Commit Graph

3300 Commits

Author SHA1 Message Date
Dirk Wetter bbd103fe95
Merge pull request #1360 from drwetter/drwetter-patch-1
Remove c&p relict
2019-10-28 18:44:42 +01:00
Dirk Wetter d3e3724d65
Merge pull request #1356 from dcooper16/fix_parse_tls_serverhello_bug
Fix parse_tls_serverhello() bug
2019-10-28 18:41:43 +01:00
Dirk Wetter 326558dec1
Remove c&p relict 2019-10-28 18:36:39 +01:00
Dirk Wetter 9c27a03c30
Merge pull request #1357 from dcooper16/fix_do_starttls_initialization_bug
Fix do_starttls initialization bug
2019-10-28 18:08:01 +01:00
Dirk Wetter 1335d9ebda
Merge pull request #1359 from drwetter/fix_1355
Adress #1355
2019-10-28 18:01:58 +01:00
Dirk Wetter bfb94c8acb Adress #1355
by adding "_hint" to the additional information when
testing for DROWN.
2019-10-28 18:00:10 +01:00
Dirk Wetter 10a6c7b9d2
Merge pull request #1358 from dcooper16/use_jsonID
Use $jsonID rather than literal string
2019-10-28 17:49:16 +01:00
David Cooper 8a0f94f561
Use $jsonID rather than literal string
In run_drown(), $jsonID is set to "DROWN" and most calls to fileout() are of the form

     fileout "$jsonID" ...

However, one call is written as

    fileout "DROWN" ...

This PR changes this one call to be consistent with the others. This does not change the functionality of the program.
2019-10-28 12:43:29 -04:00
David Cooper 42c8769983
Fix do_starttls initialization bug
At the moment, $do_starttls is initialized to true in initialize_globals() and then it is set to true again in parse_cmd_line() if the --starttls command line option is used. Presumably the intention was to set $do_starttls to false in initialize_globals().
2019-10-28 10:15:05 -04:00
David Cooper be073e6134
Fix parse_tls_serverhello() bug
This PR fixes a minor bug in parse_tls_serverhello(). In some cases the server's entire response is not retrieved. In these cases, it is possible that the response from the server ends with a portion of a handshake message.

The loop at the beginning of parse_tls_serverhello() extracts the various handshake and alert messages from the server's response. If it gets to the end of the response, and what is at the end is not a complete message, it should just ignore that fragment and break out of the loop. At the moment, however, parse_tls_serverhello() just continues in the loop rather than breaking out. This has not been a problem up to now, since $msg_len is usually set to a positive value from a previous iteration of the loop, which causes the loop to end.

In the case of the server identified in #1353, however, $msg_len is 0 and so the continue rather than break results in an endless loop.
2019-10-28 10:06:21 -04:00
Dirk Wetter b64f5afaea
Merge pull request #1354 from drwetter/patch-1351
Changes to HTML header parsing
2019-10-26 15:13:39 +02:00
Dirk Wetter c840ea50ec
Update testssl.sh
remove '
2019-10-26 14:29:35 +02:00
Dirk Wetter e4f7788899
replace html pattern for header file
.. with just a pattern for  '<' or '{' maybe with a leading blank
2019-10-26 14:21:32 +02:00
Dirk Wetter ca5ff39bce
Extend pattern for HTTP header
Add another pattern because the SEDs tested so far do not seem to be fine with header containing x0d x0a (CRLF) -- which is the usual case. So we also trigger on any sign on a single line which is not alphanumeric (plus _)

