Commit Graph

3868 Commits

Author SHA1 Message Date
David Cooper 7ccb611d13 Update TLS12_CIPHER
Update `$TLS12_CIPHER` to contain only 128 ciphers (so that it will work with servers that can't handle larger ClientHello messages), and also add some newer ciphers to `$TLS12_CIPHER`. Also define  a `$TLS12_CIPHER_2ND_TRY` containing a list of 127 ciphers that do not appear in `$TLS12_CIPHER`. `$TLS12_CIPHER_2ND_TRY` is used in `run_protocols()` in order to perform a second test against servers that do not establish a TLSv1.2 connection when offered `$TLS12_CIPHER`.
2017-07-28 12:14:44 -04:00
David Cooper a20d98bbfa Make two attempts to connect with TLSv1.2
In `run_protocols()` for TLS 1.2, try one set of 127 ciphers and if the result isn't a connection at TLSv1.2 then try another set of 127 ciphers before giving up and assuming that TLS 1.2 isn't supported.
2017-07-28 12:07:29 -04:00
Dirk Wetter eeda1ef684 Merge pull request #805 from dcooper16/client_sim_ssl2_server
Client simulation and SSLv2 servers
2017-07-27 17:34:42 +02:00
David Cooper d81c740ca6 Merge branch '2.9dev' into client_sim_ssl2_server
Conflicts:
	testssl.sh
2017-07-27 09:26:03 -04:00
Dirk Wetter 64f6591210 Merge pull request #800 from dcooper16/fix_client_sim_sslv2
Fix client simulations with SSLv2 ClientHello
2017-07-27 12:58:23 +02:00
Dirk 8b2dfb81c5 reflect 37c8ee8c4e99ee5aa11618703af1706abcf5db04: debug level 2 is showing only minimal information like rough status and errors 2017-07-26 23:13:57 +02:00
Dirk 37c8ee8c4e Straigthen DEBUG level 2
FIX #786

Fixed all other occurences so that debug level 2 is showing only minimal information like rough status and errors

Better line breaks for level 2

In ``client_simulation_sockets()`` and ``tls_sockets()`` moved debug output into if statements (may save a bit of time)

Replaced "$DEBUG -eq" by "$DEBUG -ge"

Removed obsolete hb_rounds in ``run_heartbleed()``

Adjusted wide output in vulnerabilities
2017-07-26 22:37:50 +02:00
David Cooper afc46344b1 client simulation and SSLv2 servers
The data for `run_client_simulation()` currently includes two clients that send version 2.0 CLIENT-HELLO messages (see Appendix E.2 of RFC 5246). Each of the CLIENT-HELLO messages advertises support for newer protocol versions (SSLv3 in the case of IE6XP and TLSv1.0 in the case of Java 6u45). A server may reject one of these version 2.0 CLIENT-HELLO messages, or it may respond with an SSLv2, SSLv3, or TLSv1.0 ServerHello.

The current code in `client_simulation_sockets()` assumes that the server's response with be an SSLv3 or later ServerHello. So, it can support cases in which servers respond with an SSLv3 or TLSv1.0 ServerHello (once PR #800 is accepted to undo the mistake in PR #797), but not cases in which servers response with an SSLv2 ServerHello.

This PR adds code to `client_simulation_sockets()` to check if the server's response is an SSLv2 ServerHello, so that it can process such responses with `parse_sslv2_serverhello()` rather than `parse_tls_serverhello()`.

