- IPv6 formatting fixed, see #11 (points 3,4,5)
5 cannot be done automagically, see issue
This commit is contained in:
parent
a0d634f94a
commit
f8d6a2fb6d
66
testssl.sh
66
testssl.sh
|
@ -159,6 +159,7 @@ HAS_IPv6=${HAS_IPv6:-false} # if you have OPENSSL with IPv6 support
|
||||||
PORT=443 # unless otherwise auto-determined, see below
|
PORT=443 # unless otherwise auto-determined, see below
|
||||||
NODE=""
|
NODE=""
|
||||||
NODEIP=""
|
NODEIP=""
|
||||||
|
CORRECT_SPACES="" # used for IPv6 and proper output formatting
|
||||||
IPADDRs=""
|
IPADDRs=""
|
||||||
IP46ADDRs=""
|
IP46ADDRs=""
|
||||||
LOCAL_A=false # does the $NODEIP ceom from /etc/hosts?
|
LOCAL_A=false # does the $NODEIP ceom from /etc/hosts?
|
||||||
|
@ -501,6 +502,8 @@ wait_kill(){
|
||||||
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
|
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
|
||||||
# arg1 could be the protocol determined as "working". IIS6 needs that
|
# arg1 could be the protocol determined as "working". IIS6 needs that
|
||||||
runs_HTTP() {
|
runs_HTTP() {
|
||||||
|
local -i ret=0
|
||||||
|
|
||||||
# SNI is nonsense for !HTTPS but fortunately other protocols don't seem to care
|
# SNI is nonsense for !HTTPS but fortunately other protocols don't seem to care
|
||||||
printf "$GET_REQ11" | $OPENSSL s_client $1 -quiet -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE &
|
printf "$GET_REQ11" | $OPENSSL s_client $1 -quiet -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE &
|
||||||
wait_kill $! $HEADER_MAXSLEEP
|
wait_kill $! $HEADER_MAXSLEEP
|
||||||
|
@ -512,7 +515,7 @@ runs_HTTP() {
|
||||||
debugme head -50 $TMPFILE
|
debugme head -50 $TMPFILE
|
||||||
# $TMPFILE contains also a banner which we could use if there's a need for it
|
# $TMPFILE contains also a banner which we could use if there's a need for it
|
||||||
|
|
||||||
out " Service detected: "
|
out " Service detected: $CORRECT_SPACES"
|
||||||
case $SERVICE in
|
case $SERVICE in
|
||||||
HTTP)
|
HTTP)
|
||||||
out " $SERVICE"
|
out " $SERVICE"
|
||||||
|
@ -3933,6 +3936,7 @@ tuning options:
|
||||||
--ssl-native fallback to checks with OpenSSL where sockets are normally used
|
--ssl-native fallback to checks with OpenSSL where sockets are normally used
|
||||||
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME
|
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME
|
||||||
--proxy <host>:<port> connect via the specified HTTP proxy
|
--proxy <host>:<port> connect via the specified HTTP proxy
|
||||||
|
-6 use also IPv6 checks, works only with supporting OpenSSL version and IPv6 connectivity
|
||||||
--sneaky be less verbose wrt referer headers
|
--sneaky be less verbose wrt referer headers
|
||||||
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
|
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
|
||||||
--wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
|
--wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
|
||||||
|
@ -4355,7 +4359,7 @@ determine_rdns() {
|
||||||
rDNS=$(nslookup -type=PTR $NODEIP 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
|
rDNS=$(nslookup -type=PTR $NODEIP 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
|
||||||
fi
|
fi
|
||||||
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
rDNS=$(echo $rDNS)
|
#rDNS="$(echo $rDNS)"
|
||||||
[[ -z "$rDNS" ]] && rDNS=" --"
|
[[ -z "$rDNS" ]] && rDNS=" --"
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
@ -4434,7 +4438,12 @@ determine_optimal_proto() {
|
||||||
|
|
||||||
if [[ $all_failed -eq 0 ]]; then
|
if [[ $all_failed -eq 0 ]]; then
|
||||||
outln
|
outln
|
||||||
pr_boldln " $NODEIP:$PORT doesn't seem a TLS/SSL enabled server or it requires a certificate";
|
if $HAS_IPv6; then
|
||||||
|
pr_bold " Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT "
|
||||||
|
else
|
||||||
|
pr_bold " $NODEIP:$PORT "
|
||||||
|
fi
|
||||||
|
pr_boldln "doesn't seem a TLS/SSL enabled server or it requires a certificate";
|
||||||
ignore_no_or_lame " Note that the results might look ok but they are nonsense. Proceed ? "
|
