mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Merge branch 'master' into openss2rfc_rfc2openssl
This commit is contained in:
commit
f17a09e1d9
148
testssl.sh
148
testssl.sh
@ -661,10 +661,12 @@ fi
|
|||||||
runs_HTTP() {
|
runs_HTTP() {
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
local -i was_killed
|
local -i was_killed
|
||||||
|
local addcmd=""
|
||||||
|
|
||||||
if ! $CLIENT_AUTH; then
|
if ! $CLIENT_AUTH; then
|
||||||
# SNI is nonsense for !HTTPS but fortunately for other protocols s_client doesn't seem to care
|
# SNI is nonsense for !HTTPS but fortunately for other protocols s_client doesn't seem to care
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $1 -quiet $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE &
|
[[ ! "$1" =~ ssl ]] && addcmd="$SNI"
|
||||||
|
printf "$GET_REQ11" | $OPENSSL s_client $1 -quiet $BUGS -connect $NODEIP:$PORT $PROXY $addcmd >$TMPFILE 2>$ERRFILE &
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
was_killed=$?
|
was_killed=$?
|
||||||
head $TMPFILE | grep -aq ^HTTP && SERVICE=HTTP
|
head $TMPFILE | grep -aq ^HTTP && SERVICE=HTTP
|
||||||
@ -714,7 +716,7 @@ runs_HTTP() {
|
|||||||
|
|
||||||
#problems not handled: chunked
|
#problems not handled: chunked
|
||||||
run_http_header() {
|
run_http_header() {
|
||||||
local header
|
local header addcmd=""
|
||||||
local -i ret
|
local -i ret
|
||||||
local referer useragent
|
local referer useragent
|
||||||
local url redirect
|
local url redirect
|
||||||
@ -724,12 +726,13 @@ run_http_header() {
|
|||||||
outln
|
outln
|
||||||
|
|
||||||
[[ -z "$1" ]] && url="/" || url="$1"
|
[[ -z "$1" ]] && url="/" || url="$1"
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE &
|
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI"
|
||||||
|
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $addcmd >$HEADERFILE 2>$ERRFILE &
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
# we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it
|
# we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it
|
||||||
# again in the foreground to get an accurate header time!
|
# again in the foreground to get an accurate header time!
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE
|
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $addcmd >$HEADERFILE 2>$ERRFILE
|
||||||
NOW_TIME=$(date "+%s")
|
NOW_TIME=$(date "+%s")
|
||||||
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
|
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
|
||||||
HAD_SLEPT=0
|
HAD_SLEPT=0
|
||||||
@ -1023,7 +1026,7 @@ run_hpkp() {
|
|||||||
# print key=value pair with awk, then strip non-numbers, to be improved with proper parsing of key-value with awk
|
# print key=value pair with awk, then strip non-numbers, to be improved with proper parsing of key-value with awk
|
||||||
hpkp_age_sec=$(awk -F= '/max-age/{max_age=$2; print max_age}' $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
hpkp_age_sec=$(awk -F= '/max-age/{max_age=$2; print max_age}' $TMPFILE | sed -E 's/[^[:digit:]]//g')
|
||||||
hpkp_age_days=$((hpkp_age_sec / 86400))
|
hpkp_age_days=$((hpkp_age_sec / 86400))
|
||||||
if [[ $hpkp_age_days -ge $HPKP_MIN ]]; then
|
if [[ $hpkp_age_sec -ge $HPKP_MIN ]]; then
|
||||||
pr_done_good "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
|
pr_done_good "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
|
||||||
fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)"
|
fileout "hpkp_age" "OK" "HPKP age is set to $hpkp_age_days days ($hpkp_age_sec sec)"
|
||||||
else
|
else
|
||||||
@ -1386,11 +1389,12 @@ prettyprint_local() {
|
|||||||
|
|
||||||
# list ciphers (and makes sure you have them locally configured)
|
# list ciphers (and makes sure you have them locally configured)
|
||||||
# arg[1]: cipher list (or anything else)
|
# arg[1]: cipher list (or anything else)
|
||||||
|
# arg[2]: protocol (e.g., -ssl2)
|
||||||
listciphers() {
|
listciphers() {
|
||||||
local -i ret
|
local -i ret
|
||||||
local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")"
|
local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")"
|
||||||
|
|
||||||
$OPENSSL ciphers "$1" &>$TMPFILE
|
$OPENSSL ciphers $2 "$1" &>$TMPFILE
|
||||||
ret=$?
