Commit Graph

3980 Commits

Author SHA1 Message Date
David Cooper 9cc0624bf2 Use -s option with OpenSSL ciphers
With OpenSSL 1.1.0 (and maybe other versions), the `ciphers` function lists many cipher suites that are not actually supported by the `s_client` option. This PR fixes that by using the `-s` option whenever `$OPENSSL ciphers` is used to obtain a list of cipher suites supported by OpenSSL. According to https://www.openssl.org/docs/manmaster/man1/ciphers.html:
```
-s

    Only list supported ciphers: those consistent with the security level, and minimum and
    maximum protocol version. This is closer to the actual cipher list an application will
    support.
```
When the `-s` option is used along with `-tls1`, OpenSSL 1.1.0 will not list any ciphers that only work with TLSv1.2. So, `prepare_debug()` needed to be changed to correctly populate `ossl_supported_tls`, which is supposed to be a list of all non-SSLv2 ciphers supported by the server.

LibreSSL issues an "unknown option" error if the `-s` option is provided, so the `-s` option is only included in the command line if `$OPENSSL` has been determined to support it.

This PR is needed so that `prepare_debug()` can correctly determine which cipher suites are or are not supported by `$OPENSSL`.
2019-02-15 09:07:03 -05:00
David Cooper 64ac831a8d Remove extra call to s_client
This PR removes an extra call to `$OPENSSL s_client` in `get_server_certificates()` and it also changes `get_server_certificates()` to not collect extensions when SNI is not being provided.
2019-02-15 09:06:24 -05:00
Dirk e27b03dff8 Clarify error message
... when no certificate was detected. Shouldn't be needed
anymore since @dcooper16's fix 8488b84 but for robustness
it might be good to leave it.
2019-02-15 10:09:31 +01:00
Dirk Wetter 6c0bbaf042
Merge pull request #1199 from dcooper16/get_server_certificate_sockets
Use sockets for get_server_certificate()
2019-02-15 09:40:22 +01:00
Dirk 5b05f144b3 remove some redundant quotes 2019-02-15 09:21:28 +01:00
David Cooper 8488b84136
Use sockets for get_server_certificate()
This PR modifies  get_server_certificate() to use tls_sockets() rather than $OPENSSL for finding certificates using SSLv3 - TLSv1.2, unless $SSL_NATIVE is true. Using tls_sockets() allows testssl.sh to find certificates used by the server even if the server is only using cipher suites not supported by $OPENSSL. This may happen, for example, if the server only supports TLS_ECDHE_ cipher suites with curve X25519 and a version of OpenSSL prior to 1.1.0 is being used. A less likely possibility would be if the server had a certificate with a DH key, and a newer version of OpenSSL that does not support TLS_DH_ cipher suites is being used.

Since tls_sockets() cannot be used to obtain session tickets from the server, an additional test for session ticket lifetime needed to be added.

In order to reduce the number of times the server needs to be queried for certificates, this PR bundles the testing in a similar way to what is already done to test for cipher suites. Currently, each call to get_server_certificate() only tests for one type of certificate. This PR has each call test for more than one type of certificate. For example, one call is made to test for ECDSA, ECDH, DH, DSA, and GOST certificates. If the test is unsuccessful, then the server has none of these certificates. If the test finds a certificate (e.g., an ECDSA) certificate, then another test is run looking for the remaining types (ECDH, DH, DSA, and GOST) until a test is unsuccessful.

For most servers, this will reduce the number of calls to get_server_certificate() from 8 or 9 to 4 or 6.
2019-02-14 10:29:48 -05:00
Dirk Wetter 1769378139 Fix naming of average ciphers
... which lead to a problem with CBC ciphers.

See #1157
2019-02-14 14:53:28 +01:00
Dirk bd2e10bffe Move listciphers() and sub_cipherlists()
... to be right in top of run_cipherlists()
2019-02-13 15:54:12 +01:00
Dirk 5e9a326dfe Finalize Weak 128 Bit ciphers
This fixes #1157.

