Commit Graph

1607 Commits

Author SHA1 Message Date
David Cooper ed3ecdd524 Reorganize run_server_defaults()
This function reorganizes `run_server_defaults()` based on the suggestion in #515.

The current `determine_tls_extensions()` is renamed to `get_server_certificate()`, and two changes are made to it:
*it no longer includes an extra call to `$OPENSSL s_client` to check for the ALPN extension; and
* rather than setting `$TLS_EXTENSIONS` to be the extensions found during this call to the function, it adds any newly found extensions to those already in `$TLS_EXTENSIONS`.

The PR then adds a new function, `determine_tls_extensions()`, which borrows some logic from the old `determine_tls_extensions()`, but this new `determine_tls_extensions()` only looks for additional TLS extensions, including ALPN.

`run_server_defaults()` makes multiple calls to `get_server_certificate()` (as it previously did to `determine_tls_extensions()`) in order to collect all of the server's certificates, and then it makes one call to `determine_tls_extensions()`, which checks for support for extensions that were not checked for by `get_server_certificate()` (e.g., ALPN, extended master secret, signed certificate timestamps).

The new `determine_tls_extensions()` will check for most of the extensions that are checked for by 
`run_server_defaults()`, including the heartbeat extension, so the call to `determine_tls_extensions()` from `run_heartbleed()` will still work.
2016-11-21 14:26:19 -05:00
David Cooper f4529df263 More fixes for missing cipher mapping file
> The dh_bits are still not shown, maybe because of #531.

This PR fixes the issue of dh_bits not being shown if the cipher-mapping.txt file is missing. The problem is that the code in `parse_tls_serverhello()` that parses the ServerKeyExchange message assumes that `$rfc_cipher_suite` has the RFC version of the name the cipher suite. However, if the cipher-mapping.txt file is missing, `$rfc_cipher_suite` will have the OpenSSL name of the cipher suite. This PR changes the code to recognize either the RFC or OpenSSL names for ciphers with ephemeral DH or ECDH keys.
2016-11-21 11:30:01 -05:00
Dirk Wetter 7a418ed9c8 Update CREDITS.md 2016-11-21 09:06:21 +01:00
Dirk Wetter 822c3c6cd0 Update CREDITS.md 2016-11-21 09:05:56 +01:00
Dirk Wetter 2c10c622a0 Update Readme.md 2016-11-21 08:57:50 +01:00
Dirk Wetter e60180d0ea Merge pull request #522 from dcooper16/faster_run_allciphers
Faster version of run_allciphers()
2016-11-20 10:41:26 +01:00
Dirk Wetter b22bde8ce0 Merge pull request #521 from dcooper16/no_pkey
OpenSSL 0.9.8 does not support the pkey command
2016-11-20 09:45:32 +01:00
Dirk Wetter a9f8411160 Merge pull request #523 from dcooper16/missing_mapping_file
Additional fixes for no cipher mapping file
2016-11-19 22:39:10 +01:00
Dirk Wetter e0f7bc4062 Merge pull request #529 from dcooper16/parse_tls_serverhello6
Extend TLS ServerHello parsing (part 6)
2016-11-19 22:26:56 +01:00
Dirk Wetter 0d74b798fb Merge pull request #528 from dcooper16/parse_tls_serverhello5
Extend TLS ServerHello parsing (part 5)
2016-11-19 22:25:26 +01:00
Dirk Wetter cb7163e186 Merge pull request #524 from dcooper16/neat_list_Camellia_GCM
Fix neat_list() for Camellia GCM
2016-11-19 20:18:31 +01:00
David Cooper d02a0af8af Extend TLS ServerHello parsing (part 6)
This PR extends `tls_sockets()` by parsing the contents of the ALPN and NPN extensions, if the "full" response is being processed.
2016-11-18 12:09:07 -05:00
David Cooper 403a5c5b1e Extend TLS ServerHello parsing (part 5)
When `tls_sockets()` is used with the "full" option and the chosen cipher suite involves an ephemeral finite-field DH key (DH), this PR extracts the public key from the ServerKeyExchange message and adds it to `$TMPFILE`. In addition (and the primary reason for this PR), it compares the ephemeral public key's parameters to those specified in RFC 7919, and indicates whether one the groups from that RFC was used. This will allow `run_pfs()` to be extended to indicate which, if any, RFC 7919 DH groups a server supports.
2016-11-18 10:19:44 -05:00
AlGreed d1ff5449b9 spelling fixed 2016-11-18 00:44:24 +01:00
AlGreed eb86467b50 Merge branch 'drwetter/2.9dev' into 2.9dev 2016-11-17 23:27:50 +01:00
AlGreed f7cf3552f0 Fixed some bugs; added CVE, CWE and hint fields. 2016-11-17 23:27:27 +01:00
David Cooper 64f56e899b Merge branch '2.9dev' into no_pkey 2016-11-17 13:52:44 -05:00
David Cooper 05b8010526 Merge branch '2.9dev' into faster_run_allciphers 2016-11-17 13:51:16 -05:00
David Cooper ae3d5cfad9 Merge branch '2.9dev' into missing_mapping_file 2016-11-17 13:49:56 -05:00
David Cooper cdd127fe44 Merge branch '2.9dev' into neat_list_Camellia_GCM 2016-11-17 13:48:41 -05:00
Dirk Wetter 127bc243f9 Merge pull request #526 from dcooper16/parse_tls_serverhello4
Extend TLS ServerHello parsing (part 4)
2016-11-17 19:30:01 +01:00
David Cooper a18dd45f1f Extend TLS ServerHello parsing (part 4)
This PR adds parsing of the CertificateStatus message to `parse_tls_serverhello()`. If the caller requests that the "full" response be parsed, then the CertificateStatus message is parsed, and the OCSP response is added to $TMPFILE, in a manner similar to the output of `$OPENSSL s_client` when the `-status` option is used.
2016-11-17 12:04:24 -05:00
David Cooper 496957720e Fix neat_list() for Camellia GCM
The string "CamelliaGCM" is too long for the "Encryption" column printed by `neat_list()`. So, either "CamelliaGCM" needs to be shortened to "Camellia" (as this PR does), or the "Encryption" column needs to be made wider.
2016-11-16 09:07:52 -05:00
David Cooper 3c107b543e Additional fixes for no cipher mapping file
Client simulations can still use sockets even if the cipher mapping file is missing. If the cipher file is present, then `parse_tls_serverhello()` write the RFC name for the cipher and then `run_client_simulation()` converts that to the OpenSSL name (so that the output is the same as if OpenSSL were used).  This PR changes `parse_tls_serverhello()` so that it writes the OpenSSL name for the cipher if the mapping file is missing, which `run_client_simulation()` can then just display.