When a connection is made using SSLv3 or later, `run_client_simulation()` will show to the protocol and cipher selected for the connection. With this PR, if the connection is made using SSLv2, `run_client_simulation()` will just show "SSLv2." In the case of SSLv2, the ServerHello contains a list of all ciphers that the server and client have in common, and it is up to the client to choose one. So, if the client and server have more than one cipher in common, more information about the client would be needed to know which cipher it would choose.
2017-07-26 14:02:56 -04:00
David Cooper f5da066c05 Merge branch '2.9dev' into fix_client_sim_sslv2 2017-07-26 09:03:31 -04:00
Dirk 2932e1f29e FIX #798 2017-07-26 09:55:49 +02:00
David Cooper 42de1dc7e8 Merge branch '2.9dev' into fix_client_sim_sslv2 2017-07-25 16:12:19 -04:00
Dirk d783bd5856 reminder after #759 has been addressed 2017-07-25 21:53:05 +02:00
Dirk Wetter b60e25fbea Merge pull request #801 from dcooper16/std_cipherlists_has_server_protocol
std_cipherlists() and has_server_protocol()
2017-07-25 21:48:52 +02:00
Dirk 512cb81325 typo in comment for run_std_cipherlists() 2017-07-25 20:38:02 +02:00
David Cooper 1ee4db4e41 std_cipherlists() and has_server_protocol()
`std_cipherlists()` uses `has_server_protocol()` to determine whether to test for ciphers using SSLv2. However, this was resulting in false negatives due to #759. This PR removes the `has_server_protocol()` check so that SSLv2 is checked whenever the connection attempt with the TLSv1.2 ClientHello failed.
2017-07-25 13:24:29 -04:00
David Cooper cf0da7f994 Fix client simulations with SSLv2 ClientHello
This PR fixes the extraction of the cipher suites in SSLv2 ClientHellos in `client_simulation_sockets()`. Since `client_simulation_sockets()` can only handle SSLv3 and above ServerHellos, it removes any SSLv2 ciphers and converts the other cipher from 3-byte format to 2-byte format.
2017-07-25 12:46:37 -04:00
Dirk Wetter 468e96f419 Merge pull request #787 from sdann/fix_has_server_protocol
Fix logic in has_server_protocol()
2017-07-25 16:27:36 +02:00
Dirk b7f4b23c23 commenting #797 2017-07-25 16:19:36 +02:00
Dirk Wetter 007d54fa26 Merge pull request #797 from dcooper16/yaSSL_client_simulation
yaSSL and client simulation
2017-07-25 16:15:29 +02:00
David Cooper 6be478da0b Merge branch '2.9dev' into yaSSL_client_simulation 2017-07-25 08:48:05 -04:00
Dirk 3adb5ac71f Logic for POODLE && TLS_FALLBACK_SCSV
If vulnernable to POODLE and has no TLS_FALLBACK_SCSV ==> HIGH.
If only run the fallback check and it has none, still label it as MEDIUM but issue
a clear warning that test under this circumstances is incomplete.
2017-07-25 10:54:01 +02:00
David Cooper c370f2359b Extract cipher suites from SSLv2 ClientHello 2017-07-24 11:26:18 -04:00
Dirk 615a93e69e in html mode the sed statement for the server banner had and error resulting in sed messages like "unknown option to s" 2017-07-22 20:57:32 +02:00
David Cooper 91927e0f59 yaSSL and client simulation
This PR adds the same additional check to `client_simulation_sockets()` as was previously added to `tls_sockets()`. It extracts the list of cipher suites offered from each ClientHello and passes the list to `parse_tls_serverhello()` so that `parse_tls_serverhello()` can check that the cipher offered in the ServerHello was included in the ClientHello.

This assumes that a real client would abort the connection if it was presented with a cipher in the ServerHello that it didn't offer in its ClientHello.
2017-07-21 10:59:23 -04:00
Dirk 4e3b2318ab FIX #795 awk had word match, didn't work and wasn't needed
If certicate was determined before running dorwn, we needed to remove "SHA256 " (regression)
2017-07-20 19:13:06 +02:00
Dirk baeca77021 drown additions
* also provide links to censys.io if there's drown detected
* remove SHOW_CENSYS_LINK variable
* calculate fingerprint upfront (if not done yet)
2017-07-20 17:44:00 +02:00
Steven Danneman 72851c7e3f Catch MySQL (yaSSL) server bug when testing standard cipher categories
Unfortunately, most categories were passing incorrectly, since a
tls_socket() error was interpreted as a success for many of the cases.
Now we explicitely check for the known yaSSL failure and raise a warning
that the test is inconclusive.

New output against --starttls=mysql looks like:

Testing ~standard cipher categories
-----------------------------------

 NULL ciphers (no encryption)                  SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.
 Anonymous NULL Ciphers (no authentication)    SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.
 Export ciphers (w/o ADH+NULL)                 SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.
 LOW: 64 Bit + DES encryption (w/o export)     offered (NOT ok)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.
 Triple DES Ciphers (Medium)                   offered
 High encryption (AES+Camellia, no AEAD)       offered (OK)
 Strong encryption (AEAD ciphers)              SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug.

Partial workaround for #793
2017-07-19 17:35:37 -07:00
Dirk ad1dd01466 polishing #784 and #788
Also introduced the global BAD_SERVER_HELLO_CIPHER which can be later used
for notifying crappy cipher negotiations
2017-07-19 18:46:46 +02:00
Dirk Wetter fc7a89e659 Merge pull request #788 from sdann/mysql_ccs_injection
Fix CCS Injection detection for MySQL (yaSSL)
2017-07-19 18:37:51 +02:00
Dirk Wetter cc5d8a708e Merge pull request #792 from dcooper16/last_extension_not_empty
Make sure last ClientHello extension is not empty
2017-07-19 17:33:31 +02:00
David Cooper bcd71555ea Make sure last ClientHello extension is not empty
According to a discussion thread on the IETF TLS WG mail list (see https://www.ietf.org/mail-archive/web/tls/current/msg19720.html), there is at least one TLS server that will fail if the last extension in the ClientHello has contains extension_data of length 0.

Currently, `tls_sockets()` will create such a ClientHello if:
* The padding extension is included, and the length of the ClientHello without the padding data would be between 508 and 511 bytes.
* No padding extension is included, and the caller provided `$extra_extensions` in which the last extension in `$extra_extensions` is empty.
* No padding extension is included, `$extra_extensions` is empty, no ECC cipher suites are offered, and the ClientHello is for TLSv1.1 or below (in this case the next protocol extension would be that last one).

This PR avoids the server bug (in nearly all cases) by ensuring the the padding extension (when present) always contains at least one byte, and by ensuring that when the padding extension is not present that the (non-empty) heartbeat extension is the last extension.