See #1351
2019-10-26 14:14:21 +02:00
Dirk Wetter 53951fdb06
Merge pull request #1351 from tkaehn/headerfile_vs_ipv4_address_in_header
'IPv4 address in header' shows body content
2019-10-26 13:14:04 +02:00
Dirk Wetter 0cfd30f8b8
make filtering for header more robust
... by re-adding the former filters after ``sed '/^$q'``
2019-10-26 13:13:10 +02:00
Dirk Wetter f5c3b4e41d
Merge pull request #1352 from dcooper16/fix_client_simulation
Fix client simulation bug
2019-10-23 23:05:05 +02:00
David Cooper 73edf6fa8e
Fix client simulation bug
This PR fixes a bug in modify_clienthello() that occurs when client simulation is being performed, the ClientHello contain an SNI extension, and $SNI is empty. In the case, modify_clienthello() should just skip over the SNI extension and not include one in the modified ClientHello. However, the code currently only skips over the 2-byte extension type. The result being that the remainder of the extension is included in the modified ClientHello. This PR fixes the problem by ensuring the $offset is advanced whether or not $SNI is empty.
2019-10-23 11:03:52 -04:00
Thomas Kähn 7caa6a38b8 HEADERFILE ends on first newline.
Otherwise 'IPv4 address in header' shows body content.
2019-10-23 14:12:10 +02:00
Dirk Wetter 3c18262389
Merge pull request #1350 from drwetter/fix_1336
Squash message to use ./bin/openssl.* when --ssl-native is supplied
2019-10-19 10:07:55 +02:00
Dirk 7964a692ef Squash message to use ./bin/openssl.* when --ssl-native is supplied
PR #1336 included logic to pre-test the server side with sockets
and/or with openssl. However when the user supplied --ssl-native
sockets were never tested before. As a result ALL_FAILED_SOCKETS
was still true, so that the final eif statement complaint erroneously
that sockets didn't work but openssl does.

Also Travis complaint.

This PR fixes it by checking SSL_NATIVE to the final part of the
if statement.

One could also test sockets before and then set ALL_FAILED_SOCKETS
appropriately but that would only make sense if the socket methods
like run_robot() or run_heartbleed() would check ALL_FAILED_SOCKETS
first.

At the moment I went for this as it is easier and the case that sockets
aren't working but openssl does seems not very likely.
2019-10-19 09:52:02 +02:00
Dirk Wetter 764466d710
Merge pull request #1349 from drwetter/add_1336
Remove double TLS13 only handling
2019-10-18 21:33:30 +02:00
Dirk 1513d4eb49 Remove double TLS13 only handling
... as it was moved to determine_optimal_proto(), see #1336.

LF added in message when TLS13 only
2019-10-18 21:29:14 +02:00
Dirk Wetter 3389d84103
Merge pull request #1336 from dcooper16/ossl_determine_optimal_proto
Use OpenSSL for determine_optimal_proto()
2019-10-18 21:07:15 +02:00
Dirk Wetter 7a327f5439
Merge branch '3.0' into ossl_determine_optimal_proto 2019-10-18 21:06:49 +02:00
Dirk Wetter f118085278
Merge pull request #1339 from dcooper16/simplify_determine_sizelimitbug
Simplify determine_sizelimitbug()
2019-10-17 09:39:54 +02:00
Dirk Wetter e7d67e6134
Merge pull request #1341 from dcooper16/run_protocols_speedup
Use determine_optimal_sockets_params() in run_protocols()
2019-10-17 09:28:33 +02:00
Dirk Wetter a8a938470c
Merge pull request #1342 from dcooper16/bad_version_negotiation
Warn if bad version negotiation detected
2019-10-17 09:22:08 +02:00
Dirk Wetter 975ee61eee
Merge pull request #1346 from csett86/osx10146
Update Safari to 13.0 and macOS to 10.14
2019-10-17 08:53:42 +02:00
Christoph Settgast 23b845c11b Update Safari to 13.0 and macOS to 10.14
manually wiresharked, now with TLS1.3 for macOS as well.
2019-10-16 20:36:08 +02:00
Gonçalo Ribeiro e60cce9e1e Add quotes around CONNECT_TIMEOUT
I don't want to add any unnecessary vulnerabilities...
2019-10-10 04:57:38 +01:00
Gonçalo Ribeiro 5485ebe439 Update man page to include --connect-timeout 2019-10-10 04:41:10 +01:00
Gonçalo Ribeiro ae84d16a91 Add reference to --connect-timeout to help() 2019-10-10 04:18:16 +01:00
Gonçalo Ribeiro 83b212f581 Add argument --connect-timeout. Defaults to 3 min
This default value should not affect users not currently using the
timeout (Linux's default seems to be currently around 2 min).
2019-10-10 04:10:57 +01:00
Gonçalo Ribeiro f32d49ccf9 Add 2s timeout when connecting directly to node 2019-10-10 03:49:50 +01:00
David Cooper 877d444300
Warn if bad version negotiation detected
There are a few places where testssl.sh sends a TLS 1.2 (or TLS 1.3) ClientHello and expects the server to respond with a ServerHello as long as it supports TLS 1.2 (or TLS 1.3) or earlier.