|
ret=$?
|
||||||
debugme cat $TMPFILE
|
debugme cat $TMPFILE
|
||||||
|
|
||||||
@ -1404,12 +1408,14 @@ listciphers() {
|
|||||||
# argv[3]: ok to offer? 0: yes, 1: no
|
# argv[3]: ok to offer? 0: yes, 1: no
|
||||||
std_cipherlists() {
|
std_cipherlists() {
|
||||||
local -i sclient_success
|
local -i sclient_success
|
||||||
local singlespaces
|
local singlespaces proto="" addcmd=""
|
||||||
local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")"
|
local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")"
|
||||||
|
|
||||||
|
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO" && proto="$OPTIMAL_PROTO"
|
||||||
|
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI"
|
||||||
pr_bold "$2 " # indent in order to be in the same row as server preferences
|
pr_bold "$2 " # indent in order to be in the same row as server preferences
|
||||||
if listciphers "$1"; then # is that locally available??
|
if listciphers "$1" $proto; then # is that locally available??
|
||||||
$OPENSSL s_client -cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI 2>$ERRFILE >$TMPFILE </dev/null
|
$OPENSSL s_client -cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $addcmd 2>$ERRFILE >$TMPFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
debugme cat $ERRFILE
|
debugme cat $ERRFILE
|
||||||
@ -1458,7 +1464,11 @@ std_cipherlists() {
|
|||||||
tmpfile_handle $FUNCNAME.$debugname.txt
|
tmpfile_handle $FUNCNAME.$debugname.txt
|
||||||
else
|
else
|
||||||
singlespaces=$(echo "$2" | sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g')
|
singlespaces=$(echo "$2" | sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g')
|
||||||
|
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
|
||||||
|
local_problem_ln "No $singlespaces for SSLv2 configured in $OPENSSL"
|
||||||
|
else
|
||||||
local_problem_ln "No $singlespaces configured in $OPENSSL"
|
local_problem_ln "No $singlespaces configured in $OPENSSL"
|
||||||
|
fi
|
||||||
fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)"
|
fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)"
|
||||||
fi
|
fi
|
||||||
# we need 1xlf in those cases:
|
# we need 1xlf in those cases:
|
||||||
@ -3360,14 +3370,16 @@ run_server_preference() {
|
|||||||
# now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 :
|
# now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 :
|
||||||
local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA"
|
local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA"
|
||||||
local has_cipher_order=true
|
local has_cipher_order=true
|
||||||
local isok
|
local isok addcmd="" addcmd2="" sni=""
|
||||||
|
|
||||||
outln
|
outln
|
||||||
pr_headlineln " Testing server preferences "
|
pr_headlineln " Testing server preferences "
|
||||||
outln
|
outln
|
||||||
|
|
||||||
pr_bold " Has server cipher order? "
|
pr_bold " Has server cipher order? "
|
||||||
$OPENSSL s_client $STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
|
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO"
|
||||||
|
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI" && sni="$SNI"
|
||||||
|
$OPENSSL s_client $STARTTLS -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
|
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
|
||||||
pr_warning "no matching cipher in this list found (pls report this): "
|
pr_warning "no matching cipher in this list found (pls report this): "
|
||||||
outln "$list_fwd . "
|
outln "$list_fwd . "
|
||||||
@ -3379,7 +3391,8 @@ run_server_preference() {
|
|||||||
# workaround is to connect with a protocol
|
# workaround is to connect with a protocol
|
||||||
debugme out "(workaround #188) "
|
debugme out "(workaround #188) "
|
||||||
determine_optimal_proto $STARTTLS_PROTOCOL
|
determine_optimal_proto $STARTTLS_PROTOCOL
|
||||||
$OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>$ERRFILE >$TMPFILE
|
[[ ! "$STARTTLS_OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$SNI"
|
||||||
|
$OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
