further address #986
Error codes now done until run_server_defaults(). Previous sections modified so that execution errors are added. Modified in compare_server_name_to_cert() ret --> subret. From the code perspective a clear distinction between passing an error code and a functional return code would be great. Still has to be determined whether it maybe better to rename ret into something different. Removed a stale code line in run_server_preference() for STARTTLS.
This commit is contained in:
parent
b6d4a7d4cd
commit
f4918c8fd3
156
testssl.sh
156
testssl.sh
|
@ -1444,7 +1444,6 @@ s_client_options() {
|
||||||
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
|
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
|
||||||
# arg1 could be the protocol determined as "working". IIS6 needs that
|
# arg1 could be the protocol determined as "working". IIS6 needs that
|
||||||
service_detection() {
|
service_detection() {
|
||||||
local -i ret=0
|
|
||||||
local -i was_killed
|
local -i was_killed
|
||||||
|
|
||||||
if ! "$CLIENT_AUTH"; then
|
if ! "$CLIENT_AUTH"; then
|
||||||
|
@ -1470,12 +1469,10 @@ service_detection() {
|
||||||
HTTP)
|
HTTP)
|
||||||
out " $SERVICE"
|
out " $SERVICE"
|
||||||
fileout "${jsonID}" "INFO" "$SERVICE"
|
fileout "${jsonID}" "INFO" "$SERVICE"
|
||||||
ret=0
|
|
||||||
;;
|
;;
|
||||||
IMAP|POP|SMTP|NNTP|MongoDB)
|
IMAP|POP|SMTP|NNTP|MongoDB)
|
||||||
out " $SERVICE, thus skipping HTTP specific checks"
|
out " $SERVICE, thus skipping HTTP specific checks"
|
||||||
fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
|
fileout "${jsonID}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
|
||||||
ret=0
|
|
||||||
;;
|
;;
|
||||||
*) if "$CLIENT_AUTH"; then
|
*) if "$CLIENT_AUTH"; then
|
||||||
out " certificate-based authentication => skipping all HTTP checks"
|
out " certificate-based authentication => skipping all HTTP checks"
|
||||||
|
@ -1487,11 +1484,9 @@ service_detection() {
|
||||||
SERVICE=HTTP
|
SERVICE=HTTP
|
||||||
out " -- ASSUME_HTTP set though"
|
out " -- ASSUME_HTTP set though"
|
||||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
fileout "${jsonID}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
|
||||||
ret=0
|
|
||||||
else
|
else
|
||||||
out ", assuming no HTTP service => skipping all HTTP checks"
|
out ", assuming no HTTP service => skipping all HTTP checks"
|
||||||
fileout "${jsonID}" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
|
fileout "${jsonID}" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
|
||||||
ret=1
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
@ -1499,7 +1494,7 @@ service_detection() {
|
||||||
|
|
||||||
outln "\n"
|
outln "\n"
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -2548,7 +2543,7 @@ sub_cipherlists() {
|
||||||
pr_warning "SERVER_ERROR: test inconclusive."
|
pr_warning "SERVER_ERROR: test inconclusive."
|
||||||
fileout "${jsonID}_$4" "WARN" "SERVER_ERROR, test inconclusive."
|
fileout "${jsonID}_$4" "WARN" "SERVER_ERROR, test inconclusive."
|
||||||
fi
|
fi
|
||||||
ret=1
|
((ret++))
|
||||||
else
|
else
|
||||||
# Otherwise the error means the server doesn't support that cipher list.
|
# Otherwise the error means the server doesn't support that cipher list.
|
||||||
case $3 in
|
case $3 in
|
||||||
|
@ -2603,7 +2598,7 @@ sub_cipherlists() {
|
||||||
*) # we shouldn't reach this
|
*) # we shouldn't reach this
|
||||||
pr_warning "?: $3 (please report this)"
|
pr_warning "?: $3 (please report this)"
|
||||||
fileout "${jsonID}_$4" "WARN" "return condition $3 unclear"
|
fileout "${jsonID}_$4" "WARN" "return condition $3 unclear"
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
@ -2619,6 +2614,7 @@ sub_cipherlists() {
|
||||||
fi
|
fi
|
||||||
fileout "${jsonID}_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)"
|
fileout "${jsonID}_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)"
|
||||||
fi
|
fi
|
||||||
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -4305,7 +4301,7 @@ run_protocols() {
|
||||||
;;
|
;;
|
||||||
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
|
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm"
|
||||||
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
|
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)"
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
3) lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
3) lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
|
||||||
[[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) "
|
[[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) "
|
||||||
|
@ -4323,7 +4319,7 @@ run_protocols() {
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
debugme tmln_out
|
debugme tmln_out
|
||||||
|
@ -4343,7 +4339,7 @@ run_protocols() {
|
||||||
add_tls_offered ssl2 yes
|
add_tls_offered ssl2 yes
|
||||||
;;
|
;;
|
||||||
7) fileout "$jsonID" "INFO" "not tested due to lack of local support"
|
7) fileout "$jsonID" "INFO" "not tested due to lack of local support"
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
@ -4377,7 +4373,7 @@ run_protocols() {
|
||||||
else
|
else
|
||||||
prln_svrty_medium "strange, server ${DETECTED_TLS_VERSION}"
|
prln_svrty_medium "strange, server ${DETECTED_TLS_VERSION}"
|
