mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-19 15:09:30 +01:00
Merge branch 'master' of https://github.com/drwetter/testssl.sh into severity
This commit is contained in:
commit
f90f1a91e4
11
Readme.md
11
Readme.md
@ -45,11 +45,18 @@ Done so far:
|
|||||||
* Even more compatibilty improvements for FreeBSD, RH-ish and F5 systems
|
* Even more compatibilty improvements for FreeBSD, RH-ish and F5 systems
|
||||||
* OpenSSL 1.1.0 compliant
|
* OpenSSL 1.1.0 compliant
|
||||||
|
|
||||||
Contributions, feedback, also bug reports are welcome! For contributions please note: One patch per feature -- bug fix/improvement. Please test your changes thouroughly as reliability is important for this project.
|
Update notification here or @ [twitter](https://twitter.com/drwetter).
|
||||||
|
|
||||||
|
####Contributions
|
||||||
|
Contributions, feedback, bug reports are welcome! For contributions please note: One patch per feature -- bug fix/improvement. Please test your changes thouroughly as reliability is important for this project.
|
||||||
|
|
||||||
|
There's [coding guide line](https://github.com/drwetter/testssl.sh/wiki/Coding-Style).
|
||||||
|
|
||||||
Please file bug reports @ https://github.com/drwetter/testssl.sh/issues .
|
Please file bug reports @ https://github.com/drwetter/testssl.sh/issues .
|
||||||
|
|
||||||
Update notification here or @ [twitter](https://twitter.com/drwetter).
|
####Documentation
|
||||||
|
|
||||||
|
For a start see the [wiki](https://github.com/drwetter/testssl.sh/wiki/Usage-Documentation). Help is needed here.
|
||||||
|
|
||||||
----
|
----
|
||||||
|
|
||||||
|
60
testssl.sh
60
testssl.sh
@ -720,7 +720,7 @@ run_http_header() {
|
|||||||
301|302|307|308)
|
301|302|307|308)
|
||||||
redirect=$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')
|
redirect=$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')
|
||||||
out ", redirecting to \"$redirect\""
|
out ", redirecting to \"$redirect\""
|
||||||
if [[ $redirect != "https://"* ]]; then
|
if [[ $redirect == "http://"* ]]; then
|
||||||
pr_litered " -- Redirect to insecure URL (NOT ok)"
|
pr_litered " -- Redirect to insecure URL (NOT ok)"
|
||||||
fileout "status_code" "NOT OK" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\""
|
fileout "status_code" "NOT OK" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\""
|
||||||
fi
|
fi
|
||||||
@ -985,10 +985,13 @@ run_hpkp() {
|
|||||||
fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading"
|
fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[[ -s "$HOSTCERT" ]] || get_host_cert
|
if [[ ! -s "$HOSTCERT" ]]; then
|
||||||
# get the key fingerprints
|
get_host_cert || return 1
|
||||||
|
fi
|
||||||
|
# get the key fingerprint from the host certificate
|
||||||
hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \
|
hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \
|
||||||
$OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)"
|
$OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)"
|
||||||
|
# compare it with the ones provided in the header
|
||||||
while read hpkp_key; do
|
while read hpkp_key; do
|
||||||
if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
|
if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
|
||||||
out "\n$spaces matching host key: "
|
out "\n$spaces matching host key: "
|
||||||
@ -2626,13 +2629,15 @@ cipher_pref_check() {
|
|||||||
get_host_cert() {
|
get_host_cert() {
|
||||||
local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE
|
local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE
|
||||||
|
|
||||||
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null </dev/null >$tmpdir
|
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null </dev/null >$tmpvar
|
||||||
if sclient_connect_successful $? $tmpvar; then
|
if sclient_connect_successful $? $tmpvar; then
|
||||||
awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT
|
awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT
|
||||||
|
return 0
|
||||||
else
|
else
|
||||||
|
pr_litemagentaln "could not retrieve host certificate!"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