* Move IDEA to the same category as 3DES
* Rename the category to 3DES_IDEA (JSON)
* Rename 128 Bit category to AVERAGE (JSON)
* Move 256 Bit CBC ciphers into this category too
* Remove category HIGH

Furthermore:

* Code readability improvements, especially in run_cipherlists()
* fix minor bugs (e.g. aNULL ciphers were used in higher categories when --ssl-native was supplied)
* rearrange order for sub_cipherlists()
* proper documentation for arguments of sub_cipherlists()  in run_cipherlists()
* add "$cve" "$cwe" arguments to fileout in sub_cipherlists() -- (was passed before but not used)
* change debugging leftover filenames for sub_cipherlists to the JSON identifier
2019-02-13 15:44:46 +01:00
Dirk Wetter 3d55d0ebd1
Merge pull request #1197 from dcooper16/run_server_preference_ssl2_only
Fix run_server_preference() for SSLv2 only server
2019-02-13 14:47:46 +01:00
Dirk 5b1e3bb59c Complete SWEET32
... with RC2 IDEA and DES ciphers.
Still open is SSLv2.

See #613
2019-02-13 14:44:28 +01:00
Dirk c252541bcf Minor code simplification / readability 2019-02-13 14:37:57 +01:00
Dirk Wetter 818c96ddbe
Merge pull request #1196 from dcooper16/reorganize_run_cipher_per_proto
Reorganize run_cipher_per_proto()
2019-02-13 14:14:21 +01:00
Dirk Wetter c671ea9796
Merge pull request #1195 from dcooper16/reorganize_check_cipher_pref
Reorganize cipher_pref_check()
2019-02-13 13:51:49 +01:00
Dirk Wetter e8a5ab60cb
Merge pull request #1194 from dcooper16/fix_determine_optimal_proto
Fix determine_optimal_proto()
2019-02-13 13:31:39 +01:00
Dirk Wetter ee4cec2f11
Merge pull request #1193 from dcooper16/fix_get_cipher
Fix get_cipher()
2019-02-13 13:28:44 +01:00
Dirk Wetter c0d04f7a84
Merge pull request #1198 from dcooper16/run_server_defaults_ssl2_only
Fix run_server_defaults() for SSLv2-only servers
2019-02-13 13:25:51 +01:00
David Cooper 1cf796fd36
Fix run_server_defaults() for SSLv2-only servers
This PR makes a few improvements to run_server_defaults() when run on an SSLv2-only server.

First, it uses sslv2_sockets() to test the server rather than $OPENSSL, so that it will work even if $OPENSSL does not support SSLv2.

Second, it changes run_server_defaults() to only call get_server_certificate() once if $OPTIMAL_PROTO is -ssl2, since calling more than once is a waste -  SSLv2 only supports ciphers that use RSA key exchange.

Finally, as some code assumes that $TEMPDIR/intermediatecerts.pem will exist, even if it is empty, this PR changes a couple of places that delete $TEMPDIR/intermediatecerts.pem to instead make the file empty.
2019-02-12 15:15:18 -05:00
David Cooper 90d36262ea
Fix run_server_preference() for SSLv2 only server
When run_server_preference() is run on a server that only supports SSLv2 it incorrectly reports that the server has a cipher order. The reason for this is that $list_fwd and $list_reverse only include one SSLv2 cipher.

In SSLv2 the server sends a list of all ciphers it supports in common with the client and the client chooses which cipher to use. As a result, the server cannot enforce a cipher order for SSLv2.

So, this PR fixes the problem in run_server_preference() by skipping the test for whether the server enforces a cipher order if $OPTIMAL_PROTO is -ssl2 and simply declares that the server does not enforce a cipher order.

Note that this PR is somewhat dependent on #1194, as #1194 needs to be applied in order for $OPTIMAL_PROTO to be set to -ssl2 when testing an SSLv2-only server.
2019-02-12 13:44:55 -05:00
David Cooper 8fdb388dc3
Reorganize run_cipher_per_proto()
This PR reorganizes run_cipher_per_proto(). Currently run_cipher_per_proto() runs a for loop, which loops over each protocol and prints the set of supported ciphers for each protocol. This PR simply places the body of the for loop in a separate function from the loop itself. This allows the body of the loop to be called for just a single protocol.

While this PR does not change the way that testssl.sh functions, it would allow for a future change in which run_server_preferences() called cipher_pref_check() for protocols in which the server enforces a cipher order and calls ciphers_by_strength() for protocols in which the server does not enforce a cipher order.
2019-02-12 12:50:24 -05:00
David Cooper 2a13643bb1
Reorganize cipher_pref_check()
This PR reorganizes cipher_pref_check(). Currently, cipher_pref_check() runs a for loop, which loops over each protocol and prints the set of supported ciphers for each protocol. This PR simply places the body of the for loop in a separate function from the loop itself. This allows cipher_pref_check() to be called for just a single protocol rather than for all protocols. Another PR will make a similar change to run_cipher_per_proto().

The reason for this change is that cipher_pref_check() was only intended to be used in cases in which the server enforces a cipher preference order. Some servers, however, enforce an order for some protocols, but not for others. The change in this PR will make it possible in the future to call cipher_pref_check() only for protocols in which the server enforces a cipher order.
2019-02-12 12:43:57 -05:00
David Cooper dd8ee06ca5
Fix determine_optimal_proto()
This PR fixes two bugs in determine_optimal_proto().

First, sslv2_sockets() returns 3 if the connection was successful.

Second, if all connection attempts using tls_sockets() were unsuccessful, it is possible that $TEMPDIR/$NODEIP.parse_tls_serverhello.txt will not exist, so copying it or grepping it will lead to an error. Checking that $proto is not 22 will fix this as $proto will be empty is $OPENSSL s_client was used and it will be 00, 01, 02, 03, or 04 if tls_sockets() was used and the connection was successful with some protocol higher than SSLv2.
2019-02-12 11:27:49 -05:00
David Cooper 7a62654aef
Fix get_cipher()
This PR fixes a bug in get_cipher() - one that also appears in sclient_connect_successful().

The code currently assumes that cipher names contain only uppercase letters and numbers. However, ciphers that do not provide authentication include "anon" in the name, which is written in lowercase.

This PR fixes the problem by allowing lowercase letters to appear in cipher names (except in the first portion of the name).

Note that no change was made to similar code in get_protocol(), since the line in get_protocol() only matches TLSv1.3 ciphers, which do not contain any lowercase letters.
2019-02-12 10:43:13 -05:00
Dirk Wetter 5d1109a582 Workarounds for missing curves in OpenSSL
In case where the OpenSSL version used cannot successfully do openssl s_client
connects there are a few problems, see #1087.

This PR partly addresses them by
* changing the logic of HTTP header failure: we don't terminate anymore but
  continue with a warning message
* we try to find out what the reason was: If it is a missing curve we signal
  it back to the user
* we keep track in a global variable KNOWN_OSSL_PROB. It's not being used yet
  on all connects as it has not been decided whether we do a connect despite
  we know if there's a problem or rather not.
* Give hints to the user for resumption tests, secure renegotiation, CRIME and BREACH.
  For the latter --assume-http needs to be supplied for any output.

Also: for finding the OPTIMAL_PROTO now (unless --ssl-native is being used)
sockets are the default which removes in cases where an openssl s_client
connect fails, the initial message 'doesn't seem to be a TLS/SSL enabled server'
and prompt 'Really proceed ? ("yes" to continue)'. For STARTTLS this needs
to be done as well.

Here a minor bug was fixed: when openssl s_client connect in determine_optimal_proto()
succeeded without a protocol supplied, OPTIMAL_PROTO wasn't set. A statement was
added but now it is only being used when --ssl-native was supplied.

Leftover for this workaround is to find out why the number of certificate retrieved is
zero in those cases, despite the fact that there's a valid 'host_certificate.pem' from
tls_socket() calls.  Thus still run_server_defaults() stops after 'TLS clock skew'
as certificate_info() is not being called in run_server_defaults(). For now in
those cases 'Problem: Host certificate found but we can't continue with "server defaults"'
is being printed.

In general for the future it would be great if we could e.g. retrieve the header over
TLS sockets.
2019-02-11 20:24:41 +01:00
Dirk Wetter 691ca28bb9
Merge pull request #1192 from dcooper16/fix_second_clienthello
Fix TLSv1.3 second ClientHello
2019-02-09 13:44:26 +01:00
David Cooper a26aae381c
Fix TLSv1.3 second ClientHello
This PR fixes two problems with modify_clienthello().

First, the function was incorrectly using the variable $key_share instead of $new_key_share. Since $key_share is defined when modify_clienthello() is called from resend_if_hello_retry_request(), but not when it is called from client_simulation_sockets(), this bug does not seem to result in incorrect behavior, but it should still be fixed.

Second, when this function is used to create a second ClientHello in response to a HelloRetryRequest, it removes the key_share extension from the original ClientHello and then appends the new key_share extension at the end. According to https://mailarchive.ietf.org/arch/msg/tls/8ZKCyamcYFaV90h6nf4MUnSPkEE, however, extensions must appear in the second ClientHello in the same order in which they appeared in the first ClientHello.

