@@ -61,6 +61,7 @@ SSL_NATIVE=${SSL_NATIVE:-0} # we do per default bash sockets!
6161# FIXME: still to be filled with (more) sense:
6262DEBUG=${DEBUG:- 0} # if 1 the temp files won't be erased. 2: list more what's going on (formerly: eq VERBOSE=1), 3: slight hexdumps
6363 # and other info, 4: the whole nine yards of output
64+ PS4=' +(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
6465
6566CAPATH=" ${CAPATH:-/ etc/ ssl/ certs/ } " # Does nothing yet. FC has only a CA bundle per default, ==> openssl version -d
6667HSTS_MIN=180 # >180 days is ok for HSTS
223224
224225# ##### function definitions
225226
227+ debugme () {
228+ if [[ $DEBUG -ge 2 ]]; then
229+ echo " $@ "
230+ " $@ "
231+ else
232+ :
233+ fi
234+ }
235+
226236tmpfile_handle () {
227237 if [[ " $DEBUG " -eq 0 ]] ; then
228238 rm $TMPFILE
@@ -358,7 +368,7 @@ poodle() {
358368 fi
359369 outln
360370
361- tmpfile_handle $FUNCNAME .txt
371+ tmpfile_handle $FUNCNAME .txt
362372 return $ret
363373}
364374
@@ -1999,9 +2009,9 @@ heartbleed(){
19992009}
20002010
20012011
2012+ # This tests for CVE-2009-3555 / RFC5746, OSVDB: 59968-59974
20022013renego () {
20032014 ADDCMD=" "
2004- # This tests for CVE-2009-3555 / RFC5746, OSVDB: 59968-59974
20052015 case " $OSSL_VER " in
20062016 0.9.8* ) # we need this for Mac OSX unfortunately
20072017 case " $OSSL_VER_APPENDIX " in
@@ -2011,33 +2021,33 @@ renego() {
20112021 [m-z])
20122022 # all ok ;;
20132023 esac ;;
2014- 1.0.1* )
2024+ 1.0.1* |1.0.2 * )
20152025 ADDCMD=" -legacy_renegotiation"
20162026 0.9.9* |1.0* )
20172027 # all ok ;;
20182028 esac
2029+ pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
2030+ echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP :$PORT $SNI & > $TMPFILE
2031+ reneg_ok=$? # 0=client is renegotiating and does not get an error: vuln to DoS via client initiated renegotiation
2032+ case $reneg_ok in
2033+ 0) pr_litered " IS vulnerable (NOT ok)" ; outln " , DoS threat"
2034+ 1) pr_litegreenln " not vulnerable (OK)"
2035+ * ) outln " FIXME: $reneg_ok "
2036+ esac
2037+
20192038 pr_bold " Renegotiation " ; out " (CVE 2009-3555) "
2020- echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP :$PORT $SNI & > /dev/null
2021- reneg_ok=$? # 0=client is renegotiating and does not gets an error: that should not be!
20222039 NEG_STR=" Secure Renegotiation IS NOT"
20232040 echo " R" | $OPENSSL s_client $STARTTLS -connect $NODEIP :$PORT $SNI 2>&1 | grep -iq " $NEG_STR "
20242041 secreg=$? # 0= Secure Renegotiation IS NOT supported
2042+ case $secreg in
2043+ 0) pr_redln " IS vulnerable (NOT ok)"
2044+ 1) pr_greenln " not vulnerable (OK)"
2045+ * ) outln " FIXME: $secreg "
2046+ esac
20252047
2026- if [ $reneg_ok -eq 0 ] && [ $secreg -eq 0 ]; then
2027- # Client side renegotiation is accepted and secure renegotiation IS NOT supported
2028- pr_redln " IS vulnerable (NOT ok)"
2029- return 1
2030- fi
2031- if [ $reneg_ok -eq 1 ] && [ $secreg -eq 1 ]; then
2032- pr_greenln " not vulnerable (OK)"
2033- return 0
2034- fi
2035- if [ $reneg_ok -eq 1 ] ; then # 1,0
2036- pr_litegreenln " got an error from the server while renegotiating on client: should be ok ($reneg_ok ,$secreg )"
2037- return 0
2038- fi
2039- pr_litegreenln " Patched Server detected ($reneg_ok ,$secreg ), probably ok" # 0,1
2040- return 0
2048+ tmpfile_handle $FUNCNAME .txt
2049+ return $secreg
2050+ # https://community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
20412051}
20422052
20432053crime () {
@@ -2064,11 +2074,12 @@ crime() {
20642074 $OPENSSL zlib -e -a -in /dev/stdin & > /dev/stdout < /dev/null | grep -q zlib
20652075 if [ $? -eq 0 ]; then
20662076 pr_magentaln " Local Problem: Your $OPENSSL lacks zlib support"
2067- return 0 # FIXME
2077+ return 7
20682078 fi
20692079
2070- STR=` $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP :$PORT $SNI 2>&1 < /dev/null | grep Compression `
2071- if echo $STR | grep -q NONE > /dev/null; then
2080+ # STR=`$OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI 2>&1 </dev/null | grep Compression `
2081+ $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP :$PORT $SNI 2>&1 < /dev/null > $TMPFILE
2082+ if grep Compression | grep -q NONE > /dev/null; then
20722083 pr_green " not vulnerable (OK)"
20732084 [[ $SERVICE == " HTTP" || out " (not using HTTP anyway)"
20742085 ret=0
@@ -2118,6 +2129,7 @@ crime() {
21182129# fi
21192130 [ $VERBERR -eq 0 ] && outln " $STR "
21202131 # echo
2132+ tmpfile_handle $FUNCNAME .txt
21212133 return $ret
21222134}
21232135
@@ -2175,6 +2187,7 @@ beast(){
21752187# printf "For a full individual test of each CBC cipher suites support by your $OPENSSL run \"$0 -x CBC $NODE\"\n"
21762188
21772189 shopt -u lastpipe # othwise for some reason it segfaults
2190+ tmpfile_handle $FUNCNAME .txt
21782191 return $ret
21792192}
21802193
@@ -2286,7 +2299,7 @@ starttls() {
22862299 ret=2
22872300 ;;
22882301 esac
2289-
2302+ tmpfile_handle $FUNCNAME .txt
22902303 return $ret
22912304}
22922305
@@ -2812,6 +2825,6 @@ case "$1" in
28122825 exit $ret ;;
28132826esac
28142827
2815- # $Id: testssl.sh,v 1.181 2015/02/04 08:48:33 dirkw Exp $
2828+ # $Id: testssl.sh,v 1.184 2015/02/11 08:43:03 dirkw Exp $
28162829# vim:ts=5:sw=5
28172830
0 commit comments