David Cooper 
							
						 
					 
					
						
						
							
						
						83472301bc 
					 
					
						
						
							
							Don't "echo" the prime to the terminal  
						
						
						
						
					 
					
						2016-12-30 11:33:27 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						62aee8f846 
					 
					
						
						
							
							Remove leading "00" byte from prime, if present  
						
						
						
						
						The primes in https://svn.nmap.org/nmap/scripts/ssl-dh-params.nse do not include a leading "00" byte, so don't include it in `$dh_p`. 
						
						
					 
					
						2016-12-30 11:32:41 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						c0c041b1c2 
					 
					
						
						
							
							Merge branch '2.9dev' into run_std_cipherlists_sockets  
						
						
						
						
					 
					
						2016-12-29 16:59:58 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						5e5199ddb5 
					 
					
						
						
							
							Merge branch '2.9dev' into run_freak_sockets  
						
						
						
						
					 
					
						2016-12-29 16:58:22 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						3b54ac398e 
					 
					
						
						
							
							Merge branch '2.9dev' into run_ssl_poodle_sockets  
						
						
						
						
					 
					
						2016-12-29 16:57:31 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						99290ea1a5 
					 
					
						
						
							
							Merge branch '2.9dev' into run_beast_sockets  
						
						
						
						
					 
					
						2016-12-29 16:56:08 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						a094acc155 
					 
					
						
						
							
							Merge branch '2.9dev' into run_server_preference_sockets  
						
						
						
						
					 
					
						2016-12-29 16:54:05 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						7116d1bbdf 
					 
					
						
						
							
							Merge branch '2.9dev' into cipher_order_sockets  
						
						
						
						
					 
					
						2016-12-29 16:52:50 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						b7ff8a1ee3 
					 
					
						
						
							
							Add extra check  
						
						
						
						
					 
					
						2016-12-29 16:45:46 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						e931ebf6b4 
					 
					
						
						
							
							Merge branch '2.9dev' into extend_logjam_phase_1  
						
						
						
						
					 
					
						2016-12-29 16:43:44 -05:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						e8e60e368f 
					 
					
						
						
							
							Merge pull request  #568  from dcooper16/test_just_one_sockets  
						
						
						
						
						test_just_one() sockets 
						
						
					 
					
						2016-12-29 22:38:35 +01:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						ec3a644c4d 
					 
					
						
						
							
							Common primes test phase 1  
						
						
						
						
						In response to your request in #572, this PR provides a starting point for addressing #120. It adds code to `run_logjam()` to try connecting to the server using any cipher that uses an ephemeral DH key. If successful, it gets the server's ephemeral key (in OpenSSL's PEM format) and then extracts the prime from the key and places it in `$dh_p`. So, all that needs to be done at this point is to compare `$dh_p` against a set of "bad" primes. I'm not sure if I'll be able to work on that part soon, so if someone else has the time, that would be great.
I actually found the `-msg` option easy to use. I moved the code in `parse_tls_serverhello()` that extracts the DH ephemeral public key from the ServerKeyExchange message into a separate function. Then, if using OpenSSL with the `-msg` option, I extract the ServerKeyExchange message from `$TMPFILE` and call this new function to extract the key and convert it to PEM format. That way the new code in `run_logjam()` can use either `$OPENSSL` or `tls_sockets()`. 
						
						
					 
					
						2016-12-29 16:31:42 -05:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						5627211add 
					 
					
						
						
							
							Merge pull request  #556  from dcooper16/run_pfs_sockets  
						
						
						
						
						run_pfs() speedup + sockets 
						
						
					 
					
						2016-12-29 22:18:28 +01:00 
						 
				 
			
				
					
						
							
							
								Dirk 
							
						 
					 
					
						
						
							
						
						c3b300c5fb 
					 
					
						
						
							
							- cleanup ignore_no_or_lame()  
						
						
						
						
						- reorder get_install_dir in main() so that warnings are not displayed before --help
- tweak missing ~/etc msg 
						
						
					 
					
						2016-12-29 22:02:07 +01:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						3884f30821 
					 
					
						
						
							
							Merge branch '2.9dev' into run_std_cipherlists_sockets  
						
						
						
						
					 
					
						2016-12-29 11:58:38 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						912db2fc95 
					 
					
						
						
							
							Merge branch '2.9dev' into run_freak_sockets  
						
						
						
						
					 
					
						2016-12-29 11:57:43 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						f0f3918b0f 
					 
					
						
						
							
							Merge branch '2.9dev' into run_ssl_poodle_sockets  
						
						
						
						
					 
					
						2016-12-29 11:56:43 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						9513ed4d99 
					 
					
						
						
							
							Merge branch '2.9dev' into test_just_one_sockets  
						
						
						
						
					 
					
						2016-12-29 11:55:52 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						de61f0cbf3 
					 
					
						
						
							
							Merge branch '2.9dev' into run_beast_sockets  
						
						
						
						
					 
					
						2016-12-29 11:55:01 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						2350eaa9f5 
					 
					
						
						
							
							Merge branch '2.9dev' into run_server_preference_sockets  
						
						
						
						
					 