I am not aware of any servers that will actually complain if the extensions in the second ClientHello do not appear in the same order as in the first ClientHello, bug this fix helps to ensure that the ClientHello messages testssl.sh sends are in compliance with the standard.
2019-02-08 15:40:28 -05:00
Dirk Wetter b5dbe73a7e Minor output tuning for #1188
Prefer quoted name, see https://datatracker.ietf.org/liaison/1616/.
Also added visibility info for now.
2019-02-08 14:11:52 +01:00
Dirk Wetter 28dd530c45 Merge branch '2.9dev' of github.com:/drwetter/testssl.sh into 2.9dev 2019-02-07 10:42:16 +01:00
Dirk Wetter 98505590b3
Merge pull request #1188 from dcooper16/eTLS
WIP: Detecting "eTLS" 1.3 (Fix #1185)
2019-02-06 16:59:03 +01:00
David Cooper 30da1cdd72
WIP: Detecting "eTLS" 1.3 (Fix #1185)
This PR is an attempt at addressing #1185. According to https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.01_60/ts_10352303v010101p.pdf, if eTLS is in use, then the certificate should contain a subjectAltName extension with one or more "names" containing "visibility information." The "visibility information" is encoded as an otherName with a type-id of 0.4.0.3523.3.1 and a value of

   VisibilityInformation ::= SEQUENCE {
        fingerprint         OCTET STRING (SIZE(10)),
        accessDescription   UTF8String }

The etsi_etls_visibility_info() function determines whether the certificate includes an "visibility information," and, if it does, extracts the fingerprints and access descriptions.

This PR is a work-in-progress for two reasons. First, it has not been tested against any real certificates that contain "visibility information." Testing against real certificates would be helpful to verify that the parsing of the certificate is correct.

Second, the presentation of the visibility information (both in the printed text and in what is sent to fileout()) may need improvement. Having seen no examples, it is not clear what the contents of accessDescription can be expected to look like. The document says that the contents will be "human-readable text," but it is not clear whether the description will be relatively short or very long.
2019-01-31 11:51:16 -05:00
Dirk 7f8a0f2c8b Readd final 00,ff to high_ciphers to previous commit 2019-01-28 21:23:51 +01:00
Dirk ed8f26b2f6 Improve standard cipher lists section
To finalize #1157 following was done

* move 3DES one line above
* put 128 bit CBC ciphers (ARIA, Camellie and AES) SEED and IDEA into 128Bit
* the remaining 256 bit ciphers NOT supporting AEAD Mac into high

Also 128 bit ciphers are getting a small complaint (LOW, yellow) if
available instead of red (for SEED and IDEA before)

To ease the (future) output rated_output() is included, but it's not being used
yet.

Also often I have docker hosts for testing. If I use them while the external
network is down, I still experience DNS timeouts. I added for dig
timeout values which proved to be reasonable in my tests with and
without network.

Also if an IPv4 or an IPv6 address was supplied testssl.sh doesn't
do (futile) DNS lookups anymore.
2019-01-28 18:31:57 +01:00
Dirk Wetter e02b313394 Test code for a HTTP GET request over sockets
It doesn't run per default and it doens't work yet. Just to share the idea.
2019-01-26 14:18:04 +01:00
Dirk Wetter 7de93e26dc Introducing HAS_X448 and HAS_X25519
... to enable checks whether a curve has been detected by sockets
won't be detected and/or makes problems with remaining openssl
s_client + other calls

Related to #1087
2019-01-26 12:50:16 +01:00
Dirk Wetter 966f414a2b Multiple IP scan fix (no --file) + single cipher scan works with multiple IPs
This PR addresses the problem (#1037) that if a hostname resolves to multiple IP
addresses only the first one is being scanned as this IP isn't reachable and the
scan terminated here and didn't continue with the 2nd, 3rd etc.

Same applied to scans with --mx.

This based on the global MULTIPLE_CHECKS which is set to true whenever
such a scan is started.

One minor point: Also if the last IP isn't reachable the output will say
"proceeding with next:". I guess that should be clear looking at the (different outputs).

This PR also fixes a scan problem with a single cipher/pattern (-x/--single-cipher):
previously where only one IP was scanned.

Furthermore some redundant quotes were removed.
2019-01-24 17:57:29 +01:00
Dirk Wetter ef6deb037e ~Empty files when scan problems encountered
This commit addresses #934. It adds a line in the log/csv output
and a json object named "scanProblem" when either the function
fatal() is being called and it logs the reason of the fatal error.
2019-01-21 12:19:56 +01:00
Dirk 7ffd46447a Add new openssl helper binaries for Linux and FreeBSD
.. based on https://github.com:/drwetter/openssl-1.0.2.bad

plus the patch fedora-dirk-ipv6.patch applied.