||||||
fileout "$jsonID" "MEDIUM" "strange, server ${DETECTED_TLS_VERSION}"
|
fileout "$jsonID" "MEDIUM" "strange, server ${DETECTED_TLS_VERSION}"
|
||||||
ret=1
|
((ret++))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
@ -4387,7 +4383,7 @@ run_protocols() {
|
||||||
5) pr_svrty_high "$supported_no_ciph2"
|
5) pr_svrty_high "$supported_no_ciph2"
|
||||||
fileout "$jsonID" "HIGH" "$supported_no_ciph1"
|
fileout "$jsonID" "HIGH" "$supported_no_ciph1"
|
||||||
outln "(may need debugging)"
|
outln "(may need debugging)"
|
||||||
ret=1
|
((ret++))
|
||||||
add_tls_offered ssl3 yes
|
add_tls_offered ssl3 yes
|
||||||
;;
|
;;
|
||||||
7) if "$using_sockets" ; then
|
7) if "$using_sockets" ; then
|
||||||
|
@ -4399,7 +4395,7 @@ run_protocols() {
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -4461,10 +4457,10 @@ run_protocols() {
|
||||||
# warning on screen came already from locally_supported()
|
# warning on screen came already from locally_supported()
|
||||||
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
||||||
fi
|
fi
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -4529,10 +4525,10 @@ run_protocols() {
|
||||||
# warning on screen came already from locally_supported()
|
# warning on screen came already from locally_supported()
|
||||||
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
||||||
fi
|
fi
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -4608,10 +4604,10 @@ run_protocols() {
|
||||||
# warning on screen came already from locally_supported()
|
# warning on screen came already from locally_supported()
|
||||||
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
||||||
fi
|
fi
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -4738,10 +4734,10 @@ run_protocols() {
|
||||||
# warning on screen came already from locally_supported()
|
# warning on screen came already from locally_supported()
|
||||||
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
fileout "$jsonID" "WARN" "not tested due to lack of local support"
|
||||||
fi
|
fi
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
*) pr_fixme "unexpected value around line $((LINENO))"; outln "$debug_recomm"
|
||||||
ret=1
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -5173,9 +5169,10 @@ run_server_preference() {
|
||||||
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
|
if ! sclient_connect_successful $? $TMPFILE && [[ -z "$STARTTLS_PROTOCOL" ]]; then
|
||||||
pr_warning "no matching cipher in this list found (pls report this): "
|
pr_warning "no matching cipher in this list found (pls report this): "
|
||||||
outln "$list_fwd . "
|
outln "$list_fwd . "
|
||||||
tmpfile_handle $FUNCNAME.txt
|
|
||||||
return 6
|
|
||||||
fileout "$jsonID" "WARN" "Could not determine server cipher order, no matching cipher in list found (pls report this): $list_fwd"
|
fileout "$jsonID" "WARN" "Could not determine server cipher order, no matching cipher in list found (pls report this): $list_fwd"
|
||||||
|
tmpfile_handle $FUNCNAME.txt
|
||||||
|
return 1
|
||||||
|
# we assume the problem is with testing here but it could be also the server side
|
||||||
elif [[ -n "$STARTTLS_PROTOCOL" ]]; then
|
elif [[ -n "$STARTTLS_PROTOCOL" ]]; then
|
||||||
# now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188
|
# now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188
|
||||||
# workaround is to connect with a protocol
|
# workaround is to connect with a protocol
|
||||||
|
@ -5187,7 +5184,7 @@ run_server_preference() {
|
||||||
outln "$list_fwd . "
|
outln "$list_fwd . "
|
||||||
fileout "$jsonID" "WARN" "Could not determine cipher order, no matching cipher in list found (pls report this): $list_fwd"
|
fileout "$jsonID" "WARN" "Could not determine cipher order, no matching cipher in list found (pls report this): $list_fwd"
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return 6
|
return 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -5233,7 +5230,7 @@ run_server_preference() {
|
||||||
13,03, 13,01, 00,3d, 00,3c, 00,35, 00,2f, 00,ff" \
|
13,03, 13,01, 00,3d, 00,3c, 00,35, 00,2f, 00,ff" \
|
||||||
"ephemeralkey"
|
"ephemeralkey"
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ $sclient_success -eq 2 ]] && sclient_success=0
|
[[ $sclient_success -eq 2 ]] && sclient_success=0 # 2: downgraded
|
||||||
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
|
[[ $sclient_success -eq 0 ]] && cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
|
||||||
fi
|
fi
|
||||||
if [[ $sclient_success -ne 0 ]]; then
|
if [[ $sclient_success -ne 0 ]]; then
|
||||||
|
@ -5241,7 +5238,10 @@ run_server_preference() {
|
||||||
if ! sclient_connect_successful $? $TMPFILE; then
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
# 2 second try with $OPTIMAL_PROTO especially for intolerant IIS6 servers:
|
# 2 second try with $OPTIMAL_PROTO especially for intolerant IIS6 servers:
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $OPTIMAL_PROTO $BUGS -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS $OPTIMAL_PROTO $BUGS -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
sclient_connect_successful $? $TMPFILE || pr_warning "Handshake error!"
|
if ! sclient_connect_successful $? $TMPFILE; then
|
||||||
|
pr_warning "Handshake error!"
