Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-10 18:50:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use -s option with OpenSSL ciphers

Browse Source 
This PR is the same as #663, but for the 2.9dev_html branch.
This commit is contained in:
David Cooper 2017-03-15 11:15:58 -04:00 committed by GitHub
parent 939b6f0cb9
commit f606a7ea1e
1 changed files with 24 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
testssl.sh
View File

@ -229,6 +229,7 @@ HAS_FALLBACK_SCSV=false
HAS_PROXY=false HAS_PROXY=false
HAS_XMPP=false HAS_XMPP=false
HAS_POSTGRES=false HAS_POSTGRES=false
OSSL_CIPHERS_S=""
DISPLAY_CIPHERNAMES="openssl" # display OpenSSL ciphername (but both OpenSSL and RFC ciphernames in wide mode) DISPLAY_CIPHERNAMES="openssl" # display OpenSSL ciphername (but both OpenSSL and RFC ciphernames in wide mode)
PORT=443 # unless otherwise auto-determined, see below PORT=443 # unless otherwise auto-determined, see below
NODE="" NODE=""
@ -1078,7 +1079,7 @@ count_ciphers() {
} }
actually_supported_ciphers() { actually_supported_ciphers() {
$OPENSSL ciphers "$1" 2>/dev/null || echo "" $OPENSSL ciphers $OSSL_CIPHERS_S "$1" 2>/dev/null || echo ""
} }
newline_to_spaces() { newline_to_spaces() {
@ -2248,14 +2249,14 @@ prettyprint_local() {
neat_header neat_header
if [[ -z "$1" ]]; then if [[ -z "$1" ]]; then
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 $OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
normalize_ciphercode $hexcode normalize_ciphercode $hexcode
outln "$(neat_list "$HEXC" "$ciph" "$kx" "$enc")" outln "$(neat_list "$HEXC" "$ciph" "$kx" "$enc")"
done done
else else
#for arg in $(echo $@ | sed 's/,/ /g'); do #for arg in $(echo $@ | sed 's/,/ /g'); do
for arg in ${*//,/ /}; do for arg in ${*//,/ /}; do
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 $OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
normalize_ciphercode $hexcode normalize_ciphercode $hexcode
# for numbers we don't do word matching: # for numbers we don't do word matching:
[[ $arg =~ $re ]] && \ [[ $arg =~ $re ]] && \
@ -2277,7 +2278,7 @@ listciphers() {
local -i ret local -i ret
local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")" local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")"
$OPENSSL ciphers $2 "$1" &>$TMPFILE $OPENSSL ciphers $OSSL_CIPHERS_S $2 "$1" &>$TMPFILE
ret=$? ret=$?
debugme cat $TMPFILE debugme cat $TMPFILE
@ -2624,7 +2625,7 @@ test_just_one(){
ossl_supported[nr_ciphers]=true ossl_supported[nr_ciphers]=true
nr_ciphers+=1 nr_ciphers+=1
fi fi
done < <($OPENSSL ciphers $ossl_ciphers_proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) done < <($OPENSSL ciphers $OSSL_CIPHERS_S $ossl_ciphers_proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
fi fi
# Test the SSLv2 ciphers, if any. # Test the SSLv2 ciphers, if any.
@ -2865,7 +2866,7 @@ run_allciphers() {
sigalg[nr_ciphers]="" sigalg[nr_ciphers]=""
ossl_supported[nr_ciphers]=true ossl_supported[nr_ciphers]=true
nr_ciphers=$nr_ciphers+1 nr_ciphers=$nr_ciphers+1
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) done < <($OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
nr_ciphers_tested=$nr_ciphers nr_ciphers_tested=$nr_ciphers
fi fi
@ -3164,7 +3165,7 @@ run_cipher_per_proto() {
ossl_supported[nr_ciphers]=true ossl_supported[nr_ciphers]=true
nr_ciphers+=1 nr_ciphers+=1
fi fi
done < <($OPENSSL ciphers $ossl_ciphers_proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) done < <($OPENSSL ciphers $OSSL_CIPHERS_S $ossl_ciphers_proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
fi fi
if [[ "$proto" == "-ssl2" ]] && "$using_sockets"; then if [[ "$proto" == "-ssl2" ]] && "$using_sockets"; then
@ -6855,7 +6856,7 @@ run_server_defaults() {
# ciphers_to_test[7]: cipher suites using certificates with GOST R 34.10 (either 2001 or 94) public keys # ciphers_to_test[7]: cipher suites using certificates with GOST R 34.10 (either 2001 or 94) public keys
ciphers_to_test[1]="" ciphers_to_test[1]=""
ciphers_to_test[2]="" ciphers_to_test[2]=""
for ciph in $(colon_to_spaces $($OPENSSL ciphers "aRSA")); do for ciph in $(colon_to_spaces $($OPENSSL ciphers $OSSL_CIPHERS_S "aRSA")); do
if grep -q "\-RSA\-" <<<$ciph; then if grep -q "\-RSA\-" <<<$ciph; then
