75 | 75 |
#include <openssl/x509.h>
|
76 | 76 |
#include <openssl/x509v3.h>
|
77 | 77 |
#include <openssl/ocsp.h>
|
|
78 |
#ifndef OPENSSL_NO_COMP
|
|
79 |
#include <openssl/comp.h>
|
|
80 |
#endif
|
78 | 81 |
|
79 | 82 |
// If we're not compiling with Visual Studio, include unistd.h. VS
|
80 | 83 |
// doesn't have this header.
|
|
82 | 85 |
#include <unistd.h>
|
83 | 86 |
#endif
|
84 | 87 |
|
85 | |
#ifdef __FreeBSD__
|
|
88 |
#if defined(__FreeBSD__) || defined(__OpenBSD__)
|
86 | 89 |
#include <netinet/in.h>
|
87 | 90 |
#endif
|
88 | 91 |
|
|
108 | 111 |
// STACK_OF is a sign that you should be using C++ :)
|
109 | 112 |
STACK_OF(SSL_CIPHER) *cipherList;
|
110 | 113 |
SSL *ssl = NULL;
|
111 | |
|
112 | 114 |
options->ctx = SSL_CTX_new(sslMethod);
|
113 | 115 |
if (options->ctx == NULL) {
|
114 | 116 |
printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
|
115 | 117 |
return false;
|
116 | 118 |
}
|
117 | |
|
118 | 119 |
SSL_CTX_set_cipher_list(options->ctx, "ALL:COMPLEMENTOFALL");
|
119 | |
|
120 | 120 |
ssl = SSL_new(options->ctx);
|
121 | 121 |
if (ssl == NULL) {
|
122 | 122 |
printf_error("%sERROR: Could not create SSL object.%s\n", COL_RED, RESET);
|
123 | 123 |
SSL_CTX_free(options->ctx);
|
124 | 124 |
return false;
|
125 | 125 |
}
|
126 | |
|
127 | 126 |
cipherList = SSL_get_ciphers(ssl);
|
128 | |
|
129 | 127 |
// Create Cipher Struct Entries...
|
130 | 128 |
for (loop = 0; loop < sk_SSL_CIPHER_num(cipherList); loop++)
|
131 | 129 |
{
|
|
142 | 140 |
sslCipherPointer->next = malloc(sizeof(struct sslCipher));
|
143 | 141 |
sslCipherPointer = sslCipherPointer->next;
|
144 | 142 |
}
|
145 | |
|
146 | 143 |
// Init
|
147 | 144 |
memset(sslCipherPointer, 0, sizeof(struct sslCipher));
|
148 | |
|
149 | 145 |
// Add cipher information...
|
150 | 146 |
sslCipherPointer->sslMethod = sslMethod;
|
151 | 147 |
sslCipherPointer->name = SSL_CIPHER_get_name(sk_SSL_CIPHER_value(cipherList, loop));
|
152 | 148 |
sslCipherPointer->version = SSL_CIPHER_get_version(sk_SSL_CIPHER_value(cipherList, loop));
|
153 | 149 |
SSL_CIPHER_description(sk_SSL_CIPHER_value(cipherList, loop), sslCipherPointer->description, sizeof(sslCipherPointer->description) - 1);
|
154 | 150 |
sslCipherPointer->bits = SSL_CIPHER_get_bits(sk_SSL_CIPHER_value(cipherList, loop), &tempInt);
|
155 | |
|
156 | |
|
157 | |
}
|
158 | |
|
|
151 |
}
|
159 | 152 |
SSL_free(ssl);
|
160 | 153 |
SSL_CTX_free(options->ctx);
|
161 | |
|
162 | 154 |
return returnCode;
|
163 | 155 |
}
|
164 | 156 |
|
|
434 | 426 |
return 0;
|
435 | 427 |
|
436 | 428 |
if (strstr(buffer, " 670 ") || strstr(buffer, ":STARTTLS successful")) {
|
437 | |
printf_verbose("STARTLS IRC sertup complete.\nServer reported %s\n", buffer);
|
|
429 |
printf_verbose("STARTLS IRC setup complete.\nServer reported %s\n", buffer);
