- polish of #118

- FIX #22
Dirk 2015-06-11 18:33:06 +02:00
parent c39b69a45f
commit f9e4526f70


@ -2619,6 +2619,10 @@ EOF
# Test for TLS_FALLBACK_SCSV # Test for TLS_FALLBACK_SCSV
tls_fallback_scsv() { tls_fallback_scsv() {
local ret
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for TLS_FALLBACK_SCSV Protection" && outln "\n"
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507) "
# This isn't a vulnerability check per se, but checks for the existence of # This isn't a vulnerability check per se, but checks for the existence of
# the countermeasure to protect against protocol downgrade attacks. # the countermeasure to protect against protocol downgrade attacks.
@ -2629,33 +2633,24 @@ tls_fallback_scsv() {
return 4 return 4
fi fi
# Set up a local temporary file in which to store OpenSSL's output...
local TEMP="/tmp"
if [ ! -z "$HOME" ] && [ -w "$HOME" ]; then
TEMP="$HOME"
fi
local scsv="$TEMP/.testssl_scsv-${NODEIP}-${PORT}.txt"
ret=1
# ...and do the test # ...and do the test
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for TLS_FALLBACK_SCSV Support" && outln "\n" $OPENSSL s_client -connect $NODEIP:$PORT $SNI -no_tls1_2 -fallback_scsv &>$TMPFILE </dev/null
pr_bold " TLS_FALLBACK_SCSV"; out " (RFC 7507) " if grep -q "CONNECTED(00" "$TMPFILE"; then
echo | $OPENSSL s_client -connect $NODEIP:$PORT -no_tls1_2 -fallback_scsv > "$scsv" 2>&1 if grep -q "alert inappropriate fallback" "$TMPFILE"; then
if grep -q "CONNECTED(00" "$scsv"; then pr_litegreen "Downgrade attack prevention supported (OK)"
if grep -q "alert inappropriate fallback" "$scsv"; then ret=0
pr_green "not vulnerable (OK) - supported"
ret=0
else else
pr_litered "VULNERABLE (NOT ok)"; out " - not supported\n" pr_brown "Downgrade attack prevention NOT supported"
ret=2 ret=2
fi fi
else else
pr_magentaln "test failed (couldn't connect)" pr_magenta "test failed (couldn't connect)"
ret=3 ret=3
fi fi
# Quick cleanup outln
rm -f "$scsv" tmpfile_handle $FUNCNAME.txt
return $ret
} }
# Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3 # Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3
@ -3737,6 +3732,10 @@ startup() {
do_tls_fallback_scsv=true do_tls_fallback_scsv=true
let "VULN_COUNT++" let "VULN_COUNT++"
;; ;;
-Z|--tls[_-]fallback|tls[_-]fallback[_-]scs)
do_tls_fallback_scsv=true
let "VULN_COUNT++"
;;
-F|--freak) -F|--freak)
do_freak=true do_freak=true
let "VULN_COUNT++" let "VULN_COUNT++"
@ -3908,6 +3907,6 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.271 2015/06/02 20:12:53 dirkw Exp $ # $Id: testssl.sh,v 1.272 2015/06/11 16:33:05 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab # ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
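Review bot: In `tls_fallback_scsv()` the new `else` branch prints "Downgrade attack prevention NOT supported" for every connection whose output lacks `alert inappropriate fallback`, which also covers servers whose highest protocol is below TLS 1.2 and handshakes that failed for an unrelated reason. Under RFC 7507 a server sends that alert only when it supports a version higher than the one offered, so with `-no_tls1_2` such a server is reported as lacking the countermeasure although the test could not tell. The branch should first confirm that the handshake completed and that the server offers TLS 1.2, and otherwise report the result as inconclusive; at minimum add a comment such as `# no alert is also expected if the server's highest protocol is < TLS 1.2 (RFC 7507): result inconclusive then`. Part of the function body lies between the two hunks and is not visible here, so an earlier guard may already cover this. Separately, in the `startup()` hunk the third alternative of `-Z|--tls[_-]fallback|tls[_-]fallback[_-]scs)` lacks the leading `--` and the final `v`, so `--tls_fallback_scsv` will not match; it probably should read `--tls[_-]fallback[_-]scsv`.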