Commit Graph

3013 Commits

Author SHA1 Message Date
Dirk Wetter 7a327f5439
Merge branch '3.0' into ossl_determine_optimal_proto 2019-10-18 21:06:49 +02:00
Dirk Wetter f118085278
Merge pull request #1339 from dcooper16/simplify_determine_sizelimitbug
Simplify determine_sizelimitbug()
2019-10-17 09:39:54 +02:00
Dirk Wetter e7d67e6134
Merge pull request #1341 from dcooper16/run_protocols_speedup
Use determine_optimal_sockets_params() in run_protocols()
2019-10-17 09:28:33 +02:00
Dirk Wetter a8a938470c
Merge pull request #1342 from dcooper16/bad_version_negotiation
Warn if bad version negotiation detected
2019-10-17 09:22:08 +02:00
Dirk Wetter 975ee61eee
Merge pull request #1346 from csett86/osx10146
Update Safari to 13.0 and macOS to 10.14
2019-10-17 08:53:42 +02:00
Christoph Settgast 23b845c11b Update Safari to 13.0 and macOS to 10.14
manually wiresharked, now with TLS1.3 for macOS as well.
2019-10-16 20:36:08 +02:00
David Cooper 877d444300
Warn if bad version negotiation detected
There are a few places where testssl.sh sends a TLS 1.2 (or TLS 1.3) ClientHello and expects the server to respond with a ServerHello as long as it supports TLS 1.2 (or TLS 1.3) or earlier.

run_protocols() performs a fairly thorough check for a server's ability to handle version negotiation, but the problem may also be caught by determine_optimal_sockets_params(), if the server rejects a TLS 1.2 ClientHello even though it supports some earlier protocol version.

In the future, we could try to make use of $OPTIMAL_SOCKETS_PROTO in order to make testssl.sh work a bit better with servers (if any still exist) that don't handle version negotiation correctly. At the moment, though, this PR just prints a warning to the user that the server is buggy, and that this may lead to problems in the scan. It doesn't call fileout() to add anything to the JSON/CSV output, since run_protocols() should already be doing that.
2019-10-07 10:21:04 -04:00
David Cooper 30b93d4c72
Use determine_optimal_sockets_params() in run_protocols()
This PR modifies run_protocols() to use the information collected by determine_optimal_sockets_params(). If it has already been determined that a protocol is supported, then no test is run. run_protocols() will still run a test for a protocol even if it has been determined that the server does not support that protocol. The reason for running the test is to verify that the server handles version negotiation correctly. This could be a TLSv1 server that rejects a TLSv1.2 or TLSv1.3 ClientHello, or it could happen in the opposite direction. At one point there was a server that would respond to an SSLv3 ClientHello with a TLSv1.2 ServerHello.

This PR required a couple of changes to determine_optimal_sockets_params() so that additional information could be passed to run_protocols(). If the server supports TLS 1.3, then run_protocols() needs to know which version (RFC 8446, draft 28, draft 27, etc.) rather than just that TLS 1.3 is supported. If the server supports TLS 1.2, but not TLS 1.3, then run_protocols() needs to know about at least one TLS 1.2 cipher that the server supports so that it can form a TLS 1.3 ClientHello that has no more than 128 ciphers and that should result in the server returning a TLS 1.2 ServerHello.
2019-10-04 16:55:09 -04:00
David Cooper 9b3ab29550
Modify check for TLS13_ONLY
In a PR that I'm developing to to use the results of determine_optimal_sockets_params() in run_protocols() I add specific versions of TLS 1.3 to PROTOS_OFFERED (e.g., tls1_3_rfc8446, tsl1_3_draft28). If that PR is accepted, then the current check for TLS 1.3-only will no longer work. So, this commit changes the way that the check for TLS 1.3-only is performed in order to avoid problems if the other PR is merged.
2019-10-03 16:18:51 -04:00
David Cooper 4f462eb718
Simplify determine_sizelimitbug()
This PR takes advantage of the testing done by determine_optimal_sockets_params() in order to simplify determine_sizelimitbug().

By the time that determine_sizelimitbug() is called, determine_optimal_sockets_params() has already determined whether TLSv1.2 ClientHello with 128 ciphers (including 00FF) sent by tls_sockets() works, and it has set TLS12_CIPHER to a list of exactly 128 ciphers (including 00FF) that works with the server. So, determine_sizelimitbug() doesn't have to check whether the server supports TLSv1.2 and no longer needs to send tests using 127 or 128 ciphers. determine_sizelimitbug() can just perform one test with 129 ciphers, if the server supports TLSv1.2, and use the results to set $SERVER_SIZE_LIMIT_BUG.
2019-10-02 13:21:08 -04:00
David Cooper ca29015e9c Use OpenSSL for determine_optimal_proto()
This PR reverts determine_optimal_proto() to use OpenSSL again rather than tls_sockets().

