Commit Graph

2679 Commits

Author SHA1 Message Date
Dirk
5d1cfcad08 Renamed (typo) openssl-rfc.mappping.html and added entries
Some SSLv2 ciphers were missing (see openssl/ssl/ssl2.h and
SSLeay (ssl.h + ssl_lib.c).

Also in this list security bit strength None were renamed to '0',
encryption None to Null.
2018-11-01 14:08:15 +01:00
Dirk
2a65bb8c9a Add +2 to MAX_OSSL_FAIL if running with --openssl-native AND an --openssl-timeout
.. otherwise we'll hit too soon the threshold: Logic: by specifying
a timeout a user indicates that there might be a problem.

Also fatal() now supports a hint which is printed in normal
text (to stderr)
2018-10-30 00:06:59 +01:00
Dirk
987fbeda37 Detect downgrade to plaintext for STARTTLS, IMAP
Some Cyrus IMAD if configured with SSL_CTX_set_cipher_list(context, "!TLSv1")
and similar respond with a plaintext 'a002 NO Starttls negotiation failed"
when a not-supported protocol is detected, see #1082.

This PR fixes this by detecting (also) this downgrade. As a precaution
It still issues a warning as this is seems a special configuration.
2018-10-29 23:19:47 +01:00
Dirk Wetter
43ee837ec2
Merge pull request #1147 from C0FFEEC0FFEE/dev-fixcsv
Dev fixcsv
2018-10-24 09:10:14 +02:00
Michael Koch
e184f94b8a Revert "Remove trailing spaces"
This reverts commit 7881dc386c.
2018-10-24 08:27:19 +02:00
Michael Koch
040e4d3050 Remove duplicate commas in CSV output 2018-10-23 14:25:36 +02:00
Michael Koch
7881dc386c Remove trailing spaces 2018-10-23 14:23:38 +02:00
Dirk
f18fb03bf3 Simplify run_logjam()
Looking @ pending #1114 two improvements were done:

1) Keep the status of DH group detected (<name> or "Unknown DH group")
   as well as the bit length
2) move the detection to a separate function get_common_prime()

There's still room for improvements when run_pfs() will take
over a part.

Also double code (my bad) from run_logjam() was move to a separate function.
2018-10-16 20:56:52 +02:00
Dirk
33c7902247 Check requirements on missing binaries
As #1146 noted some installations miss hexdump. Better practice
is to check before what's needed albeit the error message when
a binary is missing does give the user a hint.
2018-10-16 15:32:11 +02:00
Dirk
032020bc4f Add a LICENSE section
and ask for mentioning that this program is being used
and where to get it from.
2018-10-15 12:27:57 +02:00
Dirk
b2ad9e3c15 Be more verbose what client is simulated
Currently the client simulation is based on the handshake data
from SSLlabs which is purely focussed on HTTP -- as SSLlabs does
HTTP only.

In #540 there was a PR addressing the fact that the data is not
what is claims to be -- the handshake of Android 7 seems to be
Chrome for Android and not Android itself.

This PR tries at least to modify the headline for client simulations.
2018-10-15 09:33:12 +02:00
Dirk Wetter
1821204d6e
Merge pull request #1044 from dcooper16/only_show_supported_ciphers
Only list supported ciphers
2018-10-15 09:08:27 +02:00
Dirk
2a27416fd7 Fix fragmentation also under FreeBSD and OS X
This PR addresses the remaining TCP fragmentation by piping the line buffered
internal print through cat, see also #1130.
It extends 1b52834 which was the same doing for Linux and
OpenBSD.

This PR also consolidates the last remaining low level socket calls
in client_simulation_sockets() into socksend_clienthello().

An negative performance effect is barely measurable.

It also does a check whether the fd 5 is taken by a tty as
I see this while writing the commit message ;-). We might
want to make that line better instead of just echoing. :-)
2018-10-11 21:00:33 +02:00
Dirk
2fb137dfcf Bump version no of rc 2018-10-09 12:36:15 +02:00
David Cooper
92f9134c4c Only list supported ciphers
At the beginning of run_server_preference(), if the attempt to connect to the server is unsuccessful, a message is printed listing all of the ciphers in $list_fwd and $tls13_list_fwd:

     no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:ADH-AES256-GCM-SHA384:AECDH-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256

This message can be misleading. I tested a server that only supported TLSv1.3 using the provided OpenSSL 1.0.2-chacha. The server supported TLS_AES_256_GCM_SHA384, but OpenSSL didn't. However, the message implies that the server does not support  TLS_AES_256_GCM_SHA384.