|
438 | 430 |
} else {
|
439 | 431 |
printf_verbose("STARTLS IRC setup not complete.\nServer reported %s\n", buffer);
|
440 | 432 |
}
|
|
462 | 454 |
printf_verbose("Server reported: %s\n", buffer);
|
463 | 455 |
}
|
464 | 456 |
|
|
457 |
if (options->starttls_psql == true && tlsStarted == false)
|
|
458 |
{
|
|
459 |
unsigned char buffer;
|
|
460 |
|
|
461 |
tlsStarted = 1;
|
|
462 |
|
|
463 |
// Send SSLRequest packet
|
|
464 |
send(socketDescriptor, "\x00\x00\x00\x08\x04\xd2\x16\x2f", 8, 0);
|
|
465 |
|
|
466 |
// Read reply byte
|
|
467 |
if (1 != recv(socketDescriptor, &buffer, 1, 0)) {
|
|
468 |
printf_error("%s ERROR: unexpected EOF reading from %s:%d%s\n", COL_RED, options->host, options->port, RESET);
|
|
469 |
return 0;
|
|
470 |
}
|
|
471 |
|
|
472 |
if (buffer != 'S') {
|
|
473 |
printf_error("%s ERROR: server at %s:%d%s rejected TLS startup\n", COL_RED, options->host, options->port, RESET);
|
|
474 |
return 0;
|
|
475 |
}
|
|
476 |
}
|
|
477 |
|
465 | 478 |
// Setup an RDP socket with preamble
|
466 | 479 |
// Borrowed from https://labs.portcullis.co.uk/tools/ssl-cipher-suite-enum/
|
467 | 480 |
if (options->rdp == true && tlsStarted == false)
|
|
494 | 507 |
return 0;
|
495 | 508 |
}
|
496 | 509 |
}
|
|
510 |
|
497 | 511 |
// Return
|
498 | 512 |
return socketDescriptor;
|
499 | 513 |
}
|
|
526 | 540 |
SSL_CTX_set_default_passwd_cb(options->ctx, password_callback);
|
527 | 541 |
}
|
528 | 542 |
|
529 | |
// Seperate Certs and PKey Files...
|
|
543 |
// Separate Certs and PKey Files...
|
530 | 544 |
if ((options->clientCertsFile != 0) && (options->privateKeyFile != 0))
|
531 | 545 |
{
|
532 | 546 |
// Load Cert...
|
|
612 | 626 |
{
|
613 | 627 |
if (!SSL_CTX_check_private_key(options->ctx))
|
614 | 628 |
{
|
615 | |
printf("%s Prvate key does not match certificate.%s\n", COL_RED, RESET);
|
|
629 |
printf("%s Private key does not match certificate.%s\n", COL_RED, RESET);
|
616 | 630 |
return false;
|
617 | 631 |
}
|
618 | 632 |
else
|
|
664 | 678 |
|
665 | 679 |
long version = SSLeay();
|
666 | 680 |
if (version >= 0x009080c0L && version < 0x009080d0L) {
|
667 | |
printf_verbose("OpenSSL %s looks like version 0.9.8l; I will try SSL3_FLAGS to enable renegotation.\n",
|
|
681 |
printf_verbose("OpenSSL %s looks like version 0.9.8l; I will try SSL3_FLAGS to enable renegotiation.\n",
|
668 | 682 |
SSLeay_version(SSLEAY_VERSION));
|
669 | 683 |
use_unsafe_renegotiation_flag = 1;
|
670 | 684 |
use_unsafe_renegotiation_op = 1;
|
|
703 | 717 |
BIO *cipherConnectionBio;
|
704 | 718 |
SSL_SESSION session;
|
705 | 719 |
|
706 | |
tls_reneg_init(options);
|
707 | |
|
708 | 720 |
// Connect to host
|
709 | 721 |
socketDescriptor = tcpConnect(options);
|
710 | 722 |
if (socketDescriptor != 0)
|
711 | 723 |
{
|
712 | 724 |
// Setup Context Object...
