Commit Graph

2562 Commits

Author SHA1 Message Date
Dirk Wetter 7aaadf731c Merge pull request #773 from sdann/postgres_cleanup
Postgres cleanup
2017-07-01 10:43:05 +02:00
Dirk Wetter 4cb48a1399 Merge branch '2.9dev' into postgres_cleanup 2017-07-01 10:25:28 +02:00
Dirk 02488884bb added experimental label for MySQL STARTTLS protocol 2017-07-01 10:11:34 +02:00
Dirk Wetter 152c5c225c Merge pull request #774 from sdann/mysql_starttls
Add mysql (openssl) starttls support
2017-07-01 10:05:05 +02:00
Steven Danneman 123db1d694 Add mysql (openssl) starttls support
openssl/master branch now supports mysql STARTTLS in s_client

This patch adds support to call and use that s_client support to run
most, but not all (pfs, client simulation) tests.

The socket implementation is stubbed, but not yet functional.
2017-06-30 16:12:03 -07:00
Steven Danneman 2a2e9ebc07 Rename variable as it is not a regex 2017-06-30 15:57:41 -07:00
Steven Danneman e4212f4fb3 Remove use of "postgress" with extra 's' for secure
Though it matches the pattern of the other protocol names in testssl, it
is not commonly used in practice.
2017-06-29 14:39:22 -07:00
Dirk 2d007e4c8b increased verbosity for some standard cipher lists 2017-06-29 17:58:58 +02:00
Dirk 62ce04adf0 remove redundant option "false" in --warnings 2017-06-28 20:28:23 +02:00
Dirk 9d699d1248 straighten server header markup 2017-06-22 13:39:37 +02:00
Dirk ff63700c6e add few more header flags, work on #765 2017-06-20 23:18:15 +02:00
Dirk 4cb435a549 added several insecurity headers 2017-06-20 11:31:22 +02:00
Dirk f53c3c1377 removed separate option for SPDY and HTTP/2 , addressing #767 2017-06-20 08:43:35 +02:00
Dirk 4c73afeef8 fix for nmap file parser (not properly assigned ip variable) 2017-06-14 09:24:20 +02:00
Dirk 7094c4436f also now honor different ports per host from nmap file.
testssl.sh is taking an educated guess which port makes sense to scan,
which one not and for which one to use which starttls handshake upfront.
This minimizes needless sscans and error messages.
2017-06-13 18:42:07 +02:00
Dirk 531b4453ef new function for guessing "port --> invoking" assignments 2017-06-13 15:19:28 +02:00
Dirk Wetter 18cbdcc272 Will Hunt 2017-06-13 08:41:32 +02:00
Dirk Wetter 0488ef1a5f Will Hunt 2017-06-13 08:40:31 +02:00
Dirk Wetter ff37bc3bef Create Readme.md 2017-06-13 00:29:44 +02:00
Dirk f7fdefcdc0 mass testing nmap grep(p)able prefers now hostname instead of ip address in nmap file
--serial is now a shortcut for --mode=serial
2017-06-12 22:56:36 +02:00
Dirk e0960c5379 --parallel is now shortcut for --mode=parallel 2017-06-12 19:07:58 +02:00
Dirk 241b6e4d2e parallel mass testing mode, Ticketbleed+client auth, parallel mode also for nmap
Parallel mass testing mode is now not anymore experimental. To
use it a separate flag ``--mode=parallel`` was introduced. Serial
is still the default for now to avoid unexpected conditions.
Both the mode arguement and the default is subject to change.

The parallel mass testing mode can now also make use of a
nmap file. Also the functional test for nmap file was put
into a separate function and made more user safe. Open point is
that we better should use the hostname if the forward DNS record matches.

Fixed logical inconsistency: Ticketbleed was not being tested against a server with client authentication

Some variables in the beginning reordered
2017-06-12 18:23:55 +02:00
Dirk 1b0ac5ffd6 first version of implicit parsing for nmap greppable files (-oG)
Currently for serial scanning only.
2017-06-12 17:09:52 +02:00
Dirk 30d3233cb4 Merge branch 'SAN_preferred' into 2.9dev 2017-06-09 13:48:28 +02:00
Dirk 69fa8ca378 several improvements
timeout: the TLS ticket check has a timeout, so that early on non-reachable hosts
are determined. If it is running into the timeout, it quits early. The
timeout is configurable via environment e.g. TIMEOUT=16 ./ticketbleed.bash <host>

Also other ports are allowed albeit it probably it is of limited use

Supplying no arg is now more user-friendly
2017-06-09 12:45:22 +02:00
Dirk 15219475e9 strip supplied port automatically 2017-06-09 11:27:59 +02:00
Dirk b69505223a added "gmap2testssl.sh": utility which converts grepable nmap output to testssl's file input 2017-06-09 11:22:11 +02:00
Dirk 53b6e2cfe8 changed PoC to a 3 rounder test (like testssl.sh) to increase reliability.
If different memory is returned each try it is for sure vulnerable. This
helps getting weird servers properly tested and weeds out false positives.
2017-06-07 18:16:18 +02:00
Dirk 5bb5c19e63 cleanup before addressing #592 2017-06-07 09:54:24 +02:00
Dirk Wetter 861b38bce5 Merge pull request #761 from dcooper16/SAN_preferred_update
SAN_preferred updates
2017-06-07 09:38:22 +02:00
David Cooper dd0fc73be0 SAN_preferred updates
This PR attempts to address the outstanding issues with respect to issue #733, mainly by addressing the rules for when a certificate is obtained without SNI.
2017-06-02 15:28:06 -04:00
Dirk a8ffa66cad output polishing for must staple 2017-06-01 18:15:44 +02:00
Dirk 63cb4ffc5e improved high level sections of DNS in determine_ip_addresses()
FIX #668

Polishing ``get_*_record()``

Simplfied ``main`` a bit
2017-06-01 18:08:13 +02:00
Dirk a90eb8c9be FIX #744 2017-06-01 16:24:45 +02:00
Dirk Wetter f3f29cd85c Merge pull request #760 from dcooper16/fix_757
Fix #757
2017-06-01 15:51:21 +02:00
Dirk e4f64463a4 FIX #758 2017-06-01 15:47:38 +02:00
David Cooper 5807b5e993 Fix #757
I believe I discovered the reason for issue #757: f2303a0d79.

