Commit Graph

2615 Commits

Author SHA1 Message Date
Dirk
a66f5cfdbc curl added for --phone-out checks 2018-09-04 20:20:09 +02:00
Dirk
9a3b6e334b BigIP F5: routed domains
Set routed domains to 3 digits, see also
https://github.com/drwetter/F5-BIGIP-Decoder/issues/1
2018-09-03 13:25:19 +02:00
Dirk
61508b1443 add missing line feed in run_preferences() 2018-09-03 11:10:24 +02:00
Dirk
563dbebffb Added rDNS to file output (CSV+JSON) 2018-09-03 10:45:28 +02:00
Dirk Wetter
a3d8143043
Merge pull request #1109 from dcooper16/shellcheck
Fix some shellcheck issues
2018-08-30 23:07:31 +02:00
Dirk Wetter
c83612d8ec
Merge pull request #1110 from dcooper16/certlist_ordering_problem
Fix #1080
2018-08-30 22:03:29 +02:00
David Cooper
37e9065d36
Check for certificate_list ordering problems
RFC 8446 specifies the following for the list of certificates provided by the server:

    The sender's certificate MUST come in the first
    CertificateEntry in the list.  Each following certificate SHOULD
    directly certify the one immediately preceding it.

In RFC 5246 the "SHOULD" was a "MUST". This commit adds a check of whether the certificates provided by the server are in the correct order and issues a low severity warning if they are not.
2018-08-28 15:33:31 -04:00
David Cooper
e84470b939
Fix some shellcheck issues
This commit fixes some issues identified by shellcheck.
2018-08-28 09:23:06 -04:00
Dirk
8d7dd663f9 Finalizing proxy support for OCSP checks
As mentioned in #1106 proxying ocsp protocol doesn't work (yet)
This commit notifies the user that it is not possible. One
can ignore that and try by supplying IGN_OCSP_PROXY=true.

It also fixes a typo I probably introduced (pVULN_THRESHLD).
2018-08-24 15:43:25 +02:00
Dirk
3fdcd034f3 Fine tuning of --outprefix
The standard separator after $FNAME_PREFIX is now '-'.
You can as well supply a different <fname_prefix> ending in '.',  '_' or ',' , then
no no additional '-' will be appended.

Also a small bash function get_last_char() has been introduced which returns
the last char from a supplied string.
2018-08-23 11:40:50 +02:00
Dirk
5da7454e7a Merge branch 'ocsp_crl_final' into 2.9dev
and bump version to 3.0rc1
2018-08-17 12:32:35 +02:00
Dirk
ed17797b13 Finalize proxy support for http_get()
... for curl, wget and sockets. Tested and worked.

Furthermore: fd_socket() now is a bit more injection safe as
an echo statement was exchange by printf. For possible future
changes fd_socket now also has and arg1 for the file descriptor.
2018-08-17 12:23:16 +02:00
Dirk
5837e82c85 Supplying of both -6 and --ip=one results in picking an IPv6 address
... previously it depended on the order of DNS replies otherwise. This was
one outcome of discussion in #1026 where it seemed more logical
to pick an IPv6 address as opposed to an abitrary (v4/v6) address.
2018-08-16 12:03:56 +02:00
Dirk
efa56a34f2 Fix error introduced from previous commit 2018-08-15 02:15:19 +02:00
Dirk
89f7814f81 Fix #1100: scenarios with -6 and --ip=<ipv6address>
This PR fixes checks where those two cmdline options were supplied
but errorneously also the IPv4 address was tested.

It also lables supplied IPv6 addresses as AAAA records
instead of A records.

Still, determine_ip_addresses() has space for improvements.

Some comparisons fixed strings popped up during debugging were polished
to avoid internal quoting

[[ $VAR == "teststr" ]]

will be otherwise expanded to

[[ $VAR == \t\e\s\t\s\t\r ]]
2018-08-15 01:50:10 +02:00
Dirk
7cc584027c Save work for later -- proxy not working 2018-07-26 22:49:12 +02:00
Dirk Wetter
94828aed03
Merge pull request #1091 from dcooper16/common_primes_update
Update etc/common-primes.txt
2018-07-26 22:45:36 +02:00
Dirk Wetter
811c66bb80
Merge pull request #1092 from dcooper16/2048_bit_common_primes
Consider 2048-bit DH primes as acceptable
2018-07-26 21:28:43 +02:00
David Cooper
ddfc6d5506
Consider 2048-bit DH primes as acceptable
This PR changes run_logjam() so that it does not warn about the use of 2048-bit DH primes, even if the selected prime is a common prime.

This PR leaves two issues unaddressed. First, it does not detect servers that are vulnerable to Attack IV in https://weakdh.org/logjam.html. These are servers that use DH primes that are of sufficient length, but that are poorly generated, and so are still vulnerable to attack.