|
713 | 725 |
options->ctx = SSL_CTX_new(sslMethod);
|
|
726 |
tls_reneg_init(options);
|
714 | 727 |
if (options->ctx != NULL)
|
715 | 728 |
{
|
716 | 729 |
if (SSL_CTX_set_cipher_list(options->ctx, "ALL:COMPLEMENTOFALL") != 0)
|
|
731 | 744 |
SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
|
732 | 745 |
#endif
|
733 | 746 |
|
|
747 |
#ifdef SSL_OP_NO_COMPRESSION
|
|
748 |
// Make sure to clear the no compression flag
|
|
749 |
SSL_clear_options(ssl, SSL_OP_NO_COMPRESSION);
|
|
750 |
#endif
|
|
751 |
|
734 | 752 |
if (ssl != NULL)
|
735 | 753 |
{
|
736 | 754 |
// Connect socket and BIO
|
|
749 | 767 |
|
750 | 768 |
session = *SSL_get_session(ssl);
|
751 | 769 |
|
752 | |
printf_xml(" <compression supported=\"%d\" />\n",
|
753 | |
session.compress_meth);
|
754 | |
|
755 | |
if (session.compress_meth == 0)
|
|
770 |
#ifndef OPENSSL_NO_COMP
|
|
771 |
// Make sure zlib is actually present
|
|
772 |
if (COMP_zlib()->type != NID_undef)
|
756 | 773 |
{
|
757 | |
printf("Compression %sdisabled%s\n\n", COL_GREEN, RESET);
|
|
774 |
printf_xml(" <compression supported=\"%d\" />\n",
|
|
775 |
session.compress_meth);
|
|
776 |
|
|
777 |
if (session.compress_meth == 0)
|
|
778 |
{
|
|
779 |
printf("Compression %sdisabled%s\n\n", COL_GREEN, RESET);
|
|
780 |
}
|
|
781 |
else
|
|
782 |
{
|
|
783 |
printf("Compression %senabled%s (CRIME)\n\n", COL_RED, RESET);
|
|
784 |
}
|
758 | 785 |
}
|
759 | 786 |
else
|
|
787 |
#endif
|
760 | 788 |
{
|
761 | |
printf("Compression %senabled%s (CRIME)\n\n", COL_RED, RESET);
|
|
789 |
printf("%sOpenSSL version does not support compression%s\n", COL_RED, RESET);
|
|
790 |
printf("%sRebuild with zlib1g-dev package for zlib support%s\n\n", COL_RED, RESET);
|
762 | 791 |
}
|
763 | 792 |
|
764 | 793 |
// Disconnect SSL over socket
|
|
816 | 845 |
BIO *cipherConnectionBio;
|
817 | 846 |
struct renegotiationOutput *renOut = newRenegotiationOutput();
|
818 | 847 |
|
819 | |
tls_reneg_init(options);
|
820 | |
|
821 | 848 |
// Connect to host
|
822 | 849 |
socketDescriptor = tcpConnect(options);
|
823 | 850 |
if (socketDescriptor != 0)
|
|
825 | 852 |
|
826 | 853 |
// Setup Context Object...