pr_warning "no matching cipher in this list found (pls report this): "
|
pr_warning "no matching cipher in this list found (pls report this): "
|
||||||
outln "$list_fwd . "
|
outln "$list_fwd . "
|
||||||
@ -3391,7 +3404,15 @@ run_server_preference() {
|
|||||||
|
|
||||||
if $has_cipher_order; then
|
if $has_cipher_order; then
|
||||||
cipher1=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher1=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
$OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
addcmd2=""
|
||||||
|
if [[ -n "$STARTTLS_OPTIMAL_PROTO" ]]; then
|
||||||
|
addcmd2="$STARTTLS_OPTIMAL_PROTO"
|
||||||
|
[[ ! "$STARTTLS_OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
|
||||||
|
else
|
||||||
|
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd2="$OPTIMAL_PROTO"
|
||||||
|
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd2="$addcmd2 $SNI"
|
||||||
|
fi
|
||||||
|
$OPENSSL s_client $STARTTLS -cipher $list_reverse $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
# that worked above so no error handling here
|
# that worked above so no error handling here
|
||||||
cipher2=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
cipher2=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/^ \+Cipher \+://' -e 's/ //g')
|
||||||
|
|
||||||
@ -3408,10 +3429,10 @@ run_server_preference() {
|
|||||||
outln
|
outln
|
||||||
|
|
||||||
pr_bold " Negotiated protocol "
|
pr_bold " Negotiated protocol "
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $addcmd </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
# 2 second try with $OPTIMAL_PROTO especially for intolerant IIS6 servers:
|
# 2 second try with $OPTIMAL_PROTO especially for intolerant IIS6 servers:
|
||||||
$OPENSSL s_client $STARTTLS $OPTIMAL_PROTO $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS $OPTIMAL_PROTO $BUGS -connect $NODEIP:$PORT $PROXY $sni </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
sclient_connect_successful $? $TMPFILE || pr_warning "Handshake error!"
|
sclient_connect_successful $? $TMPFILE || pr_warning "Handshake error!"
|
||||||
fi
|
fi
|
||||||
default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g')
|
||||||
@ -3910,7 +3931,7 @@ sclient_connect_successful() {
|
|||||||
# arg1 is "-cipher <OpenSSL cipher>" or empty
|
# arg1 is "-cipher <OpenSSL cipher>" or empty
|
||||||
# arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried)
|
# arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried)
|
||||||
determine_tls_extensions() {
|
determine_tls_extensions() {
|
||||||
local proto
|
local proto addcmd
|
||||||
local success
|
local success
|
||||||
local alpn=""
|
local alpn=""
|
||||||
local savedir
|
local savedir
|
||||||
@ -3926,14 +3947,48 @@ determine_tls_extensions() {
|
|||||||
|
|
||||||
# throwing 1st every cipher/protocol at the server to know what works
|
# throwing 1st every cipher/protocol at the server to know what works
|
||||||
success=7
|
success=7
|
||||||
|
|
||||||
|
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
|
||||||
|
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY -ssl2 </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
|
sclient_connect_successful $? $TMPFILE && success=0
|
||||||
|
if [[ $success -eq 0 ]]; then
|
||||||
|
# Place the server's certificate in $HOSTCERT and any intermediate
|
||||||
|
# certificates that were provided in $TEMPDIR/intermediatecerts.pem
|
||||||
|
savedir=$(pwd); cd $TEMPDIR
|
||||||
|
# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
|
||||||
|
awk -v n=-1 '/Server certificate/ {start=1}
|
||||||
|
/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
|
||||||
|
inc { print > ("level" n ".crt") }
|
||||||
|
/---END CERTIFICATE-----/{ inc=0 }' $TMPFILE
|
||||||
|
nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
|
||||||
|
if [[ $nrsaved -eq 0 ]]; then
|
||||||
|
success=1
|
||||||
|
else
|
||||||
|
success=0
|
||||||
|
mv level0.crt $HOSTCERT
|
||||||
|
if [[ $nrsaved -eq 1 ]]; then
|
