ $DEBUG -eq 2 ]] && cat $TMPFILE
|
[[ $DEBUG -ge 2 ]] && cat $TMPFILE
|
||||||
case $3 in
|
case $3 in
|
||||||
0) # ok to offer
|
0) # ok to offer
|
||||||
if [[ $ret -eq 0 ]]; then # was offered
|
if [[ $ret -eq 0 ]]; then # was offered
|
||||||
@ -649,7 +649,7 @@ std_cipherlists() {
|
|||||||
fi
|
fi
|
||||||
# we need lf in those cases:
|
# we need lf in those cases:
|
||||||
[[ $LOCERR -eq 1 ]] && echo
|
[[ $LOCERR -eq 1 ]] && echo
|
||||||
[[ $DEBUG -eq 2 ]] && echo
|
[[ $DEBUG -ge 2 ]] && echo
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -943,7 +943,7 @@ server_preference() {
|
|||||||
pr_green "yes (OK)"
|
pr_green "yes (OK)"
|
||||||
remark4default_cipher=""
|
remark4default_cipher=""
|
||||||
fi
|
fi
|
||||||
[[ $DEBUG -eq 2 ]] && out " $cipher1 | $cipher2"
|
[[ $DEBUG -ge 2 ]] && out " $cipher1 | $cipher2"
|
||||||
outln
|
outln
|
||||||
|
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null 2>/dev/null >$TMPFILE
|
||||||
@ -980,7 +980,7 @@ server_preference() {
|
|||||||
proto[i]=`grep -w "Protocol" $TMPFILE | sed -e 's/^ \+Protocol \+://' -e 's/ //g'`
|
proto[i]=`grep -w "Protocol" $TMPFILE | sed -e 's/^ \+Protocol \+://' -e 's/ //g'`
|
||||||
cipher[i]=`grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g'`
|
cipher[i]=`grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g'`
|
||||||
[[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack!
|
[[ ${cipher[i]} == "0000" ]] && cipher[i]="" # Hack!
|
||||||
[[ $DEBUG -eq 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}"
|
[[ $DEBUG -ge 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}"
|
||||||
else
|
else
|
||||||
proto[i]=""
|
proto[i]=""
|
||||||
cipher[i]=""
|
cipher[i]=""
|
||||||
@ -996,7 +996,7 @@ server_preference() {
|
|||||||
cipher[i]=""
|
cipher[i]=""
|
||||||
else
|
else
|
||||||
cipher[i]=`grep -aw "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g'`
|
cipher[i]=`grep -aw "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g'`
|
||||||
[[ $DEBUG -eq 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}"
|
[[ $DEBUG -ge 2 ]] && outln "Default cipher for ${proto[i]}: ${cipher[i]}"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -1089,7 +1089,7 @@ server_defaults() {
|
|||||||
|
|
||||||
CN_nosni=`$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' | \
|
CN_nosni=`$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' | \
|
||||||
$OPENSSL x509 -noout -subject | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//'`
|
$OPENSSL x509 -noout -subject | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//'`
|
||||||
[[ $DEBUG -eq 2 ]] && out "$NODE | $CN | $CN_nosni"
|
[[ $DEBUG -ge 2 ]] && out "$NODE | $CN | $CN_nosni"
|
||||||
if [[ $NODE == $CN_nosni ]]; then
|
if [[ $NODE == $CN_nosni ]]; then
|
||||||
outln " (works w/o SNI)"
|
outln " (works w/o SNI)"
|
||||||
else
|
else
|
||||||
@ -1321,7 +1321,7 @@ lucky13() {
|
|||||||
|
|
||||||
spdy_pre(){
|
spdy_pre(){
|
||||||
if [ "x$STARTTLS" != "x" ]; then
|
if [ "x$STARTTLS" != "x" ]; then
|
||||||
[[ $DEBUG -eq 2 ]] && outln "SPDY doesn't work with !HTTP"
|
[[ $DEBUG -ge 2 ]] && outln "SPDY doesn't work with !HTTP"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
# first, does the current openssl support it?
|
# first, does the current openssl support it?
|
||||||
@ -1420,6 +1420,7 @@ sockread_serverhello() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# arg1: name of file with socket reply
|
||||||
display_sslv2serverhello() {
|
display_sslv2serverhello() {
|
||||||
# server hello: in hex representation, see below
|
# server hello: in hex representation, see below
|
||||||
# byte 1+2: length of server hello 0123
|
# byte 1+2: length of server hello 0123
|
||||||
@ -1460,12 +1461,87 @@ display_sslv2serverhello() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# arg1: name of file with socket reply
|
||||||
|
display_tls_serverhello() {
|
||||||
|
# server hello:
|
||||||
|
# byte 0: 0x16=TLS, 0x15= TLS alert
|
||||||
|
# byte 1+2: 03, TLS version
|
||||||
|
# byte 3+4: length all
|
||||||
|
# byte 5: handshake type (2=hello) TLS alert: level (2=fatal), descr (0x28=handshake failure)
|
||||||
|
# byte 6+7+8: length server hello
|
||||||
|
# byte 9+10: 03, TLS version (00: SSLv3, 01: TLS 1.0, 02: TLS 1.1, 03: TLS 1.2)
|
||||||
|
# byte 11-14: TLS timestamp
|
||||||
|
# byte 15-42: random (28 bytes)
|
||||||
|
# byte 43 : session id length
|
||||||
|
# byte 44+45+sid-len: cipher suite!
|
||||||
|
# byte 46+sid-len: compression method: 00: none, 01: deflate
|
||||||
|
# byte 47+48+sid-len: extension length
|
||||||
|
|
||||||
|
tls_hello_ascii=`hexdump -v -e '16/1 "%02X"' $1`
|
||||||
|
[[ "$DEBUG" -eq 5 ]] && echo $tls_hello_ascii # one line without any blanks
|
||||||
|
[[ -z $tls_hello_ascii ]] && return 0 # no server hello received
|
||||||
|
|
||||||
|
# now scrape two bytes out of the reply per byte
|
||||||
|
tls_hello_initbyte="${tls_hello_ascii:0:2}" # normally this is x16
|
||||||
|
tls_hello_protocol="${tls_hello_ascii:2:4}"
|
||||||
|
tls_len_all=`printf "%d\n" ${tls_hello_ascii:6:4}`
|
||||||
|
|
||||||
|
if [[ $tls_hello_initbyte != "16" ]] ; then
|
||||||
|
[[ $DEBUG -ge 1 ]] && echo "tls_hello_initbyte: 0x$tls_hello_initbyte"
|
||||||
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
|
echo "tls_hello_protocol: 0x$tls_hello_protocol"
|
||||||
|
echo "tls_len_all: $tls_len_all"
|
||||||
|
echo "tls_err_level: ${tls_hello_ascii:10:2}"
|
||||||
|
echo "tls_err_descr: 0x${tls_hello_ascii:12:2}"
|
||||||
|
fi
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
DETECTED_TLS_VERSION=$tls_hello_protocol
|
||||||
|
|
||||||
|
tls_hello="${tls_hello_ascii:10:2}" # normally this is x02
|
||||||
|
tls_hello_protocol2="${tls_hello_ascii:18:4}"
|
||||||
|
tls_hello_time="${tls_hello_ascii:22:8}"
|
||||||
|
tls_time=`printf "%d\n" 0x$tls_hello_time`
|
||||||
|
tls_time=`date --date="@$tls_time" "+%Y-%m-%d %r"`
|
||||||
|
tls_sid_len=`printf "%d\n" 0x${tls_hello_ascii:86:2}`
|
||||||
|
let sid_offset=88+$tls_sid_len*2
|
||||||
|
tls_cipher_suite="${tls_hello_ascii:$sid_offset:4}"
|
||||||
|
let sid_offset=92+$tls_sid_len*2
|
||||||
|
tls_compression_method="${tls_hello_ascii:$sid_offset:2}"
|
||||||
|
|
||||||
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
|
|
||||||
|
echo "tls_hello_initbyte: 0x$tls_hello_initbyte"
|
||||||
|
echo "tls_hello: 0x$tls_hello"
|
||||||
|
echo "tls_hello_protocol: 0x$tls_hello_protocol"
|
||||||
|
if [[ $DEBUG -ge 4 ]]; then
|
||||||
|
echo "tls_hello_protocol2: 0x$tls_hello_protocol2"
|
||||||
|
echo "tls_len_all: $tls_len_all"
|
||||||
|
echo "tls_sid_len: $tls_sid_len"
|
||||||
|
fi
|
||||||
|
echo "tls_hello_time: 0x$tls_hello_time ($tls_time)"
|
||||||
|
echo "tls_cipher_suite: 0x$tls_cipher_suite"
|
||||||
|
echo "tls_compression_method: 0x$tls_compression_method"
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# helper function for protocol checks
|
# helper function for protocol checks
|
||||||
# arg1: formatted string here in the code
|
# arg1: formatted string here in the code
|
||||||
code2network() {
|
code2network() {
|
||||||
NW_STR=`echo "$1" | sed -e 's/,/\\\x/g' | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t'`
|
NW_STR=`echo "$1" | sed -e 's/,/\\\x/g' | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t'`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
len2twobytes() {
|
||||||
|
len_arg1=`echo ${#1}`
|
||||||
|
[[ $len_arg1 -le 2 ]] && LEN_STR=`printf "00, %02s \n" $1`
|
||||||
|
[[ $len_arg1 -eq 3 ]] && LEN_STR=`printf "%02s, %02s \n" ${1:0:1} ${1:1:2}`
|
||||||
|
[[ $len_arg1 -eq 4 ]] && LEN_STR=`printf "%02s, %02s \n" ${1:0:2} ${1:2:2}`
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
sslv2_sockets() {
|
sslv2_sockets() {
|
||||||
V2_HELLO_CIPHERSPEC_LENGTH=0 # initialize
|
V2_HELLO_CIPHERSPEC_LENGTH=0 # initialize
|
||||||
@ -1534,6 +1610,185 @@ sslv2_sockets() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#for tls_low_byte in "00" "01" "02" "03"; do
|
||||||
|
tls_sockets() {
|
||||||
|
SN_HEX=""
|
||||||
|
LEN_SN_HEX=0
|
||||||
|
COL_WIDTH=32
|
||||||
|
USLEEP_REC=${USLEEP_REC:-0.2}
|
||||||
|
USLEEP_SND=${USLEEP_SND:-0.1} # 1 second wait until otherwise specified
|
||||||
|
MAX_WAITSOCK=2
|
||||||
|
SOCK_REPLY_FILE=""
|
||||||
|
NW_STR=""
|
||||||
|
LEN_STR=""
|
||||||
|
DETECTED_TLS_VERSION=""
|
||||||
|
|
||||||
|
# 133 cipher: spdy, TLS 1.2
|
||||||
|
TLS12_CIPHER="
|
||||||
|
cc, 14, cc, 13, cc, 15, c0, 30, c0, 2c, c0, 28, c0, 24, c0, 14,
|
||||||
|
c0, 0a, c0, 22, c0, 21, c0, 20, 00, a5, 00, a3, 00, a1, 00, 9f,
|
||||||
|
00, 6b, 00, 6a, 00, 69, 00, 68, 00, 39, 00, 38, 00, 37, 00, 36,
|
||||||
|
c0, 77, c0, 73, 00, c4, 00, c3, 00, c2, 00, c1, 00, 88, 00, 87,
|
||||||
|
00, 86, 00, 85, c0, 32, c0, 2e, c0, 2a, c0, 26, c0, 0f, c0, 05,
|
||||||
|
c0, 79, c0, 75, 00, 9d, 00, 3d, 00, 35, 00, c0, 00, 84, c0, 2f,
|
||||||
|
c0, 2b, c0, 27, c0, 23, c0, 13, c0, 09, c0, 1f, c0, 1e, c0, 1d,
|
||||||
|
00, a4, 00, a2, 00, a0, 00, 9e, 00, 67, 00, 40, 00, 3f, 00, 3e,
|
||||||
|
00, 33, 00, 32, 00, 31, 00, 30, c0, 76, c0, 72, 00, be, 00, bd,
|
||||||
|
00, bc, 00, bb, 00, 9a, 00, 99, 00, 98, 00, 97, 00, 45, 00, 44,
|
||||||
|
00, 43, 00, 42, c0, 31, c0, 2d, c0, 29, c0, 25, c0, 0e, c0, 04,
|
||||||
|
c0, 78, c0, 74, 00, 9c, 00, 3c, 00, 2f, 00, ba, 00, 96, 00, 41,
|
||||||
|
00, 07, c0, 11, c0, 07, 00, 66, c0, 0c, c0, 02, 00, 05, 00, 04,
|
||||||
|
c0, 12, c0, 08, c0, 1c, c0, 1b, c0, 1a, 00, 16, 00, 13, 00, 10,
|
||||||
|
00, 0d, c0, 0d, c0, 03, 00, 0a, 00, 63, 00, 15, 00, 12, 00, 0f,
|
||||||
|
00, 0c, 00, 62, 00, 09, 00, 65, 00, 64, 00, 14, 00, 11, 00, 0e,
|
||||||
|
00, 0b, 00, 08, 00, 06, 00, 03, 00, ff"
|
||||||
|
|
||||||
|
# 76 cipher for SSLv3, TLS 1, TLS 1.1:
|
||||||
|
TLS_CIPHER="
|
||||||
|
c0, 14, c0, 0a, c0, 22, c0, 21, c0, 20, 00, 39, 00, 38, 00, 37,
|
||||||
|
00, 36, 00, 88, 00, 87, 00, 86, 00, 85, c0, 0f, c0, 05, 00, 35,
|
||||||
|
00, 84, c0, 13, c0, 09, c0, 1f, c0, 1e, c0, 1d, 00, 33, 00, 32,
|
||||||
|
00, 31, 00, 30, 00, 9a, 00, 99, 00, 98, 00, 97, 00, 45, 00, 44,
|
||||||
|
00, 43, 00, 42, c0, 0e, c0, 04, 00, 2f, 00, 96, 00, 41, 00, 07,
|
||||||
|
c0, 11, c0, 07, 00, 66, c0, 0c, c0, 02, 00, 05, 00, 04, c0, 12,
|
||||||
|
c0, 08, c0, 1c, c0, 1b, c0, 1a, 00, 16, 00, 13, 00, 10, 00, 0d,
|
||||||
|
c0, 0d, c0, 03, 00, 0a, 00, 63, 00, 15, 00, 12, 00, 0f, 00, 0c,
|
||||||
|
00, 62, 00, 09, 00, 65, 00, 64, 00, 14, 00, 11, 00, 0e, 00, 0b,
|
||||||
|
00, 08, 00, 06, 00, 03, 00, ff"
|
||||||
|
|
||||||
|
#formatted example for SNI
|
||||||
|
#00 00 # extention server_name
|
||||||
|
#00 1a # length = the following +2 = server_name length + 5
|
||||||
|
#00 18 # server_name list_length = server_name length +3
|
||||||
|
#00 # server_name type (hostname)
|
||||||
|
#00 15 # server_name length
|
||||||
|
#66 66 66 66 66 66 2e 66 66 66 66 66 66 66 66 66 66 2e 66 66 66 target.mydomain1.tld # server_name target
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# arg1: TLS_VER_LSB
|
||||||
|
# arg2: CIPHER_SUITES string
|
||||||
|
# arg3: SERVERNAME
|
||||||
|
# ??? more extensions?
|
||||||
|
|
||||||
|
len_sni=`echo ${#3}`
|
||||||
|
#tls_ver=printf "%02x\n" $1"
|
||||||
|
|
||||||
|
code2network "$2"
|
||||||
|
cipher_suites="$NW_STR" # we don't have the leading \x here so string length is two byte less, see next
|
||||||
|
|
||||||
|
# convert length's from dec to hex:
|
||||||
|
hex_len_sn_hex=`printf "%02x\n" $LEN_SN_HEX`
|
||||||
|
hex_len_sn_hex3=`printf "%02x\n" $((LEN_SN_HEX+3))`
|
||||||
|
hex_len_sn_hex5=`printf "%02x\n" $((LEN_SN_HEX+5))`
|
||||||
|
hex_len_extention=`printf "%02x\n" $((LEN_SN_HEX+9))`
|
||||||
|
|
||||||
|
len_ciph_suites_byte=`echo ${#cipher_suites}`
|
||||||
|
let "len_ciph_suites_byte += 2"
|
||||||
|
|
||||||
|
# we have additional 2 chars \x in each 2 byte string and 2 byte ciphers, so we need to divide by 4:
|
||||||
|
len_ciph_suites=`printf "%02x\n" $(($len_ciph_suites_byte / 4 ))`
|
||||||
|
len2twobytes "$len_ciph_suites"
|
||||||
|
len_ciph_suites_word="$LEN_STR"
|
||||||
|
[[ $DEBUG -ge 4 ]] && echo $len_ciph_suites_word
|
||||||
|
|
||||||
|
len2twobytes `printf "%02x\n" $((0x$len_ciph_suites + 0x27 + 0x$hex_len_extention + 0x2))`
|
||||||
|
#len2twobytes `printf "%02x\n" $((0x$len_ciph_suites + 0x27))`
|
||||||
|
len_c_hello_word="$LEN_STR"
|
||||||
|
[[ $DEBUG -ge 4 ]] && echo $len_c_hello_word
|
||||||
|
|
||||||
|
len2twobytes `printf "%02x\n" $((0x$len_ciph_suites + 0x2b + 0x$hex_len_extention + 0x2))`
|
||||||
|
#len2twobytes `printf "%02x\n" $((0x$len_ciph_suites + 0x2b))`
|
||||||
|
len_all_word="$LEN_STR"
|
||||||
|
[[ $DEBUG -ge 4 ]] && echo $len_all_word
|
||||||
|
|
||||||
|
TLS_CLIENT_HELLO="
|
||||||
|
# TLS header ( 5 bytes)
|
||||||
|
,16, 03, $1 # TLS Version
|
||||||
|
,$len_all_word # Length <---
|
||||||
|
# Handshake header:
|
||||||
|
,01 # Type (x01 for ClientHello)
|
||||||
|
,00, $len_c_hello_word # Length ClientHello
|
||||||
|
,03, $1 # TLS Version (again)
|
||||||
|
,54, 51, 1e, 7a # Unix time since see www.moserware.com/2009/06/first-few-milliseconds-of-https.html
|
||||||
|
,de, ad, be, ef # Random 28 bytes
|
||||||
|
,31, 33, 07, 00, 00, 00, 00, 00
|
||||||
|
,cf, bd, 39, 04, cc, 16, 0a, 85
|
||||||
|
,03, 90, 9f, 77, 04, 33, d4, de
|
||||||
|
,00 # Session ID length
|
||||||
|
,$len_ciph_suites_word # Cipher suites length
|
||||||
|
# Cipher suites
|
||||||
|
,$cipher_suites
|
||||||
|
,01 # Compression methods length
|
||||||
|
,00" # Compression method (x00 for NULL)
|
||||||
|
|
||||||
|
EXTENSION_CONTAINING_SNI="
|
||||||
|
,00, $hex_len_extention # first the len of all (here: 1) extentions. We assume len(hostname) < FF - 9
|
||||||
|
,00, 00 # extention server_name
|
||||||
|
,00, $hex_len_sn_hex5 # length SNI EXT
|
||||||
|
,00, $hex_len_sn_hex3 # server_name list_length
|
||||||
|
,00 # server_name type (hostname)
|
||||||
|
,00, $hex_len_sn_hex # server_name length
|
||||||
|
,$SN_HEX" # server_name target
|
||||||
|
|
||||||
|
fd_socket 5 || return 6
|
||||||
|
|
||||||
|
code2network "$TLS_CLIENT_HELLO$EXTENSION_CONTAINING_SNI"
|
||||||
|
#code2network "$TLS_CLIENT_HELLO"
|
||||||
|
data=`echo $NW_STR`
|
||||||
|
|
||||||
|
[[ "$DEBUG" -ge 2 ]] && printf "sending client hello..."
|
||||||
|
if [[ "$tls_low_byte" == "03" ]] ; then
|
||||||
|
socksend_clienthello $tls_low_byte "$TLS12_CIPHER" $SNIHEX
|
||||||
|
else
|
||||||
|
socksend_clienthello $tls_low_byte "$TLS_CIPHER" $SNIHEX
|
||||||
|
fi
|
||||||
|
|
||||||
|
sockread_serverhello 32768 0
|
||||||
|
[[ "$DEBUG" -ge 2 ]] && printf "reading server hello..."
|
||||||
|
if [[ "$DEBUG" -ge 3 ]]; then
|
||||||
|
hexdump -C $SOCK_REPLY_FILE | head -6
|
||||||
|
echo
|
||||||
|
fi
|
||||||
|
|
||||||
|
display_tls_serverhello "$SOCK_REPLY_FILE"
|
||||||
|
ret=$?
|
||||||
|
|
||||||
|
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
|
||||||
|
lines=`cat "$SOCK_REPLY_FILE" 2>/dev/null | hexdump -C | wc -l`
|
||||||
|
[[ "$DEBUG" -ge 2 ]] && out " (returned $lines lines) "
|
||||||
|
|
||||||
|
# case $tls_low_byte in
|
||||||
|
# 00) tls_str="SSLv3" ;;
|
||||||
|
# 01) tls_str="TLS 1" ;;
|
||||||
|
# 02) tls_str="TLS 1.1" ;;
|
||||||
|
# 03) tls_str="TLS 1.2" ;;
|
||||||
|
# esac
|
||||||
|
|
||||||
|
# printf "Protokoll "; tput bold; printf "$tls_low_byte = $tls_str"; tput sgr0; printf ": "
|
||||||
|
|
||||||
|
if [[ $ret -eq 1 ]] || [[ $lines -eq 1 ]] ; then
|
||||||
|
outln "NOT available"
|
||||||
|
ret=1
|
||||||
|
else
|
||||||
|
if [[ 03$tls_low_byte -eq $DETECTED_TLS_VERSION ]]; then
|
||||||
|
outln "available"
|
||||||
|
ret=0
|
||||||
|
else
|
||||||
|
out "NOT available "
|
||||||
|
[[ $DEBUG -ge 2 ]] && echo -n "send: 0x03$tls_low_byte, returned: 0x$DETECTED_TLS_VERSION"
|
||||||
|
echo
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
close_socket
|
||||||
|
TMPFILE=$SOCK_REPLY_FILE
|
||||||
|
tmpfile_handle $FUNCNAME.dd
|
||||||
|
return $ret
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
ok_ids(){
|
ok_ids(){
|
||||||
greenln "\n ok -- something resetted our ccs packets"
|
greenln "\n ok -- something resetted our ccs packets"
|
||||||
@ -2223,7 +2478,6 @@ ignore_no_or_lame() {
|
|||||||
default)
|
default)
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2277,7 +2531,7 @@ parse_hn_port() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
datebanner "Testing"
|
datebanner "Testing"
|
||||||
[[ -z "$2" ]] && runs_HTTP # for starttls all is clear
|
[[ -z "$2" ]] && runs_HTTP # for starttls we don't check the protocol as it is supplied on the cmd line
|
||||||
initialize_engine
|
initialize_engine
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2558,6 +2812,6 @@ case "$1" in
|
|||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.180 2015/02/03 22:46:46 dirkw Exp $
|
# $Id: testssl.sh,v 1.181 2015/02/04 08:48:33 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
|
||||||
|
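Review bot: In the new `display_tls_serverhello`, `tls_len_all` is converted with `printf "%d\n" ${tls_hello_ascii:6:4}`, without the `0x` prefix the other fields use, so a length such as `0051` is read as octal and one containing A–F makes printf report an invalid number; it should be `printf "%d\n" 0x${tls_hello_ascii:6:4}`. The same function sets `DETECTED_TLS_VERSION` from the record-layer bytes (`${tls_hello_ascii:2:4}`) and never checks that `tls_hello` is `02`, so any handshake record sent by the server under test is accepted as a ServerHello and the version compared later is not the ServerHello's own version field (`tls_hello_protocol2`). I would return non-zero unless `[[ $tls_hello == "02" ]]` and assign `DETECTED_TLS_VERSION=$tls_hello_protocol2`, and also return early when the reply is too short to hold the session-id length at offset 86. Separately, `tls_sockets` reads `$tls_low_byte` and `$SNIHEX`, but in the visible hunk the only `tls_low_byte` loop is commented out and the variable the function initialises is `SN_HEX`; please confirm both are set by the caller, otherwise the final `03$tls_low_byte` comparison cannot match.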