Merge branch 'master' into version_negotiation
This commit is contained in:
commit
f968bd8346
18
testssl.sh
18
testssl.sh
|
@ -3444,7 +3444,7 @@ run_server_preference() {
|
|||
[[ -n "$PROXY" ]] && arg=" SPDY/NPN is"
|
||||
[[ -n "$STARTTLS" ]] && arg=" "
|
||||
if spdy_pre " $arg" ; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY
|
||||
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
if sclient_connect_successful $? $TMPFILE; then
|
||||
proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g')
|
||||
if [[ -z "${proto[i]}" ]]; then
|
||||
|
@ -3619,16 +3619,16 @@ cipher_pref_check() {
|
|||
if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS?
|
||||
outln
|
||||
else
|
||||
npn_protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
||||
npn_protos=$($OPENSSL s_client $BUGS -nextprotoneg \"\" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
||||
for p in $npn_protos; do
|
||||
order=""
|
||||
$OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
$OPENSSL s_client $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
printf " %-10s %s " "$p:" "$cipher"
|
||||
tested_cipher="-"$cipher
|
||||
order="$cipher"
|
||||
while true; do
|
||||
$OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
$OPENSSL s_client -cipher "ALL:$tested_cipher" $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||
sclient_connect_successful $? $TMPFILE || break
|
||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||
out "$cipher "
|
||||
|
@ -3931,7 +3931,7 @@ compare_server_name_to_cert()
|
|||
|
||||
# Check whether any of the DNS names in the certificate match the servername
|
||||
dns_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
||||
sed -e 's/,/\n/g' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
|
||||
tr '.' '\n' grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
|
||||
for san in $dns_sans; do
|
||||
[[ "$san" == "$servername" ]] && return 0
|
||||
# If $san is a wildcard name, then do a wildcard match
|
||||
|
@ -3943,7 +3943,7 @@ compare_server_name_to_cert()
|
|||
|
||||
# Check whether any of the IP addresses in the certificate match the serername
|
||||
ip_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
||||
sed -e 's/,/\n/g' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
|
||||
tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
|
||||
for san in $ip_sans; do
|
||||
[[ "$san" == "$servername" ]] && return 0
|
||||
done
|
||||
|
@ -4243,9 +4243,9 @@ certificate_info() {
|
|||
fileout "${json_prefix}cn" "$cnok" "$cnfinding"
|
||||
|
||||
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
||||
egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | \
|
||||
egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \
|
||||
sed -e 's/ *DNS://g' -e 's/ *IP Address://g' -e 's/ *email://g' -e 's/ *URI://g' -e 's/ *DirName://g' \
|
||||
-e 's/ *Registered ID://g' -e 's/,/\n/g' \
|
||||
-e 's/ *Registered ID://g' \
|
||||
-e 's/ *othername:<unsupported>//g' -e 's/ *X400Name:<unsupported>//g' -e 's/ *EdiPartyName:<unsupported>//g')
|
||||
# ^^^ CACert
|
||||
out "$indent"; pr_bold " subjectAltName (SAN) "
|
||||
|
@ -8394,4 +8394,4 @@ fi
|
|||
exit $?
|
||||
|
||||
|
||||
# $Id: testssl.sh,v 1.522 2016/07/08 09:25:39 dirkw Exp $
|
||||
# $Id: testssl.sh,v 1.523 2016/07/11 14:20:35 dirkw Exp $
|
||||
|
|
|
@ -4,23 +4,91 @@
|
|||
# x448 and x25519 are missing, others are not supported
|
||||
# License see testssl.sh
|
||||
|
||||
readonly RUN_DIR=$(dirname "$0")
|
||||
|
||||
test_openssl_suffix() {
|
||||
local naming_ext="$(uname).$(uname -m)"
|
||||
local uname_arch="$(uname -m)"
|
||||
local myarch_suffix=""
|
||||
|
||||
[[ $uname_arch =~ 64 ]] && myarch_suffix=64 || myarch_suffix=32
|
||||
if [[ -f "$1/openssl" ]] && [[ -x "$1/openssl" ]]; then
|
||||
OPENSSL="$1/openssl"
|
||||
return 0
|
||||
elif [[ -f "$1/openssl.$naming_ext" ]] && [[ -x "$1/openssl.$naming_ext" ]]; then
|
||||
OPENSSL="$1/openssl.$naming_ext"
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
|
||||
find_openssl_binary() {
|
||||
# 0. check environment variable whether it's executable
|
||||
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
|
||||
pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary."
