1
0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-07-17 19:21:57 +02:00
Commit Graph

2356 Commits

Author SHA1 Message Date
b0f4253ff2 add X-Permitted-Cross-Domain-Policies 2018-01-14 12:22:06 +01:00
77071bf50d a few IBM data power headers added 2018-01-11 17:28:48 +01:00
16de7fa1b7 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2018-01-03 21:43:38 +01:00
407358623e Fix, header restore, TLS13 ciphers
This fixes a bug which prevented the script from running properly. Also
the commit restores writing a correct comment header. In addition it
adds TLS 1.3 ciphers.
2018-01-03 21:41:09 +01:00
a3b4609d24 make 0964cbc5d3 easier in execution (session resumption) 2017-12-31 21:10:41 +01:00
0964cbc5d3 OpenSSL 1.1.1 seems to have changed the behaviour regarding Session ID
support. If the server doesn't supply an session identifier the file
is just empty.

This commit fixes that by adding a separate case for OpenSSL 1.1.1
and an empty file. It is deliberately only changing this as this
was tested to work.

It is prelimary and a save-the-work-patch as it might be better
to catch this earlier.
2017-12-31 11:49:25 +01:00
75e9add0f1 make ID for session_resumption_id common (allo lowercase) 2017-12-31 09:12:16 +01:00
c4c8ff4434 fix needed answer "YES" in protocol section 2017-12-29 23:14:14 +01:00
85c470fcdc Merge branch 'jp-host+port' into 2.9dev 2017-12-27 10:14:21 +01:00
0bc1f6f708 make MAX_PARALLEL and MAX_WAIT_TEST configurable + documentation 2017-12-27 09:50:34 +01:00
9981d76879 Move target host + port to different JSON (pretty) object
For JSON pretty the host specific parameters target host + port
could be better placed in the scanResult object.

It is still under discussion as logically the parent object is deduced
the command line.
2017-12-25 17:42:27 +01:00
eeaceb2845 Merge pull request from dcooper16/run_crime_ossl111
run_crime() and OpenSSL 1.1.1
2017-12-25 16:56:03 +01:00
7a1fb66957 Further (slight) update on cipher quality coloring
TLS_RSA_* which don't fall into the aleady mentioned
    categories (CBC cipher, export, RC4 etc.) are now
    a bit more more penalized. Those are the ones which have
    an RSA key exchange AND a modern encryption.

    pr_cipher_quality() needs to be redone after carefully
    reconsidered which cipher should have which rating.
2017-12-25 14:55:12 +01:00
85fa5f4fa9 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-12-25 14:17:06 +01:00
8fbbb211b9 Fix error where a ECDHE-GCM cipher was labeled low
FIX 
2017-12-25 14:15:17 +01:00
581b7cf579 run_crime() and OpenSSL 1.1.1
This PR is similar to . If using OpenSSL 1.1.1 to connect to a server that supports TLSv1.3, `run_crime()` will connect to the server using TLSv1.3, which does not support TLS-level compression. So, the server will be reported as "not vulnerable" even if would use compression for connections at TLSv1.2 and below.

I have not encountered any "live" servers that support both TLSv1.3 and TLS-level compression. I verified this problem by using OpenSSL 1.1.1 to create a server that supports both TLSv1.3 and TLS-level compression:
```
openssl111 s_server -cert cert.pem -key key.pem -accept 8443 -WWW -comp
```
I then tested the server using `testssl.sh --crime` with both openssl111 and OpenSSL 1.0.2-chacha.
2017-12-21 11:22:08 -05:00
978478fd0c Fix "typo" 2017-12-21 15:06:08 +01:00
410c3d5f82 Merge pull request from dcooper16/run_renego_ossl111
run_renego() and OpenSSL 1.1.1
2017-12-21 09:45:05 +01:00
b9e67fcf29 run_renego() and OpenSSL 1.1.1
run_renego() appears to produce a false positive if OpenSSL 1.1.1 is used and the server being tested supports TLSv1.3 (i.e., the server supports the same draft version of TLSv1.3 as the version of OpenSSL 1.1.1 being used does). This PR fixes the problem by telling calls to $OPENSSL s_client in run_renego() to not use TLSv1.3.
2017-12-20 16:38:10 -05:00
5c005ac139 Add '--full' / '-9' ...
.. to check during the default run for server implemenation bugs
and run cipher per procol check instead of cipher check.

