Commit Graph

2606 Commits

Author SHA1 Message Date
Dirk Wetter b60e25fbea Merge pull request #801 from dcooper16/std_cipherlists_has_server_protocol
std_cipherlists() and has_server_protocol()
2017-07-25 21:48:52 +02:00
Dirk 512cb81325 typo in comment for run_std_cipherlists() 2017-07-25 20:38:02 +02:00
David Cooper 1ee4db4e41 std_cipherlists() and has_server_protocol()
`std_cipherlists()` uses `has_server_protocol()` to determine whether to test for ciphers using SSLv2. However, this was resulting in false negatives due to #759. This PR removes the `has_server_protocol()` check so that SSLv2 is checked whenever the connection attempt with the TLSv1.2 ClientHello failed.
2017-07-25 13:24:29 -04:00
David Cooper cf0da7f994 Fix client simulations with SSLv2 ClientHello
This PR fixes the extraction of the cipher suites in SSLv2 ClientHellos in `client_simulation_sockets()`. Since `client_simulation_sockets()` can only handle SSLv3 and above ServerHellos, it removes any SSLv2 ciphers and converts the other cipher from 3-byte format to 2-byte format.
2017-07-25 12:46:37 -04:00
Dirk Wetter 468e96f419 Merge pull request #787 from sdann/fix_has_server_protocol
Fix logic in has_server_protocol()
2017-07-25 16:27:36 +02:00
Dirk b7f4b23c23 commenting #797 2017-07-25 16:19:36 +02:00
Dirk Wetter 007d54fa26 Merge pull request #797 from dcooper16/yaSSL_client_simulation
yaSSL and client simulation
2017-07-25 16:15:29 +02:00
David Cooper 6be478da0b Merge branch '2.9dev' into yaSSL_client_simulation 2017-07-25 08:48:05 -04:00
Dirk 3adb5ac71f Logic for POODLE && TLS_FALLBACK_SCSV
If vulnernable to POODLE and has no TLS_FALLBACK_SCSV ==> HIGH.
If only run the fallback check and it has none, still label it as MEDIUM but issue
a clear warning that test under this circumstances is incomplete.
2017-07-25 10:54:01 +02:00
David Cooper c370f2359b Extract cipher suites from SSLv2 ClientHello 2017-07-24 11:26:18 -04:00
Dirk 615a93e69e in html mode the sed statement for the server banner had and error resulting in sed messages like "unknown option to s" 2017-07-22 20:57:32 +02:00
David Cooper 91927e0f59 yaSSL and client simulation
This PR adds the same additional check to `client_simulation_sockets()` as was previously added to `tls_sockets()`. It extracts the list of cipher suites offered from each ClientHello and passes the list to `parse_tls_serverhello()` so that `parse_tls_serverhello()` can check that the cipher offered in the ServerHello was included in the ClientHello.

This assumes that a real client would abort the connection if it was presented with a cipher in the ServerHello that it didn't offer in its ClientHello.
2017-07-21 10:59:23 -04:00
Dirk 4e3b2318ab FIX #795 awk had word match, didn't work and wasn't needed
If certicate was determined before running dorwn, we needed to remove "SHA256 " (regression)
2017-07-20 19:13:06 +02:00
Dirk baeca77021 drown additions
* also provide links to censys.io if there's drown detected
* remove SHOW_CENSYS_LINK variable
* calculate fingerprint upfront (if not done yet)
2017-07-20 17:44:00 +02:00
Steven Danneman 72851c7e3f Catch MySQL (yaSSL) server bug when testing standard cipher categories
Unfortunately, most categories were passing incorrectly, since a
tls_socket() error was interpreted as a success for many of the cases.
Now we explicitely check for the known yaSSL failure and raise a warning
that the test is inconclusive.

New output against --starttls=mysql looks like:

Testing ~standard cipher categories
-----------------------------------

 NULL ciphers (no encryption)                  SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.
 Anonymous NULL Ciphers (no authentication)    SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.
 Export ciphers (w/o ADH+NULL)                 SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.
 LOW: 64 Bit + DES encryption (w/o export)     offered (NOT ok)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.
 Triple DES Ciphers (Medium)                   offered
 High encryption (AES+Camellia, no AEAD)       offered (OK)
 Strong encryption (AEAD ciphers)              SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.