|
||||||
|
ret=1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
default_proto=$(get_protocol $TMPFILE)
|
default_proto=$(get_protocol $TMPFILE)
|
||||||
|
@ -5279,10 +5279,12 @@ run_server_preference() {
|
||||||
else
|
else
|
||||||
fileout "$jsonID" "WARN" "Default protocol empty"
|
fileout "$jsonID" "WARN" "Default protocol empty"
|
||||||
fi
|
fi
|
||||||
|
ret=1
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
pr_warning "FIXME line $LINENO: $default_proto"
|
pr_warning "FIXME line $LINENO: $default_proto"
|
||||||
fileout "$jsonID" "WARN" "FIXME line $LINENO: $default_proto"
|
fileout "$jsonID" "WARN" "FIXME line $LINENO: $default_proto"
|
||||||
|
ret=1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -5314,6 +5316,7 @@ run_server_preference() {
|
||||||
else
|
else
|
||||||
fileout "$jsonID" "WARN" "Default cipher empty $limitedsense"
|
fileout "$jsonID" "WARN" "Default cipher empty $limitedsense"
|
||||||
fi
|
fi
|
||||||
|
ret=1
|
||||||
;;
|
;;
|
||||||
*) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
*) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||||
;;
|
;;
|
||||||
|
@ -5402,8 +5405,6 @@ run_server_preference() {
|
||||||
i=$((i + 1))
|
i=$((i + 1))
|
||||||
done
|
done
|
||||||
|
|
||||||
[[ -n "$STARTTLS" ]] && arg=" "
|
|
||||||
|
|
||||||
for i in 1 2 3 4 5 6; do
|
for i in 1 2 3 4 5 6; do
|
||||||
if [[ -n "${cipher[i]}" ]]; then # cipher not empty
|
if [[ -n "${cipher[i]}" ]]; then # cipher not empty
|
||||||
if [[ -z "$prev_cipher" ]] || [[ "$prev_cipher" != "${cipher[i]}" ]]; then
|
if [[ -z "$prev_cipher" ]] || [[ "$prev_cipher" != "${cipher[i]}" ]]; then
|
||||||
|
@ -5800,7 +5801,7 @@ determine_trust() {
|
||||||
certificate_file[i]=$(basename ${bundle_fname//.pem})
|
certificate_file[i]=$(basename ${bundle_fname//.pem})
|
||||||
if [[ ! -r $bundle_fname ]]; then
|
if [[ ! -r $bundle_fname ]]; then
|
||||||
prln_warning "\"$bundle_fname\" cannot be found / not readable"
|
prln_warning "\"$bundle_fname\" cannot be found / not readable"
|
||||||
return 7
|
return 1
|
||||||
fi
|
fi
|
||||||
debugme printf -- " %-12s" "${certificate_file[i]}"
|
debugme printf -- " %-12s" "${certificate_file[i]}"
|
||||||
# set SSL_CERT_DIR to /dev/null so that $OPENSSL verify will only use certificates in $bundle_fname
|
# set SSL_CERT_DIR to /dev/null so that $OPENSSL verify will only use certificates in $bundle_fname
|
||||||
|
@ -5823,7 +5824,7 @@ determine_trust() {
|
||||||
debugme tm_svrty_high "not trusted "
|
debugme tm_svrty_high "not trusted "
|
||||||
debugme tmln_out "${verify_retcode[i]}"
|
debugme tmln_out "${verify_retcode[i]}"
|
||||||
fi
|
fi
|
||||||
i=$((i + 1))
|
((i++))
|
||||||
done
|
done
|
||||||
num_ca_bundles=$((i - 1))
|
num_ca_bundles=$((i - 1))
|
||||||
debugme tm_out " "
|
debugme tm_out " "
|
||||||
|
@ -6254,35 +6255,34 @@ wildcard_match()
|
||||||
# 9, if the server name provided matches a name in the SAN AND is a wildcard match against the CN
|
# 9, if the server name provided matches a name in the SAN AND is a wildcard match against the CN
|
||||||
# 10, if the server name provided is a wildcard match against the CN AND a name in the SAN
|
# 10, if the server name provided is a wildcard match against the CN AND a name in the SAN
|
||||||
|
|
||||||
compare_server_name_to_cert()
|
compare_server_name_to_cert() {
|
||||||
{
|
|
||||||
local servername="$(toupper "$1")"
|
local servername="$(toupper "$1")"
|
||||||
local cert="$2"
|
local cert="$2"
|
||||||
local cn dns_sans ip_sans san
|
local cn dns_sans ip_sans san
|
||||||
local -i ret=0
|
local -i subret=0 # no error condition, passing results
|
||||||
|
|
||||||
# Check whether any of the DNS names in the certificate match the servername
|
# Check whether any of the DNS names in the certificate match the servername
|
||||||
dns_sans="$(get_san_dns_from_cert "$cert")"
|
dns_sans="$(get_san_dns_from_cert "$cert")"
|
||||||
while read san; do
|
while read san; do
|
||||||
[[ -n "$san" ]] && [[ $(toupper "$san") == "$servername" ]] && ret=1 && break
|
[[ -n "$san" ]] && [[ $(toupper "$san") == "$servername" ]] && subret=1 && break
|
||||||
done <<< "$dns_sans"
|
done <<< "$dns_sans"
|
||||||
|
|
||||||
if [[ $ret -eq 0 ]]; then
|
if [[ $subret -eq 0 ]]; then
|
||||||
# Check whether any of the IP addresses in the certificate match the servername
|
# Check whether any of the IP addresses in the certificate match the servername
|
||||||
ip_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
ip_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
||||||
tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
|
tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
|
||||||
while read san; do
|
while read san; do
|
||||||
[[ -n "$san" ]] && [[ "$san" == "$servername" ]] && ret=1 && break
|
[[ -n "$san" ]] && [[ "$san" == "$servername" ]] && subret=1 && break
|
||||||
done <<< "$ip_sans"
|
done <<< "$ip_sans"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check whether any of the DNS names in the certificate are wildcard names
|
# Check whether any of the DNS names in the certificate are wildcard names
|
||||||
# that match the servername
|
# that match the servername
|
||||||
if [[ $ret -eq 0 ]]; then
|
if [[ $subret -eq 0 ]]; then
|
||||||
while read san; do
|
while read san; do
|
||||||
[[ -n "$san" ]] || continue
|
[[ -n "$san" ]] || continue
|
||||||
wildcard_match "$servername" "$san"
|
wildcard_match "$servername" "$san"
|
||||||
[[ $? -eq 0 ]] && ret=2 && break
|
[[ $? -eq 0 ]] && subret=2 && break
|
||||||
done <<< "$dns_sans"
|
done <<< "$dns_sans"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -6290,17 +6290,16 @@ compare_server_name_to_cert()