This PR does leave one possible scenario in which the last extension would be empty. If the caller provides an `$extra_extensions` in which the last extension in `$extra_extensions` is empty, `tls_sockets()` does not add a padding extension (or a padding extension is included in `$extra_extensions`), and `$extra_extensions` includes a heartbeat extension, then the last extension in the ClientHello would be empty. This, however, is a highly unlikely scenario, and certainly there are currently no such calls to `tls_sockets()` in testssl.sh.
2017-07-14 15:48:59 -04:00
Dirk Wetter 507e59dc97 Update CREDITS.md 2017-07-13 14:02:33 +02:00
Dirk Wetter 17513abfe8 Update CREDITS.md 2017-07-13 14:00:41 +02:00
Dirk Wetter fb6901a792 Update Readme.md 2017-07-13 13:56:14 +02:00
Dirk Wetter dc0db33588 Installation section and polish 2017-07-13 13:55:22 +02:00
Dirk 9d1e7d1f29 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-07-13 12:37:52 +02:00
Dirk 28fe4c48de manpage not for editing
Generated via ``ronn -r testssl.1.md`` from the md source. Can be viewed
e.g. by ``nroff -man testssl.1 [| less]``
2017-07-13 12:35:13 +02:00
Dirk f2d07ec22b First draft of the manpage
Until the content is finalized the plan is to keep it in MD format.
For medium terms it is something which needs to be reconsidered
as markdown as the source format for documentation has too many limits.
Happy for suggestions here.

In the meantime here's what needs to be done:

* finalizing (see comments)
* proofreading 1: accuracy, logic, more content related
* proofreading 2: grammar, spelling
* more? pls let me know
2017-07-13 12:27:28 +02:00
Dirk Wetter 7339e43b18 Merge pull request #784 from dcooper16/fix_782
Handle server returning unsupported cipher
2017-07-13 09:15:07 +02:00
Dirk Wetter 413751c806 Merge pull request #785 from dcooper16/parse_tls_serverhello_bugfix
Remove extra line break in debugging output
2017-07-13 09:10:30 +02:00
Steven Danneman ca818c4dde Fix CCS Injection detection for MySQL (yaSSL)
Another yaSSL server incompatiblity. MySQL protects against CCS
Injection by erroring if it sees to CCS requests before the handshake
completes. But instead of returning a TLS alert, it seems to error up
the stack to MySQL which returns it's own error message.

Debug output looks like:

---
sending client hello,
reading server hello

1st reply:

sending payload #2 with TLS version x03, x02:
tls_content_type: 16 | tls_protocol: 0000 | byte6: 04

2nd reply:
00000000  16 00 00 02 ff 13 04 23  30 38 53 30 31 42 61 64  |.......#08S01Bad|
00000010  20 68 61 6e 64 73 68 61  6b 65                    | handshake|
0000001a

test failed, probably read buffer too small (16000002FF1304)
---

This patch adds a custom check for this MySQL specific error, as far
down in the error check path as I can.
2017-07-12 17:14:05 -07:00
Steven Danneman ec18c5231c Fix logic in has_server_protocol()
If $PROTOS_OFFERED was empty, and thus the protocols unknown, this
function would return true for any protocol you passed it. This caused
most callers to assume TLS1.0, even if the server didn't offer it.

Instead return false and make the caller do an extra lookup.
2017-07-12 17:11:21 -07:00
David Cooper 92fb537e24 Remove extra line break in debugging output
A commit that was made on May 15 replaced a `tm_out` with `echo` rather than `echo -e` resulting in an extra line break.
2017-07-12 16:32:12 -04:00
David Cooper 6004123dc0 Merge branch '2.9dev' into fix_782 2017-07-12 08:55:44 -04:00
Dirk Wetter 9244f2c83c Merge pull request #783 from sdann/mysql_starttls
Add mysql (sockets) starttls support
2017-07-12 09:32:31 +02:00
Dirk Wetter bddf5b2404 Merge pull request #775 from dcooper16/hpkp_bugfix
run_hpkp() bug fix
2017-07-11 23:21:51 +02:00
David Cooper 7037bd8e4b Handle server returning unsupported cipher
As reported in #782, some servers will return a ServerHello with a cipher not listed in the ClientHello rather than than return an Alert, if the server does not support any of the ciphers listed in the ClientHello.

This commit modifies `tls_sockets()` to check whether the cipher in the ServerHello was one included in the ClientHello and to fail if it wasn't.
2017-07-11 15:10:40 -04:00
Steven Danneman 8be69e9789 Add sockets implementation of mysql starttls
This is the simplest direct socket implementation of the MySQL STARTTLS
protocol.

This is a binary protocol, so it requires a new stream based send
(instead of the current line based send).
2017-07-11 11:11:44 -07:00
Steven Danneman a8ae90137d fd_socket now also modifies NW_STR
Assign to local variable sooner.
2017-07-11 11:05:24 -07:00
David Cooper 0bd8eca2a2 Merge branch '2.9dev' into hpkp_bugfix 2017-07-11 08:52:55 -04:00