Partial workaround for #793
2017-07-19 17:35:37 -07:00
Dirk ad1dd01466 polishing #784 and #788
Also introduced the global BAD_SERVER_HELLO_CIPHER which can be later used
for notifying crappy cipher negotiations
2017-07-19 18:46:46 +02:00
Dirk Wetter fc7a89e659 Merge pull request #788 from sdann/mysql_ccs_injection
Fix CCS Injection detection for MySQL (yaSSL)
2017-07-19 18:37:51 +02:00
Dirk Wetter cc5d8a708e Merge pull request #792 from dcooper16/last_extension_not_empty
Make sure last ClientHello extension is not empty
2017-07-19 17:33:31 +02:00
David Cooper bcd71555ea Make sure last ClientHello extension is not empty
According to a discussion thread on the IETF TLS WG mail list (see https://www.ietf.org/mail-archive/web/tls/current/msg19720.html), there is at least one TLS server that will fail if the last extension in the ClientHello has contains extension_data of length 0.

Currently, `tls_sockets()` will create such a ClientHello if:
* The padding extension is included, and the length of the ClientHello without the padding data would be between 508 and 511 bytes.
* No padding extension is included, and the caller provided `$extra_extensions` in which the last extension in `$extra_extensions` is empty.
* No padding extension is included, `$extra_extensions` is empty, no ECC cipher suites are offered, and the ClientHello is for TLSv1.1 or below (in this case the next protocol extension would be that last one).

This PR avoids the server bug (in nearly all cases) by ensuring the the padding extension (when present) always contains at least one byte, and by ensuring that when the padding extension is not present that the (non-empty) heartbeat extension is the last extension.

This PR does leave one possible scenario in which the last extension would be empty. If the caller provides an `$extra_extensions` in which the last extension in `$extra_extensions` is empty, `tls_sockets()` does not add a padding extension (or a padding extension is included in `$extra_extensions`), and `$extra_extensions` includes a heartbeat extension, then the last extension in the ClientHello would be empty. This, however, is a highly unlikely scenario, and certainly there are currently no such calls to `tls_sockets()` in testssl.sh.
2017-07-14 15:48:59 -04:00
Dirk Wetter 507e59dc97 Update CREDITS.md 2017-07-13 14:02:33 +02:00
Dirk Wetter 17513abfe8 Update CREDITS.md 2017-07-13 14:00:41 +02:00
Dirk Wetter fb6901a792 Update Readme.md 2017-07-13 13:56:14 +02:00
Dirk Wetter dc0db33588 Installation section and polish 2017-07-13 13:55:22 +02:00
Dirk 9d1e7d1f29 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-07-13 12:37:52 +02:00
Dirk 28fe4c48de manpage not for editing
Generated via ``ronn -r testssl.1.md`` from the md source. Can be viewed
e.g. by ``nroff -man testssl.1 [| less]``
2017-07-13 12:35:13 +02:00
Dirk f2d07ec22b First draft of the manpage
Until the content is finalized the plan is to keep it in MD format.
For medium terms it is something which needs to be reconsidered
as markdown as the source format for documentation has too many limits.
Happy for suggestions here.

In the meantime here's what needs to be done:

* finalizing (see comments)
* proofreading 1: accuracy, logic, more content related
* proofreading 2: grammar, spelling
* more? pls let me know
2017-07-13 12:27:28 +02:00
Dirk Wetter 7339e43b18 Merge pull request #784 from dcooper16/fix_782
Handle server returning unsupported cipher
2017-07-13 09:15:07 +02:00
Dirk Wetter 413751c806 Merge pull request #785 from dcooper16/parse_tls_serverhello_bugfix
Remove extra line break in debugging output
2017-07-13 09:10:30 +02:00
Steven Danneman ca818c4dde Fix CCS Injection detection for MySQL (yaSSL)
Another yaSSL server incompatiblity. MySQL protects against CCS
Injection by erroring if it sees to CCS requests before the handshake
completes. But instead of returning a TLS alert, it seems to error up
the stack to MySQL which returns it's own error message.