The primary reason for this is that the primary purpose of determine_optimal_proto() is to set OPTIMAL_PROTO, which is only used with $OPENSSL s_client. So, the best way to determine what works best on the $OPENSSL s_client command line is to use $OPENSSL s_client.

In most cases, determine_optimal_proto_sockets_helper() would set OPTIMAL_PROTO to an acceptable value, but it might not always do so. For example, suppose that a server
* supports different cipher suites with different protocols, 
* supports TLSv1.2, but only with cipher suites not supported by $OPENSSL, but
* supports TLSv1.1 with at least one cipher suite supported by $OPENSSL.

In the above case, determine_optimal_proto_sockets_helper() would set OPTIMAL_PROTO to "-tls1_2", but testing using $OPENSSL would result in OPTIMAL_PROTO being set to "-tls1_1".

Using $OPENSSL for determine_optimal_proto() also allows for edge cases to be detected earlier:
* If the server only supports TLSv1.3, and $OPENSSL does not support TLSv1.3, then the code in this PR will detect that (rather than waiting until run_protocols() is executed).
* The code in this PR can also detect if the server only supports SSLv3 (and possibly also SSLv2), but $OPENSSL does not support SSLv3.
* This code can also detect the (rare) case in which connections using $OPENSSL succeed, but connections using tls_sockets() fail.

[Note also that in the current code, if $all_failed is true, then a message may be printed that $OPENSSL is not IPv6 aware, even if testing was performed using tls_sockets() rather than $OPENSSL.]
2019-10-02 13:08:52 -04:00
Dirk Wetter 35c69bee27
Merge pull request #1338 from drwetter/drwetter-dockerfiles1
Docker container for testing (generated by a script)
2019-10-02 17:53:37 +02:00
Dirk Wetter bcc1298eb3
0-RTT dockerfile script for nginx 2019-10-02 17:52:34 +02:00
Dirk Wetter fe43d9dd0c
Docker files for testing
docker-debian10.tls13only.start.sh can be linked to e.g. docker-debian10.tls13.start.sh, then also TLS 1.2 is added.
2019-10-02 17:50:11 +02:00
Dirk Wetter cf00c8e8ac
Merge pull request #1337 from dcooper16/fix_session_resumption
Fix sub_session_resumption()
2019-10-02 08:52:23 +02:00
David Cooper 644d7c839e
Update
This commit addresses TLSv1.3 servers that do not support session tickets by that support session resumption by ID, but only with TLSv1.2 or earlier.
2019-10-01 16:25:51 -04:00
David Cooper 0fe60e82a8
Fix sub_session_resumption()
This PR fixes an issue with sub_session_resumption() when using OpenSSL 1.1.1.

As noted in #1335, some servers will return a session ticket for TLSv1.2, but not for TLSv1.3.

OpenSSL 1.1.1 does not support the "-no_ssl2" option, and so when using OpenSSL 1.1.1 sub_session_resumption() adds $OPTIMAL_PROTO to the $OPENSSL s_client command line. When determine_optimal_proto_sockets_helper() is called, $OPTIMAL_PROTO will generally be set to "-tls1_2" (or "-tls1_1" or "-tls1") unless the server is a TLSv1.3-only server. As a result  sub_session_resumption() will specify that same protocol on the command line if OpenSSL 1.1.1 is being used.

If "--ssl-native" is used, however, then determine_optimal_proto() will set $OPTIMAL_PROTO to "-tls1_3" if the server supports TLSv1.3 (and doesn't use STARTTLS). Similarly, if the version of determine_optimal_proto() in #1336 is used, then $OPTIMAL_PROTO will usually be empty. In either case, sub_session_resumption() will send a TLSv1.3 ClientHello, even if the server only supports session tickets for TLSv1.2 and below.

This PR appears to fix the problem. This PR makes no changes when using a version of OpenSSL that supports "-no_ssl2". When using a version of OpenSSL that does not support "-no_ssl2", however, rather than using $OPTIMAL_PROTO, this PR has sub_session_resumption() use whatever protocol version the server connected with when $sessticket_lifetime_hint was set.
2019-10-01 15:48:02 -04:00
Dirk Wetter e492b5761d
Merge pull request #1334 from dcooper16/reset_ossl_dependent_vars
Reset OpenSSL dependent variables
2019-10-01 20:03:55 +02:00
David Cooper 11486d3bca Reset OpenSSL dependent variables
There is a problem if a TLSv1.3-only server is tested using the OpenSSL 1.0.2-chacha binary and $OSSL_SHORTCUT is true.

