Merge branch 'master' into version_negotiation
This commit is contained in:
commit
f968bd8346
18
testssl.sh
18
testssl.sh
|
@ -3444,7 +3444,7 @@ run_server_preference() {
|
||||||
[[ -n "$PROXY" ]] && arg=" SPDY/NPN is"
|
[[ -n "$PROXY" ]] && arg=" SPDY/NPN is"
|
||||||
[[ -n "$STARTTLS" ]] && arg=" "
|
[[ -n "$STARTTLS" ]] && arg=" "
|
||||||
if spdy_pre " $arg" ; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY
|
if spdy_pre " $arg" ; then # is NPN/SPDY supported and is this no STARTTLS? / no PROXY
|
||||||
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
if sclient_connect_successful $? $TMPFILE; then
|
if sclient_connect_successful $? $TMPFILE; then
|
||||||
proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g')
|
proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g')
|
||||||
if [[ -z "${proto[i]}" ]]; then
|
if [[ -z "${proto[i]}" ]]; then
|
||||||
|
@ -3619,16 +3619,16 @@ cipher_pref_check() {
|
||||||
if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS?
|
if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS?
|
||||||
outln
|
outln
|
||||||
else
|
else
|
||||||
npn_protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
npn_protos=$($OPENSSL s_client $BUGS -nextprotoneg \"\" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g')
|
||||||
for p in $npn_protos; do
|
for p in $npn_protos; do
|
||||||
order=""
|
order=""
|
||||||
$OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||||
printf " %-10s %s " "$p:" "$cipher"
|
printf " %-10s %s " "$p:" "$cipher"
|
||||||
tested_cipher="-"$cipher
|
tested_cipher="-"$cipher
|
||||||
order="$cipher"
|
order="$cipher"
|
||||||
while true; do
|
while true; do
|
||||||
$OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE
|
$OPENSSL s_client -cipher "ALL:$tested_cipher" $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE
|
||||||
sclient_connect_successful $? $TMPFILE || break
|
sclient_connect_successful $? $TMPFILE || break
|
||||||
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)
|
||||||
out "$cipher "
|
out "$cipher "
|
||||||
|
@ -3931,7 +3931,7 @@ compare_server_name_to_cert()
|
||||||
|
|
||||||
# Check whether any of the DNS names in the certificate match the servername
|
# Check whether any of the DNS names in the certificate match the servername
|
||||||
dns_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
dns_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
||||||
sed -e 's/,/\n/g' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
|
tr '.' '\n' grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
|
||||||
for san in $dns_sans; do
|
for san in $dns_sans; do
|
||||||
[[ "$san" == "$servername" ]] && return 0
|
[[ "$san" == "$servername" ]] && return 0
|
||||||
# If $san is a wildcard name, then do a wildcard match
|
# If $san is a wildcard name, then do a wildcard match
|
||||||
|
@ -3943,7 +3943,7 @@ compare_server_name_to_cert()
|
||||||
|
|
||||||
# Check whether any of the IP addresses in the certificate match the serername
|
# Check whether any of the IP addresses in the certificate match the serername
|
||||||
ip_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
ip_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
||||||
sed -e 's/,/\n/g' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
|
tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
|
||||||
for san in $ip_sans; do
|
for san in $ip_sans; do
|
||||||
[[ "$san" == "$servername" ]] && return 0
|
[[ "$san" == "$servername" ]] && return 0
|
||||||
done
|
done
|
||||||
|
@ -4243,9 +4243,9 @@ certificate_info() {
|
||||||
fileout "${json_prefix}cn" "$cnok" "$cnfinding"
|
fileout "${json_prefix}cn" "$cnok" "$cnfinding"
|
||||||
|
|
||||||
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
|
||||||
egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | \
|
egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \
|
||||||
sed -e 's/ *DNS://g' -e 's/ *IP Address://g' -e 's/ *email://g' -e 's/ *URI://g' -e 's/ *DirName://g' \
|
sed -e 's/ *DNS://g' -e 's/ *IP Address://g' -e 's/ *email://g' -e 's/ *URI://g' -e 's/ *DirName://g' \
|
||||||
-e 's/ *Registered ID://g' -e 's/,/\n/g' \
|
-e 's/ *Registered ID://g' \
|
||||||
-e 's/ *othername:<unsupported>//g' -e 's/ *X400Name:<unsupported>//g' -e 's/ *EdiPartyName:<unsupported>//g')
|
-e 's/ *othername:<unsupported>//g' -e 's/ *X400Name:<unsupported>//g' -e 's/ *EdiPartyName:<unsupported>//g')
|
||||||
# ^^^ CACert
|
# ^^^ CACert
|
||||||
out "$indent"; pr_bold " subjectAltName (SAN) "
|
out "$indent"; pr_bold " subjectAltName (SAN) "
|
||||||
|
@ -8394,4 +8394,4 @@ fi
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.522 2016/07/08 09:25:39 dirkw Exp $
|
# $Id: testssl.sh,v 1.523 2016/07/11 14:20:35 dirkw Exp $
|
||||||
|
|
|
@ -4,23 +4,91 @@
|
||||||
# x448 and x25519 are missing, others are not supported
|
# x448 and x25519 are missing, others are not supported
|
||||||
# License see testssl.sh
|
# License see testssl.sh
|
||||||
|
|
||||||
|
readonly RUN_DIR=$(dirname "$0")
|
||||||
|
|
||||||
|
test_openssl_suffix() {
|
||||||
|
local naming_ext="$(uname).$(uname -m)"
|
||||||
|
local uname_arch="$(uname -m)"
|
||||||
|
local myarch_suffix=""
|
||||||
|
|
||||||
|
[[ $uname_arch =~ 64 ]] && myarch_suffix=64 || myarch_suffix=32
|
||||||
|
if [[ -f "$1/openssl" ]] && [[ -x "$1/openssl" ]]; then
|
||||||
|
OPENSSL="$1/openssl"
|
||||||
|
return 0
|
||||||
|
elif [[ -f "$1/openssl.$naming_ext" ]] && [[ -x "$1/openssl.$naming_ext" ]]; then
|
||||||
|
OPENSSL="$1/openssl.$naming_ext"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
find_openssl_binary() {
|
||||||
|
# 0. check environment variable whether it's executable
|
||||||
|
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
|
||||||
|
pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary."
