Address 4xx after STARTTLS handshake seems to have succeeded

In certain cases (see e.g. #939) the server side "kind of" falls back
from a TLS channel to the underlying plaintext STARTTLS with a 5xx
or 4xx.

This PR adds the detection of 4xx for all protocols (if STARTTLS has been
used) and labels the detection as "likely not av" (and keeps the warning). This
leads to two JSON/CSV objects in those cases.

The detection isn't quite perfect as the issue #939 shows the first
TLS message fragment resembles a TLS alert.

As a side effect it also drops the "rerun with DEBUG>=2" recommendation when the
debug level is already high enough for the extra output to have been shown.
This commit is contained in:
Dirk 2018-03-21 12:36:25 +01:00
parent 50f7c93046
commit ffd89f8dea


@ -1036,7 +1036,9 @@ hex2dec() {
# convert 414243 into ABC # convert 414243 into ABC
hex2ascii() { hex2ascii() {
for (( i=0; i<${#1}; i+=2 )); do for (( i=0; i<${#1}; i+=2 )); do
printf "\x${1:$i:2}" # 2>/dev/null added because 'warning: command substitution: ignored null byte in input'
# --> didn't help though
printf "\x${1:$i:2}" 2>/dev/null
done done
} }
@ -4394,8 +4396,7 @@ run_protocols() {
local key_share_extn_nr="$KEY_SHARE_EXTN_NR" local key_share_extn_nr="$KEY_SHARE_EXTN_NR"
local lines nr_ciphers_detected local lines nr_ciphers_detected
local tls13_ciphers_to_test="" local tls13_ciphers_to_test=""
local drafts_offered="" local drafts_offered="" debug_recomm=""
local debug_recomm=", rerun with DEBUG>=2"
local -i ret=0 subret=0 local -i ret=0 subret=0
local jsonID="SSLv2" local jsonID="SSLv2"
@ -4413,6 +4414,7 @@ run_protocols() {
fi fi
fi fi
outln outln
[[ "$DEBUG" -le 1 ]] && debug_recomm=", rerun w DEBUG>=2 or --ssl-native"
pr_bold " SSLv2 "; pr_bold " SSLv2 ";
if ! "$SSL_NATIVE"; then if ! "$SSL_NATIVE"; then
@ -4439,9 +4441,11 @@ run_protocols() {
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered ssl2 no add_tls_offered ssl2 no
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm" 4) out "likely "; pr_svrty_best "not offered (OK), "
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)" fileout "$jsonID" "OK" "likely not offered"
((ret++)) add_tls_offered ssl2 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
3) lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)") 3) lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
[[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) " [[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) "
@ -4517,8 +4521,11 @@ run_protocols() {
fi fi
fi fi
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm" 4) out "likely "; pr_svrty_best "not offered (OK), "
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)" fileout "$jsonID" "OK" "not offered"
add_tls_offered ssl3 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) pr_svrty_high "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl 5) pr_svrty_high "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "HIGH" "$supported_no_ciph1" fileout "$jsonID" "HIGH" "$supported_no_ciph1"
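Review bot: The exported finding on the new side of this case, `fileout "$jsonID" "OK" "not offered"`, drops the "likely" qualifier that the screen text and the SSLv2 and TLS 1 cases keep, so a JSON/CSV consumer sees a definite SSLv3 "not offered" rated OK although the scanner only observed a plaintext 4xx/5xx after STARTTLS and never completed a handshake. A 4xx is by convention a temporary failure (connection or rate limits), so a server that still speaks SSLv3 could be recorded as clean on that run; the TLS 1.1, 1.2 and 1.3 cases have the same issue with `"is not offered"` and `"not offered"`. Suggest `fileout "$jsonID" "OK" "likely not offered"` here and the same wording in the other protocol cases, so the uncertainty survives into the machine-readable result next to the WARN object, and consider INFO instead of OK since nothing was verified. A short comment on `add_tls_offered ssl3 no` noting that it records an unverified result would also help, because if later checks consult that table (not visible here) they would skip SSLv3 after a mere tempfail. run_protocols starts and ends outside this hunk.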
@ -4581,8 +4588,11 @@ run_protocols() {
fi fi
fi fi
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm" 4) out "likely not offered, "
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)" fileout "$jsonID" "INFO" "likely not offered"
add_tls_offered tls1 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl 5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "INFO" "$supported_no_ciph1" fileout "$jsonID" "INFO" "$supported_no_ciph1"
@ -4649,8 +4659,11 @@ run_protocols() {
fi fi
fi fi
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm" 4) out "likely not offered, "
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)" fileout "$jsonID" "INFO" "is not offered"
add_tls_offered tls1_1 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl 5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "INFO" "$supported_no_ciph1" fileout "$jsonID" "INFO" "$supported_no_ciph1"
@ -4728,8 +4741,11 @@ run_protocols() {
fi fi
fi fi
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm" 4) out "likely "; pr_svrty_medium "not offered, "
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)" fileout "$jsonID" "MEDIUM" "not offered"
add_tls_offered tls1_2 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) outln "$supported_no_ciph1" # protocol detected, but no cipher --> comes from run_prototest_openssl 5) outln "$supported_no_ciph1" # protocol detected, but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "INFO" "$supported_no_ciph1" fileout "$jsonID" "INFO" "$supported_no_ciph1"
@ -4873,8 +4889,11 @@ run_protocols() {
fi fi
add_tls_offered tls1_3 no add_tls_offered tls1_3 no
;; ;;
4) pr_fixme "signalled a 5xx after STARTTLS handshake"; outln "$debug_recomm" 4) out "likely not offered, "
fileout "$jsonID" "WARN" "received 5xx after STARTTLS handshake reply (rerun with DEBUG>=2)" fileout "$jsonID" "INFO" "not offered"
add_tls_offered tls1_3 no
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl 5) outln "$supported_no_ciph1" # protocol detected but no cipher --> comes from run_prototest_openssl
fileout "$jsonID" "INFO" "$supported_no_ciph1" fileout "$jsonID" "INFO" "$supported_no_ciph1"
@ -9840,9 +9859,9 @@ parse_tls_serverhello() {
tmln_out tmln_out
fi fi
if [[ $tls_content_type == "35" ]] && "$do_starttls"; then if "$do_starttls" && ( [[ $tls_content_type == 35 ]] || [[ $tls_content_type == 34 ]] ); then
# this could be a 500/5xx for some weird reason where the STARTTLS handshake failed # STARTTLS handshake failed and server replied plaintext with a 5xx or 4xx
debugme echo "$(hex2ascii "$tls_hello_ascii")" [[ $DEBUG -ge 2 ]] && printf "%s\n" "$(hex2ascii "$tls_hello_ascii" 2>/dev/null)"
[[ $DEBUG -ge 1 ]] && tmpfile_handle $FUNCNAME.txt [[ $DEBUG -ge 1 ]] && tmpfile_handle $FUNCNAME.txt
return 4 return 4
elif [[ $tls_content_type != "14" ]] && [[ $tls_content_type != "15" ]] && \ elif [[ $tls_content_type != "14" ]] && [[ $tls_content_type != "15" ]] && \