Debug output looks like:

---
sending client hello,
reading server hello

1st reply:

sending payload #2 with TLS version x03, x02:
tls_content_type: 16 | tls_protocol: 0000 | byte6: 04

2nd reply:
00000000  16 00 00 02 ff 13 04 23  30 38 53 30 31 42 61 64  |.......#08S01Bad|
00000010  20 68 61 6e 64 73 68 61  6b 65                    | handshake|
0000001a

test failed, probably read buffer too small (16000002FF1304)
---

This patch adds a custom check for this MySQL specific error, as far
down in the error check path as I can.
2017-07-12 17:14:05 -07:00
Steven Danneman ec18c5231c Fix logic in has_server_protocol()
If $PROTOS_OFFERED was empty, and thus the protocols unknown, this
function would return true for any protocol you passed it. This caused
most callers to assume TLS1.0, even if the server didn't offer it.

Instead return false and make the caller do an extra lookup.
2017-07-12 17:11:21 -07:00
David Cooper 92fb537e24 Remove extra line break in debugging output
A commit that was made on May 15 replaced a `tm_out` with `echo` rather than `echo -e` resulting in an extra line break.
2017-07-12 16:32:12 -04:00
David Cooper 6004123dc0 Merge branch '2.9dev' into fix_782 2017-07-12 08:55:44 -04:00
Dirk Wetter 9244f2c83c Merge pull request #783 from sdann/mysql_starttls
Add mysql (sockets) starttls support
2017-07-12 09:32:31 +02:00
Dirk Wetter bddf5b2404 Merge pull request #775 from dcooper16/hpkp_bugfix
run_hpkp() bug fix
2017-07-11 23:21:51 +02:00
David Cooper 7037bd8e4b Handle server returning unsupported cipher
As reported in #782, some servers will return a ServerHello with a cipher not listed in the ClientHello rather than than return an Alert, if the server does not support any of the ciphers listed in the ClientHello.

This commit modifies `tls_sockets()` to check whether the cipher in the ServerHello was one included in the ClientHello and to fail if it wasn't.
2017-07-11 15:10:40 -04:00
Steven Danneman 8be69e9789 Add sockets implementation of mysql starttls
This is the simplest direct socket implementation of the MySQL STARTTLS
protocol.

This is a binary protocol, so it requires a new stream based send
(instead of the current line based send).
2017-07-11 11:11:44 -07:00
Steven Danneman a8ae90137d fd_socket now also modifies NW_STR
Assign to local variable sooner.
2017-07-11 11:05:24 -07:00
David Cooper 0bd8eca2a2 Merge branch '2.9dev' into hpkp_bugfix 2017-07-11 08:52:55 -04:00
Dirk deb7fd52a9 making some socket timeouts configurable through ENV, thus synching it with the documentation 2017-07-11 10:03:33 +02:00
David Cooper 05c8e1e595 Merge branch '2.9dev' into hpkp_bugfix 2017-07-10 08:49:30 -04:00
Dirk 637812a022 bali out if both flat and pretty JSON outout was specified 2017-07-10 10:57:48 +02:00
David Cooper 1f76c4d144 Merge branch '2.9dev' into hpkp_bugfix 2017-07-06 08:59:00 -04:00
Dirk bc0c1dc553 FIX #779 2017-07-06 13:02:27 +02:00
David Cooper 26ec80e764 run_hpkp() bug fix
In `run_hpkp()` there is a call to `$OPENSSL s_client` that uses `${sni[i]}` as one of the command line options, but `sni` is not defined. My guess is that this was a copy/paste error from `run_client_simulation()`, which is the only function where an `sni` array is defined.

I am guessing that the intention was to use `$SNI` in `run_hpkp()`.
2017-07-03 14:28:21 -04:00
Dirk Wetter 7aaadf731c Merge pull request #773 from sdann/postgres_cleanup
Postgres cleanup
2017-07-01 10:43:05 +02:00
Dirk Wetter 4cb48a1399 Merge branch '2.9dev' into postgres_cleanup 2017-07-01 10:25:28 +02:00
Dirk 02488884bb added experimental label for MySQL STARTTLS protocol 2017-07-01 10:11:34 +02:00
Dirk Wetter 152c5c225c Merge pull request #774 from sdann/mysql_starttls
Add mysql (openssl) starttls support
2017-07-01 10:05:05 +02:00
Steven Danneman 123db1d694 Add mysql (openssl) starttls support
openssl/master branch now supports mysql STARTTLS in s_client

This patch adds support to call and use that s_client support to run
most, but not all (pfs, client simulation) tests.

The socket implementation is stubbed, but not yet functional.
2017-06-30 16:12:03 -07:00
Steven Danneman 2a2e9ebc07 Rename variable as it is not a regex 2017-06-30 15:57:41 -07:00