* heartbleed and ccs check enabled by default for STARTTLS
* performance improvements for sockets+STARTTLS (still only enabled via EXPERIMENTAL=yes)
parent
ba09b84648
commit
f1d8471a3d
48
testssl.sh
48
testssl.sh
@ -115,6 +115,7 @@ readonly MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each)
readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each)
readonly HEARTBLEED_MAX_WAITSOCK=8 # for the heartbleed payload
readonly HEARTBLEED_MAX_WAITSOCK=8 # for the heartbleed payload
readonly STARTTLS_SLEEP=1 # max time to wait on a socket replay for STARTTLS
readonly STARTTLS_SLEEP=1 # max time to wait on a socket replay for STARTTLS
FAST_STARTTLS=${FAST_STARTTLS:-true} #at the cost of reliabilty decrese the handshakes for STARTTLS
USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
@ -1268,7 +1269,7 @@ run_protocols() {
if $SSL_NATIVE || [ -n "$STARTTLS" ] && [[ $EXPERIMENTAL != "yes" ]]; then
if $SSL_NATIVE || [ -n "$STARTTLS" ] && [[ $EXPERIMENTAL != "yes" ]]; then
using_sockets=false
using_sockets=false
outln "(via native openssl)\n"
outln "(via openssl)\n"
else
else
outln "(via sockets except TLS 1.2 and SPDY/NPN)\n"
outln "(via sockets except TLS 1.2 and SPDY/NPN)\n"
fi
fi
@ -2004,6 +2005,11 @@ starttls_line() {
return 0
return 0
}
}
starttls_just_send(){
debugme echo -e "\n=== sending \"$1\" ..."
echo -e "$1" >&5
}
starttls_just_read(){
starttls_just_read(){
debugme echo "=== just read banner ==="
debugme echo "=== just read banner ==="
if [[ "$DEBUG" -ge 2 ]] ; then
if [[ "$DEBUG" -ge 2 ]] ; then
@ -2054,27 +2060,27 @@ fd_socket() {
if [[ -n "$STARTTLS" ]]; then
if [[ -n "$STARTTLS" ]]; then
case "$PORT" in # port
case "$PORT" in # port
21) # https://tools.ietf.org/html/rfc4217
21) # https://tools.ietf.org/html/rfc4217
starttls_just_read
$FAST_STARTTLS || starttls_just_read
starttls_line "FEAT" "211"
$FAST_STARTTLS || starttls_line "FEAT" "211" && starttls_just_send "FEAT"
starttls_line "AUTH TLS" "successful|234"
starttls_line "AUTH TLS" "successful|234"
;;
;;
25) # SMTP, see https://tools.ietf.org/html/rfc4217
25) # SMTP, see https://tools.ietf.org/html/rfc4217
starttls_just_read
$FAST_STARTTLS || starttls_just_read
starttls_line "EHLO testssl.sh" "220|250"
$FAST_STARTTLS || starttls_line "EHLO testssl.sh" "220|250" && starttls_just_send "EHLO testssl.sh"
starttls_line "STARTTLS" "220"
starttls_line "STARTTLS" "220"
;;
;;
110) # POP, see https://tools.ietf.org/html/rfc2595
110) # POP, see https://tools.ietf.org/html/rfc2595
starttls_just_read
$FAST_STARTTLS || starttls_just_read
starttls_line "STLS" "OK"
starttls_line "STLS" "OK"
;;
;;
119|433) # NNTP, see https://tools.ietf.org/html/rfc4642
119|433) # NNTP, see https://tools.ietf.org/html/rfc4642
starttls_just_read
$FAST_STARTTLS || starttls_just_read
starttls_line "CAPABILITIES" "101|200"
$FAST_STARTTLS || starttls_line "CAPABILITIES" "101|200" && starttls_just_send "CAPABILITIES"
starttls_line "STARTTLS" "382"
starttls_line "STARTTLS" "382"
;;
;;
143) # IMAP, https://tools.ietf.org/html/rfc2595
143) # IMAP, https://tools.ietf.org/html/rfc2595
starttls_just_read
$FAST_STARTTLS || starttls_just_read
starttls_line "a001 CAPABILITY" "OK"
$FAST_STARTTLS || starttls_line "a001 CAPABILITY" "OK" && starttls_just_send "a001 CAPABILITY"
starttls_line "a002 STARTTLS" "OK"
starttls_line "a002 STARTTLS" "OK"
;;
;;
389) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
389) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
@ -2550,10 +2556,10 @@ heartbleed(){
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for heartbleed vulnerability" && outln "\n"
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for heartbleed vulnerability" && outln "\n"
pr_bold " Heartbleed\c"; out " (CVE-2014-0160) "
pr_bold " Heartbleed\c"; out " (CVE-2014-0160) "
if [[ -n "$STARTTLS" ]] && [[ $EXPERIMENTAL != "yes" ]] ; then
#if [[ -n "$STARTTLS" ]] && [[ $EXPERIMENTAL != "yes" ]] ; then
outln "(not yet implemented for STARTTLS)"
# outln "(not yet implemented for STARTTLS)"
return 0
# return 0
fi
#fi
# determine TLS versions available:
# determine TLS versions available:
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY -tlsextdebug &>$TMPFILE </dev/null
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY -tlsextdebug &>$TMPFILE </dev/null
@ -2670,10 +2676,10 @@ ccs_injection(){
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for CCS injection vulnerability" && outln "\n"
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for CCS injection vulnerability" && outln "\n"
pr_bold " CCS"; out " (CVE-2014-0224) "
pr_bold " CCS"; out " (CVE-2014-0224) "
if [[ -n "$STARTTLS" ]] && [[ $EXPERIMENTAL != "yes" ]] ; then
#if [[ -n "$STARTTLS" ]] && [[ $EXPERIMENTAL != "yes" ]] ; then
outln "(not yet implemented for STARTTLS)"
# outln "(not yet implemented for STARTTLS)"
return 0
# return 0
fi
#fi
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY &>$TMPFILE </dev/null
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $PROXY &>$TMPFILE </dev/null
if $HAS_SED_E; then
if $HAS_SED_E; then
@ -3528,7 +3534,7 @@ mybanner() {
bb=$(cat <<EOF
bb=$(cat <<EOF
#########################################################
#########################################################
$PROG_NAME $VERSION $SWURL
$PROG_NAME ($VERSION) $SWURL
($idtag)
($idtag)
This program is free software. Redistribution +
This program is free software. Redistribution +
@ -3855,7 +3861,7 @@ determine_service() {
fi
fi
out " Service set: STARTTLS via "
out " Service set: STARTTLS via "
printf $protocol | tr '[a-z]' '[A-Z]'
printf $protocol | tr '[a-z]' '[A-Z]'
[[ -n "$XMPP_HOST" ]] && printf " (with to=\'$XMPP_HOST\')"
[[ -n "$XMPP_HOST" ]] && printf " (XMPP domain=\'$XMPP_HOST\')"
outln
outln
;;
;;
*) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2
*) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2
@ -4373,4 +4379,4 @@ fi
exit $ret
exit $ret
# $Id: testssl.sh,v 1.305 2015/07/08 09:26:59 dirkw Exp $
# $Id: testssl.sh,v 1.306 2015/07/08 19:30:08 dirkw Exp $
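Review bot: The new line `$FAST_STARTTLS || starttls_line "FEAT" "211" && starttls_just_send "FEAT"` in the fd_socket hunk parses as `(... || ...) && ...` because `||` and `&&` share precedence in bash, so in the non-fast path a successful `starttls_line` is immediately followed by a second, unread `FEAT`; the same applies to the new EHLO, CAPABILITIES and `a001 CAPABILITY` lines. The reply to that duplicate command stays in the socket buffer and can satisfy the following `AUTH TLS`/`STARTTLS` expectation early, which is a plausible source of wrong STARTTLS results. Spell the intent out instead: `if $FAST_STARTTLS; then starttls_just_send "FEAT"; else starttls_line "FEAT" "211"; fi`, and likewise for the other three sites. As a lesser point, the heartbleed() and ccs_injection() hunks comment out the STARTTLS guard rather than removing it, and the new FAST_STARTTLS comment misspells "reliability" and "decrease". fd_socket's body starts and ends outside the hunk.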