1
0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-07-22 13:41:45 +02:00
Commit Graph

2333 Commits

Author SHA1 Message Date
14908bac98 Process supported_groups extension
In TLSv1.3 servers may send a supported_groups extension, which "SHOULD contain all groups the server supports, regardless of whether they are currently supported by the client."

This PR extracts the contents of the supported_groups extension, if `parse_tls_serverhello()` is to process "all" of the server's response. The contents of the extension are also displayed on the terminal if $DEBUG -ge 3.
2017-12-20 10:40:17 -05:00
f53d601325 Merge pull request from dcooper16/tls13_decrypt_response
Decrypt server's TLSv1.3 response
2017-12-20 09:03:36 +01:00
5580aaae1b Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-12-20 09:01:09 +01:00
1488baeac5 Documentation of CA_BUNDLES_PATH
See also 
2017-12-20 09:00:00 +01:00
e8be1f441b Decrypt server's TLSv1.3 response
This PR adds code to decrypt the encrypted portion of the server's response for TLSv1.3 and to then process any certificates and encrypted extensions. This code supports all 5 TLSv1.3 cipher suites, and so any response can be decrypted as long as the session key can be derived (which requires OpenSSL to support the ephemeral key that was used - see ).

For the symmetric decryption, the sym-decrypt() function uses OpenSSL when possible and internal Bash functions when needed.

For AES-GCM and AES-CCM ciphers sym-decrypt() normally uses internal Bash functions, which rely on using "$OPENSSL enc" in AES-ECB mode to generate the key stream and then Bash functionality to XOR the key stream with the ciphertext. With some version of OpenSSL the AES-GCM ciphers are decrypted using "$OPENSSL enc" in AES-GCM mode directly. On my system, however, both methods seem to work about equally fast.

For ChaCha20 ciphers, "$OPENSSL enc -chacha20" is used, if supported (OpenSSL 1.1.x only). and Bash internal functions (without any OpenSSL support) are used otherwise. In this case, if the Bash internal functions need to be used, decryption is very, very, very slow. Fortunately, in a typical run of testssl.sh there won't be many cases in which the connection will be TLSv1.3 with ChaCha20 and the entire response needs to be processed (requiring decryption). In most cases, even if the connection is TLSv1.3 with ChaCha20, will at most need the ephemeral key, which is available in plain text.
2017-12-15 16:40:47 -05:00
33f8a04066 Merge pull request from dcooper16/tls13_derive_session_key
Derive handshake traffic key for TLSv1.3
2017-12-15 13:02:18 +01:00
cfecc3c8c4 Derive handshake traffic key for TLSv1.3
This is the first in a series of PRs to add support for processing the encrypted portions of the server's response in a TLSv1.3 handshake.

This PR adds the code to derive the handshake traffic key needed to decrypt the response (the next PR will add the code to perform the symmetric-key decryption of the encrypted portions of the response).

Since this PR does not make use of the traffic key that it derives, it doesn't yet add any new functionality.

Note that testssl.sh will not always be able to derive the session keys. If the version of OpenSSL that is bundled with testssl.sh is used and the server chooses to use an X25519 ephemeral key, OpenSSL will be unable to perform the shared secret in derive-handshake-traffic-secret(). (OpenSSL 1.1.0 supports X25519.) Since X25519 use a different encoding than ECDH keys, the lack of X25519 support will be discovered in parse_tls_serverhello() when $OPENSSL pkey is unable to convert the key from DER to PEM. So, in debugging mode, parse_tls_serverhello() now displays a warning if it receives a key share that $OPENSSL pkey cannot handle.
2017-12-14 16:55:18 -05:00
1984d7fc90 html version of man page added 2017-12-14 10:25:59 +01:00
c23f47858d Overwrite as a default empty files
This commit tries to address . Empty files can now
be overwritten without exiting with an error.
2017-12-14 10:06:19 +01:00
4339c27659 Merge pull request from dcooper16/fix_certificate_check
Fix check for whether certificates were found
2017-12-13 20:34:19 +01:00
d8839b375b Fix check for whether certificates were found
get_server_certificate() uses an awk script to extract the certificates from the output of OPENSSL s_client and it then uses the following line to determine how many certificates were found:

     nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")

If $nrsaved is 0, then get_server_certificate() returns 1 (indicating failure); otherwise it returns 0 (indicating success).

