Commit Graph

4190 Commits

Author SHA1 Message Date
Dirk Wetter efdcd805a9 Update Readme.md 2016-06-04 19:14:38 +02:00
Dirk Wetter 561cfa16fc - FIX #367 2016-06-02 21:31:24 +02:00
David Cooper b1e2fc7448 Merge branch 'master' into version_negotiation 2016-06-02 09:19:37 -04:00
David Cooper e8cc32af54 Merge branch 'master' into socksend_tls_clienthello_extensions 2016-06-02 09:16:45 -04:00
David Cooper f5fcff22d6 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-06-02 09:14:20 -04:00
David Cooper c593675b8e Merge branch 'master' into more_sslv2_sslv3_fixes 2016-06-02 09:09:57 -04:00
David Cooper fc6b5070af Merge branch 'master' into fix_issue_276 2016-06-02 09:08:24 -04:00
Dirk Wetter 6a9b0e01fc - polishing #366 and IPv6-related 2016-06-02 09:59:52 +02:00
Dirk Wetter 51f4c9ac9e Merge pull request #366 from typingArtist/365_fix_ipv6_handling
drwetter#365 fix ipv6 handling
2016-06-02 09:27:14 +02:00
David Cooper 6825c0b363 Allow for certificates with no subjectAltName extension
While it seems that almost all certificates include a subjectAltName extension, need to allow for the possibility that the two certificates being compared don't have subjectAltName extensions.
2016-06-01 16:20:10 -04:00
David Cooper 3bc0d6b45c Fix issue #276
Here is my proposed change to fix issue #276.
2016-06-01 15:57:40 -04:00
David Cooper a9cd3ec6ca Merge branch 'master' into version_negotiation
Conflicts:
	testssl.sh
2016-05-31 09:51:13 -04:00
typingArtist 2c69e83f5b https://github.com/drwetter/testssl.sh/issues/365 add UNBRACKETED_IPV6 quirks option
Since some OpenSSL binaries, namely Gentoo’s, don’t support bracketed
IPv6 addresses but unbracketed ones, specified as the -connect option,
the UNBRACKETED_IPV6 environment variable can be set to true for
disabling the automatic addition of brackets around IPv6 addresses on
such platforms.
2016-05-27 20:11:47 +02:00
typingArtist cf62353fc6 https://github.com/drwetter/testssl.sh/issues/365 ensure DNS PTR lookups use un-bracketed IPv6 address
While standard OpenSSL requires the literal IPv6 address enclosed
in [brackets], standard DNS lookup tools don’t support the additional
characters. Before making reverse PTR lookups, these brackets have to
be removed from the IPv6 addresses.
2016-05-27 19:54:23 +02:00
Dirk Wetter 1074c062c7 Merge branch 'master' of github.com:drwetter/testssl.sh 2016-05-27 17:44:08 +02:00
Dirk Wetter e1a8306286 - try to address #352
- WARNING in fileout is MEDIUM now
- NOT ok for medium on screen squashed
2016-05-27 17:43:45 +02:00
Dirk Wetter 1ecad208fe Update Readme.md 2016-05-26 18:03:07 +02:00
Dirk Wetter 6fb15e83fa global $OPENSSL_NR_CIPHERS 2016-05-26 12:56:55 +02:00
David Cooper 4d059f7106 Merge branch 'master' into version_negotiation 2016-05-25 16:57:37 -04:00
David Cooper acc72a1daf Merge branch 'master' into socksend_tls_clienthello_extensions 2016-05-25 16:50:56 -04:00
David Cooper a503d883c7 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-05-25 16:38:23 -04:00
David Cooper f9757c4e4d Merge branch 'master' into more_sslv2_sslv3_fixes 2016-05-25 16:32:04 -04:00
Dirk Wetter 65193cdcee Merge pull request #361 from dcooper16/run_rc4_show_each_fix
run_pfs() and run_rc4() show each fixes
2016-05-24 23:47:23 +02:00
David Cooper 2a4d987f31 Merged master fixed conflict. 2016-05-24 14:19:19 -04:00
David Cooper e0c147ec86 run_pfs() and run_rc4() show each fixes
When run_rc4() is run with the "--show-each" option, but without the "--wide" option, a list of all RC4 ciphers is printed, without any distinction between those that are supported by the server and those that are not. This is the same issue I noted in #332 for run_pfs().

In run_pfs(), the displayed output was corrected, but all ciphers were still being added to $pfs_ciphers, so the list of supported PFS ciphers sent to fileout() was incorrect.

