Commit Graph

4190 Commits

Author SHA1 Message Date
Dirk Wetter ad7eeddb96 Merge pull request #579 from dcooper16/run_crime_sockets
Use sockets for run_crime()
2017-01-14 13:18:22 +01:00
Dirk Wetter 354e0ed31a Merge pull request #585 from dcooper16/show_selected_curve
Show selected curve
2017-01-14 12:12:33 +01:00
Dirk Wetter 32ef531cd1 Merge pull request #586 from dcooper16/find_encrypt_then_mac_extension
Detect support for encrypt-then-mac extension
2017-01-14 12:02:10 +01:00
David Cooper c5dcaf476f Remove redundant setting to success to 0 2017-01-13 12:18:32 -05:00
David Cooper 91e0da3485 Detect support for encrypt-then-mac extension
In some cases, the "TLS extensions" line output for the "--server-defaults" option will not show `"encrypt-then-mac/#22"` even if the server supports this extension. The reason is that a server will only include this extension in the ServerHello message if it supports the extension and the selected cipher is a CBC cipher. So, if `determine_tls_extensions()` connects to the server with a non-CBC cipher, then it will not detect if the server supports the encrypt-then-mac extension.

It is possible that support for the extension will be detected by `get_server_certificate()`, but only if one of the calls to that function results in a CBC cipher being selected and OpenSSL 1.1.0 is being used (as prior versions did not support the encrypt-then-mac extension).

In this PR, if `determine_tls_extensions()` is called and `$TLS_EXTENSIONS` does not already contain `"encrypt-then-mac/#22"`, then an attempt will be made to connect to the server with only CBC ciphers specified in the ClientHello. If the connection is not successful (presumably because the server does not support any CBC ciphers), then a second connection attempt will be made with the "default" ciphers being specified in the ClientHello.

en.wikipedia.org is an example of a server that supports the encrypt-then-mac extension, but for which the support is not currently detected (unless OpenSSL 1.1.0 is used) since in the call to `determine_tls_extension()` a non-CBC cipher is selected.
2017-01-13 12:13:20 -05:00
David Cooper 42da64d601 Show selected curve
This PR changes `read_dhbits_from_file()` so that, when the "quiet" parameter is absent, the selected curve is shown in addition to the number of bits. This PR only affects the output of `run_client_simulation()` and the `Negotiated cipher` in `run_server_preference()`.
2017-01-13 10:28:48 -05:00
David Cooper 77dbe7ed1b Merge branch '2.9dev' into run_crime_sockets 2017-01-13 09:09:04 -05:00
David Cooper 859ea0c7d3 Merge branch '2.9dev' into run_freak_sockets 2017-01-13 09:08:02 -05:00
David Cooper eabaa95163 Merge branch '2.9dev' into extend_logjam_phase_1 2017-01-13 09:07:12 -05:00
David Cooper 545a4543bc Merge branch '2.9dev' into run_ssl_poodle_sockets 2017-01-13 09:06:04 -05:00
David Cooper e2dca3e845 Merge branch '2.9dev' into run_beast_sockets 2017-01-13 09:05:02 -05:00
David Cooper 1169e3daef Merge branch '2.9dev' into run_server_preference_sockets 2017-01-13 09:04:10 -05:00
David Cooper 43d495aa65 Merge branch '2.9dev' into cipher_order_sockets 2017-01-13 09:03:00 -05:00
Dirk Wetter 436326a547 Merge pull request #573 from dcooper16/run_std_cipherlists_sockets
Use sockets for run_std_cipherlists()
2017-01-13 14:44:43 +01:00
Dirk Wetter bf87a9fe4a Merge pull request #582 from dcooper16/generate_static_cipher_lists
Create static cipher lists for testssl.sh
2017-01-13 14:39:17 +01:00
Dirk Wetter 048f17ca9a Merge pull request #583 from dcooper16/run_client_simulation_bugfix
run_client_simulation() bugfix
2017-01-13 14:38:05 +01:00
David Cooper 1a705f900f run_client_simulation() bugfix
There are two places in `run_client_simulation()` in which `$OPENSSL s_client` is called, after which there is a `debugme echo` line to display the `$OPENSSL s_client` command line when testssl.sh is being run in debug mode, and then `sclient_connect_successful $? $TMPFILE` is called to determine whether `$OPENSSL s_client` successfully established a connection.

So, `sclient_connect_successful()` is being passed the result of the `debugme()` call, which always returns 0, rather than the result of the `$OPENSSL s_client` call.

This PR fixes the problem by moving the `debugme()` line to before the call to `$OPENSSL s_client`, so that  `sclient_connect_successful()` is passed the results of the `$OPENSSL s_client` call.
2017-01-12 14:59:29 -05:00
David Cooper 0bc2b1c4bb Create static cipher lists for testssl.sh
This PR adds a new utility that generates the various static cipher lists that appear in testssl.sh.