This PR changes the message (and the one included in CSV/JSON output) to only list those ciphers in $list_fwd and $tls13_list_fwd that are actually supported by $OPENSSL.

Note that even with this PR, some ciphers are listed that aren't really supported by $OPENSSL, since the `-s` option isn't used. But, that is #663.
2018-10-05 12:11:24 -04:00
Dirk
8007607037 Add jsonID to EC in run_pfs() 2018-10-05 16:42:32 +02:00
Dirk Wetter
1d8e347ea8
Merge pull request #1141 from dcooper16/ecdh_quality
Send ECDHE quality to fileout()
2018-10-05 16:33:24 +02:00
Dirk
76c7299124 House keeping: consolidating socket functions
* Put all low level socket related functions close to each other

* removed socksend2 as it was not used and outdated looking forward

* socksend_sslv2_clienthello() renamed to socksend_clienthello() as
  it wasn't particular SSLv2 related

* removed the low level socket calls from socksend_tls_clienthello()
  and called socksend_clienthello() instead

* renamed socksend_tls_clienthello() to prepare_tls_clienthello()
  as it is not a low level function anymore
2018-10-05 15:41:16 +02:00
David Cooper
b5af8496fc
Send ECDHE quality to fileout()
This PR is also based on #1139, but it addresses ECDH keys rather than DH keys. When run_pfs() prints the list of elliptic curves offered, it colors each curve according to its quality (based on key length). However, the severity level used when the list is sent to fileout() is always "INFO". This PR changes the call to fileout() to make the severity level be based on the quality of the shortest curve that the server offers.
2018-10-04 14:02:43 -04:00
Dirk
d6f1064b9c Fix STARTTLS IMAP
introduce @ b49399e7c7
2018-10-04 18:27:47 +02:00
Dirk Wetter
f607702dad
Merge pull request #1138 from dcooper16/fix_typo
Remove typo
2018-10-04 18:22:34 +02:00
David Cooper
d23eb11566
Remove typo
This PR removes a typo that was introduced in b49399e7c7.
2018-10-04 09:00:01 -04:00
Dirk
b49399e7c7 Adding LMTP as a STARTTLS protocol
This commit adds LMTP to the STARTTLS protocols
supported. It requires an openssl version which
supports this which is either openssl 1.1.1
or a backported version 1.0.2 (binary is in
process).

A check is in place whetrher the binary supports
this.

Furthermore some framework additions were made for
further STARTTLS protocols like IRC and NNTP.
2018-10-04 11:24:52 +02:00
Dirk Wetter
f40f53938b
Merge pull request #1137 from dcooper16/fix_1097
Name check for XMPP servers
2018-10-04 10:32:28 +02:00
David Cooper
c4db88526f Handle critical subjectAltName extension
For XMPP servers, when extracting the SRV-ID and XmppAddr names from the subjectAltName extension, need to take into account that the subjectAltName extension may be marked as critical, in which case there will be the DER encoding of TRUE (0101FF) between the DER encoding of the subjectAltName extension's OID (0603551D11) and the tag for OCTET STRING (04).
2018-10-03 08:44:23 -04:00
David Cooper
e0f5c7513a Name check for XMPP servers
This PR is an attempt to address #1097. I have only been able to test it against jabber.topf.org and against locally created test certificates, so it needs more testing.

The main issue that this addresses is that testssl.sh currently checks against the wrong name for XMPP servers. According to RFC 6120, Section 13.7.2.1:

   o  The initiating entity sets the source domain of its reference
      identifiers to the 'to' address it communicates in the initial
      stream header; i.e., this is the identity it expects the receiving
      entity to provide in a PKIX certificate.

So, if the --xmpphost option is provided, then the name provided in that option should be compared against the name in the certificate rather than the host name.

compare_server_name_to_cert() currently takes the server name to look for in the certificate as an parameter, but every call to compare_server_name_to_cert() uses $NODE as the argument. So, this PR removes the parameter and sets $servername to either $XMPP_HOST or $NODE as appropriate. This small change alone should fix the problem for most XMPP servers since the server's name SHOULD appear in the certificate encoded as a DNS name. That is the case for the one server I could test - jabber.topf.org.