Please not that this option could disappear later.
2017-12-20 19:21:33 +01:00
6d53a1e9f4 Merge pull request from dcooper16/status_request
Process TLSv1.3 status_request extension
2017-12-20 18:52:40 +01:00
d919629f51 Merge pull request from dcooper16/supported_groups
Process supported_groups extension
2017-12-20 18:52:02 +01:00
14908bac98 Process supported_groups extension
In TLSv1.3 servers may send a supported_groups extension, which "SHOULD contain all groups the server supports, regardless of whether they are currently supported by the client."

This PR extracts the contents of the supported_groups extension, if `parse_tls_serverhello()` is to process "all" of the server's response. The contents of the extension are also displayed on the terminal if $DEBUG -ge 3.
2017-12-20 10:40:17 -05:00
65e435eb70 Process TLSv1.3 status_request extension
In TLSv1.2 and below, servers respond to a status_request extension (a request for a stapled OCSP response) by returning an empty status_request extension and then including a CertificateStatus message, which follows the Certificate message. In TLSv1.3 the CertificateStatus response is included as the value of the status_request extension, which now appears as an extension within the Certificate message.

This PR extracts the contents of the status_request extension sent by the server so that it can later be processed in the same way as if it had sent in a TLSv1.2 or below response.
2017-12-20 10:17:21 -05:00
f53d601325 Merge pull request from dcooper16/tls13_decrypt_response
Decrypt server's TLSv1.3 response
2017-12-20 09:03:36 +01:00
5580aaae1b Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-12-20 09:01:09 +01:00
1488baeac5 Documentation of CA_BUNDLES_PATH
See also 
2017-12-20 09:00:00 +01:00
e8be1f441b Decrypt server's TLSv1.3 response
This PR adds code to decrypt the encrypted portion of the server's response for TLSv1.3 and to then process any certificates and encrypted extensions. This code supports all 5 TLSv1.3 cipher suites, and so any response can be decrypted as long as the session key can be derived (which requires OpenSSL to support the ephemeral key that was used - see ).

For the symmetric decryption, the sym-decrypt() function uses OpenSSL when possible and internal Bash functions when needed.

For AES-GCM and AES-CCM ciphers sym-decrypt() normally uses internal Bash functions, which rely on using "$OPENSSL enc" in AES-ECB mode to generate the key stream and then Bash functionality to XOR the key stream with the ciphertext. With some version of OpenSSL the AES-GCM ciphers are decrypted using "$OPENSSL enc" in AES-GCM mode directly. On my system, however, both methods seem to work about equally fast.

For ChaCha20 ciphers, "$OPENSSL enc -chacha20" is used, if supported (OpenSSL 1.1.x only). and Bash internal functions (without any OpenSSL support) are used otherwise. In this case, if the Bash internal functions need to be used, decryption is very, very, very slow. Fortunately, in a typical run of testssl.sh there won't be many cases in which the connection will be TLSv1.3 with ChaCha20 and the entire response needs to be processed (requiring decryption). In most cases, even if the connection is TLSv1.3 with ChaCha20, will at most need the ephemeral key, which is available in plain text.
2017-12-15 16:40:47 -05:00
33f8a04066 Merge pull request from dcooper16/tls13_derive_session_key
Derive handshake traffic key for TLSv1.3
2017-12-15 13:02:18 +01:00
cfecc3c8c4 Derive handshake traffic key for TLSv1.3
This is the first in a series of PRs to add support for processing the encrypted portions of the server's response in a TLSv1.3 handshake.

This PR adds the code to derive the handshake traffic key needed to decrypt the response (the next PR will add the code to perform the symmetric-key decryption of the encrypted portions of the response).

Since this PR does not make use of the traffic key that it derives, it doesn't yet add any new functionality.

