mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-20 23:49:30 +01:00
cleanup of #489
This commit is contained in:
parent
09c19b4654
commit
fd6e2c0682
68
testssl.sh
68
testssl.sh
@ -197,6 +197,7 @@ CLIENT_AUTH=false
|
|||||||
NO_SSL_SESSIONID=false
|
NO_SSL_SESSIONID=false
|
||||||
HOSTCERT=""
|
HOSTCERT=""
|
||||||
HEADERFILE=""
|
HEADERFILE=""
|
||||||
|
HEADERVALUE=""
|
||||||
HTTP_STATUS_CODE=""
|
HTTP_STATUS_CODE=""
|
||||||
PROTOS_OFFERED=""
|
PROTOS_OFFERED=""
|
||||||
TLS_EXTENSIONS=""
|
TLS_EXTENSIONS=""
|
||||||
@ -892,6 +893,30 @@ run_http_date() {
|
|||||||
detect_ipv4
|
detect_ipv4
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# HEADERFILE needs to contain the HTTP header (made sure by invoker)
|
||||||
|
# arg1: key=word to match
|
||||||
|
# arg2: hint for fileout()
|
||||||
|
# output: value after ":"
|
||||||
|
|
||||||
|
detect_headerdups() {
|
||||||
|
local -i nr=$(grep -Faciw "$1:" $HEADERFILE)
|
||||||
|
|
||||||
|
if [[ $nr -gt 1 ]]; then
|
||||||
|
pr_svrty_medium "misconfiguration: $nr headers "
|
||||||
|
pr_italic "$1"
|
||||||
|
out " -- checking first one "
|
||||||
|
out "\n$spaces"
|
||||||
|
# first awk matches the key, second extracts the from the first line the value, be careful with quotes here!
|
||||||
|
HEADERVALUE=$(awk "/$1:/" $HEADERFILE | head -1 | awk "{ sub(/$1:/,\"\"); print }")
|
||||||
|
[[ $DEBUG -ge 2 ]] && pr_italic "$HEADERVALUE" && out "\n$spaces"
|
||||||
|
fileout "$2""_multiple" "WARN" "Multiple $2 headers. Using first header: $HEADERVALUE"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
HEADERVALUE=$(awk "/$1:/" $HEADERFILE | head -1 | awk "{ sub(/$1:/,\"\"); print }")
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
includeSubDomains() {
|
includeSubDomains() {
|
||||||
if grep -aiqw includeSubDomains "$1"; then
|
if grep -aiqw includeSubDomains "$1"; then
|
||||||
pr_done_good ", includeSubDomains"
|
pr_done_good ", includeSubDomains"
|
||||||
@ -924,12 +949,8 @@ run_hsts() {
|
|||||||
pr_bold " Strict Transport Security "
|
pr_bold " Strict Transport Security "
|
||||||
grep -iaw '^Strict-Transport-Security' $HEADERFILE >$TMPFILE
|
grep -iaw '^Strict-Transport-Security' $HEADERFILE >$TMPFILE
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
if ! grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -waq "1" ; then
|
detect_headerdups "Strict-Transport-Security" "HSTS"
|
||||||
pr_svrty_medium "misconfiguration: two HSTS headers"
|
hsts_age_sec=$(sed -e 's/[^0-9]*//g' <<< $HEADERVALUE)
|
||||||
outln " (displaying first one here)."
