Commit Graph

3961 Commits

Author SHA1 Message Date
David Cooper b7c566fb24 Merge branch '2.9dev' into cipher_order_sockets 2016-12-13 08:42:06 -05:00
David Cooper 6b1b25a4b1 Merge branch '2.9dev' into run_cipher_per_proto_sockets 2016-12-13 08:40:47 -05:00
Dirk f30dab9e2f cosmetic improvement to #551 2016-12-13 12:38:20 +01:00
Dirk Wetter 7f3b1de737 Merge pull request #551 from dcooper16/parse_sslv2_fix
Don't parse SSLv2 ServerHello unless successful response
2016-12-13 12:28:26 +01:00
Dirk Wetter 156af69dc2 Merge pull request #560 from sdann/2.9dev
Add support for testing postgres protocol over TLS/SSL
2016-12-13 08:53:30 +01:00
Steven Danneman 461f956603 Add support for testing postgres protocol over TLS/SSL
The Postgres protocol uses STARTTLS with a custom start packet. This
functionality is supported by openssl s_client in the current openssl
master branch but not yet in any released version.

This patch detects whether the given openssl binary supports postgres
and runs the default tests against a postgres server.

Example of no openssl support:

    ~/bin/testssl$ ./testssl.sh --quiet
    --openssl=/opt/openssl/openssl-1.1.0c/bin/openssl --starttls=postgres
    test.postgres.server.com:5432

     Start 2016-12-07 18:03:24    -->> ip.add.re.ss:5432
    (test.postgres.server.com:5432) <<--

    Fatal error: Your /opt/openssl/openssl-1.1.0c/bin/openssl does not
    support the "-starttls postgres" option

Example of openssl support:

    ~/bin/testssl$ ./testssl.sh --quiet
    --openssl=/opt/openssl/openssl-2016-12-07/bin/openssl --startt ls=postgres
    test.postgres.server.com:5432

     Start 2016-12-07 18:06:03    -->> ip.add.re.ss:5432
    (test.postgres.server.com:5432) <<--

     Service set:            STARTTLS via POSTGRES

     Testing protocols (via openssl, SSLv2 via sockets)

     SSLv2               not offered (OK)
     SSLv3               offered (NOT ok)
     TLS 1               offered
     TLS 1.1             offered
     TLS 1.2             offered (OK)
     SPDY/NPN            (SPDY is an HTTP protocol and thus not tested here)
     HTTP2/ALPN          (HTTP/2 is a HTTP protocol and thus not tested
    here)
    ...
2016-12-12 12:05:11 -08:00
David Cooper 953d02b61c Merge branch '2.9dev' into run_pfs_sockets 2016-12-12 09:49:05 -05:00
David Cooper 78813ee707 Merge branch '2.9dev' into ec_curve_strengths 2016-12-12 09:47:58 -05:00
David Cooper e0d4b3a7da Merge branch '2.9dev' into run_beast_sockets 2016-12-12 09:46:30 -05:00
David Cooper 2a9668c000 Updated based on @typingArtist's suggesting 2016-12-12 09:38:20 -05:00
David Cooper 55436eec68 Merge branch '2.9dev' into parse_sslv2_fix 2016-12-12 09:25:45 -05:00
David Cooper f243803d77 Merge branch '2.9dev' into cipher_order_sockets 2016-12-12 09:24:29 -05:00
David Cooper 3deaa0b167 Merge branch '2.9dev' into run_cipher_per_proto_sockets 2016-12-12 09:22:48 -05:00
Dirk d14b24e832 regression fix #290, see #549 2016-12-11 18:15:36 +01:00
Dirk Wetter 6380121acc Merge pull request #542 from dcooper16/run_rc4_sockets
run_rc4() sockets implementation
2016-12-10 23:49:08 +01:00
Dirk Wetter da5afd2e0a Merge pull request #553 from dcooper16/fix_read_cipher_mapping
Fix bug in reading of cipher mapping file
2016-12-10 13:01:07 +01:00
David Cooper 97652e64e0 run_pfs() speedup + sockets
This PR implements `run_pfs()` in a manner similar to `run_allciphers()`. It uses OpenSSL followed by `tls_sockets()` to test for both supported PFS cipher suites as well as elliptic curves offered.

I made an attempt at addressing #548 by using different colors to print the different curve names, depending on strength. The colors chosen are exactly the same as those that would be chosen by `read_dhbits_from_file()`:
```
     # bits <= 163:       pr_svrty_medium
     163 < # bits <= 193: pr_svrty_minor
     193 < # bits <= 224: out
     # bits > 224:        pr_done_good
```

I also added code for #464 to create a list of the DH groups from RFC 7919 that a server supports. However, since no servers seem to support this at the moment (except with TLS 1.3), I marked this code to only run if the $EXPERIMENTAL flag is set.
2016-12-08 12:36:45 -05:00
David Cooper 6d93bff835 Align elliptic curve lengths with OpenSSL
For several elliptic curves the number of bits, as indicated by OpenSSL, is slightly different than the name implies. For example, for sect239k1 OpenSSL outputs: `Server Temp Key: ECDH, sect239k1, 238 bits`.