|
827 | 854 |
options->ctx = SSL_CTX_new(sslMethod);
|
|
855 |
tls_reneg_init(options);
|
828 | 856 |
if (options->ctx != NULL)
|
829 | 857 |
{
|
830 | 858 |
if (SSL_CTX_set_cipher_list(options->ctx, "ALL:COMPLEMENTOFALL") != 0)
|
|
895 | 923 |
if( renOut->secure )
|
896 | 924 |
{
|
897 | 925 |
// If it supports secure renegotiations,
|
898 | |
// it should have renegotioation support in general
|
|
926 |
// it should have renegotiation support in general
|
899 | 927 |
renOut->supported = true;
|
900 | 928 |
status = true;
|
901 | 929 |
}
|
|
903 | 931 |
{
|
904 | 932 |
#endif
|
905 | 933 |
// We can't assume that just because the secure renegotiation
|
906 | |
// support failed the server doesn't support insecure renegotiations·
|
|
934 |
// support failed the server doesn't support insecure renegotiations·
|
907 | 935 |
|
908 | 936 |
// assume ssl is connected and error free up to here
|
909 | |
//setBlocking(ssl); // this is unnecessary if it is already blocking·
|
|
937 |
//setBlocking(ssl); // this is unnecessary if it is already blocking·
|
910 | 938 |
printf_verbose("Attempting SSL_renegotiate(ssl)\n");
|
911 | 939 |
SSL_renegotiate(ssl); // Ask to renegotiate the connection
|
912 | 940 |
// This hangs when an 'encrypted alert' is sent by the server
|
|
1024 | 1052 |
{
|
1025 | 1053 |
|
1026 | 1054 |
// Credit to Jared Stafford ([email protected])
|
1027 | |
char hello[] = {0x16,0x03,0x00,0x00,0xdc,0x01,0x00,0x00,0xd8,0x03,0x02,0x53,0x43,0x5b,0x90,0x9d,0x9b,0x72,0x0b,0xbc,0x0c,0xbc,0x2b,0x92,0xa8,0x48,0x97,0xcf,0xbd,0x39,0x04,0xcc,0x16,0x0a,0x85,0x03,0x90,0x9f,0x77,0x04,0x33,0xd4,0xde,0x00,0x00,0x66,0xc0,0x14,0xc0,0x0a,0xc0,0x22,0xc0,0x21,0x00,0x39,0x00,0x38,0x00,0x88,0x00,0x87,0xc0,0x0f,0xc0,0x05,0x00,0x35,0x00,0x84,0xc0,0x12,0xc0,0x08,0xc0,0x1c,0xc0,0x1b,0x00,0x16,0x00,0x13,0xc0,0x0d,0xc0,0x03,0x00,0x0a,0xc0,0x13,0xc0,0x09,0xc0,0x1f,0xc0,0x1e,0x00,0x33,0x00,0x32,0x00,0x9a,0x00,0x99,0x00,0x45,0x00,0x44,0xc0,0x0e,0xc0,0x04,0x00,0x2f,0x00,0x96,0x00,0x41,0xc0,0x11,0xc0,0x07,0xc0,0x0c,0xc0,0x02,0x00,0x05,0x00,0x04,0x00,0x15,0x00,0x12,0x00,0x09,0x00,0x14,0x00,0x11,0x00,0x08,0x00,0x06,0x00,0x03,0x00,0xff,0x01,0x00,0x00,0x49,0x00,0x0b,0x00,0x04,0x03,0x00,0x01,0x02,0x00,0x0a,0x00,0x34,0x00,0x32,0x00,0x0e,0x00,0x0d,0x00,0x19,0x00,0x0b,0x00,0x0c,0x00,0x18,0x00,0x09,0x00,0x0a,0x00,0x16,0x00,0x17,0x00,0x08,0x00,0x06,0x00,0x07,0x00,0x14,0x00,0x15,0x00,0x04,0x00,0x05,0x00,0x12,0x00,0x13,0x00,0x01,0x00,0x02,0x00,0x03,0x00,0x0f,0x00,0x10,0x00,0x11,0x00,0x23,0x00,0x00,0x00,0x0f,0x00,0x01,0x01};
|
|
1055 |
