mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 04:49:44 +01:00
Reorder output of run_server_preference()
This commit reorders the output of run_server_preference() as discussed in #1311.
This commit is contained in:
parent
90c6134013
commit
fa5d13eb06
@ -18,9 +18,6 @@
|
||||
"cipherlist_AVERAGE","testssl.sh/81.169.166.184","443","LOW","offered","","CWE-310"
|
||||
"cipherlist_GOOD","testssl.sh/81.169.166.184","443","OK","offered","",""
|
||||
"cipherlist_STRONG","testssl.sh/81.169.166.184","443","OK","offered","",""
|
||||
"cipher_order","testssl.sh/81.169.166.184","443","OK","server","",""
|
||||
"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","",""
|
||||
"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","",""
|
||||
"cipher-tls1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
|
||||
"cipher-tls1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
|
||||
"cipher-tls1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
|
||||
@ -60,6 +57,9 @@
|
||||
"cipher-tls1_3_x1301","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","",""
|
||||
"cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","",""
|
||||
"prioritize_chacha_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","false","",""
|
||||
"cipher_order","testssl.sh/81.169.166.184","443","OK","server","",""
|
||||
"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","",""
|
||||
"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","",""
|
||||
"FS","testssl.sh/81.169.166.184","443","OK","offered","",""
|
||||
"FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","",""
|
||||
"FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","",""
|
||||
|
115
testssl.sh
115
testssl.sh
@ -6613,9 +6613,7 @@ run_server_preference() {
|
||||
|
||||
outln
|
||||
pr_headlineln " Testing server's cipher preferences "
|
||||
|
||||
outln
|
||||
pr_bold " Has server cipher order? "
|
||||
|
||||
if [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
|
||||
addcmd="$OPTIMAL_PROTO"
|
||||
@ -6726,6 +6724,56 @@ run_server_preference() {
|
||||
debugme echo "has_cipher_order: $has_cipher_order"
|
||||
debugme echo "has_tls13_cipher_order: $has_tls13_cipher_order"
|
||||
|
||||
# restore file from above
|
||||
[[ "$default_proto" == TLSv1.3 ]] && cp "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt" $TMPFILE
|
||||
cipher1=$(get_cipher $TMPFILE)
|
||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||
|
||||
# Sanity check: Handshake with no ciphers and one with forward list didn't overlap
|
||||
if [[ "$cipher0" != $cipher1 ]]; then
|
||||
limitedsense=" (matching cipher in list missing)"
|
||||
fi
|
||||
|
||||
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && ( [[ "$cipher1" == TLS_* ]] || [[ "$cipher1" == SSL_* ]] ); then
|
||||
default_cipher="$(rfc2openssl "$cipher1")"
|
||||
elif [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ "$cipher1" != TLS_* ]] && [[ "$cipher1" != SSL_* ]]; then
|
||||
default_cipher="$(openssl2rfc "$cipher1")"
|
||||
fi
|
||||
[[ -z "$default_cipher" ]] && default_cipher="$cipher1"
|
||||
|
||||
"$FAST" && using_sockets=false
|
||||
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
|
||||
|
||||
neat_header
|
||||
while read proto_ossl proto_hex proto_txt; do
|
||||
pr_underline "$(printf -- "%b" "$proto_txt")"
|
||||
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
|
||||
# the following takes care of that but only if we know the protocol is not supported
|
||||
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
|
||||
outln "\n - "
|
||||
continue
|
||||
fi
|
||||
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
|
||||
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
|
||||
if [[ $proto_ossl == ssl2 ]] || \
|
||||
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ) || \
|
||||
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ); then
|
||||
if [[ $proto_ossl == ssl2 ]]; then
|
||||
outln " (listed by strength)"
|
||||
elif [[ $proto_ossl == tls1_3 ]]; then
|
||||
outln " (no server order, thus listed by strength)"
|
||||
else
|
||||
prln_svrty_high " (no server order, thus listed by strength)"
|
||||
fi
|
||||
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
||||
else
|
||||
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
||||
fi
|
||||
done <<< "$(tm_out " ssl2 22 SSLv2\n ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
|
||||
outln
|
||||
|
||||
pr_bold " Has server cipher order? "
|
||||
jsonID="cipher_order"
