From 326a65e7ad43485b1955aad5321299f10f171aac Mon Sep 17 00:00:00 2001 From: Tomasz Kramkowski Date: Mon, 23 May 2022 13:53:38 +0100 Subject: [PATCH 1/2] Fix CRIME test on servers only supporting TLS 1.3 As jsonID is not set by run_crime, make the fileout invocation for servers supporting only TLS 1.3 use the literal "CRIME_TLS" instead. Previously running testssl with CSV or JSON output would produce an item with the wrong ID. --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 2c1900f..5990201 100755 --- a/testssl.sh +++ b/testssl.sh @@ -16710,7 +16710,7 @@ run_crime() { pr_svrty_best "not vulnerable (OK)" [[ $DEBUG -ge 1 ]] && out ", no compression in TLS 1.3 only servers" outln - fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe" + fileout "CRIME_TLS" "OK" "TLS 1.3 only server" "$cve" "$cwe" return 0 fi From fc0cc67d4794c6d3a3d5463dc9cd03d9c8d70df1 Mon Sep 17 00:00:00 2001 From: Tomasz Kramkowski Date: Mon, 23 May 2022 13:57:31 +0100 Subject: [PATCH 2/2] Make run_crime use $jsonID instead of repeating This also seems more consistent across the code. --- testssl.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/testssl.sh b/testssl.sh index 5990201..88583f5 100755 --- a/testssl.sh +++ b/testssl.sh @@ -16705,19 +16705,20 @@ run_crime() { [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln pr_bold " CRIME, TLS " ; out "($cve) " + jsonID="CRIME_TLS" if "$TLS13_ONLY"; then pr_svrty_best "not vulnerable (OK)" [[ $DEBUG -ge 1 ]] && out ", no compression in TLS 1.3 only servers" outln - fileout "CRIME_TLS" "OK" "TLS 1.3 only server" "$cve" "$cwe" + fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe" return 0 fi if ! "$HAS_ZLIB"; then if "$SSL_NATIVE"; then prln_local_problem "$OPENSSL lacks zlib support" - fileout "CRIME_TLS" "WARN" "CRIME, TLS: Not tested. $OPENSSL lacks zlib support" "$cve" "$cwe" + fileout "$jsonID" "WARN" "CRIME, TLS: Not tested. $OPENSSL lacks zlib support" "$cve" "$cwe" return 1 else tls_sockets "03" "$TLS12_CIPHER" "" "" "true" @@ -16735,23 +16736,23 @@ run_crime() { if [[ $sclient_success -ne 0 ]]; then pr_warning "test failed (couldn't connect)" - fileout "CRIME_TLS" "WARN" "Check failed, couldn't connect" "$cve" "$cwe" + fileout "$jsonID" "WARN" "Check failed, couldn't connect" "$cve" "$cwe" ret=1 elif grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then pr_svrty_good "not vulnerable (OK)" if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != required ]]; then out " (not using HTTP anyway)" - fileout "CRIME_TLS" "OK" "not vulnerable (not using HTTP anyway)" "$cve" "$cwe" + fileout "$jsonID" "OK" "not vulnerable (not using HTTP anyway)" "$cve" "$cwe" else - fileout "CRIME_TLS" "OK" "not vulnerable" "$cve" "$cwe" + fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe" fi else if [[ $SERVICE == HTTP ]] || [[ "$CLIENT_AUTH" == required ]]; then pr_svrty_high "VULNERABLE (NOT ok)" - fileout "CRIME_TLS" "HIGH" "VULNERABLE" "$cve" "$cwe" "$hint" + fileout "$jsonID" "HIGH" "VULNERABLE" "$cve" "$cwe" "$hint" else pr_svrty_medium "VULNERABLE but not using HTTP: probably no exploit known" - fileout "CRIME_TLS" "MEDIUM" "VULNERABLE, but not using HTTP. Probably no exploit known" "$cve" "$cwe" "$hint" + fileout "$jsonID" "MEDIUM" "VULNERABLE, but not using HTTP. Probably no exploit known" "$cve" "$cwe" "$hint" # not clear whether a protocol != HTTP offers the ability to repeatedly modify the input # which is done e.g. via javascript in the context of HTTP fi