ignore_no_or_lame " Note that the results might look ok but they are nonsense. Proceed ? "
|
||||||
[[ $? -ne 0 ]] && exit -2
|
[[ $? -ne 0 ]] && exit -2
|
||||||
fi
|
fi
|
||||||
|
@ -4490,7 +4499,7 @@ determine_service() {
|
||||||
fatal " $OPENSSL couldn't establish STARTTLS via $protocol to $NODEIP:$PORT" -2
|
fatal " $OPENSSL couldn't establish STARTTLS via $protocol to $NODEIP:$PORT" -2
|
||||||
fi
|
fi
|
||||||
grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190
|
grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190
|
||||||
out " Service set: STARTTLS via "
|
out " Service set:$CORRECT_SPACES STARTTLS via "
|
||||||
toupper "$protocol"
|
toupper "$protocol"
|
||||||
[[ -n "$XMPP_HOST" ]] && echo -n " (XMPP domain=\'$XMPP_HOST\')"
|
[[ -n "$XMPP_HOST" ]] && echo -n " (XMPP domain=\'$XMPP_HOST\')"
|
||||||
outln
|
outln
|
||||||
|
@ -4506,24 +4515,31 @@ determine_service() {
|
||||||
|
|
||||||
|
|
||||||
display_rdns_etc() {
|
display_rdns_etc() {
|
||||||
local i
|
local ip
|
||||||
|
|
||||||
if [[ -n "$PROXY" ]]; then
|
if [[ -n "$PROXY" ]]; then
|
||||||
out " Via Proxy: "
|
out " Via Proxy: $CORRECT_SPACES"
|
||||||
outln "$PROXYIP:$PROXYPORT "
|
outln "$PROXYIP:$PROXYPORT "
|
||||||
fi
|
fi
|
||||||
if [[ $(count_words "$(echo -n "$IP46ADDRs")") -gt 1 ]]; then
|
if [[ $(count_words "$IP46ADDRs") -gt 1 ]]; then
|
||||||
out " further IP addresses: "
|
out " further IP addresses: $CORRECT_SPACES"
|
||||||
for i in $IP46ADDRs; do
|
for ip in $IP46ADDRs; do
|
||||||
[[ "$i" == "$NODEIP" ]] && continue
|
if [[ "$ip" == "$NODEIP" ]] || [[ "[$ip]" == "$NODEIP" ]]; then
|
||||||
out " $i"
|
continue
|
||||||
|
else
|
||||||
|
out " $ip"
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
if "$LOCAL_A"; then
|
if "$LOCAL_A"; then
|
||||||
outln " A record via /etc/hosts "
|
outln " A record via /etc/hosts "
|
||||||
fi
|
fi
|
||||||
[[ -n "$rDNS" ]] && printf " %-23s %s" "rDNS ($NODEIP):" "$rDNS"
|
if [[ -n "$rDNS" ]]; then
|
||||||
|
$HAS_IPv6 || \
|
||||||
|
printf " %-23s %s" "rDNS ($NODEIP):" "$rDNS" && \
|
||||||
|
printf " %-23s %s" "rDNS $NODEIP:" "$rDNS"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
datebanner() {
|
datebanner() {
|
||||||
|
@ -4534,7 +4550,7 @@ datebanner() {
|
||||||
}
|
}
|
||||||
|
|
||||||
# one line with char $1 over screen width $2
|
# one line with char $1 over screen width $2
|
||||||
draw_dotted_line() {
|
draw_line() {
|
||||||
printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
|
printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -4554,7 +4570,7 @@ mx_all_ips() {
|
||||||
STARTTLS_PROTOCOL="" # no starttls for Port 465, on all other ports we speak starttls
|
STARTTLS_PROTOCOL="" # no starttls for Port 465, on all other ports we speak starttls
|
||||||
pr_bold "Testing now all MX records (on port $mxport): "; outln "$mxs"
|
pr_bold "Testing now all MX records (on port $mxport): "; outln "$mxs"
|
||||||
for mx in $mxs; do
|
for mx in $mxs; do
|
||||||
draw_dotted_line "-" $((TERM_DWITH * 2 / 3))
|
draw_line "-" $((TERM_DWITH * 2 / 3))
|
||||||
outln
|
outln
|
||||||
parse_hn_port "$mx:$mxport"
|
parse_hn_port "$mx:$mxport"
|
||||||
determine_ip_addresses || continue
|
determine_ip_addresses || continue
|
||||||
|
@ -4570,7 +4586,7 @@ mx_all_ips() {
|
||||||
fi
|
fi
|
||||||
ret=$(($? + ret))
|
ret=$(($? + ret))
|
||||||
done
|
done
|
||||||
draw_dotted_line "-" $((TERM_DWITH * 2 / 3))
|
draw_line "-" $((TERM_DWITH * 2 / 3))
|
||||||
outln
|
outln
|
||||||
pr_bold "Done testing now all MX records (on port $mxport): "; outln "$mxs"
|
pr_bold "Done testing now all MX records (on port $mxport): "; outln "$mxs"
|
||||||
else
|
else
|
||||||
|
@ -4591,7 +4607,7 @@ run_mass_testing() {
|
||||||
[[ -z "$cmdline" ]] && continue
|
[[ -z "$cmdline" ]] && continue
|
||||||
[[ "$cmdline" == "EOF" ]] && break
|
[[ "$cmdline" == "EOF" ]] && break
|
||||||
echo "$0 -q $cmdline"
|
echo "$0 -q $cmdline"
|
||||||
draw_dotted_line "=" $((TERM_DWITH / 2)); outln;
|
draw_line "=" $((TERM_DWITH / 2)); outln;
|
||||||
$0 -q $cmdline
|
$0 -q $cmdline
|
||||||
done < "$FNAME"
|
done < "$FNAME"
|
||||||
exit $?