Second, it does not address the potential problem that use of a common prime could leak information about what server product is being used, even if this information is not leaked through other means (e.g., HTTP headers). This should not be an issue with common primes from an RFC (2409, 3526, 5114, 7919), but would be an issue with product-specific common primes.
2018-07-23 15:06:53 -04:00
David Cooper
0f9e6b9883
Remove duplicate common primes
Remove three additional common primes that appeared in both https://svn.nmap.org/nmap/scripts/ssl-dh-params.nse and https://github.com/cryptosense/diffie-hellman-groups/blob/master/gen/common.json. Note that run_logjam() will not work properly if the server's prime appears twice in etc/common-primes.txt.
2018-07-23 13:48:18 -04:00
David Cooper
81981b7c27
Update etc/common-primes.txt
The primes in etc/common-primes.txt that were taken from https://github.com/cryptosense/diffie-hellman-groups/blob/master/gen/common.json were encoded in decimal rather than hexadecimal, preventing them from being matched against the primes offered by servers. This PR converts the primes from https://github.com/cryptosense/diffie-hellman-groups/blob/master/gen/common.json to hexadecimal, removing those that were duplicates from https://svn.nmap.org/nmap/scripts/ssl-dh-params.nse.
2018-07-23 13:30:04 -04:00
Dirk Wetter
093108d297
Merge pull request #1090 from dcooper16/rfc7919_primes
Add RFC 7919 primes to etc/common-primes.txt
2018-07-20 15:29:39 +02:00
David Cooper
99c5f42b3f
Add RFC 7919 primes to etc/common-primes.txt
This PR adds the 6 primes from RFC 7919 to etc/common-primes.txt so that they can be detected by run_logjam().
2018-07-20 09:20:44 -04:00
Dirk
d83aed83fd server banner message polishing if empty 2018-07-19 14:09:19 +02:00
Dirk
ee8c70bce3 Minor polish
Typos, cleanup ec_nistp_64_gcc_128 (for 64 bit at least), add -DOPENSSL_TLS_SECURITY_LEVEL=0
2018-07-18 00:57:32 +02:00
Dirk
5f7f392e83 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2018-07-17 01:14:35 +02:00
Dirk
b6dca77cd2 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2018-07-17 00:44:47 +02:00
Dirk
5d5d21af04 Make script for OpenSSL 1.1.1 tree 2018-07-17 00:41:21 +02:00
Dirk
6e5f7c15af Make Travis CI shut up.
A soon-to-be-expired cert can be also HIGH, thus a test
for critical is appropriate.
2018-07-11 17:14:29 +02:00
Dirk
c0921c8877 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2018-07-11 11:03:52 +02:00
Dirk
61c5e8b96d (Slightly) improved JSON output for certificates
This commit fixes a bug mentioned in #1084 where a server
with multiple host certificates wa missing a certificate
number the the host certificate itself.

It also adds a JSON object for the number of host certificates.
2018-07-11 10:59:05 +02:00
Dirk Wetter
09182cb196
Merge pull request #1079 from dcooper16/bad_certificate_list
Handle incorrectly populated certificate_list
2018-07-05 09:54:58 +02:00
David Cooper
72ef69aeae
Handle incorrectly populated certificate_list
According to Section 7.4.2 of RFC 5246, when a server sends its certificate it MUST send a list in which the first certificate is the sender's certificate and "Each following certificate MUST directly certify the one preceding it." testssl.sh currently assumes that the server has populated the list way and so places the second certificate in the list into $TEMPDIR/hostcert_issuer.pem.

However, not all servers have been following this requirement, and so draft-ietf-tls-tls13 (soon to be RFC 8446) only says that servers SHOULD list the certificates in this way and says that clients "SHOULD be prepared to handle potentially extraneous certificates and arbitrary orderings from any TLS version, with the exception of the end-entity certificate which MUST be first."

testssl.sh needs to place the correct certificate in $TEMPDIR/hostcert_issuer.pem, since otherwise any OCSP request it sends will be incorrect, and any attempt to verify and OCSP response will be incorrect as well.

This PR changes extract_certificates() and parse_tls_serverhello() to populate $TEMPDIR/hostcert_issuer.pem with the first certificate in certificate_list that has a subject DN that matches the issuer DN in the server's certificate, rather than simply populating $TEMPDIR/hostcert_issuer.pem with the second certificate in the list.