However, the check for the number of certificates returned doesn't work if no certificates were found, as nrsaved will be set to 1 if no certificates were found:

     > touch level0.crt
     > echo level?.crt
     level0.crt
     > touch level1.crt
     > echo level?.crt
     level0.crt level1.crt
     > rm level0.crt level1.crt
     > echo level?.crt
     level?.crt

This PR fixes the problem by first checking that level0.crt exists (-s is used instead of -e, since an empty file wouldn't have a certificate).
2017-12-13 11:23:41 -05:00
3e73a553f0 Merge pull request from dcooper16/no_pkey
Introduce property global HAS_PEY
2017-12-13 17:19:42 +01:00
cea570836f Check for pkey support
Similar to the recently added HAS_PKUTIL (f829878a43), this PR adds HAS_PKEY, which indicates whether OpenSSL has the pkey utility. HAS_PKEY is then checked before attempting to do something that requires the pkey utility.
2017-12-13 11:01:58 -05:00
69956016b3 CVEs from https://robotattack.org/ added (in JSON) 2017-12-13 13:21:17 +01:00
fe7feda228 Merge pull request from dcooper16/reduce_file_ops
Reduce use of temporary files
2017-12-12 19:41:39 +01:00
5978d37c74 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-12-12 19:41:07 +01:00
f829878a43 Introduce property global HAS_PKUTIL 2017-12-12 19:37:33 +01:00
274d8a8b3a Reduce use of temporary files
This PR reduces testssl.sh's use of temporary files by making greater use of pipes. This results in a very slight performance improvement.
2017-12-12 11:51:15 -05:00
97b7f9c923 Merge pull request from dcooper16/correct_title
Correct comment
2017-12-12 16:41:09 +01:00
4a209cceb4 Correct comment
The comment at the beginning of the run_robot() function uses the wrong title for the paper. This PR fixes the title and adds a URL.
2017-12-12 10:25:44 -05:00
8f597f7077 Merge pull request from dcooper16/Bleichenbacher
Test for vulnerability to Bleichenbacher attack
2017-12-12 15:58:24 +01:00
5de873f8bc Test for vulnerability to Bleichenbacher attack
This PR adds a test to check whether a server that supports ciphers suites that use RSA key transport (TLS_RSA) are vulnerable to Bleichenbacher attacks (see http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf).
2017-12-12 09:51:48 -05:00
7e62dc3192 Merge pull request from seccubus/json_footer_breaks_json
JSOn output is broken by the JSON footer in combination with mass mode
2017-12-07 09:59:58 +01:00
393e4fb920 JSON output fixed in --parallel too 2017-12-06 21:54:59 +01:00
3eb402a3d5 JSOn output is broken by the JSON footer in combination with mass mode 2017-12-06 16:10:53 +01:00
2a0a0475ab Fix for POP3, Robustness for STARTTLS
POP3 STARTTLS handshakes were often unsuccessful as
a regex wasn't properly escaped.

Furthermore if a STARTTLS handshake doesn't succeed, there's
a warning now.
2017-12-06 12:24:26 +01:00
9e1ed1c9cf Add check for -oA in nma greppable output 2017-12-06 10:23:24 +01:00
f92d3988af Better consistency (cipher coloring)
Especially for yellow=low the key exchange is considered
to be equal now. That needs to be subject to reconsideration.
2017-12-04 21:53:39 +01:00
cf89488ab9 Merge pull request from dcooper16/color_all_ciphers
Color all ciphers
2017-12-04 21:12:01 +01:00
7f6ff5db3b Sloppy try to address in the worst cases of wrong coloring of ciphers
See pending PR  / issue .

There's still lots of work needed and probably the function
needs to be completely rewritten and to be in sync with
other parts of the program.
2017-12-04 21:06:47 +01:00
0c779d1684 proper indentation of "client-based" in service detection
Also correct "based" to "-based" (Marriam-Webster + Oxford Dict.)
where appropriate.
2017-12-04 17:14:06 +01:00
721ca1e45c Fix regression in HTTP header
This PR fixes one odd formatting of header flags like X-Frame-Options,
where the output header maybe contained a LF "\r". X-XSS-Protection was
also not correctly formatted due to the fact that only a part of it until
the blank was displayed.

Also the file output may contain now 1x less blank, e.g.

"X-Content-Type-Options: nosniff" instead of
"X-Content-Type-Options:  nosniff"
2017-12-04 15:47:45 +01:00
853b8333e3 Color all ciphers
This PR adds an additional COLOR level (3). If color is set to 3 then all ciphers are printed according to pr_cipher_quality() rather than just the "Negotiated cipher" in run_server_preference().
2017-12-04 09:18:27 -05:00
868e872dc6 Merge pull request from dcooper16/reduce_alert_processing
Reducing processing of alert messages
2017-12-04 14:33:29 +01:00
e516ba1b9d Update ISSUE_TEMPLATE.md 2017-12-04 14:04:41 +01:00
4aec5664d5 introducing sentence added 2017-12-04 13:59:12 +01:00
a9e1ca4440 Delete .issue_template 2017-12-04 13:55:52 +01:00
3150cfed0e new issue template 2017-12-04 13:54:55 +01:00
374fb2a85c Create .issue_template 2017-12-04 13:48:37 +01:00
b6a022d84f Reducing processing of alert messages
This PR reduces the amount of work parse_tls_serverhello() does when processing alert messages when not in debug mode. It delays writing anything to $TMPFILE unless $DEGUG -ge 1 until it has reason to believe that the response was successful. If $DEBUG is 0 and alert messages are sent, then no file operations are performed processing the alert messages.