This PR aligns the output created by `parse_tls_serverhello()` with OpenSSL.
2016-12-08 10:19:57 -05:00
David Cooper bceca2a89e Fix bug in reading of cipher mapping file
When the cipher-mapping.txt file is read, the contents of the "Mac=..." column is placed in `TLS_CIPHER_EXPORT` rather than the contents of the "export" column. This PR fixes that.
2016-12-06 17:18:18 -05:00
David Cooper dd04a10b2f run_beast() speedup + sockets
This PR implements `run_beast()` in a manner similar to `run_allciphers()`.
2016-12-06 11:37:41 -05:00
David Cooper 8b9bc3ca2c Don't parse SSLv2 ServerHello unless successful response
This PR is a proposed alternative to #537. It only attempts to extract the certificate and list of ciphers from the SSLv2 ServerHello is `ret=3`.
2016-12-06 11:23:01 -05:00
David Cooper 48e1e5e1a5 Merge branch '2.9dev' into run_rc4_sockets
Conflicts:
	testssl.sh
2016-12-05 09:10:51 -05:00
David Cooper 2c140bb7e8 Merge branch '2.9dev' into cipher_order_sockets 2016-12-05 09:02:50 -05:00
David Cooper d27d48491f Merge branch '2.9dev' into run_cipher_per_proto_sockets 2016-12-05 08:57:16 -05:00
AlGreed 742ad1920f Merge branch 'drwetter/2.9dev' into 2.9dev 2016-12-03 19:43:21 +01:00
Dirk 72a96f64e4 Merge branch 'AlGreed-2.9dev' into 2.9dev 2016-12-03 13:40:08 +01:00
Dirk 62a40f747e Merge branch '2.9dev' of https://github.com/AlGreed/testssl.sh into AlGreed-2.9dev
Conflicts:
	testssl.sh
2016-12-03 13:39:50 +01:00
David Cooper e2613303ea Merge branch '2.9dev' into run_cipher_per_proto_sockets 2016-12-02 13:35:21 -05:00
David Cooper e82c5288cd Merge branch '2.9dev' into cipher_order_sockets 2016-12-02 13:33:53 -05:00
David Cooper 93b5a5c595 Merge branch '2.9dev' into run_rc4_sockets 2016-12-02 13:32:43 -05:00
Dirk Wetter e67d3646e9 Merge pull request #546 from dcooper16/drown_and_non_RSA_certs
run_drown() when server has non-RSA certificates
2016-12-02 17:10:16 +01:00
David Cooper e7eac77be4 run_drown() when server has non-RSA certificates
This PR address a problem in `run_drown()` when the server does not support SSLv2, but does support multiple certificates or doesn't have an RSA certificate.

One example of the problem can be seen with www.facebook.com. If `run_server_preferences()` is run before `run_drown()`, then the results of `run_drown()` are:
```
 DROWN (2016-0800, CVE-2016-0703)          not vulnerable on this port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=A626B154CC65634181250B810B1BD4C89EC277CEA08D785EEBE7E768BDA7BB00 SHA256 A3F474FB17509AE6C5B6BA5E46B79E0DE6AF1BF1EEAA040A6114676E714C9965 could help you to find out
```
If only `run_drown()` is performed, then the result is:
```
 DROWN (2016-0800, CVE-2016-0703)          not vulnerable on this port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=A626B154CC65634181250B810B1BD4C89EC277CEA08D785EEBE7E768BDA7BB00 could help you to find out
```
However, A626B154CC65634181250B810B1BD4C89EC277CEA08D785EEBE7E768BDA7BB00 is the fingerprint of Facebook's ECDSA certificate, not its RSA certificate.

In addition, as noted in the "FIXME," `run_drown()` will display the warning "make sure you don't use this certificate elsewhere with SSLv2 enabled services" even if the server doesn't have an RSA certificate, even though SSLv2 can only use RSA certificates.

This PR fixes this issue by only showing the warning if the server has an RSA certificate and by ensuring that the `$cert_fingerprint_sha2` used to construct the "https://censys.io/ipv4?q=..." URL only contains a single SHA256 fingerprint and that it is the fingerprint of the server's RSA certificate.
2016-12-02 10:16:04 -05:00
AlGreed 9eba15834e Merge remote-tracking branch 'drwetter/2.9dev' into 2.9dev 2016-12-01 23:52:51 +01:00
David Cooper c522cad687 Use sockets to determine cipher order
This PR modifies `cipher_pref_check()` to use `tls_sockets()`. As with similar PRs for `run_allciphers()`, `run_cipher_per_proto()`, and `run_rc4()`, it also makes use of `$OPENSSL s_client`, since `$OPENSSL s_client` is faster than `tls_sockets()`.

