Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 21:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Reorder output of run_server_preference()

Browse Source 
This commit reorders the output of run_server_preference() as discussed in #1311.
This commit is contained in:
David Cooper
2022-03-22 15:20:02 -04:00
parent 90c6134013
commit fa5d13eb06
2 changed files with 60 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
t/baseline_data/default_testssl.csvfile
View File

@@ -18,9 +18,6 @@
"cipherlist_AVERAGE","testssl.sh/81.169.166.184","443","LOW","offered","","CWE-310"
"cipherlist_GOOD","testssl.sh/81.169.166.184","443","OK","offered","",""
"cipherlist_STRONG","testssl.sh/81.169.166.184","443","OK","offered","",""
"cipher_order","testssl.sh/81.169.166.184","443","OK","server","",""
"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","",""
"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","",""
"cipher-tls1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
"cipher-tls1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
"cipher-tls1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
@@ -60,6 +57,9 @@
"cipher-tls1_3_x1301","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","",""
"cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","",""
"prioritize_chacha_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","false","",""
"cipher_order","testssl.sh/81.169.166.184","443","OK","server","",""
"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","",""
"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","",""
"FS","testssl.sh/81.169.166.184","443","OK","offered","",""
"FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","",""
"FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","",""

115
testssl.sh
View File

@@ -6613,9 +6613,7 @@ run_server_preference() {
outln
pr_headlineln " Testing server's cipher preferences "
outln
pr_bold " Has server cipher order? "
if [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
addcmd="$OPTIMAL_PROTO"
@@ -6726,6 +6724,56 @@ run_server_preference() {
debugme echo "has_cipher_order: $has_cipher_order"
debugme echo "has_tls13_cipher_order: $has_tls13_cipher_order"
# restore file from above
[[ "$default_proto" == TLSv1.3 ]] && cp "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt" $TMPFILE
cipher1=$(get_cipher $TMPFILE)
tmpfile_handle ${FUNCNAME[0]}.txt
# Sanity check: Handshake with no ciphers and one with forward list didn't overlap
if [[ "$cipher0" != $cipher1 ]]; then
limitedsense=" (matching cipher in list missing)"
fi
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && ( [[ "$cipher1" == TLS_* ]] || [[ "$cipher1" == SSL_* ]] ); then
default_cipher="$(rfc2openssl "$cipher1")"
elif [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ "$cipher1" != TLS_* ]] && [[ "$cipher1" != SSL_* ]]; then
default_cipher="$(openssl2rfc "$cipher1")"
fi
[[ -z "$default_cipher" ]] && default_cipher="$cipher1"
"$FAST" && using_sockets=false
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
neat_header
while read proto_ossl proto_hex proto_txt; do
pr_underline "$(printf -- "%b" "$proto_txt")"
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
# the following takes care of that but only if we know the protocol is not supported
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
outln "\n - "
continue
fi
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
if [[ $proto_ossl == ssl2 ]] || \
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ) || \
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ); then
if [[ $proto_ossl == ssl2 ]]; then
outln " (listed by strength)"
elif [[ $proto_ossl == tls1_3 ]]; then
outln " (no server order, thus listed by strength)"
else
prln_svrty_high " (no server order, thus listed by strength)"
fi
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
else
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
fi
done <<< "$(tm_out " ssl2 22 SSLv2\n ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
outln
pr_bold " Has server cipher order? "
jsonID="cipher_order"
if "$TLS13_ONLY" && ! "$has_tls13_cipher_order"; then
out "no (TLS 1.3 only)"
limitedsense=" (limited sense as client will pick)"
@@ -6807,33 +6855,17 @@ run_server_preference() {
pr_bold " Negotiated cipher "
jsonID="cipher_negotiated"
# restore file from above
[[ "$default_proto" == TLSv1.3 ]] && cp "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt" $TMPFILE
cipher1=$(get_cipher $TMPFILE)
# Sanity check: Handshake with no ciphers and one with forward list didn't overlap
if [[ "$cipher0" != $cipher1 ]]; then
limitedsense=" (matching cipher in list missing)"
fi
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && ( [[ "$cipher1" == TLS_* ]] || [[ "$cipher1" == SSL_* ]] ); then
default_cipher="$(rfc2openssl "$cipher1")"
elif [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ "$cipher1" != TLS_* ]] && [[ "$cipher1" != SSL_* ]]; then
default_cipher="$(openssl2rfc "$cipher1")"
fi
[[ -z "$default_cipher" ]] && default_cipher="$cipher1"
pr_cipher_quality "$default_cipher"
case $? in
1) fileout "$jsonID" "CRITICAL" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
1) fileout "$jsonID" "CRITICAL" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
2) fileout "$jsonID" "HIGH" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
2) fileout "$jsonID" "HIGH" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
3) fileout "$jsonID" "MEDIUM" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
3) fileout "$jsonID" "MEDIUM" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
6|7) fileout "$jsonID" "OK" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
6|7) fileout "$jsonID" "OK" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;; # best ones
4) fileout "$jsonID" "LOW" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") (cbc) $limitedsense"
4) fileout "$jsonID" "LOW" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") (cbc) $limitedsense"
;; # it's CBC. --> lucky13
0) pr_warning "default cipher empty" ;
if [[ $OSSL_VER == 1.0.2* ]]; then
@@ -6844,10 +6876,10 @@ run_server_preference() {
fi
ret=1
;;
*) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
*) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
esac
read_dhbits_from_file "$TMPFILE"
read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt"
if [[ "$cipher0" != $cipher1 ]]; then
pr_warning " -- inconclusive test, matching cipher in list missing"
@@ -6856,39 +6888,6 @@ run_server_preference() {
else
outln "$limitedsense"
fi
"$FAST" && using_sockets=false
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
pr_bold " Cipher per protocol"
outln "\n" && neat_header
while read proto_ossl proto_hex proto_txt; do
pr_underline "$(printf -- "%b" "$proto_txt")"
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
# the following takes care of that but only if we know the protocol is not supported
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
outln "\n - "
continue
fi
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
if [[ $proto_ossl == ssl2 ]] || \
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ) || \
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ); then
if [[ $proto_ossl == ssl2 ]]; then
outln " (listed by strength)"
elif [[ $proto_ossl == tls1_3 ]]; then
outln " (no server order, thus listed by strength)"
else
prln_svrty_high " (no server order, thus listed by strength)"
fi
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
else
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
fi
done <<< "$(tm_out " ssl2 22 SSLv2\n ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
outln
return $ret
# end of run_server_preference()
}