					
						2016-12-29 11:54:00 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						e18b5a4709 
					 
					
						
						
							
							Merge branch '2.9dev' into run_pfs_sockets  
						
						
						
						
					 
					
						2016-12-29 11:52:29 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						802af274d9 
					 
					
						
						
							
							Merge branch '2.9dev' into cipher_order_sockets  
						
						
						
						
					 
					
						2016-12-29 11:51:15 -05:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						b8e1ede08c 
					 
					
						
						
							
							Merge pull request  #572  from dcooper16/run_logjam_sockets  
						
						
						
						
						Use sockets for run_logjam() 
						
						
					 
					
						2016-12-29 15:38:54 +01:00 
						 
				 
			
				
					
						
							
							
								Dirk 
							
						 
					 
					
						
						
							
						
						c3671928ae 
					 
					
						
						
							
							fix for  83d2a63 
						
						
						
						
					 
					
						2016-12-29 00:09:44 +01:00 
						 
				 
			
				
					
						
							
							
								Dirk 
							
						 
					 
					
						
						
							
						
						83d2a63e0f 
					 
					
						
						
							
							- Stronger warning if ~/etc is missing, also requires more explicit consent to continue  
						
						
						
						
						- fix lfs for -e -E if openssl has not DH/ECDH
- further minor output corrections 
						
						
					 
					
						2016-12-28 23:47:35 +01:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						88f4c77078 
					 
					
						
						
							
							Merge branch '2.9dev' into run_std_cipherlists_sockets  
						
						
						
						
					 
					
						2016-12-28 11:27:22 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						324a78a47d 
					 
					
						
						
							
							Merge branch '2.9dev' into run_logjam_sockets  
						
						
						
						
					 
					
						2016-12-28 11:26:20 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						6ed620d740 
					 
					
						
						
							
							Merge branch '2.9dev' into run_freak_sockets  
						
						
						
						
					 
					
						2016-12-28 11:25:26 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						322703d39f 
					 
					
						
						
							
							Merge branch '2.9dev' into run_ssl_poodle_sockets  
						
						
						
						
					 
					
						2016-12-28 11:24:44 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						44c766b993 
					 
					
						
						
							
							Merge branch '2.9dev' into test_just_one_sockets  
						
						
						
						
					 
					
						2016-12-28 11:23:54 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						88658f8b89 
					 
					
						
						
							
							Merge branch '2.9dev' into run_beast_sockets  
						
						
						
						
					 
					
						2016-12-28 11:23:05 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						1b70bc5994 
					 
					
						
						
							
							Merge branch '2.9dev' into run_server_preference_sockets  
						
						
						
						
					 
					
						2016-12-28 11:22:18 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						da217f2136 
					 
					
						
						
							
							Merge branch '2.9dev' into run_pfs_sockets  
						
						
						
						
					 
					
						2016-12-28 11:21:30 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						ccebf47f56 
					 
					
						
						
							
							Merge branch '2.9dev' into cipher_order_sockets  
						
						
						
						
					 
					
						2016-12-28 11:19:32 -05:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						5e43739224 
					 
					
						
						
							
							Merge pull request  #575  from dcooper16/fix_run_protocols  
						
						
						
						
						Minor bug fixes in run_protocols() 
						
						
					 
					
						2016-12-27 23:08:38 +01:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						fd2e52c396 
					 
					
						
						
							
							Minor bug fixes in run_protocols()  
						
						
						
						
						In a few places `run_protocols()` specifies the wrong TLS version as the "ID" when calling `fileout()`. 
						
						
					 
					
						2016-12-27 14:14:20 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						fddc8a012e 
					 
					
						
						
							
							Merge branch '2.9dev' into run_std_cipherlists_sockets  
						
						
						
						
					 
					
						2016-12-23 14:32:08 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						b88cc4af71 
					 
					
						
						
							
							Merge branch '2.9dev' into run_logjam_sockets  
						
						
						
						
					 
					
						2016-12-23 14:31:13 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						2bdc63e47d 
					 
					
						
						
							
							Merge branch '2.9dev' into run_freak_sockets  
						
						
						
						
					 
					
						2016-12-23 14:28:18 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						6084968b7a 
					 
					
						
						
							
							Merge branch '2.9dev' into run_ssl_poodle_sockets  
						
						
						
						
					 
					
						2016-12-23 14:27:18 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						3050a4c1fc 
					 
					
						
						
							
							Merge branch '2.9dev' into test_just_one_sockets  
						
						
						
						
					 
					
						2016-12-23 14:25:23 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						ba2f07bc0b 
					 
					
						
						
							
							Merge branch '2.9dev' into run_beast_sockets  
						
						
						
						
					 
					
						2016-12-23 14:24:14 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						64bd786daf 
					 
					
						
						
							
							Merge branch '2.9dev' into run_server_preference_sockets  
						
						
						
						
					 
					
						2016-12-23 14:22:47 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						48f33fff5a 
					 
					
						
						
							
							Merge branch '2.9dev' into run_pfs_sockets  
						
						
						
						
					 
					
						2016-12-23 14:21:23 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						fba1793c5a 
					 
					
						
						
							
							Merge branch '2.9dev' into cipher_order_sockets  
						
						
						
						
					 
					
						2016-12-23 14:20:16 -05:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						725488449c 
					 
					
						
						
							
							Merge pull request  #574  from dcooper16/run_http2_sockets  
						
						
						
						
						Use sockets for run_http2() 
						
						
					 
					
						2016-12-23 18:31:03 +01:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						dc98371ed0 
					 
					
						
						
							
							Use sockets for run_http2()  
						
						
						
						
						This PR changes `run_http2()` so that it uses `tls_sockets()` rather than failing, if `$OPENSSL` does not support the `-alpn` option. If `$OPENSSL` supports the `-alpn` option (or if `$SSL_NATIVE` is true), then this PR has no effect. 
						