|
||||||
|
|
||||||
# If the CN contains any characters that are not valid for a DNS name,
|
# If the CN contains any characters that are not valid for a DNS name,
|
||||||
# then assume it does not contain a DNS name.
|
# then assume it does not contain a DNS name.
|
||||||
[[ -n $(sed 's/^[\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && return $ret
|
[[ -n $(sed 's/^[\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && return $subret
|
||||||
|
|
||||||
# Check whether the CN in the certificate matches the servername
|
# Check whether the CN in the certificate matches the servername
|
||||||
[[ $(toupper "$cn") == "$servername" ]] && ret+=4 && return $ret
|
[[ $(toupper "$cn") == "$servername" ]] && subret+=4 && return $subret
|
||||||
|
|
||||||
# Check whether the CN in the certificate is a wildcard name that matches
|
# Check whether the CN in the certificate is a wildcard name that matches
|
||||||
# the servername
|
# the servername
|
||||||
wildcard_match "$servername" "$cn"
|
wildcard_match "$servername" "$cn"
|
||||||
[[ $? -eq 0 ]] && ret+=8
|
[[ $? -eq 0 ]] && subret+=8
|
||||||
|
return $subret
|
||||||
return $ret
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# NOTE: arg3 must contain the text output of $HOSTCERT.
|
# NOTE: arg3 must contain the text output of $HOSTCERT.
|
||||||
|
@ -6352,10 +6351,12 @@ must_staple() {
|
||||||
outln "--"
|
outln "--"
|
||||||
fileout "${jsonID}${json_postfix}" "INFO" "--"
|
fileout "${jsonID}${json_postfix}" "INFO" "--"
|
||||||
fi
|
fi
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
# TODO: This function checks for Certificate Transparency support based on RFC 6962.
|
# TODO: This function checks for Certificate Transparency support based on RFC 6962.
|
||||||
# It will need to be updated to add checks for Certificate Transparency support based on 6962bis.
|
# It will need to be updated to add checks for Certificate Transparency support based on 6962bis.
|
||||||
|
# return values are results, no error conditions
|
||||||
certificate_transparency() {
|
certificate_transparency() {
|
||||||
local cert_txt="$1"
|
local cert_txt="$1"
|
||||||
local ocsp_response="$2"
|
local ocsp_response="$2"
|
||||||
|
@ -6456,6 +6457,7 @@ certificate_info() {
|
||||||
local cnfinding trustfinding trustfinding_nosni
|
local cnfinding trustfinding trustfinding_nosni
|
||||||
local cnok="OK"
|
local cnok="OK"
|
||||||
local expfinding expok="OK"
|
local expfinding expok="OK"
|
||||||
|
local -i ret=0
|
||||||
local json_postfix="" # string to place at the end of JSON IDs when there is more than one certificate
|
local json_postfix="" # string to place at the end of JSON IDs when there is more than one certificate
|
||||||
local jsonID="" # string to place at beginning of JSON IDs
|
local jsonID="" # string to place at beginning of JSON IDs
|
||||||
local indent=""
|
local indent=""
|
||||||
|
@ -6587,15 +6589,17 @@ certificate_info() {
|
||||||
pr_warning "FIXME: can't tell whether this is good or not"
|
pr_warning "FIXME: can't tell whether this is good or not"
|
||||||
outln ")"
|
outln ")"
|
||||||
fileout "${jsonID}${json_postfix}" "DEBUG" "$cert_sig_algo"
|
fileout "${jsonID}${json_postfix}" "DEBUG" "$cert_sig_algo"
|
||||||
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
# old, but still interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
||||||
|
|
||||||
out "$indent"; pr_bold " Server key size "
|
out "$indent"; pr_bold " Server key size "
|
||||||
jsonID="cert_keySize"
|
jsonID="cert_keySize"
|
||||||
if [[ -z "$cert_keysize" ]]; then
|
if [[ -z "$cert_keysize" ]]; then
|
||||||
outln "(couldn't determine)"
|
outln "(couldn't determine)"
|
||||||
fileout "${jsonID}${json_postfix}" "cannot be determined"
|
fileout "${jsonID}${json_postfix}" "cannot be determined"
|
||||||
|
((ret++))
|
||||||
else
|
else
|
||||||
case $cert_key_algo in
|
case $cert_key_algo in
|
||||||
*RSA*|*rsa*) out "RSA ";;
|
*RSA*|*rsa*) out "RSA ";;
|
||||||
|
@ -6603,7 +6607,7 @@ certificate_info() {
|
||||||
*ecdsa*|*ecPublicKey) out "EC ";;