In almost every case, there is no attempt to look at the contents of $TEMPDIR/$NODEIP.parse_tls_serverhello.txt unless the connection was successful. So, in most cases, it is okay to not call tmpfile_handle() in parse_tls_serverhello() unless the connection was successful. There is, however. one place in run_grease() where the code reads the contents of $TEMPDIR/$NODEIP.parse_tls_serverhello.txt even if the connection was not successful. In order to address this, the DEBUG level is temporarily set to 1 when performing this test if its value is 0. Also in order to address this, changes were made in parse_tls_serverhello() to ensure that "tmpfile_handle $FUNCNAME.txt" is always called before returning if $DEBUG -ge 1.
2017-12-01 15:45:36 -05:00
62f925a1bc Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-12-01 21:21:22 +01:00
137f2fa3c3 Merge pull request from dcooper16/client_auth_and_assume_http
HTTP-related checks and certificate based client authentication
2017-12-01 21:19:23 +01:00
9c8fa5419d Merge pull request from dcooper16/check_version
Compare selected version against supported_versions
2017-12-01 21:03:52 +01:00
dda07cd1d0 commenting 2017-12-01 21:02:03 +01:00
4be759afea Merge pull request from sdann/mysql_read_timeout
Reduce read timeout for MySQL back to 1 second
2017-12-01 20:54:37 +01:00
99d12434dd fix strip_*_space() 2017-12-01 20:09:16 +01:00
1ba4b395ff HTTP-related checks and certificate based client authentication
If certificate-based client authentication is required by the server, then most HTTP-related checks are skipped, even if the "--assume-http" flag is used. If $CLIENT_AUTH is true, then $ASSUME_HTTP is ignored.

In some cases the checks are appropriately skipped, since the tests cannot be performed. In other places, the value of "$CLIENT_AUTH" is used as a hint as to whether HTTP is being used. For example, in run_tickbleed:

     if [[ "$SERVICE" != HTTP ]] && ! "$CLIENT_AUTH"; then
          outln "--   (applicable only for HTTPS)"
          fileout "ticketbleed" "INFO" "Ticketbleed: not applicable, not HTTP" "$cve" "$cwe"
          return 0
     fi

There are some places, however, where tests are just skipped, even if both $CLIENT_AUTH and $ASSUME_HTTP are true, even though the test could be performed. For example, run_client_simulation() only simulates generic clients in this case.

This PR attempts to address this:
* In run_client_simulation() it runs all of the tests if $ASSUME_HTTP is true.
* In certificate_transparency() it only says that the lack of CT information is "N/A" it can verify that HTTP is not being used (if $SERVICE is not HTTP and $CLIENT_AUTH is false). Otherwise it just says "no" without flagging it as an issue.
* In certificate_info() it displays additional warnings (about use of SHA-1 or subjectAltName matching) only if it can verify that HTTP is being used ($SERVICE is HTTP or $ASSUME_HTTP is true).
* In run_crime(), if compression is used, it only says " but not using HTTP" if it can verify that HTTP is not being used (if $SERVICE is not HTTP and $CLIENT_AUTH is false).
2017-12-01 10:58:06 -05:00
76c75ae8f9 Replace external calls with Bash functions 2017-12-01 10:31:30 -05:00
74c1a6bcb3 Compare selected version against supported_versions
If a supported_versions extension was included in the ClientHello, then check that the version returned by the server was included in the ClientHello's supported_versions extension.

OpenSSL will respond to a TLSv1.3 ClientHello that only specifies 0304 in its supported_versions extension with a ServerHello that specifies whatever draft of TLSv1.3 it currently supports (e.g., 7F16). The result is that run_protocols() incorrectly reports that OpenSSL supports TLSv1.3 "final" in addition to whatever draft version it supports.

This PR fixes that problem by treating it as a failed connection when the ClientHello offers only 0304 and the ServerHello specifies something else (e.g., 7F16).

Performing this check is actually a requirement for clients in Section 4.2.1 of draft-ietf-tls-tls13-22. So, including this check will also help make client simulations more accurate when clients that support TLSv1.3 are added to client-simulation.txt.
2017-12-01 10:31:29 -05:00
851030ea8f Fixes in headers
- double word match: Content-Security-Policy matched also X-Content-Security-Policy
- X-UA-Compatible always appeared twice
2017-12-01 13:31:43 +01:00