run_protocols() performs a fairly thorough check for a server's ability to handle version negotiation, but the problem may also be caught by determine_optimal_sockets_params(), if the server rejects a TLS 1.2 ClientHello even though it supports some earlier protocol version.

In the future, we could try to make use of $OPTIMAL_SOCKETS_PROTO in order to make testssl.sh work a bit better with servers (if any still exist) that don't handle version negotiation correctly. At the moment, though, this PR just prints a warning to the user that the server is buggy, and that this may lead to problems in the scan. It doesn't call fileout() to add anything to the JSON/CSV output, since run_protocols() should already be doing that.
2019-10-07 10:21:04 -04:00
David Cooper 30b93d4c72
Use determine_optimal_sockets_params() in run_protocols()
This PR modifies run_protocols() to use the information collected by determine_optimal_sockets_params(). If it has already been determined that a protocol is supported, then no test is run. run_protocols() will still run a test for a protocol even if it has been determined that the server does not support that protocol. The reason for running the test is to verify that the server handles version negotiation correctly. This could be a TLSv1 server that rejects a TLSv1.2 or TLSv1.3 ClientHello, or it could happen in the opposite direction. At one point there was a server that would respond to an SSLv3 ClientHello with a TLSv1.2 ServerHello.

This PR required a couple of changes to determine_optimal_sockets_params() so that additional information could be passed to run_protocols(). If the server supports TLS 1.3, then run_protocols() needs to know which version (RFC 8446, draft 28, draft 27, etc.) rather than just that TLS 1.3 is supported. If the server supports TLS 1.2, but not TLS 1.3, then run_protocols() needs to know about at least one TLS 1.2 cipher that the server supports so that it can form a TLS 1.3 ClientHello that has no more than 128 ciphers and that should result in the server returning a TLS 1.2 ServerHello.
2019-10-04 16:55:09 -04:00
David Cooper 9b3ab29550
Modify check for TLS13_ONLY
In a PR that I'm developing to to use the results of determine_optimal_sockets_params() in run_protocols() I add specific versions of TLS 1.3 to PROTOS_OFFERED (e.g., tls1_3_rfc8446, tsl1_3_draft28). If that PR is accepted, then the current check for TLS 1.3-only will no longer work. So, this commit changes the way that the check for TLS 1.3-only is performed in order to avoid problems if the other PR is merged.
2019-10-03 16:18:51 -04:00
David Cooper 4f462eb718
Simplify determine_sizelimitbug()
This PR takes advantage of the testing done by determine_optimal_sockets_params() in order to simplify determine_sizelimitbug().

By the time that determine_sizelimitbug() is called, determine_optimal_sockets_params() has already determined whether TLSv1.2 ClientHello with 128 ciphers (including 00FF) sent by tls_sockets() works, and it has set TLS12_CIPHER to a list of exactly 128 ciphers (including 00FF) that works with the server. So, determine_sizelimitbug() doesn't have to check whether the server supports TLSv1.2 and no longer needs to send tests using 127 or 128 ciphers. determine_sizelimitbug() can just perform one test with 129 ciphers, if the server supports TLSv1.2, and use the results to set $SERVER_SIZE_LIMIT_BUG.
2019-10-02 13:21:08 -04:00
David Cooper ca29015e9c Use OpenSSL for determine_optimal_proto()
This PR reverts determine_optimal_proto() to use OpenSSL again rather than tls_sockets().