|
*ecdsa*|*ecPublicKey) out "EC ";;
|
||||||
*GOST*|*gost*) out "GOST ";;
|
*GOST*|*gost*) out "GOST ";;
|
||||||
*dh*|*DH*) out "DH " ;;
|
*dh*|*DH*) out "DH " ;;
|
||||||
*) pr_fixme "don't know $cert_key_algo " ;;
|
*) pr_fixme "don't know $cert_key_algo "; ((ret++);;
|
||||||
esac
|
esac
|
||||||
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
||||||
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
|
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
|
||||||
|
@ -6628,6 +6632,7 @@ certificate_info() {
|
||||||
else
|
else
|
||||||
out "keysize: $cert_keysize (not expected, FIXME)"
|
out "keysize: $cert_keysize (not expected, FIXME)"
|
||||||
fileout "${jsonID}${json_postfix}" "DEBUG" " $cert_keysize bits (not expected)"
|
fileout "${jsonID}${json_postfix}" "DEBUG" " $cert_keysize bits (not expected)"
|
||||||
|
((ret++))
|
||||||
fi
|
fi
|
||||||
outln " bits"
|
outln " bits"
|
||||||
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]] || \
|
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]] || \
|
||||||
|
@ -6654,12 +6659,14 @@ certificate_info() {
|
||||||
else
|
else
|
||||||
pr_warning "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)"
|
pr_warning "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)"
|
||||||
fileout "${jsonID}${json_postfix}" "WARN" "$cert_keysize bits (Odd)"
|
fileout "${jsonID}${json_postfix}" "WARN" "$cert_keysize bits (Odd)"
|
||||||
|
((ret++))
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
out "$cert_keysize bits ("
|
out "$cert_keysize bits ("
|
||||||
pr_warning "FIXME: can't tell whether this is good or not"
|
pr_warning "FIXME: can't tell whether this is good or not"
|
||||||
outln ")"
|
outln ")"
|
||||||
fileout "${jsonID}${json_postfix}" "WARN" "Server keys $cert_keysize bits (unknown signature algorithm)"
|
fileout "${jsonID}${json_postfix}" "WARN" "Server keys $cert_keysize bits (unknown signature algorithm)"
|
||||||
|
((ret++))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -6727,7 +6734,7 @@ certificate_info() {
|
||||||
fileout "cert_fingerprintSHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2//SHA256 /}"
|
fileout "cert_fingerprintSHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2//SHA256 /}"
|
||||||
outln "$spaces$cert_fingerprint_sha2"
|
outln "$spaces$cert_fingerprint_sha2"
|
||||||
|
|
||||||
# " " needs to be converted back to lf
|
# " " needs to be converted back to lf in JSON/CSV output
|
||||||
fileout "cert" "INFO" "$(< $HOSTCERT)"
|
fileout "cert" "INFO" "$(< $HOSTCERT)"
|
||||||
|
|
||||||
[[ -z $CERT_FINGERPRINT_SHA2 ]] && \
|
[[ -z $CERT_FINGERPRINT_SHA2 ]] && \
|
||||||
|
@ -6972,7 +6979,8 @@ certificate_info() {
|
||||||
pr_italic "WoSign/StartCom"; out " are " ; prln_svrty_critical "not trusted anymore (NOT ok)"
|
pr_italic "WoSign/StartCom"; out " are " ; prln_svrty_critical "not trusted anymore (NOT ok)"
|
||||||
fileout "${jsonID}${json_postfix}" "CRITICAL" "Issuer not trusted anymore (WoSign/StartCom)"
|
fileout "${jsonID}${json_postfix}" "CRITICAL" "Issuer not trusted anymore (WoSign/StartCom)"
|
||||||
else
|
else
|
||||||
determine_trust "$jsonID" "$json_postfix" # Also handles fileout
|
# Also handles fileout, keep error if happened
|
||||||
|
determine_trust "$jsonID" "$json_postfix" || ((ret++))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
|
# http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
|
||||||
|
@ -7110,12 +7118,12 @@ certificate_info() {
|
||||||
if $GOST_STATUS_PROBLEM; then
|
if $GOST_STATUS_PROBLEM; then
|
||||||
pr_warning "(GOST servers make problems here, sorry)"
|
pr_warning "(GOST servers make problems here, sorry)"
|
||||||
fileout "${jsonID}${json_postfix}" "WARN" "(The GOST server made a problem here, sorry)"
|
fileout "${jsonID}${json_postfix}" "WARN" "(The GOST server made a problem here, sorry)"
|
||||||
ret=0
|
((ret++))
|
||||||
else
|
else
|
||||||
out "(response status unknown)"
|
out "(response status unknown)"
|
||||||
fileout "${jsonID}${json_postfix}" "OK" " not sure what's going on here, \'$ocsp_response\'"
|
