From 23d311b1fc49970f0e0798b6154ee9cebd82556d Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 26 Jul 2016 11:10:20 -0400
Subject: [PATCH 1/5] SSLv2 fixes for determine_optimal_proto()

This PR makes three changes to `determine_optimal_proto()`:
* It no longer tries an empty string for `$OPTIMAL_PROTO` twice.
* It does not include `-servername` for `-ssl2` or `-ssl3`, since some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options.
* It displays a warning if `$OPTIMAL_PROTO` is `-ssl2`, since some tests in testssl.sh will not work correctly for SSLv2-only servers.
---
 testssl.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 5245616..0336251 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7811,7 +7811,7 @@ sclient_auth() {
 #
 determine_optimal_proto() {
      local all_failed
-     local addcmd=""
+     local sni=""
      #TODO: maybe query known openssl version before this workaround. 1.0.1 doesn't need this
@@ -7829,8 +7829,9 @@ determine_optimal_proto() {
           done
           debugme echo "STARTTLS_OPTIMAL_PROTO: $STARTTLS_OPTIMAL_PROTO"
      else
-          for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2 ''; do
-               $OPENSSL s_client $OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $SNI $TMPFILE 2>>$ERRFILE
+          for OPTIMAL_PROTO in '' -tls1_2 -tls1 -ssl3 -tls1_1 -ssl2; do
+               [[ "$OPTIMAL_PROTO" =~ ssl ]] && sni="" || sni=$SNI
+               $OPENSSL s_client $OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" -msg $PROXY $sni $TMPFILE 2>>$ERRFILE
                if sclient_auth $? $TMPFILE; then
                     all_failed=1
                     break
@@ -7838,6 +7839,9 @@ determine_optimal_proto() {
                all_failed=0
           done
           debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
+          pr_warningln "$NODEIP:$PORT appears to only support SSLv2."
+          ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
+          [[ $? -ne 0 ]] && exit -2
      fi
      grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190
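Review bot: The `sni` selection added to the `for` loop, `[[ "$OPTIMAL_PROTO" =~ ssl ]] && sni="" || sni=$SNI`, is an `a && b || c` chain standing in for if/else; it only behaves because the assignment `sni=""` cannot fail, and reads more plainly as `if [[ "$OPTIMAL_PROTO" =~ ssl ]]; then sni=""; else sni=$SNI; fi`. The regex also drops `-servername` for `-ssl3`, not only `-ssl2`; the commit message says that is intended, but the line itself does not, so a comment such as `# no -servername with -ssl2/-ssl3: some SSLv2-capable OpenSSL builds reject the combination` would keep a later reader from "fixing" it back to `-ssl2` only. Worth a second comment: a handshake sent without SNI may be answered by a host's default virtual host, so an `-ssl3`-only success here can describe a different site than the one `$SNI` names; how much that matters depends on how `$SNI` is populated, which is outside this hunk. determine_optimal_proto's body continues outside the hunk.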
From b43562aabf2d0e63e891b80e677f5db4560e09cd Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 26 Jul 2016 11:13:45 -0400
Subject: [PATCH 2/5] Update testssl.sh

---
 testssl.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 0336251..436b70e 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7839,9 +7839,11 @@ determine_optimal_proto() {
                all_failed=0
           done
           debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
-          pr_warningln "$NODEIP:$PORT appears to only support SSLv2."
-          ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
-          [[ $? -ne 0 ]] && exit -2
+          if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
+               pr_warningln "$NODEIP:$PORT appears to only support SSLv2."
+               ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
+               [[ $? -ne 0 ]] && exit -2
+          fi
      fi
      grep -q '^Server Temp Key' $TMPFILE && HAS_DH_BITS=true # FIX #190

From bc6367d3ad8a7104f046b77a58f35a4d0ecf1b52 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 26 Jul 2016 11:21:23 -0400
Subject: [PATCH 3/5] Update testssl.sh

---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index 436b70e..cb22fd7 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7840,7 +7840,7 @@ determine_optimal_proto() {
           done
           debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO"
           if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then
-               pr_warningln "$NODEIP:$PORT appears to only support SSLv2."
+               pr_magentaln "$NODEIP:$PORT appears to only support SSLv2."
                ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
                [[ $? -ne 0 ]] && exit -2
           fi

From 4ed1f2fc11d229a79107049f70a3d38e8a5d8bed Mon Sep 17 00:00:00 2001
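Review bot: The new `if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]` also fires when no protocol succeeded at all: `-ssl2` is the last entry of the `for` list introduced in PATCH 1/5, so a loop that never reached `break` leaves the variable at `-ssl2` with `all_failed=0` as the final state, and the user is told the host "appears to only support SSLv2" and prompted although nothing answered. Gate the branch on the success flag as well, `if [[ "$OPTIMAL_PROTO" == "-ssl2" && $all_failed -eq 1 ]]; then`. Note that in PATCH 1/5 `all_failed=1` is set on the successful `sclient_auth`, so the name reads inverted; a comment such as `# all_failed=1 means a protocol DID succeed (see the loop above)` next to the test would help. What happens after the outer `fi` in the all-failed case is outside the hunk.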
From: David Cooper
Date: Tue, 26 Jul 2016 11:29:25 -0400
Subject: [PATCH 4/5] Don't ignore response to old OpenSSL warning

In the check for old versions of OpenSSL, the results of the call to `ignore_no_or_lame()` are ignored, and so the program continues even if the user enters `no`.
---
 testssl.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/testssl.sh b/testssl.sh
index 5245616..10aeac6 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7116,6 +7116,7 @@ check4openssl_oldfarts() {
                *) outln " Update openssl binaries or compile from github.com/PeterMosmans/openssl" ;;
           esac
           ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives "
+          [[ $? -ne 0 ]] && exit -2
      fi
      outln
 }

From 746eab7f6b8fe6eeb965808fc0f3785ecaa97a1b Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Tue, 26 Jul 2016 12:07:08 -0400
Subject: [PATCH 5/5] Fix two minor typos

Fixes for two minor typos that were previously included in PR #345.
---
 testssl.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 5245616..0b04581 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -714,7 +714,7 @@ run_http_header() {
      wait_kill $! $HEADER_MAXSLEEP
      if [[ $? -eq 0 ]]; then
           # we do the get command again as it terminated within $HEADER_MAXSLEEP. Thus it didn't hang, we do it
-          # again in the foreground ito get an ccurate header time!
+          # again in the foreground to get an accurate header time!
           printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI >$HEADERFILE 2>$ERRFILE
           NOW_TIME=$(date "+%s")
           HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
@@ -3837,7 +3837,7 @@ tls_time() {
           debugme out "$TLS_TIME"
           outln
      else
-          pr_warning "SSLv3 through TLS 1.2 didn't return a timestamp"
+          pr_warningln "SSLv3 through TLS 1.2 didn't return a timestamp"
           fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
      fi
      return 0
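Review bot: The added `[[ $? -ne 0 ]] && exit -2` in check4openssl_oldfarts tests `$?` on a separate line from the call it belongs to, so any statement later inserted between them silently changes what is checked; the intent is stated directly by `ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives " || exit -2`. The same two-line sequence is added in the determine_optimal_proto hunks of PATCH 1/5 and PATCH 2/5. Separately, bash masks a negative `exit` argument to eight bits, so a wrapper script sees status 254 rather than -2; if the rest of the script already exits with `-2` this is consistent, otherwise a named positive code is easier for callers to test. The enclosing `if` starts outside the hunk.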