The primary reason for this is that the primary purpose of determine_optimal_proto() is to set OPTIMAL_PROTO, which is only used with $OPENSSL s_client. So, the best way to determine what works best on the $OPENSSL s_client command line is to use $OPENSSL s_client.

In most cases, determine_optimal_proto_sockets_helper() would set OPTIMAL_PROTO to an acceptable value, but it might not always do so. For example, suppose that a server
* supports different cipher suites with different protocols, 
* supports TLSv1.2, but only with cipher suites not supported by $OPENSSL, but
* supports TLSv1.1 with at least one cipher suite supported by $OPENSSL.

In the above case, determine_optimal_proto_sockets_helper() would set OPTIMAL_PROTO to "-tls1_2", but testing using $OPENSSL would result in OPTIMAL_PROTO being set to "-tls1_1".

Using $OPENSSL for determine_optimal_proto() also allows for edge cases to be detected earlier:
* If the server only supports TLSv1.3, and $OPENSSL does not support TLSv1.3, then the code in this PR will detect that (rather than waiting until run_protocols() is executed).
* The code in this PR can also detect if the server only supports SSLv3 (and possibly also SSLv2), but $OPENSSL does not support SSLv3.
* This code can also detect the (rare) case in which connections using $OPENSSL succeed, but connections using tls_sockets() fail.

[Note also that in the current code, if $all_failed is true, then a message may be printed that $OPENSSL is not IPv6 aware, even if testing was performed using tls_sockets() rather than $OPENSSL.]
2019-10-02 13:08:52 -04:00
Dirk Wetter 35c69bee27
Merge pull request #1338 from drwetter/drwetter-dockerfiles1
Docker container for testing (generated by a script)
2019-10-02 17:53:37 +02:00
Dirk Wetter bcc1298eb3
0-RTT dockerfile script for nginx 2019-10-02 17:52:34 +02:00
Dirk Wetter fe43d9dd0c
Docker files for testing
docker-debian10.tls13only.start.sh can be linked to e.g. docker-debian10.tls13.start.sh, then also TLS 1.2 is added.
2019-10-02 17:50:11 +02:00
Dirk Wetter cf00c8e8ac
Merge pull request #1337 from dcooper16/fix_session_resumption
Fix sub_session_resumption()
2019-10-02 08:52:23 +02:00
David Cooper 644d7c839e
Update
This commit addresses TLSv1.3 servers that do not support session tickets by that support session resumption by ID, but only with TLSv1.2 or earlier.
2019-10-01 16:25:51 -04:00
David Cooper 0fe60e82a8
Fix sub_session_resumption()
This PR fixes an issue with sub_session_resumption() when using OpenSSL 1.1.1.

As noted in #1335, some servers will return a session ticket for TLSv1.2, but not for TLSv1.3.

OpenSSL 1.1.1 does not support the "-no_ssl2" option, and so when using OpenSSL 1.1.1 sub_session_resumption() adds $OPTIMAL_PROTO to the $OPENSSL s_client command line. When determine_optimal_proto_sockets_helper() is called, $OPTIMAL_PROTO will generally be set to "-tls1_2" (or "-tls1_1" or "-tls1") unless the server is a TLSv1.3-only server. As a result  sub_session_resumption() will specify that same protocol on the command line if OpenSSL 1.1.1 is being used.

If "--ssl-native" is used, however, then determine_optimal_proto() will set $OPTIMAL_PROTO to "-tls1_3" if the server supports TLSv1.3 (and doesn't use STARTTLS). Similarly, if the version of determine_optimal_proto() in #1336 is used, then $OPTIMAL_PROTO will usually be empty. In either case, sub_session_resumption() will send a TLSv1.3 ClientHello, even if the server only supports session tickets for TLSv1.2 and below.