This PR also unsets `ADD_RFC_STR` if the mapping file is missing, so that `neat_list()` won't try to display the RFC names for the ciphers.
2016-11-15 15:55:54 -05:00
David Cooper b0ac21fe31 Add two missing OpenSSL cipher names 2016-11-15 15:13:09 -05:00
David Cooper 46e9e99437 Merge branch '2.9dev' into faster_run_allciphers
Conflicts:
	testssl.sh
2016-11-15 15:06:24 -05:00
David Cooper 96caa6c302 Merge branch 'no_pkey' of https://github.com/dcooper16/testssl.sh into no_pkey 2016-11-15 14:53:33 -05:00
David Cooper ea10f1ee93 Faster version of run_allciphers()
This PR speeds up the implementation of `run_allciphers()` by introducing a number of changes:

* Rather than check for implemented ciphers in a hierarchical manner (as introduced in #326), this PR follows the approach of `cipher_pref_check()`. Testing a block of ciphers, marking the selected cipher as implemented, and then testing same block of ciphers, minus those that have previously been selected, until a test fails. Thus the number of calls to `$OPENSSL s_client` is just one more than the number of ciphers implemented. (Since some servers cannot handle ClientHellos with more than 128 messages, the tests are performed on blocks of 128 or few ciphers. So, if OpenSSL supports 197 ciphers, the number of calls to `$OPENSSL s_client` is 2 plus the number of ciphers supported by the server.

* If $using_sockets is true, then OpenSSL is used first to find all supported ciphers that OpenSSL supports (since OpenSSL is faster than `tls_sockets()`), and then `tls_sockets()` is only used to test those cipher suites that were not found to be supported by OpenSSL.

* The `prepare_debug()` function, which reads in `$CIPHERS_BY_STRENGTH_FILE` determines which ciphers are supported by the version of OpenSSL being used. If a version of OpenSSL older than 1.0 is being used, then this is used to determine which ciphers to test using OpenSSL rather than using `$OPENSSL ciphers -V`.