|
exit $?
|
||||||
|
@ -4914,6 +4930,9 @@ parse_cmd_line() {
|
||||||
PROXY=$(parse_opt_equal_sign "$1" "$2")
|
PROXY=$(parse_opt_equal_sign "$1" "$2")
|
||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
;;
|
;;
|
||||||
|
-6) # doesn't work automagically. My versions have -DOPENSSL_USE_IPV6, CentOS/RHEL/FC do not
|
||||||
|
HAS_IPv6=true
|
||||||
|
;;
|
||||||
--has[-_]dhbits|--has[_-]dh[-_]bits) # For CentOS, RHEL and FC with openssl server temp key backport on version 1.0.1, see #190. But should work automagically
|
--has[-_]dhbits|--has[_-]dh[-_]bits) # For CentOS, RHEL and FC with openssl server temp key backport on version 1.0.1, see #190. But should work automagically
|
||||||
HAS_DH_BITS=true
|
HAS_DH_BITS=true
|
||||||
;;
|
;;
|
||||||
|
@ -4948,7 +4967,14 @@ parse_cmd_line() {
|
||||||
|
|
||||||
# connect call from openssl needs ipv6 in square brackets
|
# connect call from openssl needs ipv6 in square brackets
|
||||||
nodeip_to_proper_ip6() {
|
nodeip_to_proper_ip6() {
|
||||||
is_ipv6addr $NODEIP && NODEIP="[$NODEIP]"
|
local len_nodeip=0
|
||||||
|
|
||||||
|
if is_ipv6addr $NODEIP; then
|
||||||
|
NODEIP="[$NODEIP]"
|
||||||
|
len_nodeip=${#NODEIP}
|
||||||
|
CORRECT_SPACES="$(draw_line " " "$((len_nodeip - 16))" )"
|
||||||
|
# IPv6 addresses are longer, this varaible takes care that "further IP" and "Service" is properly aligned
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -5056,13 +5082,13 @@ else
|
||||||
if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check
|
if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check
|
||||||
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
||||||
for ip in $IPADDRs; do
|
for ip in $IPADDRs; do
|
||||||
draw_dotted_line "-" $((TERM_DWITH / 2))
|
draw_line "-" $((TERM_DWITH / 2))
|
||||||
outln
|
outln
|
||||||
NODEIP="$ip"
|
NODEIP="$ip"
|
||||||
lets_roll "${STARTTLS_PROTOCOL}"
|
lets_roll "${STARTTLS_PROTOCOL}"
|
||||||
ret=$(($? + ret))
|
ret=$(($? + ret))
|
||||||
done
|
done
|
||||||
draw_dotted_line "-" $((TERM_DWITH / 2))
|
draw_line "-" $((TERM_DWITH / 2))
|
||||||
outln
|
outln
|
||||||
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
|
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
|
||||||
else # we need just one ip4v to check
|
else # we need just one ip4v to check
|
||||||
|
@ -5076,4 +5102,4 @@ fi
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.399 2015/10/04 10:32:29 dirkw Exp $
|
# $Id: testssl.sh,v 1.400 2015/10/05 07:56:20 dirkw Exp $
|
||||||
|
|
Loading…
Reference in New Issue