This PR appears to fix the problem. This PR makes no changes when using a version of OpenSSL that supports "-no_ssl2". When using a version of OpenSSL that does not support "-no_ssl2", however, rather than using $OPTIMAL_PROTO, this PR has sub_session_resumption() use whatever protocol version the server connected with when $sessticket_lifetime_hint was set.
2019-10-01 15:48:02 -04:00
Dirk Wetter e492b5761d
Merge pull request #1334 from dcooper16/reset_ossl_dependent_vars
Reset OpenSSL dependent variables
2019-10-01 20:03:55 +02:00
David Cooper 11486d3bca Reset OpenSSL dependent variables
There is a problem if a TLSv1.3-only server is tested using the OpenSSL 1.0.2-chacha binary and $OSSL_SHORTCUT is true.

$HAS_NO_SSL2 is set to true when find_openssl_binary() is called with OpenSSL 1.0.2-chacha. /usr/bin/openssl does not have the -no_ssl2 option, but the second call to find_openssl_binary(), after setting $OPENSSL to /usr/bin/openssl, does not set $HAS_NO_SSL2 to false. So, later calls to $OPENSSL s_client include the -no_ssl2 option, resulting in connection failures.

This PR fixes the problem by modifying find_openssl_binary() to ensure that every OpenSSL-dependent variable is set by this function.
2019-10-01 08:51:15 -04:00
Dirk Wetter f05eac7003
Merge pull request #1335 from dcooper16/session_tickets
Fix session ticket issues
2019-10-01 00:11:22 +02:00
David Cooper 8ec4087121 Fix session ticket issues
This PR fixes two issues with finding session tickets when using OpenSSL 1.1.1.

First, if OpenSSL connects to the server using TLSv1.3 and it receives more than one Post-Handshake New Session Ticket, then the "TLS session ticket lifetime hint" will appear more than once in $TMPFILE. This will cause the line to appear more than once in $sessticket_lifetime_hint, which causes problems when trying to extract the $lifetime and $unit from $sessticket_lifetime_hint.

This PR fixes the first problem by changing the awk expression in the lines that set sessticket_lifetime_hint so that only the first line with "session ticket lifetime" is extracted.

The second issue is that some servers (e.g., google.com) return a session ticket for TLSv1.2, but not for TLSv1.3. For such servers, testssl.sh will miss the session ticket if $OPTIMAL_PROTO is empty or "-tls1_3" and the --ssl-native flag is not set.

This PR addresses the second issue with the changes in lines 9047 - 9053 -- the code that is intended to provide a last chance to find a session ticket.

If $OPENSSL supports TLSv.1.3 and the server returns session tickets for TLSv1.3 connections, then the session ticket would have already been found by get_server_certificate(), since get_server_certificate() uses $OPENSSL for TLSv1.3 if $OPENSSL supports TLSv1.3. So, in such circumstances, the code in liens 9047 - 9053 should not try again with TLSv1.3. So, if $OPENSSL supports TLSv1.3 and $OPTIMAL_PROTO is empty or is set to "-tls1_3" (either of which would result in a TLSv1.3 ClientHello), the "$OPENSSL s_client" call is changed to specify -no_tls1_3 rather than $OPTIMAL_PROTO.

The code on line 9047 is also changed to only make this final try is $TLS13_ONLY is false. If $TLS13_ONLY is true, then either:
* $OPENSSL does not support TLSv1.3 and the connection attempt would fail anyway; or
* $OPENSSL supports TLSv1.3, in which case any session ticket would have been found by get_server_certificate(), since get_server_certificate() uses $OPENSSL for TLSv1.3 if $OPENSSL supports TLSv1.3.

In either case, there is no reason to try again to find a session ticket.
2019-09-30 16:50:40 -04:00