fileout "${jsonID}${json_postfix}" "OK" " not sure what's going on here, \'$ocsp_response\'"
|
||||||
debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response"
|
debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response"
|
||||||
ret=2
|
((ret++))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -7176,6 +7184,7 @@ run_server_defaults() {
|
||||||
local sessticket_lifetime_hint="" lifetime unit
|
local sessticket_lifetime_hint="" lifetime unit
|
||||||
local -i i n
|
local -i i n
|
||||||
local -i certs_found=0
|
local -i certs_found=0
|
||||||
|
local -i ret=0
|
||||||
local -a previous_hostcert previous_hostcert_txt previous_hostcert_type previous_intermediates keysize cipher
|
local -a previous_hostcert previous_hostcert_txt previous_hostcert_type previous_intermediates keysize cipher
|
||||||
local -a ocsp_response ocsp_response_status sni_used tls_version ct
|
local -a ocsp_response ocsp_response_status sni_used tls_version ct
|
||||||
local -a ciphers_to_test certificate_type
|
local -a ciphers_to_test certificate_type
|
||||||
|
@ -7224,7 +7233,8 @@ run_server_defaults() {
|
||||||
[[ ${success[n-9]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}"
|
[[ ${success[n-9]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-9]}" && certificate_type[n]="${certificate_type[n-9]}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -n "${ciphers_to_test[n]}" ]] && ( [[ "${ciphers_to_test[n]}" =~ "tls1_3" ]] || [[ $(count_ciphers $($OPENSSL ciphers "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]] ); then
|
if [[ -n "${ciphers_to_test[n]}" ]] && \
|
||||||
|
( [[ "${ciphers_to_test[n]}" =~ "tls1_3" ]] || [[ $(count_ciphers $($OPENSSL ciphers "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]] ); then
|
||||||
if [[ $n -ge 10 ]]; then
|
if [[ $n -ge 10 ]]; then
|
||||||
sni="$SNI"
|
sni="$SNI"
|
||||||
SNI=""
|
SNI=""
|
||||||
|
@ -7240,7 +7250,7 @@ run_server_defaults() {
|
||||||
cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE
|
cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE
|
||||||
>$ERRFILE
|
>$ERRFILE
|
||||||
if [[ -z "$sessticket_lifetime_hint" ]]; then
|
if [[ -z "$sessticket_lifetime_hint" ]]; then
|
||||||
sessticket_lifetime_hint=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime)
|
sessticket_lifetime_hint=$(awk '/session ticket life/' $TMPFILE)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# check whether the host's certificate has been seen before
|
# check whether the host's certificate has been seen before
|
||||||
|
@ -7324,15 +7334,15 @@ run_server_defaults() {
|
||||||
if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != "-ssl2" ]]; then
|
if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != "-ssl2" ]]; then
|
||||||
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
|
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
|
||||||
>$ERRFILE
|
>$ERRFILE
|
||||||
[[ -z "$sessticket_lifetime_hint" ]] && sessticket_lifetime_hint=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime)
|
[[ -z "$sessticket_lifetime_hint" ]] && sessticket_lifetime_hint=$(awk '/session ticket lifetime/' $TMPFILE)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Now that all of the server's certificates have been found, determine for
|
# Now that all of the server's certificates have been found, determine for
|
||||||
# each certificate whether certificate transparency information is provided.
|
# each certificate whether certificate transparency information is provided.
|
||||||
for (( i=1; i <= certs_found; i++ )); do
|
for (( i=1; i <= certs_found; i++ )); do
|
||||||
ct[i]="$(certificate_transparency "${previous_hostcert_txt[i]}" "${ocsp_response[i]}" "$certs_found" "${cipher[i]}" "${sni_used[i]}" "${tls_version[i]}")"
|
ct[i]="$(certificate_transparency "${previous_hostcert_txt[i]}" "${ocsp_response[i]}" "$certs_found" "${cipher[i]}" "${sni_used[i]}" "${tls_version[i]}")"
|
||||||
# If certificate_transparency() called tls_sockets() and found a "signed certificate timestamps" extension, then add it to $TLS_EXTENSIONS,