||||||
|
echo "" > $TEMPDIR/intermediatecerts.pem
|
||||||
|
else
|
||||||
|
cat level?.crt > $TEMPDIR/intermediatecerts.pem
|
||||||
|
rm level?.crt
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
cd "$savedir"
|
||||||
|
fi
|
||||||
|
tmpfile_handle $FUNCNAME.txt
|
||||||
|
return $success
|
||||||
|
fi
|
||||||
|
|
||||||
for proto in $protocols_to_try; do
|
for proto in $protocols_to_try; do
|
||||||
# alpn: echo | openssl s_client -connect google.com:443 -tlsextdebug -alpn h2-14 -servername google.com <-- suport needs to be checked b4 -- see also: ssl/t1_trce.c
|
# alpn: echo | openssl s_client -connect google.com:443 -tlsextdebug -alpn h2-14 -servername google.com <-- suport needs to be checked b4 -- see also: ssl/t1_trce.c
|
||||||
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug -nextprotoneg $alpn -status </dev/null 2>$ERRFILE >$TMPFILE
|
addcmd=""
|
||||||
|
[[ ! "$proto" =~ ssl ]] && addcmd="$SNI"
|
||||||
|
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug -nextprotoneg $alpn -status </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
sclient_connect_successful $? $TMPFILE && success=0 && break
|
sclient_connect_successful $? $TMPFILE && success=0 && break
|
||||||
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
done # this loop is needed for IIS6 and others which have a handshake size limitations
|
||||||
if [[ $success -eq 7 ]]; then
|
if [[ $success -eq 7 ]]; then
|
||||||
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
# "-status" above doesn't work for GOST only servers, so we do another test without it and see whether that works then:
|
||||||
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $SNI -$proto -tlsextdebug </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
if [ -z "$1" ]; then
|
if [ -z "$1" ]; then
|
||||||
pr_warningln "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
|
pr_warningln "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))"
|
||||||
@ -5758,6 +5813,7 @@ socksend_tls_clienthello() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if [[ -n "$SNI" ]]; then
|
||||||
#formatted example for SNI
|
#formatted example for SNI
|
||||||
#00 00 # extension server_name
|
#00 00 # extension server_name
|
||||||
#00 1a # length = the following +2 = server_name length + 5
|
#00 1a # length = the following +2 = server_name length + 5
|
||||||
@ -5772,6 +5828,7 @@ socksend_tls_clienthello() {
|
|||||||
len_servername_hex=$(printf "%02x\n" $len_servername)
|
len_servername_hex=$(printf "%02x\n" $len_servername)
|
||||||
len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
|
len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
|
||||||
len_sni_ext=$(printf "%02x\n" $((len_servername+5)))
|
len_sni_ext=$(printf "%02x\n" $((len_servername+5)))
|
||||||
|
fi
|
||||||
|
|
||||||
extension_signature_algorithms="
|
extension_signature_algorithms="
|
||||||
00, 0d, # Type: signature_algorithms , see RFC 5246
|
00, 0d, # Type: signature_algorithms , see RFC 5246
|
||||||
@ -5801,15 +5858,19 @@ socksend_tls_clienthello() {
|
|||||||
01, 00"
|
01, 00"
|
||||||
|
|
||||||
all_extensions="
|
all_extensions="
|
||||||
00, 00 # extension server_name
|
$extension_heartbeat
|
||||||
|
,$extension_session_ticket
|
||||||
|
,$extension_next_protocol"
|
||||||
|
|
||||||
|
if [[ -n "$SNI" ]]; then
|
||||||
|
all_extensions="$all_extensions
|
||||||
|
,00, 00 # extension server_name
|
||||||
,00, $len_sni_ext # length SNI EXT
|
,00, $len_sni_ext # length SNI EXT
|
||||||
,00, $len_sni_listlen # server_name list_length
|
,00, $len_sni_listlen # server_name list_length
|
||||||
,00 # server_name type (hostname)
|
,00 # server_name type (hostname)
|
||||||
,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
|
,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
|
||||||
,$servername_hexstr # server_name target
|
,$servername_hexstr" # server_name target
|
||||||
,$extension_heartbeat
|
fi
|
||||||
,$extension_session_ticket
|
|
||||||
,$extension_next_protocol"
