From a676742256a4f99f8634541b604c418da385df5f Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 3 Feb 2016 17:55:53 +0100 Subject: [PATCH] Remaining issues solved for OpenSSL 1.1.0 compliance, output corrections, CN/SNI improvements --- testssl.sh | 70 ++++++++++++++++++++++++++---------------------------- 1 file changed, 34 insertions(+), 36 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8b49d3c..b3cfa9a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -369,6 +369,9 @@ pr_headlineln() { pr_headline "$1" ; outln; } pr_squoted() { out "'$1'"; } pr_dquoted() { out "\"$1\""; } +local_problem_ln() { pr_litemagentaln "Local problem: $1"; } +local_problem() { pr_litemagenta "Local problem: $1"; } + ### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/ ### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html set_color_functions() { @@ -1385,7 +1388,7 @@ std_cipherlists() { tmpfile_handle $FUNCNAME.$debugname.txt else singlespaces=$(echo "$2" | sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g') - local_problem "No $singlespaces configured in $OPENSSL" + local_problem_ln "No $singlespaces configured in $OPENSSL" fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)" fi # we need 1xlf in those cases: @@ -2049,7 +2052,7 @@ run_client_simulation() { locally_supported() { [[ -n "$2" ]] && out "$2 " if $OPENSSL s_client "$1" 2>&1 | grep -aq "unknown option"; then - local_problem "$OPENSSL doesn't support \"s_client $1\"" + local_problem_ln "$OPENSSL doesn't support \"s_client $1\"" return 7 fi return 0 @@ -2116,8 +2119,8 @@ run_protocols() { using_sockets=false else using_sockets=true - pr_headlineln "(via sockets except TLS 1.2 and SPDY/HTTP2) " - via+="via sockets except for TLS1.1 and SPDY/HTTP2" + pr_headlineln "(via sockets except TLS 1.2, SPDY+HTTP2) " + via+="via sockets except for TLS1.2, SPDY+HTTP2" fi fi outln @@ -2555,7 +2558,7 @@ run_server_preference() { } cipher_pref_check() { - local p proto protos + local p proto protos npn_protos local tested_cipher cipher order pr_bold " Cipher order" @@ -2588,8 +2591,8 @@ cipher_pref_check() { if ! spdy_pre " SPDY/NPN: "; then # is NPN/SPDY supported and is this no STARTTLS? outln else - protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" >$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g') - for p in $protos; do + npn_protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" >$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g') + for p in $npn_protos; do order="" $OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY >$ERRFILE >$TMPFILE cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') @@ -2619,12 +2622,13 @@ cipher_pref_check() { get_host_cert() { local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE - $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null $TEMPDIR/$FUNCNAME.txt + $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null $tmpdir if sclient_connect_successful $? $tmpvar; then awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT else return 1 fi + tmpfile_handle $FUNCNAME.txt # return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]})) } @@ -2898,7 +2902,6 @@ certificate_info() { spaces=" " fi - out "$indent" sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u ) key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u ) @@ -2937,7 +2940,7 @@ certificate_info() { esac # old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html - pr_bold " Server key size " + out "$indent"; pr_bold " Server key size " if [[ -z "$keysize" ]]; then outln "(couldn't determine)" fileout "$heading key_size" "WARN" "Server keys size cannot be determined" @@ -3024,8 +3027,8 @@ certificate_info() { fi fi else - cn="(no CN field in subject)" - out "$cn" + cn="no CN field in subject" + pr_litemagenta "($cn)" cnfinding="$cn" cnok="INFO" fi @@ -3038,8 +3041,11 @@ certificate_info() { #FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite) debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\"" - if [[ $NODE == "$cn_nosni" ]]; then - if [[ $SERVICE == "HTTP" ]] || $CLIENT_AUTH; then + if [[ "$cn_nosni" == "$cn" ]]; then + outln " (works w/o SNI)" + cnfinding+=" (works w/o SNI)" + elif [[ $NODE == "$cn_nosni" ]]; then + if [[ $SERVICE == "HTTP" ]] || $CLIENT_AUTH ; then outln " (works w/o SNI)" cnfinding+=" (works w/o SNI)" else @@ -3062,7 +3068,7 @@ certificate_info() { fi outln ")" cnfinding+=")" - elif [[ "$cn_nosni" == "*no CN field*" ]]; then + elif [[ "$cn_nosni" == *"no