tmpfile_handle $FUNCNAME.txt
|
#tmpfile_handle $FUNCNAME.txt
|
||||||
#return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]}))
|
#return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]}))
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3399,7 +3404,7 @@ run_server_defaults() {
|
|||||||
# http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1932806.html
|
# http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1932806.html
|
||||||
run_pfs() {
|
run_pfs() {
|
||||||
local -i sclient_success
|
local -i sclient_success
|
||||||
local -i pfs_offered=1
|
local pfs_offered=false
|
||||||
local tmpfile
|
local tmpfile
|
||||||
local dhlen
|
local dhlen
|
||||||
local hexcode dash pfs_cipher sslvers kx auth enc mac
|
local hexcode dash pfs_cipher sslvers kx auth enc mac
|
||||||
@ -3431,12 +3436,12 @@ run_pfs() {
|
|||||||
pr_brownln "Not OK: No ciphers supporting Forward Secrecy offered"
|
pr_brownln "Not OK: No ciphers supporting Forward Secrecy offered"
|
||||||
fileout "pfs" "NOT OK" "(Perfect) Forward Secrecy : Not OK: No ciphers supporting Forward Secrecy offered"
|
fileout "pfs" "NOT OK" "(Perfect) Forward Secrecy : Not OK: No ciphers supporting Forward Secrecy offered"
|
||||||
else
|
else
|
||||||
pfs_offered=0
|
pfs_offered=true
|
||||||
pfs_ciphers=""
|
pfs_ciphers=""
|
||||||
pr_litegreen " PFS is offered (OK)"
|
pr_litegreen " PFS is offered (OK)"
|
||||||
fileout "pfs" "OK" "(Perfect) Forward Secrecy : PFS is offered (OK)"
|
fileout "pfs" "OK" "(Perfect) Forward Secrecy : PFS is offered (OK)"
|
||||||
if $WIDE; then
|
if $WIDE; then
|
||||||
outln ", ciphers follow (client/browser support is here specially important) \n"
|
outln ", ciphers follow (client/browser support is important here) \n"
|
||||||
neat_header
|
neat_header
|
||||||
else
|
else
|
||||||
out " "
|
out " "
|
||||||
@ -3446,7 +3451,8 @@ run_pfs() {
|
|||||||
$OPENSSL s_client -cipher $pfs_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI &>$tmpfile </dev/null
|
$OPENSSL s_client -cipher $pfs_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI &>$tmpfile </dev/null
|
||||||
sclient_connect_successful $? $tmpfile
|
sclient_connect_successful $? $tmpfile
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
if [[ $sclient_success -ne 0 ]] && [[ "$SHOW_EACH_C" -eq 0 ]]; then
|
[[ "$sclient_success" -eq 0 ]] && pfs_offered=true
|
||||||
|
if [[ "$sclient_success" -ne 0 ]] && [[ "$SHOW_EACH_C" -eq 0 ]]; then
|
||||||
continue # no successful connect AND not verbose displaying each cipher
|
continue # no successful connect AND not verbose displaying each cipher
|
||||||
fi
|
fi
|
||||||
if $WIDE; then
|
if $WIDE; then
|
||||||
@ -3456,7 +3462,6 @@ run_pfs() {
|
|||||||
kx="$kx $dhlen"
|
kx="$kx $dhlen"
|
||||||
fi
|
fi
|
||||||
neat_list $HEXC $pfs_cipher "$kx" $enc $strength
|
neat_list $HEXC $pfs_cipher "$kx" $enc $strength
|
||||||
let "pfs_offered++"
|
|
||||||
if [[ "$SHOW_EACH_C" -ne 0 ]]; then
|
if [[ "$SHOW_EACH_C" -ne 0 ]]; then
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_green "works"
|
pr_green "works"
|
||||||
@ -3474,7 +3479,7 @@ run_pfs() {
|
|||||||
debugme echo $pfs_offered
|
debugme echo $pfs_offered
|
||||||
$WIDE || outln
|
$WIDE || outln
|
||||||
|
|
||||||
if [[ "$pfs_offered" -eq 1 ]]; then
|
if ! "$pfs_offered"; then
|
||||||
pr_brown "no PFS ciphers found"
|
pr_brown "no PFS ciphers found"
|
||||||
fileout "pfs_ciphers" "NOT OK" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)"
|
fileout "pfs_ciphers" "NOT OK" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)"
|
||||||
else
|
else
|
||||||
@ -3488,7 +3493,11 @@ run_pfs() {
|
|||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
# sub1_curves
|
# sub1_curves
|
||||||
return $pfs_offered
|
if "$pfs_offered"; then
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -3604,7 +3613,7 @@ run_http2() {
|
|||||||
done
|
done
|
||||||
if $had_alpn_proto; then
|
if $had_alpn_proto; then
|
||||||
outln " (offered)"
|
outln " (offered)"
|
||||||
fileout "https_alpn" "INFO" "HTTP2/ALPN : offered\nProtocols: $alpn_finding"