|
|
||||||
|
|
||||||
# RFC 5246 says that clients MUST NOT offer the signature algorithms
|
# RFC 5246 says that clients MUST NOT offer the signature algorithms
|
||||||
# extension if they are offering TLS versions prior to 1.2.
|
# extension if they are offering TLS versions prior to 1.2.
|
||||||
@ -6234,13 +6295,14 @@ run_renego() {
|
|||||||
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
|
# no SNI here. Not needed as there won't be two different SSL stacks for one IP
|
||||||
local legacycmd=""
|
local legacycmd=""
|
||||||
local insecure_renogo_str="Secure Renegotiation IS NOT"
|
local insecure_renogo_str="Secure Renegotiation IS NOT"
|
||||||
local sec_renego sec_client_renego
|
local sec_renego sec_client_renego addcmd=""
|
||||||
|
|
||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Renegotiation vulnerabilities " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Renegotiation vulnerabilities " && outln
|
||||||
|
|
||||||
pr_bold " Secure Renegotiation "; out "(CVE-2009-3555) " # and RFC5746, OSVDB 59968-59974
|
pr_bold " Secure Renegotiation "; out "(CVE-2009-3555) " # and RFC5746, OSVDB 59968-59974
|
||||||
# community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
|
# community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
|
||||||
$OPENSSL s_client $OPTIMAL_PROTO $STARTTLS $BUGS -connect $NODEIP:$PORT $SNI $PROXY 2>&1 </dev/null >$TMPFILE 2>$ERRFILE
|
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI"
|
||||||
|
$OPENSSL s_client $OPTIMAL_PROTO $STARTTLS $BUGS -connect $NODEIP:$PORT $addcmd $PROXY 2>&1 </dev/null >$TMPFILE 2>$ERRFILE
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
grep -iaq "$insecure_renogo_str" $TMPFILE
|
grep -iaq "$insecure_renogo_str" $TMPFILE
|
||||||
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
|
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
|
||||||
@ -6293,7 +6355,7 @@ run_renego() {
|
|||||||
else
|
else
|
||||||
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
|
# We need up to two tries here, as some LiteSpeed servers don't answer on "R" and block. Thus first try in the background
|
||||||
# msg enables us to look deeper into it while debugging
|
# msg enables us to look deeper into it while debugging
|
||||||
echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE &
|
echo R | $OPENSSL s_client $OPTIMAL_PROTO $BUGS $legacycmd $STARTTLS -msg -connect $NODEIP:$PORT $addcmd $PROXY >$TMPFILE 2>>$ERRFILE &
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
if [[ $? -eq 3 ]]; then
|
if [[ $? -eq 3 ]]; then
|
||||||
pr_done_good "likely not vulnerable (OK)"; outln " (timed out)" # it hung
|
pr_done_good "likely not vulnerable (OK)"; outln " (timed out)" # it hung
|
||||||
@ -6301,7 +6363,7 @@ run_renego() {
|
|||||||
sec_client_renego=1
|
sec_client_renego=1
|
||||||
else
|
else
|
||||||
# second try in the foreground as we are sure now it won't hang
|
# second try in the foreground as we are sure now it won't hang
|
||||||
echo R | $OPENSSL s_client $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $SNI $PROXY >$TMPFILE 2>>$ERRFILE
|
echo R | $OPENSSL s_client $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $addcmd $PROXY >$TMPFILE 2>>$ERRFILE
|
||||||
sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln!
|
sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln!