$HAS_NO_SSL2 is set to true when find_openssl_binary() is called with OpenSSL 1.0.2-chacha. /usr/bin/openssl does not have the -no_ssl2 option, but the second call to find_openssl_binary(), after setting $OPENSSL to /usr/bin/openssl, does not set $HAS_NO_SSL2 to false. So, later calls to $OPENSSL s_client include the -no_ssl2 option, resulting in connection failures.

This PR fixes the problem by modifying find_openssl_binary() to ensure that every OpenSSL-dependent variable is set by this function.
2019-10-01 08:51:15 -04:00
Dirk Wetter f05eac7003
Merge pull request #1335 from dcooper16/session_tickets
Fix session ticket issues
2019-10-01 00:11:22 +02:00
David Cooper 8ec4087121 Fix session ticket issues
This PR fixes two issues with finding session tickets when using OpenSSL 1.1.1.

First, if OpenSSL connects to the server using TLSv1.3 and it receives more than one Post-Handshake New Session Ticket, then the "TLS session ticket lifetime hint" will appear more than once in $TMPFILE. This will cause the line to appear more than once in $sessticket_lifetime_hint, which causes problems when trying to extract the $lifetime and $unit from $sessticket_lifetime_hint.

This PR fixes the first problem by changing the awk expression in the lines that set sessticket_lifetime_hint so that only the first line with "session ticket lifetime" is extracted.

The second issue is that some servers (e.g., google.com) return a session ticket for TLSv1.2, but not for TLSv1.3. For such servers, testssl.sh will miss the session ticket if $OPTIMAL_PROTO is empty or "-tls1_3" and the --ssl-native flag is not set.

This PR addresses the second issue with the changes in lines 9047 - 9053 -- the code that is intended to provide a last chance to find a session ticket.

If $OPENSSL supports TLSv.1.3 and the server returns session tickets for TLSv1.3 connections, then the session ticket would have already been found by get_server_certificate(), since get_server_certificate() uses $OPENSSL for TLSv1.3 if $OPENSSL supports TLSv1.3. So, in such circumstances, the code in liens 9047 - 9053 should not try again with TLSv1.3. So, if $OPENSSL supports TLSv1.3 and $OPTIMAL_PROTO is empty or is set to "-tls1_3" (either of which would result in a TLSv1.3 ClientHello), the "$OPENSSL s_client" call is changed to specify -no_tls1_3 rather than $OPTIMAL_PROTO.

The code on line 9047 is also changed to only make this final try is $TLS13_ONLY is false. If $TLS13_ONLY is true, then either:
* $OPENSSL does not support TLSv1.3 and the connection attempt would fail anyway; or
* $OPENSSL supports TLSv1.3, in which case any session ticket would have been found by get_server_certificate(), since get_server_certificate() uses $OPENSSL for TLSv1.3 if $OPENSSL supports TLSv1.3.

In either case, there is no reason to try again to find a session ticket.
2019-09-30 16:50:40 -04:00
Dirk ba009565a8 swap ldap server as previous one wasn't reachable anymore 2019-09-25 09:36:16 +02:00
Dirk Wetter 2a635ee62d
Merge pull request #1331 from dcooper16/fix1328
Fix #1328
2019-09-25 08:39:12 +02:00
David Cooper 6d1d74a7a4
Fix #1328
This PR fixes #1328 by removing any '\r' characters that appear in the command line read from the file provided to the `--file` option.
2019-09-24 15:53:32 -04:00
Dirk Wetter 613e1d0133
Merge pull request #1216 from dcooper16/add_determine_optimal_sockets_params
Add determine_optimal_sockets_params()
2019-09-24 08:46:49 +02:00
David Cooper 5cebf17287 Add more checks to determine_optimal_sockets_params()
This commit adds some more checks to determine_optimal_sockets_params(). These additional checks will almost never need to be run, and so will not slow down the typical run of testssl.sh, but adding them will provide information that can be useful for other parts of testssl.sh.

These additional checks will only be run if the server does not support TLSv1.3 and a TLSv1.2 ClientHello is not successful. This means that either:
   * The server is not an TLS/SSL enabled server.
   * The server only supports SSLv2.
   * The server supports some protocol in SSLv3 - TLSv1.1, but does not handle version negotiation correctly.