The majority of the code in this PR is to address the other possibilities noted in RFC 6120, Section 13.7.1.2.1. This section notes that an XMPP server's identity name also appear in the subjectAltName extension as an otherName, either an SRV-ID or an XmppAddr identifier. Unfortunately, OpenSSL's certificate printer does not support otherName and just prints "othername:<unsupported>". So, this PR includes code to manually extract any SRV-ID or XmppAddr names from the certificate. This involves parsing the DER encoding of the certificate to look for the subjectAltName extension, looping through all of the names in the extension, and pulling out the names of these two name forms. This code is only run if the server is an XMPP server and the certificate does not have a matching DNS name. So, this code will rarely be executed.

This PR addresses one other issue. There is code in certificate_info() to set the variables $has_dns_sans and $has_dns_sans_nosni. These variables are needed to address the following requirement:

     # Find out if the subjectAltName extension is present and contains
     # a DNS name, since Section 6.3 of RFC 6125 says:
     #      Security Warning: A client MUST NOT seek a match for a reference
     #      identifier of CN-ID if the presented identifiers include a DNS-ID,
     #      SRV-ID, URI-ID, or any application-specific identifier types
     #      supported by the client.

While it is relatively easy to determine whether a certificate includes a DNS name in the subjectAltName extension, as noted above, it is not easy to determine whether it has an SRV-ID or an XmppAddr. So, this PR leverages the work compare_server_name_to_cert() does in parsing the subjectAltName extension by having compare_server_name_to_cert() set a global variable indicating whether the certificate has a subjectAltName extension with a relevant name form (DNS, SRV-ID, or XmppAddr for XMPP, or DNS for other servers). $has_dns_sans and $has_dns_sans_nosni are then just set to the value of this global variable.
2018-10-03 08:44:23 -04:00
Dirk
1b52834dfc Extend workaround for TCP fragmentation
Instead of checking via uname for Linux this commit does a check
whether the outcome for an external printf is what is expected. This
makes it more compatible e.g. with OpenBSD which surprisingly works
similar like the GNU counterpart.

Also it checks all external printfs installed wther it's the
"right one" to use. Previously it stopped just at the first one
and if this was "wrong", bash's printf was used.
2018-10-02 23:04:02 +02:00
Dirk Wetter
b22e0d08fd
Merge pull request #1136 from dcooper16/undo_1113
Revert #1113
2018-09-26 13:52:05 +02:00
Dirk
db948cd6b5 Make sure length bytes are two chars wide
Linux bash internal printf shortened the string
when using len2twobytes() with 3 chars, FreeBSD
e.g. did not.

It worked under both OS though when piping to
the socket with printf.

This commit makes sure that always 2+2 chars
are returned when a 3 char number is supplied.

Kudos @dcooper16
2018-09-26 13:41:35 +02:00
Dirk
e1ee04fbd7 Put temporary workaounrd in place for Linux + TCP fragmentation
This commit basically reverses the previous commit 305eefc for
Linux only. Here the external printf is working fine, where as
the BSDish counterpart is not (see e.g. #1134).

For Linux is basically addresses #1130 / #1113.

A compatible solution for all OS needs to be found.
2018-09-26 09:21:28 +02:00
David Cooper
83a9302718
Revert #1113
This PR removes the changes that were added in #1113. As noted in the conversation for #1113, it was eventually determined that the actual bug was related to the first message fragment being too short rather than the overall length of the message. So, the warning message that is displayed by the code is misleading. In addition, if changes are made to avoid TCP fragmentation, then this code will no longer even test for intolerance to short message fragments.
2018-09-25 14:16:00 -04:00
Dirk
305eefc9e8 Reverse dd3657e temporarily to get a clear picture
See #1134, #1135, also #1132 is a suspect
2018-09-25 16:18:59 +02:00
Dirk
d9f0258171 Fix of errorneous return value due to ALPN check
This commit fixes a problem when not every supplied $ALPN_PROTOs
was suported which is probably never the case ;-/

See #1133
2018-09-25 10:54:17 +02:00
Dirk Wetter
441f14ae90
Merge pull request #1124 from dcooper16/deprecated_curves
Deprecated elliptic curves
2018-09-24 10:30:30 +02:00
Dirk
39822d89e9 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2018-09-23 14:16:42 +02:00
Dirk
dd3657eb23 Fix TCP fragmentation
As @tomato42 pointed out in #1113 '\x0a' causes the printf buffer
to flush before all data was sent. As a result any '\x0a' in
a ClientHello causes a new TCP fragment.

