* heartbleed and ccs check enabled per default for STARTTLS

* performance improvements for sockets+STARTTLS (still only enabled via EXPERIMENTAL=yes)
This commit is contained in:
Dirk Wetter 2015-07-08 21:30:31 +02:00
parent ba09b84648
commit f1d8471a3d
1 changed files with 27 additions and 21 deletions

View File

@ -115,6 +115,7 @@ readonly MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each) readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each)
readonly HEARTBLEED_MAX_WAITSOCK=8 # for the heartbleed payload readonly HEARTBLEED_MAX_WAITSOCK=8 # for the heartbleed payload
readonly STARTTLS_SLEEP=1 # max time to wait on a socket replay for STARTTLS readonly STARTTLS_SLEEP=1 # max time to wait on a socket replay for STARTTLS
FAST_STARTTLS=${FAST_STARTTLS:-true} #at the cost of reliabilty decrese the handshakes for STARTTLS
USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
@ -1268,7 +1269,7 @@ run_protocols() {
if $SSL_NATIVE || [ -n "$STARTTLS" ] && [[ $EXPERIMENTAL != "yes" ]]; then if $SSL_NATIVE || [ -n "$STARTTLS" ] && [[ $EXPERIMENTAL != "yes" ]]; then
using_sockets=false using_sockets=false
outln "(via native openssl)\n" outln "(via openssl)\n"
else else
outln "(via sockets except TLS 1.2 and SPDY/NPN)\n" outln "(via sockets except TLS 1.2 and SPDY/NPN)\n"
fi fi
@ -2004,6 +2005,11 @@ starttls_line() {
return 0 return 0
} }
starttls_just_send(){
debugme echo -e "\n=== sending \"$1\" ..."
echo -e "$1" >&5
}
starttls_just_read(){ starttls_just_read(){
debugme echo "=== just read banner ===" debugme echo "=== just read banner ==="
if [[ "$DEBUG" -ge 2 ]] ; then if [[ "$DEBUG" -ge 2 ]] ; then
@ -2054,27 +2060,27 @@ fd_socket() {
if [[ -n "$STARTTLS" ]]; then if [[ -n "$STARTTLS" ]]; then
case "$PORT" in # port case "$PORT" in # port
21) # https://tools.ietf.org/html/rfc4217 21) # https://tools.ietf.org/html/rfc4217
starttls_just_read $FAST_STARTTLS || starttls_just_read
starttls_line "FEAT" "211" $FAST_STARTTLS || starttls_line "FEAT" "211" && starttls_just_send "FEAT"
starttls_line "AUTH TLS" "successful|234" starttls_line "AUTH TLS" "successful|234"
;; ;;
25) # SMTP, see https://tools.ietf.org/html/rfc4217 25) # SMTP, see https://tools.ietf.org/html/rfc4217
starttls_just_read $FAST_STARTTLS || starttls_just_read
starttls_line "EHLO testssl.sh" "220|250" $FAST_STARTTLS || starttls_line "EHLO testssl.sh" "220|250" && starttls_just_send "EHLO testssl.sh"
starttls_line "STARTTLS" "220" starttls_line "STARTTLS" "220"
;; ;;
110) # POP, see https://tools.ietf.org/html/rfc2595 110) # POP, see https://tools.ietf.org/html/rfc2595
starttls_just_read $FAST_STARTTLS || starttls_just_read
starttls_line "STLS" "OK" starttls_line "STLS" "OK"
;; ;;
119|433) # NNTP, see https://tools.ietf.org/html/rfc4642 119|433) # NNTP, see https://tools.ietf.org/html/rfc4642
starttls_just_read $FAST_STARTTLS || starttls_just_read
starttls_line "CAPABILITIES" "101|200" $FAST_STARTTLS || starttls_line "CAPABILITIES" "101|200" && starttls_just_send "CAPABILITIES"
starttls_line "STARTTLS" "382" starttls_line "STARTTLS" "382"
;; ;;
143) # IMAP, https://tools.ietf.org/html/rfc2595 143) # IMAP, https://tools.ietf.org/html/rfc2595
starttls_just_read $FAST_STARTTLS || starttls_just_read
starttls_line "a001 CAPABILITY" "OK" $FAST_STARTTLS || starttls_line "a001 CAPABILITY" "OK" && starttls_just_send "a001 CAPABILITY"
starttls_line "a002 STARTTLS" "OK" starttls_line "a002 STARTTLS" "OK"
;; ;;
389) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511 389) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
@ -2550,10 +2556,10 @@ heartbleed(){
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for heartbleed vulnerability" && outln "\n" [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for heartbleed vulnerability" && outln "\n"
pr_bold " Heartbleed\c"; out " (CVE-2014-0160) " pr_bold " Heartbleed\c"; out " (CVE-2014-0160) "
if [[ -n "$STARTTLS" ]] && [[ $EXPERIMENTAL != "yes" ]] ; then #if [[ -n "$STARTTLS" ]] && [[ $EXPERIMENTAL != "yes" ]] ; then
outln "(not yet implemented for STARTTLS)" # outln "(not yet implemented for STARTTLS)"
return 0 # return 0
fi #fi
# determine TLS versions available: # determine TLS versions available:
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY -tlsextdebug &>$TMPFILE </dev/null $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY -tlsextdebug &>$TMPFILE </dev/null
@ -2670,10 +2676,10 @@ ccs_injection(){
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for CCS injection vulnerability" && outln "\n" [ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for CCS injection vulnerability" && outln "\n"
pr_bold " CCS"; out " (CVE-2014-0224) " pr_bold " CCS"; out " (CVE-2014-0224) "
if [[ -n "$STARTTLS" ]] && [[ $EXPERIMENTAL != "yes" ]] ; then #if [[ -n "$STARTTLS" ]] && [[ $EXPERIMENTAL != "yes" ]] ; then
outln "(not yet implemented for STARTTLS)" # outln "(not yet implemented for STARTTLS)"
return 0 # return 0
fi #fi
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY &>$TMPFILE </dev/null $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY &>$TMPFILE </dev/null
if $HAS_SED_E; then if $HAS_SED_E; then
@ -3528,7 +3534,7 @@ mybanner() {
bb=$(cat <<EOF bb=$(cat <<EOF
######################################################### #########################################################
$PROG_NAME $VERSION $SWURL $PROG_NAME ($VERSION) $SWURL
($idtag) ($idtag)
This program is free software. Redistribution + This program is free software. Redistribution +
@ -3855,7 +3861,7 @@ determine_service() {
fi fi
out " Service set: STARTTLS via " out " Service set: STARTTLS via "
printf $protocol | tr '[a-z]' '[A-Z]' printf $protocol | tr '[a-z]' '[A-Z]'
[[ -n "$XMPP_HOST" ]] && printf " (with to=\'$XMPP_HOST\')" [[ -n "$XMPP_HOST" ]] && printf " (XMPP domain=\'$XMPP_HOST\')"
outln outln
;; ;;
*) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2 *) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2
@ -4373,4 +4379,4 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.305 2015/07/08 09:26:59 dirkw Exp $ # $Id: testssl.sh,v 1.306 2015/07/08 19:30:08 dirkw Exp $