mirror of
				https://github.com/drwetter/testssl.sh.git
				synced 2025-10-25 22:11:01 +02:00 
			
		
		
		
	Merge branch 'master' into version_negotiation
		
						commit
						f968bd8346
					
				
							
								
								
									
										18
									
								
								testssl.sh
									
									
									
									
									
								
							
							
						
						
									
										18
									
								
								testssl.sh
									
									
									
									
									
								
							| @ -3444,7 +3444,7 @@ run_server_preference() { | ||||
|                [[ -n "$PROXY" ]] && arg="   SPDY/NPN is" | ||||
|                [[ -n "$STARTTLS" ]] && arg="    " | ||||
|                if spdy_pre " $arg" ; then                                       # is NPN/SPDY supported and is this no STARTTLS? / no PROXY | ||||
|                     $OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" </dev/null 2>>$ERRFILE >$TMPFILE | ||||
|                     $OPENSSL s_client -connect $NODEIP:$PORT $BUGS -nextprotoneg "$NPN_PROTOs" $SNI </dev/null 2>>$ERRFILE >$TMPFILE | ||||
|                     if sclient_connect_successful $? $TMPFILE; then | ||||
|                          proto[i]=$(grep -aw "Next protocol" $TMPFILE | sed -e 's/^Next protocol://' -e 's/(.)//' -e 's/ //g') | ||||
|                          if [[ -z "${proto[i]}" ]]; then | ||||
| @ -3619,16 +3619,16 @@ cipher_pref_check() { | ||||
|      if ! spdy_pre "     SPDY/NPN: "; then       # is NPN/SPDY supported and is this no STARTTLS? | ||||
|           outln | ||||
|      else | ||||
|           npn_protos=$($OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg \"\" </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g') | ||||
|           npn_protos=$($OPENSSL s_client $BUGS -nextprotoneg \"\" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE | grep -a "^Protocols " | sed -e 's/^Protocols.*server: //' -e 's/,//g') | ||||
|           for p in $npn_protos; do | ||||
|                order="" | ||||
|                $OPENSSL s_client -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE | ||||
|                $OPENSSL s_client $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE | ||||
|                cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE) | ||||
|                printf "    %-10s %s " "$p:" "$cipher" | ||||
|                tested_cipher="-"$cipher | ||||
|                order="$cipher" | ||||
|                while true; do | ||||
|                     $OPENSSL s_client -cipher "ALL:$tested_cipher" -host $NODE -port $PORT $BUGS -nextprotoneg "$p" $PROXY </dev/null 2>>$ERRFILE >$TMPFILE | ||||
|                     $OPENSSL s_client -cipher "ALL:$tested_cipher" $BUGS -nextprotoneg "$p" -connect $NODEIP:$PORT $SNI </dev/null 2>>$ERRFILE >$TMPFILE | ||||
|                     sclient_connect_successful $? $TMPFILE || break | ||||
|                     cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE) | ||||
|                     out "$cipher " | ||||
| @ -3931,7 +3931,7 @@ compare_server_name_to_cert() | ||||
| 
 | ||||
|      # Check whether any of the DNS names in the certificate match the servername | ||||
|      dns_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ | ||||
|               sed -e 's/,/\n/g' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g') | ||||
|                tr '.' '\n'  grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g') | ||||
|      for san in $dns_sans; do | ||||
|           [[ "$san" == "$servername" ]] && return 0 | ||||
|           # If $san is a wildcard name, then do a wildcard match | ||||
| @ -3943,7 +3943,7 @@ compare_server_name_to_cert() | ||||
| 
 | ||||
|      # Check whether any of the IP addresses in the certificate match the serername | ||||
|      ip_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ | ||||
|              sed -e 's/,/\n/g' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g') | ||||
|              tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g') | ||||
|      for san in $ip_sans; do | ||||
|           [[ "$san" == "$servername" ]] && return 0 | ||||
|      done | ||||
| @ -4243,9 +4243,9 @@ certificate_info() { | ||||
|      fileout "${json_prefix}cn" "$cnok" "$cnfinding" | ||||
| 
 | ||||
|      sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ | ||||
|           egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | \ | ||||
|           egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \ | ||||
|           sed -e 's/ *DNS://g' -e 's/ *IP Address://g' -e 's/ *email://g' -e 's/ *URI://g' -e 's/ *DirName://g' \ | ||||
|               -e 's/ *Registered ID://g' -e 's/,/\n/g' \ | ||||
|               -e 's/ *Registered ID://g' \ | ||||
|               -e 's/ *othername:<unsupported>//g' -e 's/ *X400Name:<unsupported>//g' -e 's/ *EdiPartyName:<unsupported>//g') | ||||
| #                   ^^^ CACert | ||||
|      out "$indent"; pr_bold " subjectAltName (SAN)         " | ||||
| @ -8394,4 +8394,4 @@ fi | ||||
| exit $? | ||||
| 
 | ||||
| 
 | ||||
| #  $Id: testssl.sh,v 1.522 2016/07/08 09:25:39 dirkw Exp $ | ||||
| #  $Id: testssl.sh,v 1.523 2016/07/11 14:20:35 dirkw Exp $ | ||||
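Review bot: In the `compare_server_name_to_cert` hunk at 3931, the second variant of the `dns_sans` continuation line, `tr '.' '\n'  grep "DNS:" | sed ...`, has no `|` between `tr` and `grep` and splits on `.` instead of `,`. Assuming that is the new side (the page has lost its +/- markers, but the `ip_sans` hunk below uses `tr ',' '\n' | grep "IP Address:"`), `tr` is handed `grep` and `DNS:` as extra operands and fails, `dns_sans` stays empty, and the DNS subjectAltName loop can never match, so the reported certificate/hostname result would be wrong. The line should read `tr ',' '\n' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')`. The function starts and ends outside the hunk, so how an empty list is handled further down is not visible here.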
|  | ||||
| @ -4,23 +4,91 @@ | ||||
| # x448 and x25519 are missing, others are not supported | ||||
| # License see testssl.sh | ||||
| 
 | ||||
| readonly RUN_DIR=$(dirname "$0") | ||||
| 
 | ||||
| test_openssl_suffix() { | ||||
|      local naming_ext="$(uname).$(uname -m)" | ||||
|      local uname_arch="$(uname -m)" | ||||
|      local myarch_suffix="" | ||||
| 
 | ||||
|      [[ $uname_arch =~ 64 ]] && myarch_suffix=64 || myarch_suffix=32 | ||||
|      if [[ -f "$1/openssl" ]] && [[ -x "$1/openssl" ]]; then | ||||
|           OPENSSL="$1/openssl" | ||||
|           return 0 | ||||
|      elif [[ -f "$1/openssl.$naming_ext" ]] && [[ -x "$1/openssl.$naming_ext" ]]; then | ||||
|           OPENSSL="$1/openssl.$naming_ext" | ||||
|           return 0 | ||||
|      fi | ||||
|      return 1 | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| find_openssl_binary() { | ||||
|      # 0. check environment variable whether it's executable | ||||
|      if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then | ||||
|           pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary." | ||||
|           outln " Looking some place else ..." | ||||
|      elif [[ -x "$OPENSSL" ]]; then | ||||
|           :    # 1. all ok supplied $OPENSSL was found and has excutable bit set -- testrun comes below | ||||
|      elif test_openssl_suffix $RUN_DIR; then | ||||
|           :    # 2. otherwise try openssl in path of testssl.sh | ||||
|      elif test_openssl_suffix ../$RUN_DIR; then | ||||
|           :    # 2. otherwise try openssl in path of testssl.sh | ||||
|      elif test_openssl_suffix ../$RUN_DIR/bin; then | ||||
|           :    # 3. otherwise here, this is supposed to be the standard --platform independed path in the future!!! | ||||
|      elif test_openssl_suffix "$(dirname "$(which openssl)")"; then | ||||
|           :    # 5. we tried hard and failed, so now we use the system binaries | ||||
|      fi | ||||
| 
 | ||||
|      # no ERRFILE initialized yet, thus we use /dev/null for stderr directly | ||||
|      $OPENSSL version -a 2>/dev/null >/dev/null | ||||
|      if [[ $? -ne 0 ]] || [[ ! -x "$OPENSSL" ]]; then | ||||
|           echo "\ncannot exec or find any openssl binary"  | ||||
|           exit 1 | ||||
|      fi | ||||
|      echo | ||||
|      echo "using $OPENSSL" | ||||
|      echo | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| VERBOSE=false | ||||
| if [[ $1 == "-v" ]]; then | ||||
|      VERBOSE=true | ||||
|      shift | ||||
| fi | ||||
| 
 | ||||
| HN="$1" | ||||
| [ -z "$HN" ] && HN=testssl.sh | ||||
| for curve in $(bin/openssl.Linux.x86_64 ecparam -list_curves | awk -F':' '/:/ { print $1 }'); do | ||||
| 	printf "$curve: " | ||||
| find_openssl_binary  | ||||
| 
 | ||||
| ERRFILE=$(mktemp /tmp/curve_tester.R.XXXXXX) || exit -6 | ||||
| TMPFILE=$(mktemp /tmp/curve_tester.T.XXXXXX) || exit -6 | ||||
| 
 | ||||
| 
 | ||||
| for curve in $($OPENSSL ecparam -list_curves | awk -F':' '/:/ { print $1 }'); do | ||||
| 	#if bin/openssl.Linux.x86_64 s_client -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep -q "BEGIN CERTIFICATE" ; then | ||||
| 	#	echo 'YES' | ||||
| 	#else | ||||
| 	#	echo '--' | ||||
| 	#fi | ||||
| 	if bin/openssl.Linux.x86_64 s_client -cipher ECDH -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep "Server Temp Key:" ; then | ||||
| 		: | ||||
| 	$OPENSSL s_client -cipher ECDH -curves $curve -connect $HN:443 -servername $HN </dev/null 2>$ERRFILE | grep "Server Temp Key:" >$TMPFILE | ||||
|      if [[ $? -eq 0 ]]; then | ||||
| 	     printf "$curve: " | ||||
|           cat $TMPFILE | sed 's/^.*Server Temp Key: //' | ||||
| 	else | ||||
| 		echo '--' | ||||
|           if grep -q 'Error with' $ERRFILE; then | ||||
|                if  "$VERBOSE"; then | ||||
|                     echo "$curve: no client support" | ||||
|                fi | ||||
|           else | ||||
| 		     echo "$curve: --" | ||||
|           fi | ||||
| 	fi | ||||
| done | ||||
| 
 | ||||
| # vim:ts=5:sw=5:expandtab | ||||
| #  $Id: curves.bash,v 1.2 2016/07/08 09:39:27 dirkw Exp $  | ||||
| rm -f $ERRFILE $TMPFILE | ||||
| 
 | ||||
| # vim:ts=5:sw=5:expandtab | ||||
| #  $Id: curves.bash,v 1.3 2016/07/09 12:22:13 dirkw Exp $  | ||||
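Review bot: In `find_openssl_binary`, the arm for a set-but-not-executable `$OPENSSL` prints "Looking some place else ..." yet, being the first arm of the `if`/`elif` chain, skips every fallback, so the script goes straight to the failing `$OPENSSL version -a` test run. That arm also calls `pr_warningln` and `outln`, which nothing in this hunk defines (lines 1-3 of the file are outside it). The fallbacks `../$RUN_DIR` and `../$RUN_DIR/bin` resolve against the current working directory rather than the script's directory, so which `openssl` binary gets executed depends on where the script is started from; `"$RUN_DIR/.."` and `"$RUN_DIR/../bin"` look like what was intended. A sketch of the chain with the warning split out and the paths quoted follows.

```shell
find_openssl_binary() {
     # 0. warn about an unusable $OPENSSL, then fall through to the search below
     if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
          printf '%s\n' "cannot find specified (\$OPENSSL=$OPENSSL) binary, looking some place else ..." >&2
     fi
     if [[ -x "$OPENSSL" ]]; then
          :    # 1. supplied $OPENSSL is executable
     elif test_openssl_suffix "$RUN_DIR"; then
          :    # 2. directory of this script
     elif test_openssl_suffix "$RUN_DIR/.."; then
          :    # 3. parent of the script directory
     elif test_openssl_suffix "$RUN_DIR/../bin"; then
          :    # 4. bin/ next to the script directory
     elif test_openssl_suffix "$(dirname "$(which openssl)")"; then
          :    # 5. system binary
     fi
     # … unchanged: "$OPENSSL version -a" test run and "using $OPENSSL" output …
```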
| 
 | ||||
|  | ||||