|
|
||||||
out "$spaces"
|
|
||||||
fi
|
|
||||||
hsts_age_sec=$(sed -e 's/[^0-9]*//g' $TMPFILE | head -1)
|
|
||||||
debugme echo "hsts_age_sec: $hsts_age_sec"
|
debugme echo "hsts_age_sec: $hsts_age_sec"
|
||||||
if [[ -n $hsts_age_sec ]]; then
|
if [[ -n $hsts_age_sec ]]; then
|
||||||
hsts_age_days=$(( hsts_age_sec / 86400))
|
hsts_age_days=$(( hsts_age_sec / 86400))
|
||||||
@ -952,7 +973,7 @@ run_hsts() {
|
|||||||
if includeSubDomains "$TMPFILE"; then
|
if includeSubDomains "$TMPFILE"; then
|
||||||
fileout "hsts_subdomains" "OK" "HSTS includes subdomains"
|
fileout "hsts_subdomains" "OK" "HSTS includes subdomains"
|
||||||
else
|
else
|
||||||
fileout "hsts_subdomains" "WARN" "HSTS only for this domain, consider to include subdomains as well"
|
fileout "hsts_subdomains" "INFO" "HSTS only for this domain"
|
||||||
fi
|
fi
|
||||||
if preload "$TMPFILE"; then
|
if preload "$TMPFILE"; then
|
||||||
fileout "hsts_preload" "OK" "HSTS domain is marked for preloading"
|
fileout "hsts_preload" "OK" "HSTS domain is marked for preloading"
|
||||||
@ -980,33 +1001,20 @@ run_hpkp() {
|
|||||||
local spaces=" "
|
local spaces=" "
|
||||||
local key_found=false
|
local key_found=false
|
||||||
local i
|
local i
|
||||||
local hpkp_headers
|
local hpkp_headers=""
|
||||||
local first_hpkp_header
|
|
||||||
|
|
||||||
if [[ ! -s $HEADERFILE ]]; then
|
if [[ ! -s $HEADERFILE ]]; then
|
||||||
run_http_header "$1" || return 3
|
run_http_header "$1" || return 3
|
||||||
fi
|
fi
|
||||||
#pr_bold " HPKP "
|
|
||||||
pr_bold " Public Key Pinning "
|
pr_bold " Public Key Pinning "
|
||||||
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
|
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
if egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -waq "1" ; then
|
detect_headerdups "Public-Key-Pins" "HPKP"
|
||||||
:
|
hpkp_header=$HEADERVALUE
|
||||||
else
|
|
||||||
hpkp_headers=""
|
#FIXME: we should treat report_only maybe seperately
|
||||||
pr_svrty_medium "multiple HPKP headers: "
|
detect_headerdups "Public-Key-Pins-Report-Only" "HPKP_report_only"
|
||||||
# https://scotthelme.co.uk was a candidate
|
hpkp_header+="$HEADERVALUE "
|
||||||
#FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> egrep -ai -w
|
|
||||||
for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do
|
|
||||||
pr_italic $i
|
|
||||||
hpkp_headers="$hpkp_headers$i "
|
|
||||||
out " "
|
|
||||||
done
|
|
||||||
out "\n$spaces Examining first one: "
|
|
||||||
first_hpkp_header=$(awk -F':' '/Public-Key-Pins/ { print $1 }' $HEADERFILE | head -1)
|
|
||||||
pr_italic "$first_hpkp_header, "
|
|
||||||
fileout "hpkp_multiple" "WARN" "Multiple HPKP headershpkp_headers. Using first header: $first_hpkp_header"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is
|
# remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is
|
||||||
sed -e 's/Public-Key-Pins://g' -e s'/Public-Key-Pins-Report-Only://' $TMPFILE | \
|
sed -e 's/Public-Key-Pins://g' -e s'/Public-Key-Pins-Report-Only://' $TMPFILE | \
|
||||||
@ -1016,7 +1024,7 @@ run_hpkp() {
|
|||||||
tr ' ' '\n' < $TMPFILE.2 >$TMPFILE
|
tr ' ' '\n' < $TMPFILE.2 >$TMPFILE
|
||||||
|
|
||||||
hpkp_nr_keys=$(grep -ac pin-sha $TMPFILE)
|
hpkp_nr_keys=$(grep -ac pin-sha $TMPFILE)
|
||||||
out "# of keys: "
|
out " # of keys: "
|
||||||
if [[ $hpkp_nr_keys -eq 1 ]]; then
|
if [[ $hpkp_nr_keys -eq 1 ]]; then
|
||||||
pr_svrty_high "1 (NOT ok), "
|
pr_svrty_high "1 (NOT ok), "
|
||||||
fileout "hpkp_keys" "NOT ok" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked"
|
fileout "hpkp_keys" "NOT ok" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked"
|
||||||
@ -1211,7 +1219,7 @@ run_application_banner() {
|
|||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
run_cookie_flags() { # ARG1: Path, ARG2: path
|
run_cookie_flags() { # ARG1: Path
|
||||||
local -i nr_cookies
|
local -i nr_cookies
|
||||||
local nr_httponly nr_secure
|
local nr_httponly nr_secure
|
||||||
local negative_word
|
local negative_word
|
||||||
@ -8869,4 +8877,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.552 2016/10/01 08:04:32 dirkw Exp $
|
# $Id: testssl.sh,v 1.553 2016/10/01 20:25:13 dirkw Exp $
|
||||||
|
Loading…
Reference in New Issue
Block a user