						
					 
					
						2016-12-23 11:02:31 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						90812a2732 
					 
					
						
						
							
							Use sockets for run_std_cipherlists()  
						
						
						
						
						This PR changes `run_std_cipherlists()` to use sockets. As noted in issue #554, I have some questions about the definitions of the cipher lists, but I wrote the code so that the ciphers that are tested when using sockets are the same as those that are tested when using OpenSSL. For a few of the cipherlists, the sockets version tests a few additional ciphers; but these are ciphers that are not supported by OpenSSL, and whose definitions are consistent with the ciphers that OpenSSL includes.
As written, `std_cipherlists` will use sockets for testing by default, except in two cases:
* If `$SSL_NATIVE` is true, then only OpenSSL is used, and if OpenSSL doesn't support any ciphers in the cipherlist, then the test is skipped.
* If `$FAST` is true (but `$SSL_NATIVE` is false), then OpenSSL is used whenever it supports at least one cipher from the cipherlist, and `tls_sockets()` (or `sslv2_sockets()`) is only used when OpenSSL doesn't support any ciphers from the cipherlist. 
						
						
					 
					
						2016-12-22 15:46:01 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						0d75bae195 
					 
					
						
						
							
							Use sockets for run_logjam()  
						
						
						
						
						This PR changes `run_logjam()` to use sockets. 
						
						
					 
					
						2016-12-21 14:55:01 -05:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						815e21e9b5 
					 
					
						
						
							
							Use sockets for run_freak()  
						
						
						
						
						This PR changes `run_freak()` to use sockets.
I added two ciphers to `$exportrsa_cipher_list`: EXP1024-RC4-MD5 (0x00,0x60) and EXP1024-RC2-CBC-MD5 (0x00,0x61). So, the list is now as follows:
```
      0x00,0x62 - EXP1024-DES-CBC-SHA            TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA                SSLv3      Kx=RSA(1024)   Au=RSA     Enc=DES(56)                    Mac=SHA1     export    
      0x00,0x61 - EXP1024-RC2-CBC-MD5            TLS_RSA_EXPORT1024_WITH_RC2_56_MD5                 SSLv3      Kx=RSA(1024)   Au=RSA     Enc=RC2(56)                    Mac=MD5      export    
      0x00,0x64 - EXP1024-RC4-SHA                TLS_RSA_EXPORT1024_WITH_RC4_56_SHA                 SSLv3      Kx=RSA(1024)   Au=RSA     Enc=RC4(56)                    Mac=SHA1     export    
      0x00,0x60 - EXP1024-RC4-MD5                TLS_RSA_EXPORT1024_WITH_RC4_56_MD5                 SSLv3      Kx=RSA(1024)   Au=RSA     Enc=RC4(56)                    Mac=MD5      export    
      0x00,0x14 - EXP-EDH-RSA-DES-CBC-SHA        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA              SSLv3      Kx=DH(512)     Au=RSA     Enc=DES(40)                    Mac=SHA1     export    
      0x00,0x08 - EXP-DES-CBC-SHA                TLS_RSA_EXPORT_WITH_DES40_CBC_SHA                  SSLv3      Kx=RSA(512)    Au=RSA     Enc=DES(40)                    Mac=SHA1     export    
      0x00,0x06 - EXP-RC2-CBC-MD5                TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5                 SSLv3      Kx=RSA(512)    Au=RSA     Enc=RC2(40)                    Mac=MD5      export    
 0x04,0x00,0x80 - EXP-RC2-CBC-MD5                SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5               SSLv2      Kx=RSA(512)    Au=RSA     Enc=RC2(40)                    Mac=MD5      export    
      0x00,0x0E - EXP-DH-RSA-DES-CBC-SHA         TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA               SSLv3      Kx=DH/RSA      Au=DH      Enc=DES(40)                    Mac=SHA1     export    
      0x00,0x03 - EXP-RC4-MD5                    TLS_RSA_EXPORT_WITH_RC4_40_MD5                     SSLv3      Kx=RSA(512)    Au=RSA     Enc=RC4(40)                    Mac=MD5      export    
 0x02,0x00,0x80 - EXP-RC4-MD5                    SSL_CK_RC4_128_EXPORT40_WITH_MD5                   SSLv2      Kx=RSA(512)    Au=RSA     Enc=RC4(40)                    Mac=MD5      export
``` 
						
						
					 
					
						2016-12-21 13:16:10 -05:00