|
||||||
|
outln " Looking some place else ..."
|
||||||
|
elif [[ -x "$OPENSSL" ]]; then
|
||||||
|
: # 1. all ok supplied $OPENSSL was found and has excutable bit set -- testrun comes below
|
||||||
|
elif test_openssl_suffix $RUN_DIR; then
|
||||||
|
: # 2. otherwise try openssl in path of testssl.sh
|
||||||
|
elif test_openssl_suffix ../$RUN_DIR; then
|
||||||
|
: # 2. otherwise try openssl in path of testssl.sh
|
||||||
|
elif test_openssl_suffix ../$RUN_DIR/bin; then
|
||||||
|
: # 3. otherwise here, this is supposed to be the standard --platform independed path in the future!!!
|
||||||
|
elif test_openssl_suffix "$(dirname "$(which openssl)")"; then
|
||||||
|
: # 5. we tried hard and failed, so now we use the system binaries
|
||||||
|
fi
|
||||||
|
|
||||||
|
# no ERRFILE initialized yet, thus we use /dev/null for stderr directly
|
||||||
|
$OPENSSL version -a 2>/dev/null >/dev/null
|
||||||
|
if [[ $? -ne 0 ]] || [[ ! -x "$OPENSSL" ]]; then
|
||||||
|
echo "\ncannot exec or find any openssl binary"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo
|
||||||
|
echo "using $OPENSSL"
|
||||||
|
echo
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
VERBOSE=false
|
||||||
|
if [[ $1 == "-v" ]]; then
|
||||||
|
VERBOSE=true
|
||||||
|
shift
|
||||||
|
fi
|
||||||
|
|
||||||
HN="$1"
|
HN="$1"
|
||||||
[ -z "$HN" ] && HN=testssl.sh
|
[ -z "$HN" ] && HN=testssl.sh
|
||||||
for curve in $(bin/openssl.Linux.x86_64 ecparam -list_curves | awk -F':' '/:/ { print $1 }'); do
|
find_openssl_binary
|
||||||
printf "$curve: "
|
|
||||||
|
ERRFILE=$(mktemp /tmp/curve_tester.R.XXXXXX) || exit -6
|
||||||
|
TMPFILE=$(mktemp /tmp/curve_tester.T.XXXXXX) || exit -6
|
||||||
|
|
||||||
|
|
||||||
|
for curve in $($OPENSSL ecparam -list_curves | awk -F':' '/:/ { print $1 }'); do
|
||||||
#if bin/openssl.Linux.x86_64 s_client -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep -q "BEGIN CERTIFICATE" ; then
|
#if bin/openssl.Linux.x86_64 s_client -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep -q "BEGIN CERTIFICATE" ; then
|
||||||
# echo 'YES'
|
# echo 'YES'
|
||||||
#else
|
#else
|
||||||
# echo '--'
|
# echo '--'
|
||||||
#fi
|
#fi
|
||||||
if bin/openssl.Linux.x86_64 s_client -cipher ECDH -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep "Server Temp Key:" ; then
|
$OPENSSL s_client -cipher ECDH -curves $curve -connect $HN:443 -servername $HN </dev/null 2>$ERRFILE | grep "Server Temp Key:" >$TMPFILE
|
||||||
:
|
if [[ $? -eq 0 ]]; then
|
||||||
|
printf "$curve: "
|
||||||
|
cat $TMPFILE | sed 's/^.*Server Temp Key: //'
|
||||||
else
|
else
|
||||||
echo '--'
|
if grep -q 'Error with' $ERRFILE; then
|
||||||
|
if "$VERBOSE"; then
|
||||||
|
echo "$curve: no client support"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "$curve: --"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
# vim:ts=5:sw=5:expandtab
|
rm -f $ERRFILE $TMPFILE
|
||||||
# $Id: curves.bash,v 1.2 2016/07/08 09:39:27 dirkw Exp $
|
|
||||||
|
# vim:ts=5:sw=5:expandtab
|
||||||
|
# $Id: curves.bash,v 1.3 2016/07/09 12:22:13 dirkw Exp $
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue