Commit Graph

1507 Commits

Author SHA1 Message Date
Dirk e083fab130 - run_logjam(): run_logjam(0 fixed error where logjam couldn't parse "ServerKeyExchange" message using SSL_NATIVE -- if TLS != 1.2 was returned
- run_logjam(): determine dh bit size and based on this mark the common primes as more or less vulnerable
- run_logjam(): renamed remaining dhe variable to dh
- further house keeping in run_logjam()
2017-01-19 14:45:19 +01:00
Dirk Wetter 9c3ab427b6 Merge pull request #590 from dcooper16/dhe_cipher_list
Generate list of all DHE ciphers
2017-01-18 22:08:43 +01:00
Dirk e3d183e909 -output correction run_logjam
- rename dhe to dh
2017-01-18 22:05:27 +01:00
David Cooper dcd37729f4 Generate list of all DHE ciphers
This PR adds a function that generates a list of all DHE ciphers for `run_logjam()`.
2017-01-18 15:16:13 -05:00
Dirk 05d27ff1be - FIX for the last mess submitted ;-) 2017-01-18 18:09:39 +01:00
Dirk 61b16a078a - file etc/common-primes was not edited correctly! 2017-01-18 16:38:09 +01:00
Dirk 8bf7b6b31b forgot to save work, followup to 4433345b16 , #120, #589 2017-01-18 16:23:18 +01:00
Dirk 4433345b16 - first implementation (draft) of LOGJAM common primes, see #589, #120
- output polishing of run_drown()
- polishing of run_logjam()
- decrease severity to high for LOGJAM, see CVE rating
2017-01-18 15:53:01 +01:00
Dirk b1c80512e6 first bunch of common primes, see #589 + #576 + #120. License of nmap is also GPLv2: no conflicts 2017-01-18 12:44:15 +01:00
Dirk e9916dd1f4 - FIX #566
- reorder get_<DNS>_record() for better overview
- move CMDLINE__IP away from main into determine_ip_addresses() where it belongs to
2017-01-17 13:57:14 +01:00
Dirk e7a35934ae add lf before -E 2017-01-17 12:00:18 +01:00
Dirk Wetter 5ea5ae5a53 Merge pull request #571 from dcooper16/run_freak_sockets
Use sockets for run_freak()
2017-01-17 11:41:50 +01:00
Dirk a3a30c7fa5 - CAA RR (expertimental)
- replace some sed+grep by awk in get_mx_record()
2017-01-17 11:19:57 +01:00
Dirk cdbdc51f5d fix #587 2017-01-16 14:06:32 +01:00
Dirk Wetter 350c2e09bb Merge pull request #576 from dcooper16/extend_logjam_phase_1
Extend logjam phase 1
2017-01-14 21:40:29 +01:00
Dirk Wetter ad7eeddb96 Merge pull request #579 from dcooper16/run_crime_sockets
Use sockets for run_crime()
2017-01-14 13:18:22 +01:00
Dirk Wetter 354e0ed31a Merge pull request #585 from dcooper16/show_selected_curve
Show selected curve
2017-01-14 12:12:33 +01:00
Dirk Wetter 32ef531cd1 Merge pull request #586 from dcooper16/find_encrypt_then_mac_extension
Detect support for encrypt-then-mac extension
2017-01-14 12:02:10 +01:00
David Cooper c5dcaf476f Remove redundant setting to success to 0 2017-01-13 12:18:32 -05:00
David Cooper 91e0da3485 Detect support for encrypt-then-mac extension
In some cases, the "TLS extensions" line output for the "--server-defaults" option will not show `"encrypt-then-mac/#22"` even if the server supports this extension. The reason is that a server will only include this extension in the ServerHello message if it supports the extension and the selected cipher is a CBC cipher. So, if `determine_tls_extensions()` connects to the server with a non-CBC cipher, then it will not detect if the server supports the encrypt-then-mac extension.

It is possible that support for the extension will be detected by `get_server_certificate()`, but only if one of the calls to that function results in a CBC cipher being selected and OpenSSL 1.1.0 is being used (as prior versions did not support the encrypt-then-mac extension).