In addition to Peter Mosman's branch the brauch and as a result the binaries
contain following additional STARTTLS features: LMTP, NNTP, IRC .

See also #741, #559, #1093, #179
2019-01-18 19:53:19 +01:00
Dirk 5c74af3694 Change in cipher categories / run_cipherlists()
As noted in #1157 the logic of different cipher suites put to categories
needed an improvement.

This commit addresses it by moving first RC2 and RC4 cipher suites to
the low category.

More to follow.
2019-01-17 13:05:17 +01:00
Dirk 6926bb330c Remove some redundant double quotes
.. in sub_cipherlists() and neat_list()
2019-01-10 14:40:02 +01:00
Dirk 6d2b42b38d Fix regression (TLS 1.3) in server preference test
.. see #1179
2019-01-10 14:17:42 +01:00
Dirk 53bd3bf736 Server preference for TLS 1.3
This commit fixes #1163 which lead to the misleading output when
a TLS 1.3 enabled server had no preferences for the TLS 1.3 ciphers
but for anything below (like currently for testssl.NET).

The TLS 1.3 handshake in sockets plus the following openssl handshake
was moved to the top in run_server_preference() so that it can be better
determined whether TLS 1.3 is available. If this section's outcome is
TLS 1.3 is negotiated a single TLS 1.3 handshake with 5 ciphers only is
done forward and reverse. The resulting ciphers are later on compared
whether there's a cipher order for TLS 1.3.

Basically this section should be redone, so that all openssl handshakes
are replaced by sockets. As this would consume more time as it appears
reasonable at this point of time, this was not done yet. A starting point
for this would be tls13_list_fwd + reverse. After release of 3.0 90%
of the code will be replaced anyway.

DHE-RSA-SEED-SHA and SEED-SHA was added to the reverse and forward lists
as some old openssl versions + apache use it.

Also:

Googles ALPN_PROTO grpc-exp was added (to be reconsidered at some certain point)

Some redundant quotes in double square brackets were removed.

All "do_*" variables are now in quotes when tested w if or [[
2019-01-09 15:33:15 +01:00
Dirk e29b1f40e6 Improve HTML-Formatting, minor additions
The HTML manual is now post processed through tidy
which removes the problem of ">" not HTML encoded.

--color 0 is now explicitly mentioned to avoid escaped codes in the
output.

Minor changes wrt certificate stores
2019-01-08 13:56:55 +01:00
Dirk 0b98b7c735 Small clarification to --help and <fname> 2018-12-19 11:45:02 +01:00
Dirk 75a9c021e5 Add -iL as a n alternative to --file 2018-12-17 21:09:12 +01:00
Dirk d10f66a4c5 Minor additions
1) add --add-ca option and remove eother references to ADDITIONAL_CA_FILES
2) add a paragraph 'TUNING OPTIONS'
3) add -iL as a n alternative to --file
2018-12-17 21:04:47 +01:00
Dirk e739b54664 Updated to version 3.0rcX
Reflect we're at 3.0rcX, 2.9.5 is past, 2.8 not supported

Removed features from 2.9.5. Added all(?-->David?) features implemented
in 2.9dev.

Mention docker image

Clarify when testssl.sh should be mentioned (license).
2018-12-14 14:47:41 +01:00
Dirk f708e1420e Updated Trust Stores, Java added
This is an update of the root certificate stores. Date from each store
is from yesterday.

Description update.

Also the Java certificate store was added. Previously Java was omitted
as it appeared not to be complete. I tested successfully this store.
2018-12-14 10:00:23 +01:00
Dirk 1416ff620b Major update, review
Review: grammar, spelling.  Errorneous and obsolete description.
        Some items reordered.

Updated: to reflect the current capabilities.

Moreover: (Almost) complete the tuning variables section.
2018-12-13 18:07:20 +01:00
Dirk 4f920a389a Don't output warnings in JSON in parent when mass testing
This addresses #1169: When using JSON as output format when mass testing
AND we have a non-fatal condition when e.g. openssl lacks support for
something it led to an invalid JSON as the warning was put into file w/o
a trailing comma.

The commit removes the warning to be put into the output. We still have the
message on screen + in HTML which is not as optimal as it could be.

Also I did some cleanups related to redundant double quotes I stumbled over while
fixing this.
2018-12-11 10:03:58 +01:00
Dirk ab7ca281c0 Minor polishing 2018-12-07 14:35:49 +01:00