|
# If certificate_transparency() called tls_sockets() and found a "signed certificate timestamps" extension,
|
||||||
# since it may not have been found by determine_tls_extensions().
|
# then add it to $TLS_EXTENSIONS, since it may not have been found by determine_tls_extensions().
|
||||||
[[ $certs_found -gt 1 ]] && [[ "${ct[i]}" == "TLS extension" ]] && extract_new_tls_extensions "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt"
|
[[ $certs_found -gt 1 ]] && [[ "${ct[i]}" == "TLS extension" ]] && extract_new_tls_extensions "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -7409,6 +7419,7 @@ run_server_defaults() {
|
||||||
7) SESS_RESUMPTION[2]="ticket=noclue"
|
7) SESS_RESUMPTION[2]="ticket=noclue"
|
||||||
pr_warning "Ticket resumption test failed, pls report / "
|
pr_warning "Ticket resumption test failed, pls report / "
|
||||||
fileout "$jsonID" "WARN" "check failed, pls report"
|
fileout "$jsonID" "WARN" "check failed, pls report"
|
||||||
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -7436,6 +7447,7 @@ run_server_defaults() {
|
||||||
7) SESS_RESUMPTION[1]="ID=noclue"
|
7) SESS_RESUMPTION[1]="ID=noclue"
|
||||||
prln_warning "ID resumption test failed, pls report"
|
prln_warning "ID resumption test failed, pls report"
|
||||||
fileout "$jsonID" "WARN" "check failed, pls report"
|
fileout "$jsonID" "WARN" "check failed, pls report"
|
||||||
|
((ret++))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
@ -7460,12 +7472,13 @@ run_server_defaults() {
|
||||||
if [[ ${success[0]} -eq 0 ]] || [[ ${success[0]} -eq 2 ]]; then
|
if [[ ${success[0]} -eq 0 ]] || [[ ${success[0]} -eq 2 ]]; then
|
||||||
mv $HOSTCERT $HOSTCERT.nosni
|
mv $HOSTCERT $HOSTCERT.nosni
|
||||||
else
|
else
|
||||||
echo "" > $HOSTCERT.nosni
|
>$HOSTCERT.nosni
|
||||||
fi
|
fi
|
||||||
mv $HOSTCERT.save $HOSTCERT
|
mv $HOSTCERT.save $HOSTCERT
|
||||||
SNI="$sni"
|
SNI="$sni"
|
||||||
else
|
else
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | \
|
||||||
|
awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
[[ $DEBUG -ge 1 ]] && [[ -e $HOSTCERT.nosni ]] && $OPENSSL x509 -in $HOSTCERT.nosni -text -noout 2>>$ERRFILE > $HOSTCERT.nosni.txt
|
[[ $DEBUG -ge 1 ]] && [[ -e $HOSTCERT.nosni ]] && $OPENSSL x509 -in $HOSTCERT.nosni -text -noout 2>>$ERRFILE > $HOSTCERT.nosni.txt
|
||||||
|
@ -7477,6 +7490,7 @@ run_server_defaults() {
|
||||||
"${cipher[i]}" "${keysize[i]}" "${previous_hostcert_type[i]}" \
|
"${cipher[i]}" "${keysize[i]}" "${previous_hostcert_type[i]}" \
|
||||||
"${ocsp_response[i]}" "${ocsp_response_status[i]}" "${sni_used[i]}" "${ct[i]}"
|
"${ocsp_response[i]}" "${ocsp_response_status[i]}" "${sni_used[i]}" "${ct[i]}"
|
||||||
done
|
done
|
||||||
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
get_session_ticket_lifetime_from_serverhello() {
|
get_session_ticket_lifetime_from_serverhello() {
|
||||||
|
@ -7490,8 +7504,6 @@ get_san_dns_from_cert() {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
run_pfs() {
|
run_pfs() {
|
||||||
local -i sclient_success
|
local -i sclient_success
|
||||||
local pfs_offered=false ecdhe_offered=false ffdhe_offered=false
|
local pfs_offered=false ecdhe_offered=false ffdhe_offered=false
|
||||||
|
@ -7887,14 +7899,12 @@ run_pfs() {
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
|
||||||
# sub1_curves
|
|
||||||
#if "$pfs_offered"; then
|
#if "$pfs_offered"; then
|
||||||
# return 0
|
# return 0
|
||||||
#else
|
#else
|
||||||
# :
|
# :
|
||||||
#fi
|
#fi
|
||||||
return 0
|
return 0
|
||||||
#FIXME: we don't have any error condition here --> that probably doesn't reflect all cases
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -7949,7 +7959,7 @@ run_npn() {
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client $(s_client_options "-connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg "$NPN_PROTOs"") </dev/null 2>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $(s_client_options "-connect $NODEIP:$PORT $BUGS $SNI -nextprotoneg "$NPN_PROTOs"") </dev/null 2>$ERRFILE >$TMPFILE
|
||||||
[[ $? -ne 0 ]] && ret=1
|
[[ $? -ne 0 ]] && ret=1
|
||||||
tmpstr=$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')
|
tmpstr="$(grep -a '^Protocols' $TMPFILE | sed 's/Protocols.*: //')"
|
||||||
if [[ -z "$tmpstr" ]] || [[ "$tmpstr" == " " ]]; then
|
if [[ -z "$tmpstr" ]] || [[ "$tmpstr" == " " ]]; then
|
||||||
outln "not offered"
|
outln "not offered"
|
||||||
fileout "$jsonID" "INFO" "not offered"
|
fileout "$jsonID" "INFO" "not offered"
|
||||||
|
@ -7962,7 +7972,7 @@ run_npn() {
|
||||||
else
|
else
|
||||||
prln_cyan "please check manually, server response was ambiguous ..."
|
prln_cyan "please check manually, server response was ambiguous ..."
|
||||||
fileout "$jsonID" "INFO" "please check manually, server response was ambiguous ..."
|
fileout "$jsonID" "INFO" "please check manually, server response was ambiguous ..."
|
||||||
ret=1
|
((ret++))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# btw: nmap can do that too http://nmap.org/nsedoc/scripts/tls-nextprotoneg.html
|
# btw: nmap can do that too http://nmap.org/nsedoc/scripts/tls-nextprotoneg.html
|
||||||
|
@ -8003,7 +8013,7 @@ run_alpn() {
|
||||||
echo "" > $TMPFILE
|
echo "" > $TMPFILE
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
tmpstr=$(awk -F':' '/^ALPN protocol*:/ { print $2 }' $TMPFILE)
|
tmpstr="$(awk -F':' '/^ALPN protocol*:/ { print $2 }' $TMPFILE)"
|
||||||
if [[ "$tmpstr" == *"$proto" ]]; then
|
if [[ "$tmpstr" == *"$proto" ]]; then
|
||||||
if ! $has_alpn_proto; then
|
if ! $has_alpn_proto; then
|
||||||
has_alpn_proto=true
|
has_alpn_proto=true
|
||||||
|
@ -11822,9 +11832,10 @@ run_ccs_injection(){
|
||||||
get_session_ticket_tls() {
|
get_session_ticket_tls() {
|
||||||
local sessticket_tls=""
|
local sessticket_tls=""
|
||||||
|
|
||||||
#FIXME: we likely have done this already before (either @ run_server_defaults() or at least the output from a previous handshake) --> would save 1x connect
|
#FIXME: we likely have done this already before (either @ run_server_defaults() or at least the output
|
||||||
#ATTENTION: we DO NOT do SNI here as we assume this is a vulnerabilty of the TLS stack. If we do SNI here, we'd also need to do it in the ClientHello
