mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 17:20:57 +01:00
105 lines
2.9 KiB
Bash
Executable File
105 lines
2.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
#
|
|
# PoC for unit tests in bash. Basic test with s_server, works under Linux only atm
|
|
|
|
OPENSSL="bin/openssl.$(uname).$(uname -m)"
|
|
$OPENSSL version -a || exit 1
|
|
|
|
FILE=tmp.json
|
|
|
|
remove_quotes() {
|
|
sed -i 's/"//g' $FILE
|
|
}
|
|
|
|
# arg1: id_value
|
|
# arg2: string to check against severity_value (optional)
|
|
# arg2,3: string to check against finding_value
|
|
# return: 0 whether it contains arg2 or arg3 (0: yes, 1: matches not)
|
|
check_result() {
|
|
# id : sslv3,
|
|
# ip : localhost/127.0.0.1,
|
|
# port : 4433,
|
|
# severity : HIGH,
|
|
# finding : SSLv3 is offered
|
|
|
|
local json_result=""
|
|
local severity_value=""
|
|
local finding_value=""
|
|
|
|
remove_quotes
|
|
json_result="$(awk '/id.*'"${1}"'/,/finding.*$/' $FILE)"
|
|
[[ -z $json_result ]] && exit -1
|
|
# is4lines?
|
|
finding_value="$(awk -F':' '/finding/ { print $2" "$3" "$4 }' <<< "$json_result")"
|
|
if [[ $# -eq 2 ]]; then
|
|
[[ $finding_value =~ "$2" ]] && return 0 || return 1
|
|
fi
|
|
severity_value="$(awk -F':' '/severity/ { print $2 }' <<< "$json_result")"
|
|
if [[ $finding_value =~ "$3" ]] && [[ $severity_value =~ "$2" ]] ; then
|
|
return 0
|
|
else
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
### generate self signed certificate
|
|
$OPENSSL req -new -x509 -out /tmp/server.crt -nodes -keyout /tmp/server.pem -subj '/CN=localhost' &>/dev/null || exit 2
|
|
echo
|
|
|
|
|
|
### 1) test protocol SSlv2:
|
|
$OPENSSL s_server -www -ssl2 -key /tmp/server.pem -cert /tmp/server.crt &>/dev/null &
|
|
pid=$!
|
|
rm $FILE 2>/dev/null
|
|
echo "Running testssl.sh SSLv2 protocol check against localhost for SSLv2: "
|
|
./testssl.sh -p -q --warnings=off --jsonfile=$FILE localhost:4433
|
|
check_result SSLv2 CRITICAL "vulnerable with 9 ciphers"
|
|
[[ $? -eq 0 ]] && echo "SSLv2: PASSED" || echo "FAILED"
|
|
echo
|
|
kill -9 $pid
|
|
wait $pid 2>/dev/null
|
|
|
|
### 2) test NPN + ALPN
|
|
$OPENSSL s_server -cipher 'ALL:COMPLEMENTOFALL' -alpn "h2" -nextprotoneg "spdy/3, http/1.1" -www -key /tmp/server.pem -cert /tmp/server.crt &>/dev/null &
|
|
pid=$!
|
|
rm $FILE
|
|
echo "Running testssl.sh HTTP/2 protocol checks against localhost: "
|
|
./testssl.sh -q --jsonfile=$FILE --protocols localhost:4433
|
|
if check_result NPN "spdy/3, http/1.1"; then
|
|
echo "SPDY/NPN: PASSED"
|
|
else
|
|
echo "SPDY/NPN: FAILED"
|
|
fi
|
|
|
|
if check_result ALPN "h2"; then
|
|
echo "HTTP2/ALPN: PASSED"
|
|
else
|
|
echo "HTTP2/ALPN: FAILED"
|
|
fi
|
|
kill -9 $pid
|
|
wait $pid 2>/dev/null
|
|
rm $FILE
|
|
|
|
### 3) test almost all other stuff
|
|
$OPENSSL s_server -cipher 'ALL:COMPLEMENTOFALL' -www -key /tmp/server.pem -cert /tmp/server.crt &>/dev/null &
|
|
pid=$!
|
|
rm $FILE
|
|
echo "Running baseline check with testssl.sh against localhost"
|
|
./testssl.sh -q --jsonfile=$FILE localhost:4433
|
|
#check_result sslv2 CRITICAL "is offered"
|
|
kill -9 $pid
|
|
wait $pid 2>/dev/null
|
|
|
|
rm $FILE
|
|
|
|
|
|
### test server defaults
|
|
# ./testssl.sh -q --jsonfile=$FILE --server-defaults localhost:4433
|
|
# -serverpref
|
|
# -no_ticket
|
|
# -no_resumption_on_reneg
|
|
# -status
|
|
|
|
# vim:ts=5:sw=5:expandtab
|
|
|