Commit Graph

1192 Commits

Author SHA1 Message Date
David Cooper 98dc3bfadb Support DH server keys
When `certificate_info()` is given a certificate with a DH public key it displays something like:
```
   Server key size              fixme:  dhKeyAgreement 3072 bits (FIXME: can't tell whether this is good or not)
```

This PR fixes that so that the output is:
```
   Server key size              DH 3072 bits
```
2016-08-25 15:23:53 -04:00
David Cooper aeba340dcb Output correct error for unsupported certificate purpose
This PR is in response to issue #454. I tried repeating the reported problem by creating a certificate in which the extendedKeyUsage extension was present and only included the anyExtendedKeyUsage OID. In running the test, I discovered two problems.

First, when `determine_trust()` is calling `verify_retcode_helper()` to display the reason that path validation failed, it assumes that there are at least two certificate bundles provided. (I was running the test using just one certificate bundle, containing my local root.) So, I changed `determine_trust()` to use `${verify_retcode[1]}` rather than `${verify_retcode[2]}` in the case that all bundles failed (it seems that 2 vs. 1 was an arbitrary choice).

Once that was fixed, testssl.sh output "NOT ok  (unknown, pls report) 26". So, the second thing this PR fixes is to output "NOT ok (unsupported certificate purpose)" if OpenSSL responds with an unsupported certificate purpose error.
2016-08-25 11:41:16 -04:00
David Cooper 12e3a3314a OpenSSL 1.1.0 doesn't have "-no_ssl2" option
With OpenSSL 1.1.0, `s_client -no_ssl2` fails with an "unknown option" error. At the moment the `-no_ssl2` option is only used in two functions, `run_client_simulation()` and `run_crime()`. In `run_crime()`, the `-no_ssl2` option is only included if the OpenSSL version is 0.9.8.

This PR checks whether the OpenSSL version in use supports the `-no_ssl2` option, and if it doesn't, it removes it from the calls to `s_client` in `run_client_simulation()`.
2016-08-24 10:14:12 -04:00
David Cooper 7cfe97f23a Warning on BEAST when no local SSLv3 support
If the version of OpenSSL being used doesn't support `s_client -ssl3` (e.g., OpenSSL 1.1.0), `run_beast()` doesn't display a warning that testing for CBC in SSLv3 isn't locally supported.

This PR adds a "Local problem" warning if the OpenSSL being used doesn't support `s_client -ssl3`.
2016-08-23 12:37:22 -04:00
David Cooper 0fcb2bcb44 Fix SSLv2-only test in determine_optimal_proto()
The test for whether a server only supports SSLv2 was broken, since `$OPTIMAL_PROTO` will be `-ssl2` whether SSLv2 is the only protocol that succeeds or no protocol succeeds.

This PR sets $OPTIMAL_PROTO (or $STARTTLS_OPTIMAL_PROTO) to "" if no protocol succeeds.
2016-08-23 12:29:31 -04:00
David Cooper 38abfeb1e5 Return 0 even if test couldn't be performed 2016-08-23 11:35:03 -04:00
David Cooper 7dd1d15e9a run_ssl_poodle() when OpenSSL doesn't support SSLv3
If the version of OpenSSL being used doesn't support `s_client -ssl3` (e.g., OpenSSL 1.1.0), `run_ssl_poodle()` displays `not vulnerable (OK)` even though it can't test whether the server is vulnerable.

This PR fixes it so that a "Local problem" warning is displayed is `s_client -ssl3` isn't supported.

The PR also removes the `$SNI` from the call to `$OPENSSL s_client` since OpenSSL ignores the `-servername` directive for `-ssl3` anyways.
2016-08-23 11:31:04 -04:00
David Cooper 2b7a77979c Fix "--devel" with SSLv2
If testssl.sh is called with `--devel 22` and the response from `sslv2_sockets()` is not 0, then `tls_sockets()` will be called, and the result of the `tls_sockets()` command will be output rather than the result of the `sslv2_sockets()` command.
2016-08-11 14:40:20 -04:00
David Cooper 358a4082e8 Move printing of results out of sslv2_sockets()
This PR addresses the "FIXME" in `run_protocols()`:
```
      sslv2_sockets                                                    #FIXME: messages/output need to be moved to this (higher) level
```
It also changes `run_drown()` to call `sslv2_sockets()` in order to avoid duplicate code.
2016-08-11 14:16:33 -04:00
David Cooper 50d2ef18ca Replace sockread() with sockread_serverhello()
This PR is in response to issue #352, where it was noted that Bash does not support binary data in strings.

I replaced all calls to `sockread()` with calls to `sockread_serverhello()`, and then, since is now used everywhere and not just to read ServerHello messages, I renamed `sockread_serverhello()` to `sockread()`.

I tested the revised code against several servers, including one that is vulnerable to CCS and Heartbleed, and got the same results as with the current code (although the hexdumps displayed in debug mode differ).