|
# from a previous handshake) --> would save 1x connect
|
||||||
# of run_ticketbleed() otherwise the ticket will be different and the whole thing won't work!
|
#ATTENTION: we DO NOT do SNI here as we assume this is a vulnerabilty of the TLS stack. If we'd do SNI here, we'd also need
|
||||||
|
# it in the ClientHello of run_ticketbleed() otherwise the ticket will be different and the whole thing won't work!
|
||||||
sessticket_tls="$($OPENSSL s_client $(s_client_options "$BUGS $OPTIMAL_PROTO $PROXY -connect $NODEIP:$PORT") </dev/null 2>$ERRFILE | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')"
|
sessticket_tls="$($OPENSSL s_client $(s_client_options "$BUGS $OPTIMAL_PROTO $PROXY -connect $NODEIP:$PORT") </dev/null 2>$ERRFILE | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')"
|
||||||
sessticket_tls="$(sed -e 's/^.* - /x/g' -e 's/ .*$//g' <<< "$sessticket_tls" | tr '\n' ',')"
|
sessticket_tls="$(sed -e 's/^.* - /x/g' -e 's/ .*$//g' <<< "$sessticket_tls" | tr '\n' ',')"
|
||||||
sed -e 's/ /,x/g' -e 's/-/,x/g' <<< "$sessticket_tls"
|
sed -e 's/ /,x/g' -e 's/-/,x/g' <<< "$sessticket_tls"
|
||||||
|
@ -15100,6 +15111,7 @@ get_local_a() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# does a hard exit if no lookup binary is provided
|
||||||
check_resolver_bins() {
|
check_resolver_bins() {
|
||||||
if ! type -p dig &> /dev/null && ! type -p host &> /dev/null && ! type -p drill &> /dev/null && ! type -p nslookup &>/dev/null; then
|
if ! type -p dig &> /dev/null && ! type -p host &> /dev/null && ! type -p drill &> /dev/null && ! type -p nslookup &>/dev/null; then
|
||||||
fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" "-3"
|
fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" "-3"
|
||||||
|
@ -15552,12 +15564,14 @@ determine_service() {
|
||||||
|
|
||||||
datebanner " Start"
|
datebanner " Start"
|
||||||
outln
|
outln
|
||||||
if [[ -z "$1" ]]; then # no STARTTLS.
|
if [[ -z "$1" ]]; then
|
||||||
|
# no STARTTLS.
|
||||||
determine_optimal_proto "$1"
|
determine_optimal_proto "$1"
|
||||||
$SNEAKY && \
|
$SNEAKY && \
|
||||||
ua="$UA_SNEAKY" || \
|
ua="$UA_SNEAKY" || \
|
||||||
ua="$UA_STD"
|
ua="$UA_STD"
|
||||||
GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nAccept-Encoding: identity\r\nAccept: text/*\r\nConnection: Close\r\n\r\n"
|
GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nAccept-Encoding: identity\r\nAccept: text/*\r\nConnection: Close\r\n\r\n"
|
||||||
|
# returns always 0:
|
||||||
service_detection $OPTIMAL_PROTO
|
service_detection $OPTIMAL_PROTO
|
||||||
else # STARTTLS
|
else # STARTTLS
|
||||||
if [[ "$1" == postgres ]]; then
|
if [[ "$1" == postgres ]]; then
|
||||||
|
@ -15621,7 +15635,6 @@ determine_service() {
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return 0 # OPTIMAL_PROTO, GET_REQ*/HEAD_REQ* is set now
|
return 0 # OPTIMAL_PROTO, GET_REQ*/HEAD_REQ* is set now
|
||||||
}
|
}
|
||||||
|
@ -16766,11 +16779,12 @@ lets_roll() {
|
||||||
[[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" 2
|
[[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" 2
|
||||||
nodeip_to_proper_ip6
|
nodeip_to_proper_ip6
|
||||||
reset_hostdepended_vars
|
reset_hostdepended_vars
|
||||||
determine_rdns
|
determine_rdns # Returns always zero or has already exited if fatal error occured
|
||||||
|
|
||||||
((SERVER_COUNTER++))
|
((SERVER_COUNTER++))
|
||||||
determine_service "$1" # any starttls service goes here
|
determine_service "$1" # STARTTLS service? Other will be determined here too. Returns always 0 or has already exited if fatal error occured
|
||||||
|
|
||||||
|
# "secret" devel options --devel:
|
||||||
$do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets "" "true"; echo "$?" ; exit 0; }
|
$do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets "" "true"; echo "$?" ; exit 0; }
|
||||||
$do_tls_sockets && [[ $TLS_LOW_BYTE -ne 22 ]] && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all"; echo "$?" ; exit 0; }
|
$do_tls_sockets && [[ $TLS_LOW_BYTE -ne 22 ]] && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all"; echo "$?" ; exit 0; }
|
||||||
$do_cipher_match && { fileout_section_header $section_number false; run_cipher_match ${single_cipher}; }
|
$do_cipher_match && { fileout_section_header $section_number false; run_cipher_match ${single_cipher}; }
|
||||||
|
|
Loading…
Reference in New Issue