Note that testssl.sh will not always be able to derive the session keys. If the version of OpenSSL that is bundled with testssl.sh is used and the server chooses to use an X25519 ephemeral key, OpenSSL will be unable to perform the shared secret in derive-handshake-traffic-secret(). (OpenSSL 1.1.0 supports X25519.) Since X25519 use a different encoding than ECDH keys, the lack of X25519 support will be discovered in parse_tls_serverhello() when $OPENSSL pkey is unable to convert the key from DER to PEM. So, in debugging mode, parse_tls_serverhello() now displays a warning if it receives a key share that $OPENSSL pkey cannot handle.
2017-12-14 16:55:18 -05:00
1984d7fc90 html version of man page added 2017-12-14 10:25:59 +01:00
c23f47858d Overwrite as a default empty files
This commit tries to address . Empty files can now
be overwritten without exiting with an error.
2017-12-14 10:06:19 +01:00
4339c27659 Merge pull request from dcooper16/fix_certificate_check
Fix check for whether certificates were found
2017-12-13 20:34:19 +01:00
d8839b375b Fix check for whether certificates were found
get_server_certificate() uses an awk script to extract the certificates from the output of OPENSSL s_client and it then uses the following line to determine how many certificates were found:

     nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")

If $nrsaved is 0, then get_server_certificate() returns 1 (indicating failure); otherwise it returns 0 (indicating success).

However, the check for the number of certificates returned doesn't work if no certificates were found, as nrsaved will be set to 1 if no certificates were found:

     > touch level0.crt
     > echo level?.crt
     level0.crt
     > touch level1.crt
     > echo level?.crt
     level0.crt level1.crt
     > rm level0.crt level1.crt
     > echo level?.crt
     level?.crt

This PR fixes the problem by first checking that level0.crt exists (-s is used instead of -e, since an empty file wouldn't have a certificate).
2017-12-13 11:23:41 -05:00
3e73a553f0 Merge pull request from dcooper16/no_pkey
Introduce property global HAS_PEY
2017-12-13 17:19:42 +01:00
cea570836f Check for pkey support
Similar to the recently added HAS_PKUTIL (f829878a43), this PR adds HAS_PKEY, which indicates whether OpenSSL has the pkey utility. HAS_PKEY is then checked before attempting to do something that requires the pkey utility.
2017-12-13 11:01:58 -05:00
69956016b3 CVEs from https://robotattack.org/ added (in JSON) 2017-12-13 13:21:17 +01:00
fe7feda228 Merge pull request from dcooper16/reduce_file_ops
Reduce use of temporary files
2017-12-12 19:41:39 +01:00
5978d37c74 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-12-12 19:41:07 +01:00
f829878a43 Introduce property global HAS_PKUTIL 2017-12-12 19:37:33 +01:00
274d8a8b3a Reduce use of temporary files
This PR reduces testssl.sh's use of temporary files by making greater use of pipes. This results in a very slight performance improvement.
2017-12-12 11:51:15 -05:00
97b7f9c923 Merge pull request from dcooper16/correct_title
Correct comment
2017-12-12 16:41:09 +01:00
4a209cceb4 Correct comment
The comment at the beginning of the run_robot() function uses the wrong title for the paper. This PR fixes the title and adds a URL.
2017-12-12 10:25:44 -05:00
8f597f7077 Merge pull request from dcooper16/Bleichenbacher
Test for vulnerability to Bleichenbacher attack
2017-12-12 15:58:24 +01:00
5de873f8bc Test for vulnerability to Bleichenbacher attack
This PR adds a test to check whether a server that supports ciphers suites that use RSA key transport (TLS_RSA) are vulnerable to Bleichenbacher attacks (see http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf).
2017-12-12 09:51:48 -05:00
7e62dc3192 Merge pull request from seccubus/json_footer_breaks_json
JSOn output is broken by the JSON footer in combination with mass mode
2017-12-07 09:59:58 +01:00
393e4fb920 JSON output fixed in --parallel too 2017-12-06 21:54:59 +01:00
3eb402a3d5 JSOn output is broken by the JSON footer in combination with mass mode 2017-12-06 16:10:53 +01:00
2a0a0475ab Fix for POP3, Robustness for STARTTLS
POP3 STARTTLS handshakes were often unsuccessful as
a regex wasn't properly escaped.

Furthermore if a STARTTLS handshake doesn't succeed, there's
a warning now.
2017-12-06 12:24:26 +01:00
9e1ed1c9cf Add check for -oA in nma greppable output 2017-12-06 10:23:24 +01:00