In this PR, if `determine_tls_extensions()` is called and `$TLS_EXTENSIONS` does not already contain `"encrypt-then-mac/#22"`, then an attempt will be made to connect to the server with only CBC ciphers specified in the ClientHello. If the connection is not successful (presumably because the server does not support any CBC ciphers), then a second connection attempt will be made with the "default" ciphers being specified in the ClientHello.

en.wikipedia.org is an example of a server that supports the encrypt-then-mac extension, but for which the support is not currently detected (unless OpenSSL 1.1.0 is used) since in the call to `determine_tls_extension()` a non-CBC cipher is selected.
2017-01-13 12:13:20 -05:00
David Cooper 42da64d601 Show selected curve
This PR changes `read_dhbits_from_file()` so that, when the "quiet" parameter is absent, the selected curve is shown in addition to the number of bits. This PR only affects the output of `run_client_simulation()` and the `Negotiated cipher` in `run_server_preference()`.
2017-01-13 10:28:48 -05:00
David Cooper 77dbe7ed1b Merge branch '2.9dev' into run_crime_sockets 2017-01-13 09:09:04 -05:00
David Cooper 859ea0c7d3 Merge branch '2.9dev' into run_freak_sockets 2017-01-13 09:08:02 -05:00
David Cooper eabaa95163 Merge branch '2.9dev' into extend_logjam_phase_1 2017-01-13 09:07:12 -05:00
Dirk Wetter 436326a547 Merge pull request #573 from dcooper16/run_std_cipherlists_sockets
Use sockets for run_std_cipherlists()
2017-01-13 14:44:43 +01:00
Dirk Wetter bf87a9fe4a Merge pull request #582 from dcooper16/generate_static_cipher_lists
Create static cipher lists for testssl.sh
2017-01-13 14:39:17 +01:00
Dirk Wetter 048f17ca9a Merge pull request #583 from dcooper16/run_client_simulation_bugfix
run_client_simulation() bugfix
2017-01-13 14:38:05 +01:00
David Cooper 1a705f900f run_client_simulation() bugfix
There are two places in `run_client_simulation()` in which `$OPENSSL s_client` is called, after which there is a `debugme echo` line to display the `$OPENSSL s_client` command line when testssl.sh is being run in debug mode, and then `sclient_connect_successful $? $TMPFILE` is called to determine whether `$OPENSSL s_client` successfully established a connection.

So, `sclient_connect_successful()` is being passed the result of the `debugme()` call, which always returns 0, rather than the result of the `$OPENSSL s_client` call.

This PR fixes the problem by moving the `debugme()` line to before the call to `$OPENSSL s_client`, so that  `sclient_connect_successful()` is passed the results of the `$OPENSSL s_client` call.
2017-01-12 14:59:29 -05:00
David Cooper 0bc2b1c4bb Create static cipher lists for testssl.sh
This PR adds a new utility that generates the various static cipher lists that appear in testssl.sh.

This utility serves two purposes:
* It can be run whenever new ciphers are added to cipher-mapping.txt to see if any of the lists in testssl.sh need to be updated. (This includes if cipher-mapping.txt is modified to add OpenSSL-style names for ciphers that are currently listed, but that have not yet been assigned such names.)
* It can be used as a reference in order to understand how each of the lists is defined.
2017-01-12 13:17:04 -05:00
David Cooper c9119dd8ee Use static lists for sockets 2017-01-12 13:09:11 -05:00
David Cooper 92d1daa976 Merge branch '2.9dev' into run_crime_sockets 2017-01-09 09:06:10 -05:00
David Cooper d011803ae8 Merge branch '2.9dev' into run_std_cipherlists_sockets 2017-01-09 09:03:18 -05:00
David Cooper be7bb01815 Merge branch '2.9dev' into run_freak_sockets 2017-01-09 09:02:23 -05:00
David Cooper c8d04d7bab Merge branch '2.9dev' into extend_logjam_phase_1
Conflicts:
	testssl.sh
2017-01-09 09:01:31 -05:00
Dirk Wetter 33ca94f6e8 Merge pull request #577 from dcooper16/run_server_defaults_bugfix
run_server_defaults() bugfix
2017-01-08 15:59:45 +01:00
Dirk Wetter b99371c069 Merge pull request #578 from dcooper16/fix_sslv2_sockets
sslv2_sockets() bug fixes
2017-01-08 15:58:01 +01:00
Dirk Wetter 0b24e80057 Merge pull request #580 from gniltaws/2.9dev
Detect $TESTSSL_INSTALL_DIR when testssl is a symlinked command
2017-01-08 15:55:21 +01:00
David Cooper 95c75f1792 Add support for OpenSSL 1.1.0
Starting with OpenSSL 1.1.0, s_client will not offer TLS compression methods, even if OpenSSL is compiled with zlib support, unless the `-comp` flag is included in the command line.
2017-01-05 15:45:18 -05:00
David Cooper ab9eb6044e Use sockets for run_crime()
This PR changes `run_crime()` to use `tls_sockets()` rather than failing if `$OPENSSL` lacks zlib support, unless `$SSL_NATIVE` is `true`.