char hello[] = {0x16,0x03,0x01,0x00,0xdc,0x01,0x00,0x00,0xd8,0x03,0x00,0x53,0x43,0x5b,0x90,0x9d,0x9b,0x72,0x0b,0xbc,0x0c,0xbc,0x2b,0x92,0xa8,0x48,0x97,0xcf,0xbd,0x39,0x04,0xcc,0x16,0x0a,0x85,0x03,0x90,0x9f,0x77,0x04,0x33,0xd4,0xde,0x00,0x00,0x66,0xc0,0x14,0xc0,0x0a,0xc0,0x22,0xc0,0x21,0x00,0x39,0x00,0x38,0x00,0x88,0x00,0x87,0xc0,0x0f,0xc0,0x05,0x00,0x35,0x00,0x84,0xc0,0x12,0xc0,0x08,0xc0,0x1c,0xc0,0x1b,0x00,0x16,0x00,0x13,0xc0,0x0d,0xc0,0x03,0x00,0x0a,0xc0,0x13,0xc0,0x09,0xc0,0x1f,0xc0,0x1e,0x00,0x33,0x00,0x32,0x00,0x9a,0x00,0x99,0x00,0x45,0x00,0x44,0xc0,0x0e,0xc0,0x04,0x00,0x2f,0x00,0x96,0x00,0x41,0xc0,0x11,0xc0,0x07,0xc0,0x0c,0xc0,0x02,0x00,0x05,0x00,0x04,0x00,0x15,0x00,0x12,0x00,0x09,0x00,0x14,0x00,0x11,0x00,0x08,0x00,0x06,0x00,0x03,0x00,0xff,0x01,0x00,0x00,0x49,0x00,0x0b,0x00,0x04,0x03,0x00,0x01,0x02,0x00,0x0a,0x00,0x34,0x00,0x32,0x00,0x0e,0x00,0x0d,0x00,0x19,0x00,0x0b,0x00,0x0c,0x00,0x18,0x00,0x09,0x00,0x0a,0x00,0x16,0x00,0x17,0x00,0x08,0x00,0x06,0x00,0x07,0x00,0x14,0x00,0x15,0x00,0x04,0x00,0x05,0x00,0x12,0x00,0x13,0x00,0x01,0x00,0x02,0x00,0x03,0x00,0x0f,0x00,0x10,0x00,0x11,0x00,0x23,0x00,0x00,0x00,0x0f,0x00,0x01,0x01};
|
1028 | 1056 |
|
1029 | 1057 |
if (sslMethod == TLSv1_client_method())
|
1030 | 1058 |
{
|
1031 | |
hello[2] = 0x01;
|
|
1059 |
hello[10] = 0x01;
|
1032 | 1060 |
}
|
1033 | 1061 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
1034 | 1062 |
else if (sslMethod == TLSv1_1_client_method())
|
1035 | 1063 |
{
|
1036 | |
hello[2] = 0x02;
|
|
1064 |
hello[10] = 0x02;
|
1037 | 1065 |
}
|
1038 | 1066 |
else if (sslMethod == TLSv1_2_client_method())
|
1039 | 1067 |
{
|
1040 | |
hello[2] = 0x03;
|
|
1068 |
hello[10] = 0x03;
|
1041 | 1069 |
}
|
1042 | 1070 |
#endif
|
1043 | 1071 |
if (send(socketDescriptor, hello, sizeof(hello), 0) <= 0) {
|
|
1103 | 1131 |
{
|
1104 | 1132 |
break;
|
1105 | 1133 |
}
|
1106 | |
// Sucessful response
|
|
1134 |
// Successful response
|
1107 | 1135 |
else if (typ == 24 && ln > 3)
|
1108 | 1136 |
{
|
1109 | 1137 |
printf("%svulnerable%s to heartbleed\n", COL_RED, RESET);
|
|
1133 | 1161 |
|
1134 | 1162 |
int ssl_print_tmp_key(struct sslCheckOptions *options, SSL *s)
|
1135 | 1163 |
{
|
1136 | |
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
|
1164 |
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
1137 | 1165 |
EVP_PKEY *key;
|
1138 | 1166 |
if (!SSL_get_server_tmp_key(s, &key))
|
1139 | 1167 |
return 1;
|
|
1192 | 1220 |
|
1193 | 1221 |
|
1194 | 1222 |
// Test a cipher...
|
1195 | |
int testCipher(struct sslCheckOptions *options, struct sslCipher *sslCipherPointer)
|
|
1223 |
int testCipher(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
|
1196 | 1224 |
{
|
1197 | 1225 |
// Variables...