Adding these additional checks helps in at least the following ways.

If determine_optimal_proto() (assuming it is reverted to using OpenSSL) is unable to connect to the server using OpenSSL, it will be possible determine whether the problem is the the server does not support TLS/SSL or that a different version of OpenSSL is needed to test the server.

If the code in #1205 for run_server_preference() is unable to connect when checking for a cipher order, the reason for the failure will be known, making it possible to determine the correct response to the failure.
2019-09-23 15:57:07 -04:00
David Cooper ce9bc79422 Add determine_optimal_sockets_params()
This PR adds a new helper function that is run just prior to determine_optimal_proto() and that determines the what information tls_sockets() should include in a ClientHello.

For a TLSv1.3 ClientHello, determine_optimal_sockets_params() determines whether tls_sockets() should use 0x33 or 0x28 are the extension number for the key_share extension. 0x33 should be used with servers that support RFC 8446 or drafts 23-28. 0x28 should be used with servers that support drafts 18-22.

For a TLSv1.2 ClientHello, determine_optimal_sockets_params() determines what cipher list tls_sockets() should send. For most servers, the list of ciphers in $TLS12_CIPHER works best. But, there are some servers that do not support any ciphers in $TLS12_CIPHER, but do support one or more ciphers in $TLS12_CIPHER_2ND_TRY.
2019-09-23 15:56:08 -04:00
David Cooper 80a725541b Allow TLS12_CIPHER to be changed
In some rare cases a server does not support any of the ciphers in $TLS12_CIPHER, but does support at least one cipher in $TLS12_CIPHER_2ND_TRY. In such cases, TLS12_CIPHER should be changed to $TLS12_CIPHER_2ND_TRY so that subsequent tests using $TLS12_CIPHER will succeed.
2019-09-23 15:54:44 -04:00
Dirk Wetter da2beb48d3
Merge pull request #1330 from dcooper16/more_run_protocol_fixes
More run_protocol() fixes
2019-09-23 20:40:25 +02:00
David Cooper 25d68544ed
More run_protocol() fixes
This PR fixes a few issues with run_protocol():

* In the case that the call to `tls_sockets "03" "$TLS12_CIPHER"` had a return value of 2, the code determining what results to print was looking at `$DETECTED_TLS_VERSION`. However, the value of this variable was set by the later call to `tls_sockets "04" "$tls13_ciphers_to_test"`. This caused incorrect results in the case of a server that supports TLSv1.3 and TLS1.1 (or earlier), but not TLSv1.2. This PR saves the value of `$DETECTED_TLS_VERSION` in `$tls12_detected_version` and then uses this variable later rather than `$DETECTED_TLS_VERSION`.

* When running in debug mode with a server that does not support TLSv1.3, testssl.sh was printing

           TLS 1.3     -- downgradednot offered and downgraded to a weaker protocol"

This PR fixes the output by not printing the "--downgraded"

* As noted in #1329, run_protocols() was treating a downgrade from TLSv1.2 as less bad if the server supports TLSv1.3. This PR changes this code back to treat any downgrade from TLSv1.2 as equally bad.

* In order to be consistent with the TLSv1.3 test, this PR changes the TLS1.2 test output to say "not offered and downgraded to a weaker protocol" if a TLSv1.2 ClientHello results in a downgraded connection.
2019-09-23 11:26:40 -04:00
Dirk Wetter 9e3bcfb2ef
Merge pull request #1329 from dcooper16/fix_run_protocols
Fix run_protocols()
2019-09-21 11:27:01 +02:00
David Cooper 76fb81112b
Fix run_protocols()
This PR fixes a problem in run_protocols() that was introduced by 7ec3c6ab99.

7ec3c6ab99 changes run_protocols() to perform the initial testing for TLSv1.3 support before testing for TLSv1.2 support. The problem with this is that the code for testing TLSv1.3 makes use of the results of the TLSv1.2 testing.

In the current code, Line 5183 looks at the value of $subret to determine whether the TLSv1.2 ClientHello resulted in a successful connection. However, $subet has not yet been set (it has just been initialized to 0 at the beginning of the function). Since $subret will always be 0, the code will try to extract a cipher from $TEMPDIR/$NODEIP.parse_tls_serverhello.txt. This may work, since $TEMPDIR/$NODEIP.parse_tls_serverhello.txt may have been populated by a prior function call, but this is not how the code was intended to work.

