Commit Graph

4009 Commits

Author SHA1 Message Date
Dirk Wetter ae7b8988b9 Fixes related to session tickets and resumption
This commit fixes the regression "Session Ticket RFC 5077 hint missing/incomplete" #1218.
Reason was that in some cases where the ticket lifetime hint was not retrieved before, later
$OPENSSL s_client -connect with -cipher ALL:COMPLEMENTOFALL didn't get the ticket either.
Just using "$OPTIMAL_PROTO" instead of -cipher ALL:COMPLEMENTOFALL fixed it in the cases
tested so far.

Then a global variable is introduced -- TLS_TICKETS. Which keeps in any case the
state whether session tickets are supported. This is being used to fix #1089. It
remains a bit unclear what is meant in https://tools.ietf.org/html/rfc5077#section-5.6
by "TLS clients MAY be given a hint of the lifetime of the ticket". We use this information
to check for resumption by ticket which seems realistically the best solution.

Session resumption was also made a bit more reliable: The ServerHello is now
being tested for "New" also. If this and "Reused" wasn't detected, an error
is raised.

In general we could do better in keeping and reusing information of a ServerHello
in TMPDIR.
2019-03-23 22:16:34 +01:00
Dirk 44881d5eba Revert change for MacOSX as hinted 2019-03-19 10:00:13 +01:00
Dirk Wetter 7b2a2174e4
Merge pull request #1215 from dcooper16/determine_optimal_proto_sockets_bugfix
determine_optimal_proto_sockets_helper() speedup and bug fix
2019-03-18 12:35:22 +01:00
David Cooper 9ec70fa4d9
determine_optimal_proto_sockets_helper() speedup and bug fix
There is currently a bug in determine_optimal_proto_sockets_helper(). In two places there is code of the form:

   tls_sockets ...
   if [[ $? -eq 0 ]]; then
        ...
   elif [[ $? -eq 2 ]]; then
        ...
   fi

This code does not work as intended since the second check ("elif [[ $? -eq 2 ]]") is actually comparing the results of the first check to 2 rather than the results of the call to tls_sockets().

This PR fixes that problem and also speeds up the code. Since tls_sockets() sets $DETECTED_TLS_VERSION to the protocol version that was negotiated, there is no need to scan $TEMPDIR/$NODEIP.parse_tls_serverhello.txt for this information.
2019-03-13 16:17:50 -04:00
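The `$?` pitfall this commit message describes, as an added POSIX shell example that is not code from testssl.sh: `fake_tls_sockets` is a constructed stand-in that only returns the status it is given, and the branch labels are illustrative. The same behaviour applies to the `[[ ... ]]` form quoted in the message.

```shell
#!/bin/sh
set +e   # exit statuses are inspected by hand below, so errexit must be off

# Constructed stand-in for tls_sockets(): returns the status passed in.
fake_tls_sockets() { return "$1"; }

# Pattern from the commit message. The first test command overwrites $?,
# so the elif compares that test's own status (1 when it was false) to 2,
# never the status of fake_tls_sockets.
classify_buggy() {
    fake_tls_sockets "$1"
    if [ $? -eq 0 ]; then
        echo "branch-0"
    elif [ $? -eq 2 ]; then
        echo "branch-2"
    else
        echo "else-branch"
    fi
}

# Corrected form: capture the status once, directly after the call,
# and test the saved value in every branch.
classify_fixed() {
    fake_tls_sockets "$1"
    ret=$?
    if [ "$ret" -eq 0 ]; then
        echo "branch-0"
    elif [ "$ret" -eq 2 ]; then
        echo "branch-2"
    else
        echo "else-branch"
    fi
}

# Show both variants side by side for the three interesting statuses.
for status in 0 1 2; do
    printf 'status=%s buggy=%s fixed=%s\n' "$status" \
        "$(classify_buggy "$status")" "$(classify_fixed "$status")"
done
```

Only status 2 differs between the two variants: the buggy form silently falls through to the else branch, which is why the defect is easy to miss when the status-0 path is the one usually exercised.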
Dirk Wetter bc6b2c6f94
Merge pull request #1213 from capncrunch/fix_starttls_imap
fix IMAP STARTTLS regexp
2019-03-10 10:02:47 +01:00
Bodo Bellut f5bf2e0e22 fix IMAP STARTTLS regexp 2019-03-09 18:05:51 +01:00
Dirk Wetter 053a2265ab editing of comments 2019-03-06 19:48:21 +01:00
Dirk ee72e9deae Reset APPEND var if the file doesn't exist
...as otherwise it won't be created, fixes #1210.
2019-03-06 16:37:32 +01:00
Dirk Wetter a0d51611d2 Housekeeping
* changed = to ==
* fixed emphasize errors in emphasize_stuff_in_headers()
* add new debian version
* prospectively add Alt-Svc header, see #1209 (won't show up in output yet)
2019-03-05 17:43:04 +01:00
Dirk Wetter 4442c6c236 Determine $SERVER_SIZE_LIMIT_BUG upfront
In order to handle better Cisco ACE loadbalancers (almost extinct species) which
have a problem with ClientHellos >127 ciphers we had introduced a variable which
needs to be filled better with some sense.

This commit does that by introducing the function determine_sizelimitbug() which
is called in lets_roll().

It also removes then redundant code in cipher_pref_check().

Open:
* handle run_grease()
* do we want this information at least in a logfile
* or maybe even on screen?

See also #1202 .
2019-03-05 16:47:19 +01:00
Dirk d965f14a15 name is openssl.Linux.x86_64.krb now 2019-02-28 19:38:25 +01:00
Dirk b4bc334bb8 Fix JSON output for public key algorithm
For non-EC public key algorithm of the server certificate
the terminal output contained the algorithm but not the
file output. This PR fixes that, see also #1187 and puts
the public key algorithm first in the cert_keySize -- also
for EC certificates.

In addition it fixes the recognition of ECDSA certificates
which were detected as DSA certificates (order in case
statement).

Also there were in a few double square brackets an assignment operator
'=' instead of a test operator '=='
2019-02-23 12:49:45 +01:00
Dirk Wetter 8fb0b70124
Merge pull request #678 from dcooper16/get_server_certificates_extensions
Remove extra call to s_client
2019-02-22 17:43:21 +01:00
Dirk Wetter 56e8520b79
Merge pull request #663 from dcooper16/openssl_ciphers_s
Use -s option with OpenSSL ciphers
2019-02-22 17:38:41 +01:00
Dirk 5dd8839be3 Add ciphers to BEAST check
There were a few, mostly less common ciphers in this check missing.
This commit adds them and fixes #208.

It also removes redundant quotes in double square brackets and
updates documentation for determine_optimal_proto().
2019-02-22 15:28:49 +01:00
Dirk 57054bc149 minor code improvements 2019-02-22 15:09:05 +01:00
Dirk Wetter b42ebc883e
Merge pull request #1204 from sxxs/2.9dev
openssl for Darwin x86_64; built with make-openssl.sh on macOS 10.14.3 (Mojave)
2019-02-22 11:51:17 +01:00
Dominik Herrmann 778f725dbd
openssl for Darwin x86_64; built with make-openssl.sh on macOS 10.14.3 (Mojave) 2019-02-22 11:49:44 +01:00
Dirk Wetter 218e387fe2
Merge pull request #1203 from sxxs/2.9dev
Update make-openssl.sh: Darwin compatibility
2019-02-22 11:30:21 +01:00
Dominik Herrmann 9d26b86030
Update make-openssl.sh: Darwin compatibility
- Darwin doesn't build with -static (removed; file name suffix changed to "dynamic" in this case)
- Darwin has a different openssldir (/private/etc/ssl)
- script doesn't fail any more at make clean step in case there is no Makefile yet
- Darwin 64 bit compilation needs ./Configure instead of ./config and an explicit reference to darwin64-x86_64-cc
2019-02-22 11:17:57 +01:00
Dirk ed7e7d8d50 Add line for Darwin
not sure whether -static just works. TBD
2019-02-22 10:07:46 +01:00
Dirk 6bd489331d Updated store because of Mozilla update
The following certificates were added:
- Certigna Root CA
- UCA Extended Validation Root
- UCA Global G2 Root
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
2019-02-21 09:21:19 +01:00
Dirk c957e4e302 Fix non-supported curve initial error message also for STARTTLS
This is the last fix for #1087.

It determines STARTTLS_OPTIMAL_PROTO (unless --ssl-native is being used) with
sockets per default which removes cases where an openssl s_client
connect using STARTTLS failed with the initial message 'doesn't seem to be a TLS/SSL
enabled server' and prompt 'Really proceed ? ("yes" to continue)' now shouldn't
happen in those cases anymore.

To not have redundant code determine_optimal_proto_sockets_helper() is being
used for not STARTTLS and plain TLS/SSL.

In addition it looked like this determine_optimal_proto() was not always called in
the beginning when a STARTTLS scan was requested. Instead determine_service()
contained an openssl s_client connect called which was the wrong place and thus
removed. Also now determine_optimal_proto() also for STARTTLS will always be called.
2019-02-20 21:37:59 +01:00
Dirk Wetter 315005fc6f Add SSLv2 to SWEET32
The information on 64 Block ciphers using SSLv2 in the SWEET32
paper is sparse. Maybe because SSLv2 is the bigger problem.

For completeness also SSLv2 ciphers were added to the SWEET32 check.
It fixes finally #613.

Also with --ssl-native when no ciphers or only a handful of ciphers
are supplied by openssl there's a "Local problem" warning issued and
the test aborted as the results would make much sense otherwise.

A few pieces of documentation of parameters and return conditions
for sslv2_sockets() and has_server_protocol() were added.
2019-02-19 20:41:54 +01:00
Dirk Wetter 40f7e15f26 Bump RC version # 2019-02-18 20:33:08 +01:00
Dirk Wetter 7ea470f7c1
Merge pull request #1200 from dcooper16/move_gost_rsa_cipher
TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5 uses an RSA certificate
2019-02-18 18:09:57 +01:00
Dirk Wetter 2124f51b90
Merge pull request #1201 from dcooper16/fix_check_tls12_pref
Fix check_tls12_pref()
2019-02-18 10:39:20 +01:00
David Cooper e0ce496a45
Fix check_tls12_pref()
This is a minor bug when performing run_server_preference() if the server cannot handle ClientHello messages with more than 128 ciphers (i.e., $SERVER_SIZE_LIMIT_BUG is true) and the server supports at least one cipher in 'CAMELLIA:IDEA:KRB5:PSK:SRP:aNULL:eNULL'.

The problem is that `$OPENSSL s_client` is called with a cipher list such as
   ECDHE-RSA-AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256
then
   ECDHE-RSA-AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256:-CAMELLIA256-SHA
then
   ECDHE-RSA-AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256:-CAMELLIA256-SHA:-AES256-SHA256
and finally
   ECDHE-RSA-AES256-GCM-SHA384:CAMELLIA256-SHA:AES256-SHA256:-CAMELLIA256-SHA:-AES256-SHA256:-ECDHE-RSA-AES256-GCM-SHA384

The last call to $OPENSSL s_client produces an error since the list of ciphers to send is empty, and this results in connectivity_problem() being called to print an "openssl s_client connect problem" warning.

This PR fixes the problem by constructing a list of ciphers to test for and by not calling $OPENSSL s_client if the list is empty.
2019-02-15 14:28:56 -05:00
David Cooper 28239cd244
TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5 uses an RSA certificate
As Dirk commented in #1199, TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5 uses an RSA certificate, not a GOST certificate. So, this PR moves that cipher suite (0xff, 0x00) from the GOST list to the RSA list.

According to etc/cipher-mapping.txt, TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5 uses RSA for both authentication and key exchange, so this PR places it on the list of cipher suites that uses RSA for encryption rather than signatures.
2019-02-15 09:51:00 -05:00
David Cooper 9cc0624bf2 Use -s option with OpenSSL ciphers
With OpenSSL 1.1.0 (and maybe other versions), the `ciphers` function lists many cipher suites that are not actually supported by the `s_client` option. This PR fixes that by using the `-s` option whenever `$OPENSSL ciphers` is used to obtain a list of cipher suites supported by OpenSSL. According to https://www.openssl.org/docs/manmaster/man1/ciphers.html:
```
-s

    Only list supported ciphers: those consistent with the security level, and minimum and
    maximum protocol version. This is closer to the actual cipher list an application will
    support.
```
When the `-s` option is used along with `-tls1`, OpenSSL 1.1.0 will not list any ciphers that only work with TLSv1.2. So, `prepare_debug()` needed to be changed to correctly populate `ossl_supported_tls`, which is supposed to be a list of all non-SSLv2 ciphers supported by the server.

LibreSSL issues an "unknown option" error if the `-s` option is provided, so the `-s` option is only included in the command line if `$OPENSSL` has been determined to support it.

This PR is needed so that `prepare_debug()` can correctly determine which cipher suites are or are not supported by `$OPENSSL`.
2019-02-15 09:07:03 -05:00
David Cooper 64ac831a8d Remove extra call to s_client
This PR removes an extra call to `$OPENSSL s_client` in `get_server_certificates()` and it also changes `get_server_certificates()` to not collect extensions when SNI is not being provided.
2019-02-15 09:06:24 -05:00
Dirk e27b03dff8 Clarify error message
... when no certificate was detected. Shouldn't be needed
anymore since @dcooper16's fix 8488b84 but for robustness
it might be good to leave it.
2019-02-15 10:09:31 +01:00
Dirk Wetter 6c0bbaf042
Merge pull request #1199 from dcooper16/get_server_certificate_sockets
Use sockets for get_server_certificate()
2019-02-15 09:40:22 +01:00
Dirk 5b05f144b3 remove some redundant quotes 2019-02-15 09:21:28 +01:00
David Cooper 8488b84136
Use sockets for get_server_certificate()
This PR modifies get_server_certificate() to use tls_sockets() rather than $OPENSSL for finding certificates using SSLv3 - TLSv1.2, unless $SSL_NATIVE is true. Using tls_sockets() allows testssl.sh to find certificates used by the server even if the server is only using cipher suites not supported by $OPENSSL. This may happen, for example, if the server only supports TLS_ECDHE_ cipher suites with curve X25519 and a version of OpenSSL prior to 1.1.0 is being used. A less likely possibility would be if the server had a certificate with a DH key, and a newer version of OpenSSL that does not support TLS_DH_ cipher suites is being used.

Since tls_sockets() cannot be used to obtain session tickets from the server, an additional test for session ticket lifetime needed to be added.

In order to reduce the number of times the server needs to be queried for certificates, this PR bundles the testing in a similar way to what is already done to test for cipher suites. Currently, each call to get_server_certificate() only tests for one type of certificate. This PR has each call test for more than one type of certificate. For example, one call is made to test for ECDSA, ECDH, DH, DSA, and GOST certificates. If the test is unsuccessful, then the server has none of these certificates. If the test finds a certificate (e.g., an ECDSA certificate), then another test is run looking for the remaining types (ECDH, DH, DSA, and GOST) until a test is unsuccessful.

For most servers, this will reduce the number of calls to get_server_certificate() from 8 or 9 to 4 or 6.
2019-02-14 10:29:48 -05:00
Dirk Wetter 1769378139 Fix naming of average ciphers
... which led to a problem with CBC ciphers.

See #1157
2019-02-14 14:53:28 +01:00
Dirk bd2e10bffe Move listciphers() and sub_cipherlists()
... to be right on top of run_cipherlists()
2019-02-13 15:54:12 +01:00
Dirk 5e9a326dfe Finalize Weak 128 Bit ciphers
This fixes #1157.

* Move IDEA to the same category as 3DES
* Rename the category to 3DES_IDEA (JSON)
* Rename 128 Bit category to AVERAGE (JSON)
* Move 256 Bit CBC ciphers into this category too
* Remove category HIGH

Furthermore:

* Code readability improvements, especially in run_cipherlists()
* fix minor bugs (e.g. aNULL ciphers were used in higher categories when --ssl-native was supplied)
* rearrange order for sub_cipherlists()
* proper documentation for arguments of sub_cipherlists()  in run_cipherlists()
* add "$cve" "$cwe" arguments to fileout in sub_cipherlists() -- (was passed before but not used)
* change debugging leftover filenames for sub_cipherlists to the JSON identifier
2019-02-13 15:44:46 +01:00
Dirk Wetter 3d55d0ebd1
Merge pull request #1197 from dcooper16/run_server_preference_ssl2_only
Fix run_server_preference() for SSLv2 only server
2019-02-13 14:47:46 +01:00
Dirk 5b1e3bb59c Complete SWEET32
... with RC2 IDEA and DES ciphers.
Still open is SSLv2.

See #613
2019-02-13 14:44:28 +01:00
Dirk c252541bcf Minor code simplification / readability 2019-02-13 14:37:57 +01:00
Dirk Wetter 818c96ddbe
Merge pull request #1196 from dcooper16/reorganize_run_cipher_per_proto
Reorganize run_cipher_per_proto()
2019-02-13 14:14:21 +01:00
Dirk Wetter c671ea9796
Merge pull request #1195 from dcooper16/reorganize_check_cipher_pref
Reorganize cipher_pref_check()
2019-02-13 13:51:49 +01:00
Dirk Wetter e8a5ab60cb
Merge pull request #1194 from dcooper16/fix_determine_optimal_proto
Fix determine_optimal_proto()
2019-02-13 13:31:39 +01:00
Dirk Wetter ee4cec2f11
Merge pull request #1193 from dcooper16/fix_get_cipher
Fix get_cipher()
2019-02-13 13:28:44 +01:00
Dirk Wetter c0d04f7a84
Merge pull request #1198 from dcooper16/run_server_defaults_ssl2_only
Fix run_server_defaults() for SSLv2-only servers
2019-02-13 13:25:51 +01:00
David Cooper 1cf796fd36
Fix run_server_defaults() for SSLv2-only servers
This PR makes a few improvements to run_server_defaults() when run on an SSLv2-only server.

First, it uses sslv2_sockets() to test the server rather than $OPENSSL, so that it will work even if $OPENSSL does not support SSLv2.

Second, it changes run_server_defaults() to only call get_server_certificate() once if $OPTIMAL_PROTO is -ssl2, since calling more than once is a waste -  SSLv2 only supports ciphers that use RSA key exchange.

Finally, as some code assumes that $TEMPDIR/intermediatecerts.pem will exist, even if it is empty, this PR changes a couple of places that delete $TEMPDIR/intermediatecerts.pem to instead make the file empty.
2019-02-12 15:15:18 -05:00
David Cooper 90d36262ea
Fix run_server_preference() for SSLv2 only server
When run_server_preference() is run on a server that only supports SSLv2 it incorrectly reports that the server has a cipher order. The reason for this is that $list_fwd and $list_reverse only include one SSLv2 cipher.

In SSLv2 the server sends a list of all ciphers it supports in common with the client and the client chooses which cipher to use. As a result, the server cannot enforce a cipher order for SSLv2.

So, this PR fixes the problem in run_server_preference() by skipping the test for whether the server enforces a cipher order if $OPTIMAL_PROTO is -ssl2 and simply declares that the server does not enforce a cipher order.

Note that this PR is somewhat dependent on #1194, as #1194 needs to be applied in order for $OPTIMAL_PROTO to be set to -ssl2 when testing an SSLv2-only server.
2019-02-12 13:44:55 -05:00
David Cooper 8fdb388dc3
Reorganize run_cipher_per_proto()
This PR reorganizes run_cipher_per_proto(). Currently run_cipher_per_proto() runs a for loop, which loops over each protocol and prints the set of supported ciphers for each protocol. This PR simply places the body of the for loop in a separate function from the loop itself. This allows the body of the loop to be called for just a single protocol.

While this PR does not change the way that testssl.sh functions, it would allow for a future change in which run_server_preferences() called cipher_pref_check() for protocols in which the server enforces a cipher order and calls ciphers_by_strength() for protocols in which the server does not enforce a cipher order.
2019-02-12 12:50:24 -05:00
David Cooper 2a13643bb1
Reorganize cipher_pref_check()
This PR reorganizes cipher_pref_check(). Currently, cipher_pref_check() runs a for loop, which loops over each protocol and prints the set of supported ciphers for each protocol. This PR simply places the body of the for loop in a separate function from the loop itself. This allows cipher_pref_check() to be called for just a single protocol rather than for all protocols. Another PR will make a similar change to run_cipher_per_proto().

The reason for this change is that cipher_pref_check() was only intended to be used in cases in which the server enforces a cipher preference order. Some servers, however, enforce an order for some protocols, but not for others. The change in this PR will make it possible in the future to call cipher_pref_check() only for protocols in which the server enforces a cipher order.
2019-02-12 12:43:57 -05:00