|
||||
if "$TLS13_ONLY" && ! "$has_tls13_cipher_order"; then
|
||||
out "no (TLS 1.3 only)"
|
||||
limitedsense=" (limited sense as client will pick)"
|
||||
@ -6807,33 +6855,17 @@ run_server_preference() {
|
||||
|
||||
pr_bold " Negotiated cipher "
|
||||
jsonID="cipher_negotiated"
|
||||
|
||||
# restore file from above
|
||||
[[ "$default_proto" == TLSv1.3 ]] && cp "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt" $TMPFILE
|
||||
cipher1=$(get_cipher $TMPFILE)
|
||||
|
||||
# Sanity check: Handshake with no ciphers and one with forward list didn't overlap
|
||||
if [[ "$cipher0" != $cipher1 ]]; then
|
||||
limitedsense=" (matching cipher in list missing)"
|
||||
fi
|
||||
|
||||
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]] && ( [[ "$cipher1" == TLS_* ]] || [[ "$cipher1" == SSL_* ]] ); then
|
||||
default_cipher="$(rfc2openssl "$cipher1")"
|
||||
elif [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]] && [[ "$cipher1" != TLS_* ]] && [[ "$cipher1" != SSL_* ]]; then
|
||||
default_cipher="$(openssl2rfc "$cipher1")"
|
||||
fi
|
||||
[[ -z "$default_cipher" ]] && default_cipher="$cipher1"
|
||||
pr_cipher_quality "$default_cipher"
|
||||
case $? in
|
||||
1) fileout "$jsonID" "CRITICAL" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||
1) fileout "$jsonID" "CRITICAL" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
||||
;;
|
||||
2) fileout "$jsonID" "HIGH" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||
2) fileout "$jsonID" "HIGH" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
||||
;;
|
||||
3) fileout "$jsonID" "MEDIUM" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||
3) fileout "$jsonID" "MEDIUM" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
||||
;;
|
||||
6|7) fileout "$jsonID" "OK" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||
6|7) fileout "$jsonID" "OK" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
||||
;; # best ones
|
||||
4) fileout "$jsonID" "LOW" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") (cbc) $limitedsense"
|
||||
4) fileout "$jsonID" "LOW" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") (cbc) $limitedsense"
|
||||
;; # it's CBC. --> lucky13
|
||||
0) pr_warning "default cipher empty" ;
|
||||
if [[ $OSSL_VER == 1.0.2* ]]; then
|
||||
@ -6844,10 +6876,10 @@ run_server_preference() {
|
||||
fi
|
||||
ret=1
|
||||
;;
|
||||
*) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TMPFILE" "string") $limitedsense"
|
||||
*) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
||||
;;
|
||||
esac
|
||||
read_dhbits_from_file "$TMPFILE"
|
||||
read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt"
|
||||
|
||||
if [[ "$cipher0" != $cipher1 ]]; then
|
||||
pr_warning " -- inconclusive test, matching cipher in list missing"
|
||||
@ -6856,39 +6888,6 @@ run_server_preference() {
|
||||
else
|
||||
outln "$limitedsense"
|
||||
fi
|
||||
|
||||
"$FAST" && using_sockets=false
|
||||
[[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
|
||||
|
||||
pr_bold " Cipher per protocol"
|
||||
outln "\n" && neat_header
|
||||
while read proto_ossl proto_hex proto_txt; do
|
||||
pr_underline "$(printf -- "%b" "$proto_txt")"
|
||||
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
|
||||
# the following takes care of that but only if we know the protocol is not supported
|
||||
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
|
||||
outln "\n - "
|
||||
continue
|
||||
fi
|
||||
# TODO: Also the fact that a protocol is not supported seems not to be saved by cipher_pref_check()
|
||||
# (./testssl.sh --wide -p -P -E vs ./testssl.sh --wide -P -E )
|
||||
if [[ $proto_ossl == ssl2 ]] || \
|
||||
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ) || \
|
||||
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ); then
|
||||
if [[ $proto_ossl == ssl2 ]]; then
|
||||
outln " (listed by strength)"
|
||||
elif [[ $proto_ossl == tls1_3 ]]; then
|
||||
outln " (no server order, thus listed by strength)"
|
||||
else
|
||||
prln_svrty_high " (no server order, thus listed by strength)"
|
||||
fi
|
||||
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
||||
else
|
||||
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
|
||||
fi
|
||||
done <<< "$(tm_out " ssl2 22 SSLv2\n ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n tls1_3 04 TLSv1.3\n")"
|
||||
outln
|
||||
|
||||
return $ret
|
||||
# end of run_server_preference()
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user