This PR fixes both issues.
2016-05-24 13:57:47 -04:00
Dirk 5a03e96304 - consequently removed "NOT ok" for not-av of TLS 1.2 2016-05-23 22:42:40 +02:00
Dirk Wetter bf17a17b70 - 3DES in standard cipher list is medium, thus "NOT ok" is too much (need for elegant general way for "medium")
(see also https://www.keylength.com/en/8/)
2016-05-23 18:56:05 +02:00
Dirk Wetter aa99c5eb88 - FIX #347
- LF removed in JSON
2016-05-20 13:45:53 +02:00
Dirk Wetter 803e363310 Merge pull request #356 from dcooper16/server_key_size
Fix typo in Server key size check
2016-05-20 08:16:48 +02:00
Dirk Wetter fbf25d7ae1 Merge pull request #357 from dcooper16/cert_sig_algo
Recognize more signature algorithms
2016-05-20 08:12:52 +02:00
David Cooper 2ffed62d53 Recognize more signature algorithms
This PR adds to the list of signature algorithms recognized in certificate_info().
2016-05-19 16:45:56 -04:00
David Cooper dccf9bef63 Fix typo in Server key size check
When certificate_info() is trying to determine what type of public key the server has so that it can determine whether the key size is acceptable, it sometimes looks at $cert_sig_algo rather than $cert_key_algo. This PR fixes that and also adds support for DSA public keys.
2016-05-19 16:39:06 -04:00
Dirk Wetter 9a1425da14 - FIX #354
- polish #353
2016-05-18 19:06:26 +02:00
Dirk Wetter 3dc94d2b3b Merge pull request #353 from dcooper16/parse_tls_serverhello_with_added_checks
parse_tls_serverhello() with added checks
2016-05-18 08:18:47 +02:00
David Cooper 2a0a382321 Don't use dec2hex
The dec2hex() was actually converting from hex to decimal. Since it was only being used in one place, and wasn't really needed there, I just deleted it.
2016-05-17 12:02:12 -04:00
David Cooper cba7fddbdd Revised parse_tls_serverhello()
Revised parse_tls_serverhello() to more carefully check the response for errors, and to provide for more flexibility (e.g., if handshake messages are split across multiple fragments).
2016-05-16 16:52:51 -04:00
David Cooper 07a8bd3143 Support version negotiation test
The new test in PR #346 sends a TLSv1.4 ClientHello, so socksend_tls_clienthello() needs to include the signature algorithms extension if $tls_low_byte >= 3 rather than only if it is equal to 3.
2016-05-11 09:24:07 -04:00
Dirk Wetter 4eefe0df8b Merge pull request #314 from thomaspatzke/master
logfile, jsonfile and csvfile parameters work without =
2016-05-11 00:14:24 +02:00
David Cooper 1d4622ebab Additional checks in run_protocols()
One server I am testing responds to an SSLv3 ClientHello with TLSv1.2. If tls_sockets is being used, then testssl.sh responds with "#FIXME: downgraded. still missing a test case here." This PR fixes that, and in general checks the responses in run_protocols() more closely.

If tls_sockets is being used and the connection fails even though the server supports an earlier version of SSL/TLS, then it flags an error. If tls_sockets returns 2, then it verifies that $DETECTED_TLS_VERSION is equal to the highest version number supported by the server (that is also less than the version number in the ClientHello).

In addition, in order to test servers' support for version negotiation, it adds a new test that sends a TLSv1.4 ClientHello and verifies that the server responds with the highest version number that it supports. (This test only runs if both $using_sockets and $EXPERIMENTAL are true and server actually supports some version of SSL/TLS other than SSLv2.)
2016-05-06 15:12:53 -04:00
David Cooper 92c2b60d9b Signature Algorithms extension for TLSv1.2 only
Changed to only include the signature algorithms extension for TLSv1.2, since RFC 5246 says:

   Note: this extension is not meaningful for TLS versions prior to 1.2.
   Clients MUST NOT offer it if they are offering prior versions.
   However, even if clients do offer it, the rules specified in [TLSEXT]
   require servers to ignore extensions they do not understand.

Inclusion of the extension for TLS 1.1 didn't seem to cause any harm, but it seems better to follow the RFC and not include it for TLSv1.0 or TLSv1.1.
2016-05-05 17:08:40 -04:00
David Cooper 120a5c86ef Add padding extension
RFC 7685 notes that there is at least one TLS implementation that hangs if the client sends a ClientHello with a TLSCiphertext.length between 256 and 511 bytes, and so the padding extension was defined in order to get around this bug. (OpenSSL s_client includes this extension when the -bugs option is used.) So, I changed socksend_tls_clienthello() to include the padding extension if the CLientHello would have a length between 256 and 511 bytes, making the padding extension just large enough to make the ClientHello 512 bytes.

I also fixed a typo (a missing "0x") in the check for whether any ECC ciphers are included in the Client Hello.
2016-05-03 16:48:42 -04:00
David Cooper 9d1803d6eb More SSLv2 (and SSLv3) related fixes
In doing some work on cipher_pref_check() I noticed that it was failing on SSLv2 since the call to "$OPENSSL s_client" includes SNI. I've also noticed in my testing that "$OPENSSL s_client" will not connect to an SSLv2-only server unless the "-ssl2" flag is included. So, I carefully checked each call to "$OPENSSL s_client" in the program (other than in run_allciphers and run_cipher_per_proto, since those functions are already addresses in PR #341) to see whether they would inappropriate fail with an SSLv2-only (or SSLv3-only) server.