With this PR, `cipher_pref_check()` first uses `$OPENSSL s_client` to obtain an ordered list of ciphers. It then makes one call to `tls_sockets()` (or a few calls if proto is TLSv1.2 and `$SERVER_SIZE_LIMIT_BUG` is `true`) to find if the server supports any ciphers that are not detected by `$OPENSSL s_client`. If not, then it is done. If it finds one, then it throws out the previous results and starts over with `tls_sockets()`. [If proto is TLSv1.2 and `$SERVER_SIZE_LIMIT_BUG` is `true`, then it doesn't throw out the `$OPENSSL s_client` results. Instead, it continues with `tls_sockets()` to get the full list of supported ciphers, and then uses `tls_sockets()` to order that list.]

The result is that this PR works almost as fast as the current `cipher_pref_check()` if `$OPENSSL s_client` finds all of the supported ciphers, at the cost of a performance penalty when testing servers that support ciphers that would have otherwise been missed using just OpenSSL.

Note that in this PR I removed SSLv2 from the list of protocols tested. This is because https://community.qualys.com/thread/16255 states that "in SSLv2 the client selects the suite to use." It seems that in SSLv2, the client sends a list of ciphers that it supports, the server responds with a list of ciphers that the client and server have in common, and then "the client selects the suite to use." So, showing a cipher order for SSLv2 is a bit misleading.

As noted in #543, this PR does not modify the second part of `cipher_pref_check()`, which deals with NPN protocols.
2016-12-01 16:51:38 -05:00
David Cooper 33baf66703 Merge branch '2.9dev' into run_rc4_sockets 2016-12-01 13:29:13 -05:00
David Cooper b79abd969a Merge branch 'run_cipher_per_proto_sockets' of https://github.com/dcooper16/testssl.sh into run_cipher_per_proto_sockets 2016-12-01 13:26:27 -05:00
David Cooper f2dae8efaf Merge branch '2.9dev' into run_cipher_per_proto_sockets 2016-12-01 13:24:36 -05:00
Dirk Wetter b58c48fa3e Merge pull request #544 from dcooper16/fixmeln_typo
Typo in definition of fixmeln()
2016-12-01 18:18:41 +01:00
David Cooper 07edcd9a6a Typo in definition of fixmeln()
The `fixmeln()` function was misnamed `fixme()`.
2016-12-01 12:04:06 -05:00
Dirk Wetter 7aee9b9f0b Merge pull request #536 from typingArtist/fix_starttls
Implement proper STARTTLS handshake for ftp, smtp, pop, imap and nntp
2016-12-01 16:29:12 +01:00
David Cooper db1f4c37a2 Limit calls to tolower()
It turns out that calling `tolower()` once for each cipher to test is very expensive. So, this commit tries to call `tolower()` only when necessary.
2016-11-30 13:40:28 -05:00
David Cooper 3838b0f613 Merge branch '2.9dev' into run_rc4_sockets 2016-11-30 09:14:23 -05:00
David Cooper 2ff480a6df Merge branch '2.9dev' into run_cipher_per_proto_sockets 2016-11-30 09:11:26 -05:00
Dirk Wetter f90da83d0b Merge pull request #538 from dcooper16/fix_run_allciphers
run_allciphers() bug fixes
2016-11-30 07:55:54 +01:00
David Cooper 01997b8b81 run_rc4() sockets implementation
This PR implements `run_rc4()` in a similar manner to `run_allciphers()` and `run_cipher_per_proto()` (in PR #541). The change doesn't seem to have much of an impact on speed, but when sockets are used it can detect ciphers that aren't locally supported by OpenSSL.
2016-11-29 11:58:49 -05:00
David Cooper af84d9b220 run_cipher_per_proto() speedup + sockets
This PR implements `run_cipher_per_proto()` in a manner similar to `run_allciphers()`.
2016-11-29 11:16:01 -05:00
David Cooper 49c023f27f run_allciphers() bug fixes
This PR fixes two minor bugs in run_allciphers():

* If `$SSL_NATIVE` or `$FAST` is `true`, then the cipher mapping file will not be used (unless `$OPENSSL ciphers` does not support the `-V` option), so there is no "fallback" to openssl, even if `[[ $TLS_NR_CIPHERS == 0 ]]`.

* If `$using_sockets` is `false` and `$SHOW_EACH_C` is `true`, then `ossl_supported` should be checked to see if the cipher was tested, not `TLS_CIPHER_OSSL_SUPPORTED`.
2016-11-28 10:45:44 -05:00
AlGreed 490818e931 Merge remote-tracking branch 'drwetter/2.9dev' into 2.9dev 2016-11-23 09:51:27 +01:00
AlGreed 4847fbc49a removed filling for hints 2016-11-23 09:46:11 +01:00
typingArtist 4d8c258b0b #536: fixed STARTTLS depending on 0 returned from debugme 2016-11-23 09:17:39 +01:00