|
1198 | 1226 |
int cipherStatus;
|
|
1204 | 1232 |
int tempInt;
|
1205 | 1233 |
char requestBuffer[200];
|
1206 | 1234 |
char buffer[50];
|
|
1235 |
char hexCipherId[10];
|
1207 | 1236 |
int resultSize = 0;
|
1208 | |
const char *sslMethod = printableSslMethod(sslCipherPointer->sslMethod);
|
|
1237 |
int cipherbits;
|
|
1238 |
uint32_t cipherid;
|
|
1239 |
const SSL_CIPHER *sslCipherPointer;
|
|
1240 |
const char *cleanSslMethod = printableSslMethod(sslMethod);
|
|
1241 |
struct timeval tval_start, tval_end, tval_elapsed;
|
|
1242 |
if (options->showTimes)
|
|
1243 |
{
|
|
1244 |
gettimeofday(&tval_start, NULL);
|
|
1245 |
}
|
|
1246 |
|
|
1247 |
|
1209 | 1248 |
|
1210 | 1249 |
// Create request buffer...
|
1211 | 1250 |
memset(requestBuffer, 0, 200);
|
|
1215 | 1254 |
socketDescriptor = tcpConnect(options);
|
1216 | 1255 |
if (socketDescriptor != 0)
|
1217 | 1256 |
{
|
1218 | |
if (SSL_CTX_set_cipher_list(options->ctx, sslCipherPointer->name) != 0)
|
|
1257 |
if (SSL_CTX_set_cipher_list(options->ctx, options->cipherstring) != 0)
|
1219 | 1258 |
{
|
1220 | 1259 |
|
1221 | 1260 |
// Create SSL object...
|
|
1238 | 1277 |
// Connect SSL over socket
|
1239 | 1278 |
cipherStatus = SSL_connect(ssl);
|
1240 | 1279 |
|
|
1280 |
sslCipherPointer = SSL_get_current_cipher(ssl);
|
|
1281 |
cipherbits = SSL_CIPHER_get_bits(sslCipherPointer, NULL);
|
|
1282 |
|
|
1283 |
if (cipherStatus == 0)
|
|
1284 |
{
|
|
1285 |
return false;
|
|
1286 |
}
|
|
1287 |
else if (cipherStatus != 1)
|
|
1288 |
{
|
|
1289 |
printf_verbose("SSL_get_error(ssl, cipherStatus) said: %d\n", SSL_get_error(ssl, cipherStatus));
|
|
1290 |
return false;
|
|
1291 |
}
|
|
1292 |
|
|
1293 |
cipherid = SSL_CIPHER_get_id(sslCipherPointer);
|
|
1294 |
cipherid = cipherid & 0x00ffffff; // remove first byte which is the version (0x03 for TLSv1/SSLv3)
|
|
1295 |
|
1241 | 1296 |
// Show Cipher Status
|
1242 | |
if (!((options->noFailed == true) && (cipherStatus != 1)))
|
|
1297 |
printf_xml(" <cipher status=\"");
|
|
1298 |
if (cipherStatus == 1)
|
1243 | 1299 |
{
|
1244 | |
printf_xml(" <cipher status=\"");
|
1245 | |
if (cipherStatus == 1)
|
|
1300 |
if (strcmp(options->cipherstring, "ALL:eNULL"))
|
1246 | 1301 |
{
|
1247 | 1302 |
printf_xml("accepted\"");
|
1248 | |
if (options->noFailed == false)
|
|
1303 |
printf("Accepted ");
|
|
1304 |
}
|
|
1305 |
else
|
|
1306 |
{
|
|
1307 |
printf_xml("preferred\"");
|
|
1308 |
printf("%sPreferred%s ", COL_GREEN, RESET);
|
|
1309 |
}
|
|
1310 |
if (options->http == true)
|
|
1311 |
{
|
|
1312 |
|
|
1313 |
// Stdout BIO...
|
|
1314 |
stdoutBIO = BIO_new(BIO_s_file());
|
|
1315 |
BIO_set_fp(stdoutBIO, stdout, BIO_NOCLOSE);
|
|
1316 |
|
|
1317 |
// HTTP Get...