|
||||
outln " Looking some place else ..."
|
||||
elif [[ -x "$OPENSSL" ]]; then
|
||||
: # 1. all ok supplied $OPENSSL was found and has excutable bit set -- testrun comes below
|
||||
elif test_openssl_suffix $RUN_DIR; then
|
||||
: # 2. otherwise try openssl in path of testssl.sh
|
||||
elif test_openssl_suffix ../$RUN_DIR; then
|
||||
: # 2. otherwise try openssl in path of testssl.sh
|
||||
elif test_openssl_suffix ../$RUN_DIR/bin; then
|
||||
: # 3. otherwise here, this is supposed to be the standard --platform independed path in the future!!!
|
||||
elif test_openssl_suffix "$(dirname "$(which openssl)")"; then
|
||||
: # 5. we tried hard and failed, so now we use the system binaries
|
||||
fi
|
||||
|
||||
# no ERRFILE initialized yet, thus we use /dev/null for stderr directly
|
||||
$OPENSSL version -a 2>/dev/null >/dev/null
|
||||
if [[ $? -ne 0 ]] || [[ ! -x "$OPENSSL" ]]; then
|
||||
echo "\ncannot exec or find any openssl binary"
|
||||
exit 1
|
||||
fi
|
||||
echo
|
||||
echo "using $OPENSSL"
|
||||
echo
|
||||
}
|
||||
|
||||
|
||||
VERBOSE=false
|
||||
if [[ $1 == "-v" ]]; then
|
||||
VERBOSE=true
|
||||
shift
|
||||
fi
|
||||
|
||||
HN="$1"
|
||||
[ -z "$HN" ] && HN=testssl.sh
|
||||
for curve in $(bin/openssl.Linux.x86_64 ecparam -list_curves | awk -F':' '/:/ { print $1 }'); do
|
||||
printf "$curve: "
|
||||
find_openssl_binary
|
||||
|
||||
ERRFILE=$(mktemp /tmp/curve_tester.R.XXXXXX) || exit -6
|
||||
TMPFILE=$(mktemp /tmp/curve_tester.T.XXXXXX) || exit -6
|
||||
|
||||
|
||||
for curve in $($OPENSSL ecparam -list_curves | awk -F':' '/:/ { print $1 }'); do
|
||||
#if bin/openssl.Linux.x86_64 s_client -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep -q "BEGIN CERTIFICATE" ; then
|
||||
# echo 'YES'
|
||||
#else
|
||||
# echo '--'
|
||||
#fi
|
||||
if bin/openssl.Linux.x86_64 s_client -cipher ECDH -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep "Server Temp Key:" ; then
|
||||
:
|
||||
$OPENSSL s_client -cipher ECDH -curves $curve -connect $HN:443 -servername $HN </dev/null 2>$ERRFILE | grep "Server Temp Key:" >$TMPFILE
|
||||
if [[ $? -eq 0 ]]; then
|
||||
printf "$curve: "
|
||||
cat $TMPFILE | sed 's/^.*Server Temp Key: //'
|
||||
else
|
||||
echo '--'
|
||||
if grep -q 'Error with' $ERRFILE; then
|
||||
if "$VERBOSE"; then
|
||||
echo "$curve: no client support"
|
||||
fi
|
||||
else
|
||||
echo "$curve: --"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# vim:ts=5:sw=5:expandtab
|
||||
# $Id: curves.bash,v 1.2 2016/07/08 09:39:27 dirkw Exp $
|
||||
rm -f $ERRFILE $TMPFILE
|
||||
|
||||
# vim:ts=5:sw=5:expandtab
|
||||
# $Id: curves.bash,v 1.3 2016/07/09 12:22:13 dirkw Exp $
|
||||
|
||||
|
|
Loading…
Reference in New Issue