This commit changes all TCP sockets write to use an external
printf if available which doesn't show this behaviour, see #1130.
It was checked against wireshark.

The external printf was available for Linux, FreeBSD 9 and OpenBSD,
so I do not expect any problems with MacOS X either.

There might be further solutions like 'stdbuf' or 'dd' which
are shown in #1130.
2018-09-23 13:30:46 +02:00
Dirk
11d74d2f6e Remove the cat in get_cipher() and get_protocol()
See #1129
2018-09-22 09:50:15 +02:00
Dirk Wetter
0727a30456
Merge pull request #1129 from dcooper16/fix_1118
Fix #1118
2018-09-22 09:23:15 +02:00
Dirk Wetter
7b9a673b6e
Merge pull request #1131 from dcooper16/avoid_oa
Avoid unnecessary '0a' characters in ClientHello
2018-09-22 09:21:48 +02:00
David Cooper
2b46664a83
Remove '0a' character from public keys
This commit removes the '0a' character from public keys used in the key_share extension. New key pairs were created by repeatedly generating new keys until one was found that had no '0a' characters in the public key.
2018-09-21 17:07:46 -04:00
David Cooper
41c7e74823
Avoid unnecessary '0a' characters in ClientHello
As noted in #1130, the current implementation of socksend_tls_clienthello() results in packets being fragmented wherever a '0a' character appears in the message. This cannot be avoided, but there are a few places where a '0a' character appears in which the character could easily be replaced:

* In the session_id for a TLSv1.3 ClientHello.
* In the 32-byte client random value
* In any public key sent in the key_share extension

This PR removes those uses of the '0a' character. While this does not do much to address the problem, it does result in a slight reduction in the amount of fragmentation of messages.
2018-09-21 17:05:08 -04:00
David Cooper
9b9f435059
Fix #1118
This PR is an attempt to fix the problem identified in #1118.

Currently, get_cipher() and get_protocol() attempt the extract the cipher and protocol from the SSL-Session information printed by OpenSSL s_client. This does not always work for TLSv1.3, however, since OpenSSL 1.1.1 will only print SSL-Session information for a TLSv1.3 connection if the server sends New Session Ticket. If the server doesn't, then get_cipher() and get_protocol() return empty strings.

For TLSv1.3 connections in which the server does not send a New Session Ticket, there seems to be only one other source for this information. A line of the form:

        New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

[Note that "New" would be "Reused" if the connection were created via session resumption.]

The use of this line seems to be okay for extracting the negotiated cipher, but it cannot be used in general to extract the negotiated protocol. The reason is that this line is created as follows:

    c = SSL_get_current_cipher(s);
    BIO_printf(bio, "%s, Cipher is %s\n",
               SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));

While the cipher that is printed seems to be the negotiated cipher, the protocol that is printed is "the SSL/TLS protocol version that first defined the cipher." Since TLS 1.3 ciphers may only be used with TLS 1.3, protocol version printed on this line may be accepted as the negotiated protocol if and only if it is "TLSv1.3."

This PR addresses the problem by modifying get_cipher() and get_protocol() to check the "New, ..., Cipher is ..." line if lines from SSL-Session ("Cipher    : ...", "Protocol  : ...") cannot be found. In the case of get_protocol() the protocol on the "New, ..., Cipher is ..." will be accepted only if the protocol is "TLSv1.3" and the cipher is a TLSv1.3 cipher.

This PR also adds a check for the "New, ..., Cipher is ..." to sclient_connect_successful(). If this line is present, and the protocol and cipher are not "(NONE)", then this is accepted as an indication that the connection was successful even if the "Master-Key" line does not appear. It is not clear whether this extra test is needed, however, as sclient_connect_successful() will not even look at the text in the output of OpenSSL s_client if function's return value is 0, and OpenSSL s_client should return 0 if the connection was successful.
2018-09-21 15:08:29 -04:00
David Cooper
4effe1dbf3 Deprecated elliptic curves
Most of the curves that were defined for the supported_groups extension in RFC 4492 have been deprecated in RFC 8422 and RFC 8446. Appendix B.3.1.4 of RFC 8446 says that these deprecated values "are used in previous versions of TLS and MUST NOT be offered or negotiated by TLS 1.3 implementations."