This utility serves two purposes:
* It can be run whenever new ciphers are added to cipher-mapping.txt to see if any of the lists in testssl.sh need to be updated. (This includes if cipher-mapping.txt is modified to add OpenSSL-style names for ciphers that are currently listed, but that have not yet been assigned such names.)
* It can be used as a reference in order to understand how each of the lists is defined.
2017-01-12 13:17:04 -05:00
David Cooper c9119dd8ee Use static lists for sockets 2017-01-12 13:09:11 -05:00
David Cooper 92d1daa976 Merge branch '2.9dev' into run_crime_sockets 2017-01-09 09:06:10 -05:00
David Cooper d011803ae8 Merge branch '2.9dev' into run_std_cipherlists_sockets 2017-01-09 09:03:18 -05:00
David Cooper be7bb01815 Merge branch '2.9dev' into run_freak_sockets 2017-01-09 09:02:23 -05:00
David Cooper c8d04d7bab Merge branch '2.9dev' into extend_logjam_phase_1
Conflicts:
	testssl.sh
2017-01-09 09:01:31 -05:00
David Cooper cb362f6082 Merge branch '2.9dev' into run_ssl_poodle_sockets 2017-01-09 08:54:20 -05:00
David Cooper d1238f201e Merge branch '2.9dev' into run_beast_sockets 2017-01-09 08:53:24 -05:00
David Cooper cc4ab5cdec Merge branch '2.9dev' into run_server_preference_sockets 2017-01-09 08:52:26 -05:00
David Cooper 85afbbd6ed Merge branch '2.9dev' into cipher_order_sockets 2017-01-09 08:51:10 -05:00
Dirk Wetter 33ca94f6e8 Merge pull request #577 from dcooper16/run_server_defaults_bugfix
run_server_defaults() bugfix
2017-01-08 15:59:45 +01:00
Dirk Wetter b99371c069 Merge pull request #578 from dcooper16/fix_sslv2_sockets
sslv2_sockets() bug fixes
2017-01-08 15:58:01 +01:00
Dirk Wetter 0b24e80057 Merge pull request #580 from gniltaws/2.9dev
Detect $TESTSSL_INSTALL_DIR when testssl is a symlinked command
2017-01-08 15:55:21 +01:00
David Cooper 95c75f1792 Add support for OpenSSL 1.1.0
Starting with OpenSSL 1.1.0, s_client will not offer TLS compression methods, even if OpenSSL is compiled with zlib support, unless the `-comp` flag is included in the command line.
2017-01-05 15:45:18 -05:00
David Cooper ab9eb6044e Use sockets for run_crime()
This PR changes `run_crime()` to use `tls_sockets()` rather than failing if `$OPENSSL` lacks zlib support, unless `$SSL_NATIVE` is `true`.

At the moment, the ClientHello created by `socksend_tls_clienthello()` only specifies the NULL compression method. So, this PR adds a new parameter to `socksend_tls_clienthello()` and `tls_sockets()` to allow to caller to request that additional compression methods (DEFLATE and LZS) be specified in the ClientHello.