|
fileout "https_alpn" "INFO" "HTTP2/ALPN : offered; Protocols: $alpn_finding"
|
||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
outln "not offered"
|
outln "not offered"
|
||||||
@ -4930,9 +4939,11 @@ run_beast(){
|
|||||||
local continued=false
|
local continued=false
|
||||||
local cbc_cipher_list="EXP-RC2-CBC-MD5:IDEA-CBC-SHA:EXP-DES-CBC-SHA:DES-CBC-SHA:DES-CBC3-SHA:EXP-DH-DSS-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DH-DSS-DES-CBC3-SHA:EXP-DH-RSA-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-RSA-DES-CBC3-SHA:EXP-EDH-DSS-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EXP-ADH-DES-CBC-SHA:ADH-DES-CBC-SHA:ADH-DES-CBC3-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC-MD5:KRB5-DES-CBC3-MD5:KRB5-IDEA-CBC-MD5:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:AES128-SHA:DH-DSS-AES128-SHA:DH-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ADH-AES128-SHA:AES256-SHA:DH-DSS-AES256-SHA:DH-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ADH-AES256-SHA:AES128-SHA256:AES256-SHA256:DH-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:ADH-CAMELLIA128-SHA:EXP1024-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:DHE-RSA-AES128-SHA256:DH-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA256:CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:ADH-CAMELLIA256-SHA:PSK-3DES-EDE-CBC-SHA:PSK-AES128-CBC-SHA:PSK-AES256-CBC-SHA:SEED-SHA:DH-DSS-SEED-SHA:DH-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-SEED-SHA:ADH-SEED-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AECDH-DES-CBC3-SHA:AECDH-AES128-SHA:AECDH-AES256-SHA:SRP-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES256-SHA384:RC2-CBC-MD5:EXP-RC2-CBC-MD5:IDEA-CBC-MD5:DES-CBC-MD5:DES-CBC3-MD5"
|
local cbc_cipher_list="EXP-RC2-CBC-MD5:IDEA-CBC-SHA:EXP-DES-CBC-SHA:DES-CBC-SHA:DES-CBC3-SHA:EXP-DH-DSS-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DH-DSS-DES-CBC3-SHA:EXP-DH-RSA-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-RSA-DES-CBC3-SHA:EXP-EDH-DSS-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EXP-ADH-DES-CBC-SHA:ADH-DES-CBC-SHA:ADH-DES-CBC3-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC-MD5:KRB5-DES-CBC3-MD5:KRB5-IDEA-CBC-MD5:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:AES128-SHA:DH-DSS-AES128-SHA:DH-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ADH-AES128-SHA:AES256-SHA:DH-DSS-AES256-SHA:DH-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ADH-AES256-SHA:AES128-SHA256:AES256-SHA256:DH-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:ADH-CAMELLIA128-SHA:EXP1024-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:DHE-RSA-AES128-SHA256:DH-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA256:CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:ADH-CAMELLIA256-SHA:PSK-3DES-EDE-CBC-SHA:PSK-AES128-CBC-SHA:PSK-AES256-CBC-SHA:SEED-SHA:DH-DSS-SEED-SHA:DH-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-SEED-SHA:ADH-SEED-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AECDH-DES-CBC3-SHA:AECDH-AES128-SHA:AECDH-AES256-SHA:SRP-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES256-SHA384:RC2-CBC-MD5:EXP-RC2-CBC-MD5:IDEA-CBC-MD5:DES-CBC-MD5:DES-CBC3-MD5"
|
||||||
|
|
||||||
if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || "$WIDE"; then
|
if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
|
||||||
outln
|
outln
|
||||||
pr_headlineln " Testing for BEAST vulnerability "
|
pr_headlineln " Testing for BEAST vulnerability "
|
||||||
|
fi
|
||||||
|
if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || "$WIDE"; then
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
||||||
@ -4968,16 +4979,18 @@ run_beast(){
|
|||||||
sclient_connect_successful $? $TMPFILE || continue
|
sclient_connect_successful $? $TMPFILE || continue
|
||||||
|
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln "\n $(toupper $proto):";
|
out "\n "; pr_underline "$(toupper $proto):\n";
|
||||||
|
if "$first"; then
|
||||||
neat_header # NOT_THAT_NICE: we display the header also if in the end no cbc cipher is available on the client side