At the moment, the ClientHello created by `socksend_tls_clienthello()` only specifies the NULL compression method. So, this PR adds a new parameter to `socksend_tls_clienthello()` and `tls_sockets()` to allow to caller to request that additional compression methods (DEFLATE and LZS) be specified in the ClientHello.

This PR makes another change to `run_crime()`. At the moment, if `$OPENSSL s_client` fails to connect to the server, `run_crime()` will report that the server is not vulnerable, since the output from `$OPENSSL s_client` includes the line "Compression: NONE" (see below). This PR changes that by checking whether the connection was successful, and reporting a "test failed (couldn't connect)" warning if it wasn't successful, rather than reporting "not vulnerable (OK)".

```
CONNECTED(00000003)
140338777061024:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 389 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1483645971
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```
2017-01-05 14:55:08 -05:00
Todd Swatling 557c15607a detects install dir when symlinked and realpath not present
$ ls -l /usr/local/bin/testssl
lrwxrwxrwx /usr/local/bin/testssl -> /home/user/testssl.sh/testssl.sh
2017-01-05 14:45:39 -05:00
Todd Swatling 70e6e289e1 removed trailing spaces 2017-01-05 14:20:19 -05:00
David Cooper d66e5ec0d7 sslv2_sockets() bug fixes
This PR fixes a few bugs in `sslv2_sockets()`. The main issue is that a server may not send the entire ServerHello in a single packet. If it doesn't and the full response is being parsed (i.e., certificate and list of ciphers), then `parse_sslv2_serverhello()` will encounter errors, since it assumes that it has the entire ServerHello. This PR compares the length of the response to the length of the ServerHello as specified in the first two bytes of the response and requests more data from the server if the response appears incomplete.

This PR also modifies `parse_sslv2_serverhello()` to check for more errors. It compares the length of the response it has been provided to the specified length (`$v2_hello_length`) and returns an error if the response is shorter than `$v2_hello_length` and the full response is supposed to be parsed. It will also check whether there was an error in converting the certificate from DER to PEM format and will return an error if there was (and it will suppress the error message).
2017-01-04 10:47:36 -05:00
David Cooper c1d072b7a8 Check for matching SSLv2 cipher
Some servers respond to an SSLv2 ClientHello with a list of all SSLv2 ciphers that the server supports rather than just a list of ciphers that it supports in common with the client (i.e., that appear in the ClientHello). This PR changes the sockets version of `std_cipherlists()` so that, if `sslv2_sockets()` is successful, it checks whether there are any ciphers in common between the ClientHello and the ServerHello before declaring that the server supports the specified cipher list.
2017-01-04 10:34:13 -05:00
David Cooper 5270747eb0 Check for matching SSLv2 cipher
Some servers respond to an SSLv2 ClientHello with a list of all SSLv2 ciphers that the server supports rather than just a list of ciphers that it supports in common with the client (i.e., that appear in the ClientHello). This PR changes the sockets version of `run_freak()` so that, if `sslv2_sockets()` is successful, it checks whether there are any ciphers in common between the ClientHello and the ServerHello before declaring that the server supports an export RSA cipher.
2017-01-04 10:31:13 -05:00
David Cooper ad5590a444 run_server_defaults() bugfix
If `determine_tls_extensions()` does not create a temporary file (`$TEMPDIR/$NODEIP.determine_tls_extensions.txt`) then `run_server_defaults()` will display error messages when an attempt is made to copy this file or to search (grep) it. This may happen if `$OPTIMAL_PROTO` is `-ssl2` or if `determine_tls_extensions()` uses sockets and `parse_tls_serverhello()` encountered an error and did not create a temporary file (`$TEMPDIR/$NODEIP.parse_tls_serverhello.txt`). This PR fixes this by only trying to copy and search `$TEMPDIR/$NODEIP.determine_tls_extensions.txt` is `$OPTIMAL_PROTO` is not `-ssl2` and `determine_tls_extensions()` was successful (return value 0).
2017-01-04 10:19:11 -05:00
David Cooper 83472301bc Don't "echo" the prime to the terminal 2016-12-30 11:33:27 -05:00
David Cooper 62aee8f846 Remove leading "00" byte from prime, if present
The primes in https://svn.nmap.org/nmap/scripts/ssl-dh-params.nse do not include a leading "00" byte, so don't include it in `$dh_p`.
2016-12-30 11:32:41 -05:00
David Cooper c0c041b1c2 Merge branch '2.9dev' into run_std_cipherlists_sockets 2016-12-29 16:59:58 -05:00
David Cooper 5e5199ddb5 Merge branch '2.9dev' into run_freak_sockets 2016-12-29 16:58:22 -05:00
David Cooper b7ff8a1ee3 Add extra check 2016-12-29 16:45:46 -05:00