One concern I have is the code in `run_ccs_injection()`. The current code is:
```
     byte6=$(echo "$SOCKREPLY" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//')
     lines=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | count_lines )
     debugme echo "lines: $lines, byte6: $byte6"

     if [[ "$byte6" == "0a" ]] || [[ "$lines" -gt 1 ]]; then
          pr_done_best "not vulnerable (OK)"
...
```
I revised this to:
```
     if [[ -s "$SOCK_REPLY_FILE" ]]; then
          byte6=$(hexdump -ve '1/1 "%.2x"' "$SOCK_REPLY_FILE" | sed 's/^..........//')
          lines=$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE" | count_lines )
          debugme echo "lines: $lines, byte6: $byte6"
     fi
     rm "$SOCK_REPLY_FILE"
     if [[ "$byte6" == "0a" ]] || [[ "$lines" -gt 1 ]]; then
...
```
In the revised code `byte6` is initialized to `0a` so that the response is `not vulnerable (OK)` if `$SOCK_REPLY_FILE` is empty. This has worked okay since for all of the servers that I tested that weren't vulnerable `$SOCK_REPLY_FILE` was empty. Since I haven't seen any other examples, I don't understand why check for vulnerability was written the way it was. So, I'm a bit concerned that the test in the revised code may produce incorrect results now that `hexdump -ve '1/1 "%.2x"' "$SOCK_REPLY_FILE"` is an accurate hexdump of the reply.
2016-08-10 16:14:32 -04:00
David Cooper ba74740613 Merge branch 'master' into server_preference_sslv2_fixes 2016-08-09 10:52:11 -04:00
David Cooper 8a7827436d Merge branch 'master' into more_sslv2_sslv3_fixes 2016-08-09 10:48:49 -04:00
Dirk 424cf233d1 FIX #431 2016-08-09 10:35:58 +02:00
Dirk b0923a1833 - workaround for failed CI test 2016-07-26 22:00:53 +02:00
Dirk b1595c124b - new 1.0.2i binaries with IPv6 and renamed old chacha/poly-ciphers from PM 2016-07-26 21:03:09 +02:00
Dirk c8490c0dea Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-26 20:51:56 +02:00
Dirk 7fb89f8071 - new 1.0.2i binaries with IPv6 and renamed old chacha/poly-ciphers from PM 2016-07-26 20:51:21 +02:00
Dirk Wetter 1d516a2d4d Delete openssl.Linux.i686-krb5 2016-07-26 20:43:02 +02:00
Dirk Wetter 19f2182af1 Delete openssl.Linux.x86_64-krb5 2016-07-26 20:42:48 +02:00
Dirk a0582d70e1 Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-26 20:41:26 +02:00
Dirk d5bda3272f - new 1.0.2i binaries with IPv6 and renamed old chacha/poly-ciphers frpom PM 2016-07-26 20:40:27 +02:00
Dirk Wetter 1c4790b184 Update Readme.md 2016-07-26 20:32:05 +02:00
Dirk Wetter 2e1e45fca0 Update Readme.md 2016-07-26 20:31:20 +02:00
Dirk Wetter 830bc0fb4f Update Readme.md 2016-07-26 20:23:31 +02:00
Dirk Wetter c7afd8e366 Update Readme.md 2016-07-26 20:22:51 +02:00
Dirk 5114a118f2 Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-26 20:18:37 +02:00
Dirk 69e8be6be8 - new 1.0.2i binaries with IPv6 and renamed old chacha/poly-ciphers from PM 2016-07-26 20:16:35 +02:00
David Cooper f9a4ab51b2 Merge branch 'master' into server_preference_sslv2_fixes 2016-07-26 13:36:15 -04:00
David Cooper 1add0f86f9 Merge branch 'master' into more_sslv2_sslv3_fixes
Conflicts:
	testssl.sh
2016-07-26 13:33:49 -04:00
Dirk Wetter 48f2dc20a6 Merge pull request #428 from dcooper16/determine_optimal_proto_ssl2_fix
SSLv2 fixes for determine_optimal_proto()
2016-07-26 18:29:49 +02:00
Dirk Wetter 3f550d14cf Merge pull request #429 from dcooper16/old_openssl_warning
Don't ignore response to old OpenSSL warning
2016-07-26 18:27:33 +02:00
Dirk Wetter 8d3e157e35 Merge pull request #430 from dcooper16/minor_typos
Fix two minor typos
2016-07-26 18:25:39 +02:00
David Cooper 746eab7f6b Fix two minor typos
Fixes for two minor typos that were previously included in PR #345.
2016-07-26 12:07:08 -04:00
David Cooper 72bbdbf49b Remove fixes for minor typos 2016-07-26 12:00:46 -04:00
David Cooper 4ed1f2fc11 Don't ignore response to old OpenSSL warning
In the check for old versions of OpenSSL, the results of the call to `ignore_no_or_lame()` are ignored, and so the program continues even if the user enters `no`.
2016-07-26 11:29:25 -04:00
David Cooper bc6367d3ad Update testssl.sh 2016-07-26 11:21:23 -04:00
David Cooper b43562aabf Update testssl.sh 2016-07-26 11:13:45 -04:00
David Cooper 23d311b1fc SSLv2 fixes for determine_optimal_proto()
This PR makes three changes to `determine_optimal_proto()`:
* It no longer tries an empty string for `$OPTIMAL_PROTO` twice.
* It does not include `-servername` for `-ssl2` or `-ssl3`, since some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options.
* It displays a warning if `$OPTIMAL_PROTO` is `-ssl2`, since some tests in testssl.sh will not work correctly for SSLv2-only servers.
2016-07-26 11:10:20 -04:00
David Cooper e9a2d27af3 Remove determine_optimal_proto() fix 2016-07-26 11:04:43 -04:00
David Cooper d67fff3223 SSLv2 fixes for server preference
This PR addresses two issues related to SSLv2 for "--server-preference" checks.