In testing a random sampling of U.S. government servers, of 57 servers tested 5 reported "unauthorized" for the OCSP URI using the current testssl.sh and all 5 of these reported "not revoked" with this PR. This PR also corrects the same issue in some servers on the Alexa Top 1000, but this was only a problem for 12 of those 1000 servers.
2018-06-28 16:17:04 -04:00
Dirk Wetter
488cb03c60
Merge pull request #1078 from dcooper16/stapled_ocsp_revocation_check
Check stapled OCSP response for revocation status
2018-06-28 20:25:46 +02:00
David Cooper
b5595a9205
Check stapled OCSP response for revocation status
In cases in which the server offers a stapled OCSP response, this commit extracts the OCSP response and then checks the response for the status of the server's certificate. The check is performed in the same way as when the certificate includes an OCSP URI and the "--phone-out" option is set, except that the OCSP response is received from the TLS server rather than coming directly from the OCSP responder. Since this only involves additional processing of data that testssl.sh is already receiving, the check is performed whether or not the "--phone-out" flag is set.
2018-06-28 14:15:55 -04:00
Dirk
4aabc3f999 Merge branch 'skip_offensive' into 2.9dev 2018-06-26 13:10:18 +02:00
Dirk
33cf1d524c Fine tuning if Jac2NL's commit of IDS evasion
Reduce the offensive tests to 4: the others are "just" / mostly cipher
based checks which should not cause an IDS to block. (This maybe
subject to reconsider at a later time.)

Added a switch --ids-friendly

Updated VULN_COUNT accordingly

Added this (including PHONE_OUT to env debugging output)

Added help()

Manual section added
2018-06-26 13:04:30 +02:00
Dirk
01f177199c Merge branch 'Jac2NL-2.9dev' into skip_offensive 2018-06-26 12:36:01 +02:00
Dirk
3ce22ed8df Merge branch '2.9dev' of https://github.com/Jac2NL/testssl.sh into Jac2NL-2.9dev 2018-06-26 12:35:29 +02:00
Dirk
87f0cda234 Fix #1071 : typos and link in docu 2018-06-25 18:31:55 +02:00
Jacco de Leeuw
7098b7be50 If the environment variable OFFENSIVE has been set to false, skip a number of checks that have offensive characteristics. 2018-06-24 17:30:36 +02:00
Dirk Wetter
0355145576
Merge pull request #1074 from dcooper16/fix615
Fix #615
2018-06-22 14:18:23 +02:00
David Cooper
30624ddb75
Fix #615
This PR fixes #615 for the case in which tls_sockets() is used by splitting the list of CBC ciphers into two lists, each with fewer than 128 ciphers and then testing each list separately.

For the --ssl-native case, no changes were needed. Even though $cbc_ciphers contains 154 ciphers, no version of OpenSSL supports all of these ciphers, and so the actual ClientHello sent by every version of OpenSSL contains fewer than 128 ciphers.

I did, however, add the -no_ssl2 flag to the "$OPENSSL s_client" command to prevent OpenSSL from sending an SSLv2-compatible ClientHello. As is noted in a comment in run_server_preference(), "the supplied openssl will send an SSLv2 ClientHello if $SNI is empty and the -no_ssl2 isn't provided."
2018-06-21 11:23:30 -04:00
Dirk
aa0f33e984 Update RFC section in ~/doc with soon to be TLS 1.3 RFC
See PR #1072, title taken from
https://github.com/ietf/draft-ietf-tls-tls13/blob/master/rfc8446.xml
(maybe subject to change).

Todo: Handle the obsolted ones, maybe by adding "obsolete"
2018-06-20 09:41:51 +02:00
Dirk Wetter
8e144e8e6f
Merge pull request #1072 from dcooper16/rfc8446
TLS 1.3 will be RFC 8446
2018-06-20 09:25:10 +02:00
David Cooper
af8f98a04d TLS 1.3 will be RFC 8446
According to https://www.theregister.co.uk/2018/06/19/ietf_calls_for_formal_tls_1_0_1_1_deprecation, TLS 1.3 will be published as RFC 8446. This seems to be confirmed by https://www.rfc-editor.org/auth48/rfc8446 and https://github.com/ietf/draft-ietf-tls-tls13.

This PR updates comments that refer to draft-ietf-tls-tls13 to instead refer to RFC 8446. It also makes minor changes to other comments related to TLS 1.3 drafts.

NOTE: This PR is a bit premature as it may be several weeks before RFC 8446 is actually published.
2018-06-19 14:19:34 -04:00
Dirk
f2944205b9 Fix output error when $HEADERFILE was empty 2018-06-19 10:27:42 +02:00
Dirk
d23241b8cd Fix to-be-expired-soon certificate
The certificate from self-signed.badssl.com was about to expire
which raises a MEDIUM type issue in testssl.

This commit does a workaround for this, so that those certificates
will be ok in Travis CI.

(Same problem exists in 2.9.5)
2018-06-13 14:30:35 +02:00
Dirk
b6cc01a558 Fix line feeds in vulnerabilty output when running in wide mode
This commit is a FIX for #1069, thus when running in
wide mode it corrects an additional line feed which
happened sometimes.

As @dcooper16 pointed out it also cleans up the needless
if-statements in run_rc4(), run_lucky13() and run_beast().

It also inserts for wide mode lines a blank so the alignment
is not at the left border anymore (check for leftovers
needed).
2018-06-13 13:25:02 +02:00
Dirk Wetter
1be25f9cf7
Merge pull request #1067 from dcooper16/revocation_checking_errors
Fix false "revoked" results for CRL and OCSP checking
2018-06-05 10:33:42 +02:00