CN field"* ]]; then outln ", (request w/o SNI: $cn_nosni)" cnfinding+=", (request w/o SNI: $cn_nosni)" else @@ -3399,7 +3405,7 @@ run_pfs() { nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $pfs_cipher_list)) if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then outln - local_problem "You only have $nr_supported_ciphers PFS ciphers on the client side " + local_problem_ln "You only have $nr_supported_ciphers PFS ciphers on the client side " fileout "pfs" "WARN" "(Perfect) Forward Secrecy tests: Skipped. You only have $nr_supported_ciphers PFS ciphers on the client site. ($CLIENT_MIN_PFS are required)" return 1 fi @@ -3512,7 +3518,7 @@ http2_pre(){ return 1 fi if ! $HAS_ALPN; then - local_problem "$OPENSSL doesn't support HTTP2/ALPN"; + local_problem_ln "$OPENSSL doesn't support HTTP2/ALPN"; fileout "https_alpn" "WARN" "HTTP2/ALPN : HTTP/2 was not tested as $OPENSSL does not support it" return 7 fi @@ -4454,10 +4460,6 @@ run_ccs_injection(){ return $ret } -local_problem() { - pr_litemagentaln "Local problem: $1" -} - run_renego() { # no SNI here. Not needed as there won't be two different SSL stacks for one IP local legacycmd="" @@ -4499,7 +4501,7 @@ run_renego() { 0.9.8*) # we need this for Mac OSX unfortunately case "$OSSL_VER_APPENDIX" in [a-l]) - local_problem "$OPENSSL cannot test this secure renegotiation vulnerability" + local_problem_ln "$OPENSSL cannot test this secure renegotiation vulnerability" fileout "sec_client_renego" "WARN" "Secure Client-Initiated Renegotiation : $OPENSSL cannot test this secure renegotiation vulnerability" return 3 ;; @@ -4570,7 +4572,7 @@ run_crime() { # first we need to test whether OpenSSL binary has zlib support $OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout &1 | grep -qw nextprotoneg +# $OPENSSL s_client -help 2>&1 | grep -qw nextprotoneg # if [[ $? -eq 0 ]]; then # $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI /dev/null >$TMPFILE # if [[ $? -eq 0 ]]; then @@ -4746,8 +4748,8 @@ run_tls_fallback_scsv() { # the countermeasure to protect against protocol downgrade attacks. # First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL - if ! $OPENSSL s_client -h 2>&1 | grep -q "\-fallback_scsv"; then - local_problem "$OPENSSL lacks TLS_FALLBACK_SCSV support" + if ! $OPENSSL s_client -help 2>&1 | grep -q "\-fallback_scsv"; then + local_problem_ln "$OPENSSL lacks TLS_FALLBACK_SCSV support" return 4 fi #TODO: this need some tuning: a) if one protocol is supported only it has practcally no value (theoretical it's interesting though) @@ -4814,7 +4816,7 @@ run_freak() { case $nr_supported_ciphers in 0) - local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured" + local_problem_ln "$OPENSSL doesn't have any EXPORT RSA ciphers configured" fileout "freak" "WARN" "FREAK (CVE-2015-0204) : Not tested. $OPENSSL doesn't have any EXPORT RSA ciphers configured" return 7 ;; @@ -4860,7 +4862,7 @@ run_logjam() { case $nr_supported_ciphers in 0) - local_problem "$OPENSSL doesn't have any DHE EXPORT ciphers configured" + local_problem_ln "$OPENSSL doesn't have any DHE EXPORT ciphers configured" fileout "logjam" "WARN" "LOGJAM (CVE-2015-4000) : Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured" return 3 ;; @@ -5244,10 +5246,10 @@ find_openssl_binary() { $OPENSSL s_client -ssl3 2>&1 | grep -aq "unknown option" || \ HAS_SSL3=true && \ HAS_SSL3=false - $OPENSSL s_client help 2>&1 | grep -qw '\-alpn' && \ + $OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \ HAS_ALPN=true || \ HAS_ALPN=false - $OPENSSL s_client help 2>&1 | grep -qw '\-nextprotoneg' && \ + $OPENSSL s_client -help 2>&1 | grep -qw '\-nextprotoneg' && \ HAS_SPDY=true || \ HAS_SPDY=false @@ -5275,10 +5277,6 @@ openssl_age() { esac ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives " fi - if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then - pr_magentaln "$PROG_NAME doesn't work yet with OpenSSL 1.1.0!" - ignore_no_or_lame "Type \"yes\" to accept weird output, false negatives and positives " - fi outln } @@ -5882,7 +5880,7 @@ get_mx_record() { # check_proxy() { if [[ -n "$PROXY" ]]; then - if ! $OPENSSL s_client help 2>&1 | grep -qw proxy; then + if ! $OPENSSL s_client -help 2>&1 | grep -qw proxy; then fatal "Your $OPENSSL is too old to support the \"--proxy\" option" -1 fi PROXYNODE=${PROXY%:*} @@ -6746,4 +6744,4 @@ fi exit $? -# $Id: testssl.sh,v 1.460 2016/02/03 08:55:45 dirkw Exp $ +# $Id: testssl.sh,v 1.461 2016/02/03 16:55:52 dirkw Exp $