As a general rule, if the call doesn't currently include the protocol, then I added "-ssl2" if $OPTIMAL_PROTO is "-ssl2", indicating that the server only supports SSLv2, and I removed any $SNI if a protocol is specified if a protocol is specified and it is either SSLv2 or SSLv3.

I tested it on an SSLv2-only server, and the results are much better. I also tested it on a collection of other servers, none of which support SSLv2, and the results are the same as with the current code.

The only thing I haven't been able to test is how the revised code works when the "--starttls" option is used. I don't believe the changes I made would cause anything to break in that case, but I also don't think code will work any better in that case, if the server only supports SSLv2. Of course, since no server should support SSLv2 (let alone only SSLv2), it shouldn't really be an issue.

One thing that I did not change, but that I do not understand; why does determine_optimal_proto() try the protocols in the order "-tls1_2 -tls1 -ssl3 -tls1_1 -ssl2" rather than "-tls1_2 -tls1_1 -tls1 -ssl3 -ssl2"? Doesn't the current ordering imply that TLS v1.0 and SSLv3 are better than TLS v1.1?
2016-04-29 17:04:01 -04:00
David Cooper 91bab81e26 "$OPENSSL ciphers" ignores "-tls1_1" and "-tls1_2"
Versions of OpenSSL prior to 1.1.0 ignore the options "-tls1_1" and "-tls1_2". So, a call of the form "$OPENSSL ciphers -tls1_2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' would list all supported ciphers (including SSLv2 ciphers), not just ciphers appropriate for TLS1.2.

This changes the code to use "-tls1" instead of "-tls1_1" or "-tls1_2" if a version of OpenSSL other than 1.1.0 is being used.
2016-04-21 14:05:19 -04:00
Dirk Wetter 269a9e8c60 - fix LF in JSON/CSV output
- fix EV detection
2016-04-21 18:44:57 +02:00
Dirk Wetter 948118c927 Merge pull request #343 from dcooper16/fix_typos
Fix some typos
2016-04-21 18:21:51 +02:00
David Cooper cf84d69171 Fix some typos
Note: I deleted line 207, "HAS_SSL2=false", since it was a repeat of line 203.
2016-04-21 12:04:33 -04:00
Dirk c62177044b - FIX #336 2016-04-20 18:53:04 +02:00
David Cooper fe098d4b39 Use $HAS_SSL2
I changed the code to use the global $HAS_SSL2 rather than $sslv2_locally_supported.

I don't think there's a need to use $HAS_SSL3 in run_allciphers(), since the call to "$OPENSSL s_client" for non-SSLv2 ciphers does not specify a protocol. It's also not needed in run_cipher_per_proto(), since there is already a call to locally_supported() before anything further is done with a protocol.
2016-04-19 09:47:52 -04:00
David Cooper 7e506e5c5a More extensions in socksend_tls_clienthello()
This PR adds the signature algorithms, heartbeat, session ticket, and next protocol extensions to the client hello message created by socksend_tls_clienthello() for TLS 1.0 and above. It also adds the supported elliptic curves and ec points format extensions if the client hello message includes any ECC cipher suites.

I tested this version against several servers with $EXPERIMENTAL set to true and get the same results as with the current code with $EXPERIMENTAL set to false.
2016-04-13 15:39:12 -04:00
David Cooper c6db49066f run_allciphers(),run_cipher_per_proto(), and SSLv2
This PR addresses two problems related to SSLv2 in run_allciphers() and run_cipher_per_proto().

In run_cipher_per_proto(), the call to "$OPENSSL s_client" is changed to that $SNI is not included if $proto is -sslv2 or -sslv3. As noted in a comment within run_prototest_openssl(), "newer openssl throw an error if SNI is supplied with SSLv2" and "SSLv3 doesn't have SNI (openssl doesn't complain though -- yet)."

run_allciphers() will sometimes incorrectly report that a server supports an SSLv2 cipher, even if the server does not support SSLv2 at all. The problem occurs if there is a supported SSLv3 cipher suite that has the same OpenSSL name as an SSLv2 cipher suite (e.g., RC4-MD5). Since the call to "$OPENSSL s_client" only uses the OpenSSL name, but the results report both the name, hexcode, and RFC cipher suite name, both the SSLv2 and SSLv3 cipher suites are reported as being supported (e.g., 0x04=RC4-MD5=TLS_RSA_WITH_RC4_128_MD5 and x010080=RC4-MD5=SSL_CK_RC4_128_WITH_MD5). This PR fixes the problem by testing SSLv2 cipher suites separately from non-SSLv2 cipher suites.
2016-04-11 15:51:53 -04:00