This commit removed attempted to replace `$cbc_cipher_list_hex` (which was computed on the fly) with `$cbc_ciphers_hex` (which is static). However, the function was still using `$cbc_cipher_list_hex`, and since it wasn't being initialized to "" at the beginning of the function, the second call to `run_beast()` (to handle the second IP address) just appended to the value created by the first. Then, when the first two bytes were removed from the resulting string the result was a malformed cipher suite list, which caused `tls_sockets()` to fail.
2017-06-01 09:36:03 -04:00
Dirk a73a92b64d Merge branch 'SAN_preferred' of github.com:drwetter/testssl.sh into SAN_preferred 2017-06-01 15:20:36 +02:00
Dirk e035dabb13 Trying to address #733, not complete yet (see also #735).
Open issues: 1) The SNI logic 2) The fileout logic. 3) another section with ``trust_nosni -eq 4/8``

For 2): fileout is a general finding MEDIUM [1] which isn't in line now with the pr_*finding
in the section above anymore. It would make sense to punish HTTP services more than others.
Unfortunately he fileout statement cannot be moved below pr_svrty_medium/pr_svrty_high as
trustfinding_nosni hasn't been determined yet.

Fast solution would be probably to move the trustfinding_nosni section above the trustfinding
section.

Still 3) and a different trust over non-SNI makes it difficult -- e.g. Server has CN match only over
SNI but without SNI SAN matches. That's an edge case though which probably doesn't exist (like Bielefeld)

[1] That was WARN before. WARN should indicate a status of testssl that it cannot perform a check
2017-06-01 15:19:21 +02:00
Dirk 252cceb5dd Trying to address #735, not complete yet.
Open issues: 1) The SNI logic 2) The fileout logic. 3) another section with ``trust_nosni -eq 4/8``

For 2): fileout is a general finding MEDIUM [1] which isn't in line now with the pr_*finding
in the section above anymore. It would make sense to punish HTTP services more than others.
Unfortunately he fileout statement cannot be moved below pr_svrty_medium/pr_svrty_high as
trustfinding_nosni hasn't been determined yet.

Fast solution would be probably to move the trustfinding_nosni section above the trustfinding
section.

Still 3) and a different trust over non-SNI makes it difficult -- e.g. Server has CN match only over
SNI but without SNI SAN matches. That's an edge case though which probably doesn't exist (like Bielefeld)

[1] That was WARN before. WARN should indicate a status of testssl that it cannot perform a check
2017-06-01 14:52:19 +02:00
Dirk 5890677d85 chmodded 2017-06-01 11:14:52 +02:00
Dirk de5b2aa042 readded basic check from seccubus whether check via starttls works 2017-06-01 11:14:04 +02:00
Dirk Wetter bd015b9129 Merge pull request #753 from dcooper16/mass_testing_command_line_error
Massing testing with command line error
2017-05-31 21:37:54 +02:00
Dirk 91b9236055 PoC for unit test in bash 2017-05-31 10:30:02 +02:00
David Cooper 28dadbfb19 Merge branch '2.9dev' into mass_testing_command_line_error 2017-05-30 16:52:55 -04:00
Dirk Wetter 55b89ee131 Rename 02_http.t to 32_http.t 2017-05-30 22:15:13 +02:00
Dirk Wetter 4afedb45b1 Rename 01_badssl.com.t to 31_badssl.com.t 2017-05-30 22:14:19 +02:00
Dirk Wetter 8e1ace839f Merge pull request #755 from dcooper16/stop_parent
Stop parent if child encounters parsing error
2017-05-30 21:05:05 +02:00
David Cooper 0f09af8566 Stop parent if child encounters parsing error
This PR implements the suggestion from #753 for a child process in mass testing to send a signal to the parent to exit if the child encounters an error parsing its command line. At the moment, the child only sends the signal if it encounters an error that results in the `help()` function being called, but that could easily be changed (e.g., to also send a signal if `fatal()` is called in the child process).

In the case of parallel mass testing, the cleanup function needs to call `get_next_message_testing_parallel_result()` for the child that sent the signal, since otherwise the child's error message would not be displayed. Since I cannot tell which child sent the signal, I just call `cleanup()`, which displays the output of all completed child processes. Since the child process will send the signal almost immediately after starting, it can be assumed the that process that send the signal will be the last one that completed, and so its output will be displayed last (so it isn't hidden from the user).

Note that PR #753 is still needed, since there are still scenarios in which a child would not produce any JSON output, but the parent testssl.sh would not exit (e.g., the child process cannot open a socket to the server it is supposed to test). In additional, PR #754 would still be useful, since it would be more user friendly to catch the error in the mass testing file immediately (when possible) rather that partway through a potentially time-consuming testing process.
2017-05-24 17:12:18 -04:00
David Cooper c831dd0fd3 Handle all empty JSON file cases 2017-05-23 14:52:25 -04:00