|
neat_header # NOT_THAT_NICE: we display the header also if in the end no cbc cipher is available on the client side
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
for ciph in $(colon_to_spaces "$cbc_cipher_list"); do
|
for ciph in $(colon_to_spaces "$cbc_cipher_list"); do
|
||||||
read hexcode dash cbc_cipher sslvers kx auth enc mac < <($OPENSSL ciphers -V "$ciph" 2>>$ERRFILE) # -V doesn't work with openssl < 1.0
|
read hexcode dash cbc_cipher sslvers kx auth enc mac < <($OPENSSL ciphers -V "$ciph" 2>>$ERRFILE) # -V doesn't work with openssl < 1.0
|
||||||
# ^^^^^ process substitution as shopt will either segfault or doesn't work with old bash versions
|
# ^^^^^ process substitution as shopt will either segfault or doesn't work with old bash versions
|
||||||
$OPENSSL s_client -cipher "$cbc_cipher" -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
$OPENSSL s_client -cipher "$cbc_cipher" -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ $sclient_success -eq 0 ]] && vuln_beast=true
|
[[ $sclient_success -eq 0 ]] && vuln_beast=true && "$WIDE" && first=false
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
normalize_ciphercode $hexcode
|
normalize_ciphercode $hexcode
|
||||||
if [[ "$SHOW_EACH_C" -ne 0 ]]; then
|
if [[ "$SHOW_EACH_C" -ne 0 ]]; then
|
||||||
@ -5003,7 +5016,11 @@ run_beast(){
|
|||||||
|
|
||||||
if ! "$WIDE"; then
|
if ! "$WIDE"; then
|
||||||
if [[ -n "$detected_cbc_ciphers" ]]; then
|
if [[ -n "$detected_cbc_ciphers" ]]; then
|
||||||
detected_cbc_ciphers=$(echo "$detected_cbc_ciphers" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
detected_cbc_ciphers=$(echo "$detected_cbc_ciphers" | \
|
||||||
|
sed -e "s/ /\\${cr} ${spaces}/12" \
|
||||||
|
-e "s/ /\\${cr} ${spaces}/9" \
|
||||||
|
-e "s/ /\\${cr} ${spaces}/6" \
|
||||||
|
-e "s/ /\\${cr} ${spaces}/3")
|
||||||
fileout "cbc_$proto" "NOT OK" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
|
fileout "cbc_$proto" "NOT OK" "BEAST (CVE-2011-3389) : CBC ciphers for $(toupper $proto): $detected_cbc_ciphers"
|
||||||
! "$first" && out "$spaces"
|
! "$first" && out "$spaces"
|
||||||
out "$(toupper $proto):"
|
out "$(toupper $proto):"
|
||||||
@ -5075,16 +5092,18 @@ run_rc4() {
|
|||||||
local rc4_detected=""
|
local rc4_detected=""
|
||||||
local available=""
|
local available=""
|
||||||
|
|
||||||
if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || $WIDE; then
|
if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
|
||||||
outln
|
outln
|
||||||
pr_headlineln " Checking for vulnerable RC4 Ciphers "
|
pr_headlineln " Checking for vulnerable RC4 Ciphers "
|
||||||
|
fi
|
||||||
|
if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || "$WIDE"; then
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
pr_bold " RC4"; out " (CVE-2013-2566, CVE-2015-2808) "
|
pr_bold " RC4"; out " (CVE-2013-2566, CVE-2015-2808) "
|
||||||
|
|
||||||
$OPENSSL s_client -cipher $rc4_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client -cipher $rc4_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
pr_litered "VULNERABLE (NOT ok): "
|
"$WIDE" || pr_litered "VULNERABLE (NOT ok): "
|
||||||
rc4_offered=1
|
rc4_offered=1
|
||||||
if "$WIDE"; then
|
if "$WIDE"; then
|
||||||
outln "\n"
|
outln "\n"
|
||||||
@ -5118,6 +5137,7 @@ run_rc4() {
|
|||||||
rc4_detected+="$rc4_cipher "
|
rc4_detected+="$rc4_cipher "
|
||||||
done < <($OPENSSL ciphers -V $rc4_ciphers_list:@STRENGTH)
|
done < <($OPENSSL ciphers -V $rc4_ciphers_list:@STRENGTH)
|
||||||
outln
|
outln
|
||||||
|
"$WIDE" && pr_litered "VULNERABLE (NOT ok)"
|
||||||
fileout "rc4" "NOT OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected"
|
fileout "rc4" "NOT OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected"
|
||||||
else
|
else
|
||||||
pr_litegreenln "no RC4 ciphers detected (OK)"
|
pr_litegreenln "no RC4 ciphers detected (OK)"
|
||||||
@ -6760,4 +6780,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.464 2016/02/07 18:13:58 dirkw Exp $
|
# $Id: testssl.sh,v 1.467 2016/02/22 09:44:42 dirkw Exp $
|
||||||
|
Loading…
Reference in New Issue
Block a user