|
||||||
case "$sec_client_renego" in
|
case "$sec_client_renego" in
|
||||||
0)
|
0)
|
||||||
@ -6413,7 +6475,7 @@ run_crime() {
|
|||||||
# to the version of TLS/SSL, more: http://www.breachattack.com/ . Foreign referrers are the important thing here!
|
# to the version of TLS/SSL, more: http://www.breachattack.com/ . Foreign referrers are the important thing here!
|
||||||
# Mitigation: see https://community.qualys.com/message/20360
|
# Mitigation: see https://community.qualys.com/message/20360
|
||||||
run_breach() {
|
run_breach() {
|
||||||
local header
|
local header addcmd=""
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
local -i was_killed=0
|
local -i was_killed=0
|
||||||
local referer useragent
|
local referer useragent
|
||||||
@ -6437,7 +6499,8 @@ run_breach() {
|
|||||||
useragent="$UA_STD"
|
useragent="$UA_STD"
|
||||||
$SNEAKY && useragent="$UA_SNEAKY"
|
$SNEAKY && useragent="$UA_SNEAKY"
|
||||||
|
|
||||||
printf "GET $url HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $useragent\r\nReferer: $referer\r\nConnection: Close\r\nAccept-encoding: gzip,deflate,compress\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI 1>$TMPFILE 2>$ERRFILE &
|
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI"
|
||||||
|
printf "GET $url HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $useragent\r\nReferer: $referer\r\nConnection: Close\r\nAccept-encoding: gzip,deflate,compress\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $addcmd 1>$TMPFILE 2>$ERRFILE &
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
was_killed=$? # !=0 was killed
|
was_killed=$? # !=0 was killed
|
||||||
result=$(awk '/^Content-Encoding/ { print $2 }' $TMPFILE)
|
result=$(awk '/^Content-Encoding/ { print $2 }' $TMPFILE)
|
||||||
@ -6525,7 +6588,12 @@ run_tls_fallback_scsv() {
|
|||||||
# c) best to make sure that we hit a specific protocol, see https://alpacapowered.wordpress.com/2014/10/20/ssl-poodle-attack-what-is-this-scsv-thingy/
|
# c) best to make sure that we hit a specific protocol, see https://alpacapowered.wordpress.com/2014/10/20/ssl-poodle-attack-what-is-this-scsv-thingy/
|
||||||
# d) minor: we should do "-state" here
|
# d) minor: we should do "-state" here
|
||||||
|
|
||||||
# first: make sure we have tls1_2:
|
# first: make sure SSLv3 or some TLS protocol is supported
|
||||||
|
if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
|
||||||
|
pr_svrty_criticalln "No fallback possible, SSLv2 is the only protocol"
|
||||||
|
return 7
|
||||||
|
fi
|
||||||
|
# second: make sure we have tls1_2:
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI -no_tls1_2 >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
pr_done_good "No fallback possible, TLS 1.2 is the only protocol (OK)"
|
pr_done_good "No fallback possible, TLS 1.2 is the only protocol (OK)"
|
||||||
@ -6575,7 +6643,7 @@ run_freak() {
|
|||||||
local -i nr_supported_ciphers=0
|
local -i nr_supported_ciphers=0
|
||||||
# with correct build it should list these 7 ciphers (plus the two latter as SSLv2 ciphers):
|
# with correct build it should list these 7 ciphers (plus the two latter as SSLv2 ciphers):
|
||||||
local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5"
|
local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5"
|
||||||
local addtl_warning=""
|
local addcmd="" addtl_warning=""
|
||||||
|
|
||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for FREAK attack " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for FREAK attack " && outln
|
||||||
pr_bold " FREAK"; out " (CVE-2015-0204) "
|
pr_bold " FREAK"; out " (CVE-2015-0204) "
|
||||||
@ -6596,7 +6664,9 @@ run_freak() {
|
|||||||
4|5|6|7)
|
4|5|6|7)
|
||||||
addtl_warning=" (tested with $nr_supported_ciphers/9 ciphers)" ;;
|
addtl_warning=" (tested with $nr_supported_ciphers/9 ciphers)" ;;