First, some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options.

Second, the line for extracting the chosen cipher,`cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)`, fails for SSLv2. For SSLv2, the output from `$OPENSSL s_client` is as shown below, and the `cipher=` line extracts the word `between` from `Ciphers common between both SSL endpoints:` rather than `IDEA-CBC-MD5` from `   Cipher    : IDEA-CBC-MD5`.

```
...
Ciphers common between both SSL endpoints:                                                                                                                                                                   
RC4-MD5         RC2-CBC-MD5     IDEA-CBC-MD5                                                                                                                                                                 
DES-CBC-MD5     DES-CBC3-MD5                                                                                                                                                                                 
---                                                                                                                                                                                                          
SSL handshake has read 1191 bytes and written 373 bytes                                                                                                                                                      
---                                                                                                                                                                                                          
New, SSLv2, Cipher is IDEA-CBC-MD5                                                                                                                                                                           
Server public key is 2048 bit                                                                                                                                                                                
Secure Renegotiation IS NOT supported                                                                                                                                                                        
Compression: NONE                                                                                                                                                                                            
Expansion: NONE                                                                                                                                                                                              
No ALPN negotiated                                                                                                                                                                                           
SSL-Session:                                                                                                                                                                                                 
    Protocol  : SSLv2                                                                                                                                                                                        
    Cipher    : IDEA-CBC-MD5
...
```
2016-07-26 10:22:36 -04:00
David Cooper 93ba2e5d65 Remove some server preference fixes 2016-07-26 10:11:22 -04:00
David Cooper 6bd6b8959c Merge branch 'master' into more_sslv2_sslv3_fixes 2016-07-26 08:48:01 -04:00
Dirk Wetter 5a763ff8e1 Merge pull request #424 from dcooper16/run_rc4_ssl2_ciphers
SSLv2 fixes for run_rc4()
2016-07-26 12:08:17 +02:00
Dirk Wetter a8048ccfa0 Merge pull request #425 from dcooper16/test_just_one_ssl2_ciphers
SSLv2 fixes for test_just_one()
2016-07-26 07:54:29 +02:00
David Cooper add75caf82 SSLv2 fixes for test_just_one()
This PR changes test_just_one() to correctly handle SSLv2 ciphers.

As with PR #424, this PR addresses the problem in which servers that do not implement SSLv2, but that implement RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5, or NULL-MD5 are shown as implementing both the SSLv2 and SSLv3 versions of the ciphers, and that any SSLv2 ciphers that a server does implement are not shown as being implemented.
2016-07-25 17:00:49 -04:00
David Cooper db0a6db620 Remove fixes for test_just_one() 2016-07-25 16:54:19 -04:00
David Cooper 43d5ad5071 SSLv2 fixes for run_rc4()
This PR changes run_rc4() to correctly handle SSLv2 ciphers.

It addresses the problem in which servers that do not implement SSLv2, but that implement SSLv3 ciphers that share an OpenSSL name with an SSLv2 cipher (RC4-MD5 and EXP-RC4-MD5), are not incorrectly shown as having implemented the SSLv2 cipher.

It also addresses the problem that if a server does implement SSLv2 with an RC4 SSLv2-cipher suite, then that cipher suite it not shown as being implemented.
2016-07-25 16:42:04 -04:00
David Cooper d2f1e15243 Remove fixes for run_rc4() 2016-07-25 16:30:30 -04:00
David Cooper b142962063 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-07-25 16:24:35 -04:00
Dirk Wetter 9b3cfab5b8 Merge pull request #341 from dcooper16/run_allciphers(),run_cipher_per_proto(),-and-SSLv2
run_allciphers(),run_cipher_per_proto(), and SSLv2
2016-07-25 20:04:14 +02:00