This PR fixes the problem by doing the TLSv1.2 testing before the TLSv1.3 testing is done. It still waits until both have been tested, however, before outputting the results, so that the output for TLSv1.2 can be modified depending on whether TLSv1.3 is supported.
2019-09-20 17:37:11 -04:00
Dirk Wetter 1276c6754d
Merge pull request #1326 from drwetter/drwetter-idn-docker
Add idn support to Dockerfile
2019-09-19 09:14:17 +02:00
Dirk Wetter 7818f1acc8
Add idn support 2019-09-19 07:12:59 +00:00
Dirk Wetter 01f73a2249
Merge pull request #1325 from Phylu/patch-1
remove duplicate header name for other_header in file output
2019-09-18 20:42:33 +02:00
Janosch Maier 5e3d8755a1 remove duplicate header name for other_header in file output
The Finding of other_headers such as "Referrer-Policy" during file output are displayed as `$header: $HEADERVALUE` instead of only `$HEADERVALUE` as the good_headers. This leads to duplicate information e.g. in the JSON output file.
2019-09-18 19:36:57 +02:00
Dirk Wetter dcd5acb2af
Merge pull request #1323 from drwetter/protocol_improvements
Protocol improvements
2019-09-18 17:49:36 +02:00
Dirk Wetter 987bf845ad
Merge pull request #1322 from teward/idn-support
Add IDN/punycode support for non-ASCII URIs (#1319, #1320, #1321)
2019-09-18 17:49:13 +02:00
Thomas Ward ac9110549c
Update error message 2019-09-17 18:58:39 -04:00
Thomas Ward 62f504ab49
Add IDN support, if 'idn' executable is available 2019-09-17 18:57:48 -04:00
Dirk Wetter 7ec3c6ab99 Don't penalize TLS 1.2 is not available if TLS 1.3 is supported
... and thus this commit addresses #916.

It does that via a (quite) pre-test which checks for a general availabilty
of TLS 1.3 before the TLS 1.2 protocol test is being run and decides
based on that how a missing TLS 1.2 will be echoed.

Later on the complete TLS 1.3 test will be continued using the results
from the TLS 1.3 pre-test.
2019-09-14 17:56:31 +02:00
Dirk Wetter 231a29cdfd Deprecate TLS 1.0 and TLS 1.1
This commit addresses #1251 and gives a slight warning when still
using those protocols as government standards are or are at least
to expect also to deprecate those protocols. PCI DSS requires not
to use TLS 1.0 anymore and browser vendors supposedly will deprecate
TLS 1.0/1.1 next year.

This is a WIP for testing. It was committed already in May
(22ad490ea7b2868a4fd45862ca0bf8a3d8f24ea6) but somehow it was
lost.

Comments would be appeciated.

Open:
- how to treat non-HTTP protocols
- TLS 1.3 only hosts will mark the absence of TLS 1.2 as
  a medium finding
2019-09-14 10:41:54 +02:00
Dirk Wetter 3e4cd58f7b
Merge pull request #1318 from drwetter/dockerfile.docu
Resort and polish
2019-09-13 10:56:15 +02:00
Dirk Wetter 5767e1496e
Resort and polish 2019-09-13 10:54:18 +02:00
Dirk Wetter e4e3df50eb
Merge pull request #1307 from petegallagher/patch-1
Output files to host when using Docker
2019-09-13 10:42:02 +02:00
Dirk Wetter 96cf81f410
Merge pull request #1317 from drwetter/tls13_only
Better usability for TLS 1.3-only servers
2019-09-12 15:38:29 +02:00
Dirk 9c84129ff4 Better usability for TLS 1.3-only servers
In cases where TLS 1.3 is the only protocol supported by the server (as e.g.
in #1312), testssl.sh has some limits with the supplied binary.

For now (3.0) there's no perfect technical solution. This PR however improves
the verbosity what's going on and recommends to use an openssl binary
supporting TLS 1.3. And if the "secret" variable OSSL_SHORTCUT is set to true,
it automatically chooses that if available (it's a hack to do so and not
recommended. I just did it as a PoC).

In the next development we should consider probing this upfront!

Furthermore this PR removes some unnecessary quotes in double square brackets.
2019-09-12 10:55:32 +02:00
Peter Gallagher 860671ba76
Style change when referencing current directory. 2019-08-29 09:55:31 +01:00
Dirk Wetter 7b4eff3e58
Merge pull request #1309 from drwetter/unittest_json
remove -p from json unit test
2019-08-19 20:52:31 +02:00
Dirk Wetter 71e561ceba
Merge pull request #1308 from drwetter/binchar_fix
Binary string washer (0x00 bytes) (probably) after completed ClientHello
2019-08-19 20:51:21 +02:00