|
||||||
esac
|
esac
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO"
|
||||||
|
[[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI"
|
||||||
|
$OPENSSL s_client $STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $addcmd >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
@ -6732,7 +6802,7 @@ run_drown() {
|
|||||||
|
|
||||||
# Browser Exploit Against SSL/TLS: don't use CBC Ciphers in SSLv3 TLSv1.0
|
# Browser Exploit Against SSL/TLS: don't use CBC Ciphers in SSLv3 TLSv1.0
|
||||||
run_beast(){
|
run_beast(){
|
||||||
local hexcode dash cbc_cipher sslvers kx auth enc mac export
|
local hexcode dash cbc_cipher sslvers kx auth enc mac export addcmd
|
||||||
local detected_proto
|
local detected_proto
|
||||||
local -i sclient_success=0
|
local -i sclient_success=0
|
||||||
local detected_cbc_ciphers=""
|
local detected_cbc_ciphers=""
|
||||||
@ -6771,7 +6841,9 @@ run_beast(){
|
|||||||
out " "
|
out " "
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
addcmd=""
|
||||||
|
[[ ! "$proto" =~ ssl ]] && addcmd="$SNI"
|
||||||
|
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $addcmd >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
|
if ! sclient_connect_successful $? $TMPFILE; then # protocol supported?
|
||||||
if "$continued"; then # second round: we hit TLS1
|
if "$continued"; then # second round: we hit TLS1
|
||||||
if "$HAS_SSL3"; then
|
if "$HAS_SSL3"; then
|
||||||
@ -6791,7 +6863,7 @@ run_beast(){
|
|||||||
|
|
||||||
|
|
||||||
# now we test in one shot with the precompiled ciphers
|
# now we test in one shot with the precompiled ciphers
|
||||||
$OPENSSL s_client -"$proto" -cipher "$cbc_cipher_list" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
$OPENSSL s_client -"$proto" -cipher "$cbc_cipher_list" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $addcmd >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE || continue
|
sclient_connect_successful $? $TMPFILE || continue
|
||||||
|
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
@ -6803,7 +6875,7 @@ run_beast(){
|
|||||||
for ciph in $(colon_to_spaces "$cbc_cipher_list"); do
|
for ciph in $(colon_to_spaces "$cbc_cipher_list"); do
|
||||||
read hexcode dash cbc_cipher sslvers kx auth enc mac < <($OPENSSL ciphers -V "$ciph" 2>>$ERRFILE) # -V doesn't work with openssl < 1.0
|
read hexcode dash cbc_cipher sslvers kx auth enc mac < <($OPENSSL ciphers -V "$ciph" 2>>$ERRFILE) # -V doesn't work with openssl < 1.0
|
||||||
# ^^^^^ process substitution as shopt will either segfault or doesn't work with old bash versions
|
# ^^^^^ process substitution as shopt will either segfault or doesn't work with old bash versions
|
||||||
$OPENSSL s_client -cipher "$cbc_cipher" -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
$OPENSSL s_client -cipher "$cbc_cipher" -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $addcmd >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
@ -7986,7 +8058,7 @@ get_local_a() {
|
|||||||
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
|
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
|
||||||
|
|
||||||
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
|
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
|
||||||
ip4=$(grep -wh "$1" $etchosts 2>/dev/null | egrep -v ':|^#' | egrep "[[:space:]]$1" | awk '{ print $1 }')
|
ip4=$(grep -wh "$1[^\.]" $etchosts 2>/dev/null | egrep -v ':|^#' | egrep "[[:space:]]$1" | awk '{ print $1 }')
|
||||||
if is_ipv4addr "$ip4"; then
|
if is_ipv4addr "$ip4"; then
|
||||||
echo "$ip4"
|
echo "$ip4"
|
||||||
else
|
else
|
||||||
@ -9060,4 +9132,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.535 2016/09/01 10:42:53 dirkw Exp $
|
# $Id: testssl.sh,v 1.537 2016/09/01 17:09:11 dirkw Exp $
|
||||||
|
Loading…
Reference in New Issue
Block a user