ciphers_to_test[1]="${ciphers_to_test[1]}:$ciph" ciphers_to_test[1]="${ciphers_to_test[1]}:$ciph"
else else
@ -6880,7 +6881,7 @@ run_server_defaults() {
[[ ${success[n-7]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-7]}" [[ ${success[n-7]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-7]}"
fi fi
if [[ -n "${ciphers_to_test[n]}" ]] && [[ $(count_ciphers $($OPENSSL ciphers "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]]; then if [[ -n "${ciphers_to_test[n]}" ]] && [[ $(count_ciphers $($OPENSSL ciphers $OSSL_CIPHERS_S "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]]; then
if [[ $n -ge 8 ]]; then if [[ $n -ge 8 ]]; then
sni="$SNI" sni="$SNI"
SNI="" SNI=""
@ -7087,7 +7088,7 @@ run_pfs() {
sigalg[nr_supported_ciphers]="" sigalg[nr_supported_ciphers]=""
ossl_supported[nr_supported_ciphers]=true ossl_supported[nr_supported_ciphers]=true
nr_supported_ciphers+=1 nr_supported_ciphers+=1
done < <($OPENSSL ciphers -V "$pfs_cipher_list" 2>$ERRFILE) done < <($OPENSSL ciphers $OSSL_CIPHERS_S -V "$pfs_cipher_list" 2>$ERRFILE)
fi fi
export="" export=""
@ -10699,7 +10700,7 @@ run_beast(){
fi fi
nr_ciphers+=1 nr_ciphers+=1
fi fi
done < <($OPENSSL ciphers -tls1 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) done < <($OPENSSL ciphers $OSSL_CIPHERS_S -tls1 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
fi fi
# first determine whether it's mitigated by higher protocols # first determine whether it's mitigated by higher protocols
@ -11038,7 +11039,7 @@ run_rc4() {
ossl_supported[nr_ciphers]=true ossl_supported[nr_ciphers]=true
nr_ciphers+=1 nr_ciphers+=1
fi fi
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) done < <($OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
fi fi
if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]]; then if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]]; then
@ -11360,7 +11361,10 @@ find_openssl_binary() {
initialize_engine initialize_engine
OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)") $OPENSSL ciphers -s 2>&1 | grep -aq "unknown option" || \
OSSL_CIPHERS_S="-s"
OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers $OSSL_CIPHERS_S 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
$OPENSSL s_client -ssl2 -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -ssl2 -connect x 2>&1 | grep -aq "unknown option" || \
HAS_SSL2=true HAS_SSL2=true
@ -11654,13 +11658,17 @@ USLEEP_REC $USLEEP_REC
EOF EOF
which locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt which locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' &>$TEMPDIR/all_local_ciphers.txt $OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL' &>$TEMPDIR/all_local_ciphers.txt
fi fi
# see also $TEMPDIR/s_client_has.txt from find_openssl_binary # see also $TEMPDIR/s_client_has.txt from find_openssl_binary
if [[ -e $CIPHERS_BY_STRENGTH_FILE ]]; then if [[ -e $CIPHERS_BY_STRENGTH_FILE ]]; then
"$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)" "$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
ossl_supported_tls="$($OPENSSL ciphers -tls1 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)" if "$HAS_SSL2"; then
ossl_supported_tls="$($OPENSSL ciphers $OSSL_CIPHERS_S -tls1 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
else
ossl_supported_tls="$($OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)"
fi
while read hexc n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] mac TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do while read hexc n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] mac TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do
TLS_CIPHER_HEXCODE[TLS_NR_CIPHERS]="$hexc" TLS_CIPHER_HEXCODE[TLS_NR_CIPHERS]="$hexc"
TLS_CIPHER_OSSL_SUPPORTED[TLS_NR_CIPHERS]=false TLS_CIPHER_OSSL_SUPPORTED[TLS_NR_CIPHERS]=false
@ -11692,7 +11700,7 @@ mybanner() {
local cwd="" local cwd=""
$QUIET && return $QUIET && return
OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)") OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers $OSSL_CIPHERS_S 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
[[ -z "$GIT_REL" ]] && \ [[ -z "$GIT_REL" ]] && \
idtag="$CVS_REL" || \ idtag="$CVS_REL" || \
idtag="$GIT_REL -- $CVS_REL_SHORT" idtag="$GIT_REL -- $CVS_REL_SHORT"