Following the approach of `cipher_pref_check()` reduces the number of queries to the server. Using OpenSSL before `tls_sockets()` reduces the number of calls to `tls_sockets()` to 3 plus the number of ciphers supported by the server that are not supported by OpenSSL, so the cost penalty over just using OpenSSL is fairly small.
2016-11-15 14:45:50 -05:00
David Cooper 8ad9e45acf OpenSSL 0.9.8 does not support the pkey command
The `tls_sockets()` and `sslv2_sockets()` use `get_pub_key_size()` to extract the size of the server's public key if the full response is being processed, and `get_pub_key_size()` uses `$OPENSSL pkey` to extract the server's public key from the certificate. However, OpenSSL 0.9.8 does not support the "pkey" command. This PR changes `get_pub_key_size()` to suppress the error message displayed by OpenSSL when the "pkey" command is not supported.
2016-11-15 11:32:30 -05:00
Dirk 08384920a9 Cipher mapping externalized by using David's extended mapping. Also implemented warnings
and fallback to openssl if this file cannot be found and thus sockets can't be used
2016-11-15 15:20:48 +01:00
Dirk e8ce1fcb74 emphasize that we're using sockets in run_allciphers -- unless otherwise requested 2016-11-15 13:09:41 +01:00
Dirk d4ed7466ce introducing --fast for the impatient 2016-11-15 12:59:07 +01:00
Dirk Wetter 37933d6fa1 Merge pull request #512 from dcooper16/run_allciphers_sockets
Use tls_sockets() in run_allciphers()
2016-11-15 12:54:15 +01:00
Dirk Wetter cb53723dff Merge pull request #515 from dcooper16/find_more_extensions
Find more extensions in run_server_defaults()
2016-11-15 10:24:00 +01:00
Dirk Wetter 1d995428e1 Merge pull request #517 from dcooper16/parse_tls_serverhello3
Extend TLS ServerHello parsing (part 3)
2016-11-15 08:17:48 +01:00
David Cooper 1a042d5dba Merge branch '2.9dev' into parse_tls_serverhello3 2016-11-09 17:29:20 -05:00
David Cooper 28e4984f8a Merge branch '2.9dev' into find_more_extensions 2016-11-09 17:28:32 -05:00
David Cooper 7ff9f13b12 Merge branch '2.9dev' into run_allciphers_sockets 2016-11-09 17:27:00 -05:00
Dirk Wetter 83d2bb0241 Merge pull request #514 from dcooper16/fix_x25519_2.9dev
Curve X25519 fixes for 2.9dev
2016-11-09 21:29:29 +01:00
Dirk 36134e3040 Merge branch 'dcooper16-fix_x25519' into 2.9dev 2016-11-09 21:18:39 +01:00
Dirk fc3db43948 Merge branch 'fix_x25519' of https://github.com/dcooper16/testssl.sh into dcooper16-fix_x25519 2016-11-09 21:18:09 +01:00
David Cooper a97ca32568 Extend TLS ServerHello parsing (part 3)
This PR adds parsing of the Certificate message to `parse_tls_serverhello()`. If the caller requests that the "full" response be parsed, then the Certificate message is parsed, the server's certificate is placed in $HOSTCERT and the intermediate certificates are placed in  $TEMPDIR/intermediatecerts.pem. The certificates are also added to $TMPFILE, in a manner similar to the output of `$OPENSSL s_client` when the `-showcerts` option is used.
2016-11-09 13:41:36 -05:00
David Cooper 3a68e5b937 Find more extensions in run_server_defaults()
This PR uses `tls_sockets()` to determine whether a server supports certain extensions that may not be supported by `$OPENSSL`. At the moment it checks for max_fragment_length, client_certificate_url, truncated_hmac, ALPN, signed_certificate_timestamp, encrypt_then_mac, and extended_master_secret.

In https://github.com/dcooper16/testssl.sh/blob/extended_tls_sockets/testssl.sh, `run_server_defaults()` is re-written to use `tls_sockets()` instead of `$OPENSSL`, with just one call to `$OPENSSL s_client` to get the session ticket, which reduces the dependence on `$OPENSSL`, but this PR limits the number of calls to `tls_sockets()`, which is still slow.

Note: I included ALPN in the `tls_sockets()` ClientHello since a single call to `tls_sockets()` cannot test for both NPN and ALPN, and since support for NPN was added to OpenSSL before support for ALPN was added, I figured it was more likely that `determine_tls_extensions()` had already determined whether the server supported NPN.
2016-11-08 12:36:25 -05:00
David Cooper 64a96c8388 Curve X25519 fixes for 2.9dev
This PR fixes the same issues as were fixed in PR #513, but also makes two changes to `parse_tls_serverhello()`:

* It changes the number of bits for curve X25519 from 256 to 253 to match OpenSSL.

* It removes the "ECDH, " from the "Server Temp Key: " line in order to match OpenSSL's output.
2016-11-08 10:20:48 -05:00
David Cooper 43b35b8cc2 Curve X25519 fixes
This PR fixes two issues related to curve X25519.

First, while OpenSSL 1.1.0 supports curve X25519, it is not included in the output of `$OPENSSL ecparam -list_curves`. I tried several versions of OpenSSL (and one version of LibreSSL), and every version output either "Error with command" or "unknown option" in response to `$OPENSSL s_client -curves $curve` if it either did not support the `-curves` option or did not support `$curve`. (When the `-curve` option was supported with `$curve`, a "connect" error was output.)

The second issue is that the "Server Temp Key" line in the output of `s_client` is different for curve X25519. For other elliptic curves, the output is
```
Server Temp Key: ECDH, P-256, 256 bits
```
For X25519 it is:
```
Server Temp Key: X25519, 253 bits
```
So, `read_dhbits_from_file()` needs to allow for `$what_dh` being "X25519" rather than "ECDH" and `run_pfs()` needs to allow for the possibility that the curve name will be the first field rather than the second.
2016-11-08 10:10:14 -05:00
David Cooper facf34391f Merge branch '2.9dev' into run_allciphers_sockets 2016-11-08 08:43:24 -05:00
Dirk 9ea5cf8698 minor 2016-11-07 23:52:58 +01:00
Dirk e9edc5fb5a update 2016-11-07 21:05:21 +01:00
Dirk 4f99d9d658 update 2016-11-07 21:03:45 +01:00
David Cooper 66c855f54b Merge branch '2.9dev' into run_allciphers_sockets 2016-11-07 13:50:58 -05:00