According to a recent discussion on the TLS mail list (see, for example, https://www.ietf.org/mail-archive/web/tls/current/msg26974.html and https://www.ietf.org/mail-archive/web/tls/current/msg26980.html) a TLS 1.3 server implementation may choose to reject a TLS 1.3 ClientHello simply because the ClientHello offers one or more of the deprecated curves.

This PR address this issue by no longer offering the deprecated curves in TLS 1.3 ClientHello messages. This only affects run_pfs(), since socksend_tls_clienthello() already does not offer the deprecated curves in TLS 1.3 ClientHello messages.

The change in this PR has no affect on the testing of servers that do not support TLS 1.3. For those that do support TLS 1.3, only the 5 non-deprecated curves are tested with TLS 1.3, but all 30 curves are tested with TLS 1.2.
2018-09-21 10:02:45 -04:00
Dirk
96a1002f84 Re-adding IP/FQDN + PORT to CSV output
This commit fixes a recently introduced bug, see #1128
2018-09-20 21:43:39 +02:00
Dirk Wetter
ef442f1c1c
Merge pull request #1126 from dcooper16/fewer_key_shares
Send fewer key shares
2018-09-19 09:30:28 +02:00
Dirk Wetter
04dfb66a42
Merge pull request #1125 from dcooper16/fix_grease_findings
Fix run_grease() severity levels
2018-09-19 09:26:33 +02:00
David Cooper
59e2c686c5
Send fewer key shares
This PR reduces the number of public keys that are included in the key_share extension for a TLS 1.3 ClientHello.

When creating the key_share extension for a TLS 1.3 ClientHello, generate_key_share_extension() generally omits the public keys for larger finite-field groups (ffdhe3072, ffdhe4096, ffdhe6144, and ffdhe8192) so that the extension will not be overly large.  However, the extension that it creates is still much larger than what is created by other software.

For a generic TLS 1.3 ClientHello, socksend_tls_clienthello() offers 7 groups in the supported_groups extension (P-256, P-384, P-521, X25519, X448, ffdhe2048, ffdhe3072) and 6 public keys in the key_share extension (P-256, P-384, P-521, X25519, X448, ffdhe2048). While the largest public key is omitted, this still creates a 665 byte key_share extension.

By contrast, Firefox offers 6 groups in the supported_groups extension (X25519, P-256, P-384, P-521, ffdhe2028, ffdhe3072), but only includes two public keys in the key_share extension (X25519, P-256). OpenSSL 1.1.1 offers 5 groups in the supported_groups extension (X25519, P-256, P-384, P-521, X448) and only includes one key in the key_share extension (X25519). Chrome offers 3 groups in the supported_groups extension (X25519, P-256, P-384) and only includes one key in the key_share extension (X25519).

Following the examples of OpenSSL, Firefox, and Chrome, this PR changes generate_key_share_extension() to include at most two public keys in the key_share extension. In general it will offer the public keys for the first two groups that appear in the supported_groups extension. However, it will still exclude the public key for any ffdhe group larger than ffdhe2048 unless that group appears first in the supported_groups extension.

In most cases this change will simply result in the ClientHello message being smaller. In some unusual cases, this change will force a second round-trip, with the server sending a HelloRetryRequest in order to ask for the key_share that it needs, but this will not affect the results of the testing.
2018-09-18 14:27:06 -04:00
David Cooper
1130e30120
Fix run_grease() severity levels
In run_grease() there is a mismatch between the severity level of finds as printed and as sent to fileout(). Problems are labeled as medium when printing, but as CRITICAL in the call to fileout(). This PR fixes the problem by changing CRITICAL to MEDIUM.
2018-09-18 11:47:32 -04:00
Dirk Wetter
355ba91b65
Merge pull request #1122 from dcooper16/fix_size_calculation
Fix calculation of ClientHello size
2018-09-17 13:24:40 +02:00
Dirk Wetter
d7e9794062
Merge pull request #1120 from dcooper16/avoid_clienthello_size_bug
Avoid ClientHello size bug
2018-09-17 09:59:23 +02:00