This PR makes another change to `run_crime()`. At the moment, if `$OPENSSL s_client` fails to connect to the server, `run_crime()` will report that the server is not vulnerable, since the output from `$OPENSSL s_client` includes the line "Compression: NONE" (see below). This PR changes that by checking whether the connection was successful, and reporting a "test failed (couldn't connect)" warning if it wasn't successful, rather than reporting "not vulnerable (OK)".

```
CONNECTED(00000003)
140338777061024:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 389 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1483645971
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```
2017-01-05 14:55:08 -05:00
Todd Swatling 557c15607a detects install dir when symlinked and realpath not present
$ ls -l /usr/local/bin/testssl
lrwxrwxrwx /usr/local/bin/testssl -> /home/user/testssl.sh/testssl.sh
2017-01-05 14:45:39 -05:00
Todd Swatling 70e6e289e1 removed trailing spaces 2017-01-05 14:20:19 -05:00
David Cooper d66e5ec0d7 sslv2_sockets() bug fixes
This PR fixes a few bugs in `sslv2_sockets()`. The main issue is that a server may not send the entire ServerHello in a single packet. If it doesn't and the full response is being parsed (i.e., certificate and list of ciphers), then `parse_sslv2_serverhello()` will encounter errors, since it assumes that it has the entire ServerHello. This PR compares the length of the response to the length of the ServerHello as specified in the first two bytes of the response and requests more data from the server if the response appears incomplete.

This PR also modifies `parse_sslv2_serverhello()` to check for more errors. It compares the length of the response it has been provided to the specified length (`$v2_hello_length`) and returns an error if the response is shorter than `$v2_hello_length` and the full response is supposed to be parsed. It will also check whether there was an error in converting the certificate from DER to PEM format and will return an error if there was (and it will suppress the error message).
2017-01-04 10:47:36 -05:00
David Cooper c1d072b7a8 Check for matching SSLv2 cipher
Some servers respond to an SSLv2 ClientHello with a list of all SSLv2 ciphers that the server supports rather than just a list of ciphers that it supports in common with the client (i.e., that appear in the ClientHello). This PR changes the sockets version of `std_cipherlists()` so that, if `sslv2_sockets()` is successful, it checks whether there are any ciphers in common between the ClientHello and the ServerHello before declaring that the server supports the specified cipher list.
2017-01-04 10:34:13 -05:00
David Cooper 5270747eb0 Check for matching SSLv2 cipher
Some servers respond to an SSLv2 ClientHello with a list of all SSLv2 ciphers that the server supports rather than just a list of ciphers that it supports in common with the client (i.e., that appear in the ClientHello). This PR changes the sockets version of `run_freak()` so that, if `sslv2_sockets()` is successful, it checks whether there are any ciphers in common between the ClientHello and the ServerHello before declaring that the server supports an export RSA cipher.
2017-01-04 10:31:13 -05:00
David Cooper ad5590a444 run_server_defaults() bugfix
If `determine_tls_extensions()` does not create a temporary file (`$TEMPDIR/$NODEIP.determine_tls_extensions.txt`) then `run_server_defaults()` will display error messages when an attempt is made to copy this file or to search (grep) it. This may happen if `$OPTIMAL_PROTO` is `-ssl2` or if `determine_tls_extensions()` uses sockets and `parse_tls_serverhello()` encountered an error and did not create a temporary file (`$TEMPDIR/$NODEIP.parse_tls_serverhello.txt`). This PR fixes this by only trying to copy and search `$TEMPDIR/$NODEIP.determine_tls_extensions.txt` is `$OPTIMAL_PROTO` is not `-ssl2` and `determine_tls_extensions()` was successful (return value 0).
2017-01-04 10:19:11 -05:00
David Cooper 83472301bc Don't "echo" the prime to the terminal 2016-12-30 11:33:27 -05:00
David Cooper 62aee8f846 Remove leading "00" byte from prime, if present
The primes in https://svn.nmap.org/nmap/scripts/ssl-dh-params.nse do not include a leading "00" byte, so don't include it in `$dh_p`.
2016-12-30 11:32:41 -05:00
David Cooper c0c041b1c2 Merge branch '2.9dev' into run_std_cipherlists_sockets 2016-12-29 16:59:58 -05:00
David Cooper 5e5199ddb5 Merge branch '2.9dev' into run_freak_sockets 2016-12-29 16:58:22 -05:00
David Cooper 3b54ac398e Merge branch '2.9dev' into run_ssl_poodle_sockets 2016-12-29 16:57:31 -05:00
David Cooper 99290ea1a5 Merge branch '2.9dev' into run_beast_sockets 2016-12-29 16:56:08 -05:00
David Cooper a094acc155 Merge branch '2.9dev' into run_server_preference_sockets 2016-12-29 16:54:05 -05:00
David Cooper 7116d1bbdf Merge branch '2.9dev' into cipher_order_sockets 2016-12-29 16:52:50 -05:00
David Cooper b7ff8a1ee3 Add extra check 2016-12-29 16:45:46 -05:00
David Cooper e931ebf6b4 Merge branch '2.9dev' into extend_logjam_phase_1 2016-12-29 16:43:44 -05:00
Dirk Wetter e8e60e368f Merge pull request #568 from dcooper16/test_just_one_sockets
test_just_one() sockets
2016-12-29 22:38:35 +01:00
David Cooper ec3a644c4d Common primes test phase 1
In response to your request in #572, this PR provides a starting point for addressing #120. It adds code to `run_logjam()` to try connecting to the server using any cipher that uses an ephemeral DH key. If successful, it gets the server's ephemeral key (in OpenSSL's PEM format) and then extracts the prime from the key and places it in `$dh_p`. So, all that needs to be done at this point is to compare `$dh_p` against a set of "bad" primes. I'm not sure if I'll be able to work on that part soon, so if someone else has the time, that would be great.

I actually found the `-msg` option easy to use. I moved the code in `parse_tls_serverhello()` that extracts the DH ephemeral public key from the ServerKeyExchange message into a separate function. Then, if using OpenSSL with the `-msg` option, I extract the ServerKeyExchange message from `$TMPFILE` and call this new function to extract the key and convert it to PEM format. That way the new code in `run_logjam()` can use either `$OPENSSL` or `tls_sockets()`.
2016-12-29 16:31:42 -05:00