|
|
1318 |
SSL_write(ssl, requestBuffer, sizeof(requestBuffer));
|
|
1319 |
memset(buffer ,0 , 50);
|
|
1320 |
resultSize = SSL_read(ssl, buffer, 49);
|
|
1321 |
if (resultSize > 9)
|
1249 | 1322 |
{
|
1250 | |
printf("%sAccepted%s ", COL_GREEN, RESET);
|
|
1323 |
int loop = 0;
|
|
1324 |
for (loop = 9; (loop < 49) && (buffer[loop] != 0) && (buffer[loop] != '\r') && (buffer[loop] != '\n'); loop++)
|
|
1325 |
{ }
|
|
1326 |
buffer[loop] = 0;
|
|
1327 |
|
|
1328 |
// Output HTTP code...
|
|
1329 |
printf("%s", buffer + 9);
|
|
1330 |
loop = strlen(buffer + 9);
|
|
1331 |
while (loop < 17)
|
|
1332 |
{
|
|
1333 |
loop++;
|
|
1334 |
printf(" ");
|
|
1335 |
}
|
|
1336 |
printf_xml(" http=\"%s\"", buffer + 9);
|
1251 | 1337 |
}
|
1252 | 1338 |
else
|
1253 | 1339 |
{
|
1254 | |
printf("Accepted ");
|
1255 | |
}
|
1256 | |
if (options->http == true)
|
1257 | |
{
|
1258 | |
|
1259 | |
// Stdout BIO...
|
1260 | |
stdoutBIO = BIO_new(BIO_s_file());
|
1261 | |
BIO_set_fp(stdoutBIO, stdout, BIO_NOCLOSE);
|
1262 | |
|
1263 | |
// HTTP Get...
|
1264 | |
SSL_write(ssl, requestBuffer, sizeof(requestBuffer));
|
1265 | |
memset(buffer ,0 , 50);
|
1266 | |
resultSize = SSL_read(ssl, buffer, 49);
|
1267 | |
if (resultSize > 9)
|
1268 | |
{
|
1269 | |
int loop = 0;
|
1270 | |
for (loop = 9; (loop < 49) && (buffer[loop] != 0) && (buffer[loop] != '\r') && (buffer[loop] != '\n'); loop++)
|
1271 | |
{ }
|
1272 | |
buffer[loop] = 0;
|
1273 | |
|
1274 | |
// Output HTTP code...
|
1275 | |
printf("%s", buffer + 9);
|
1276 | |
loop = strlen(buffer + 9);
|
1277 | |
while (loop < 17)
|
1278 | |
{
|
1279 | |
loop++;
|
1280 | |
printf(" ");
|
1281 | |
}
|
1282 | |
printf_xml(" http=\"%s\"", buffer + 9);
|
1283 | |
}
|
1284 | |
else
|
1285 | |
{
|
1286 | |
// Output HTTP code...
|
1287 | |
printf(" ");
|
1288 | |
}
|
|
1340 |
// Output HTTP code...
|
|
1341 |
printf(" ");
|
1289 | 1342 |
}
|
1290 | 1343 |
}
|
1291 | |
else if (cipherStatus == 0)
|
1292 | |
{
|
1293 | |
printf_xml("rejected\"");
|
1294 | |
if (options->http == true)
|
1295 | |
{
|
1296 | |
printf("Rejected N/A ");
|
1297 | |
}
|
1298 | |
else
|
1299 | |
{
|
1300 | |
printf("Rejected ");
|
1301 | |
}
|
1302 | |
}
|
1303 | |
else
|
1304 | |
{
|
1305 | |
printf_verbose("SSL_get_error(ssl, cipherStatus) said: %d\n", SSL_get_error(ssl, cipherStatus));
|
1306 | |
printf_xml("failed\"");
|
1307 | |
if (options->http == true)
|
1308 | |
{
|
1309 | |
printf("Failed N/A ");
|
1310 | |
}
|
1311 | |
else
|
1312 | |
{
|
1313 | |
printf("Failed ");
|
1314 | |
}
|
1315 | |
}
|
1316 | |
printf_xml(" sslversion=\"%s\"", sslMethod);
|
|
1344 |
}
|
|
1345 |
printf_xml(" sslversion=\"%s\"", cleanSslMethod);
|
1317 | 1346 |
#ifndef OPENSSL_NO_SSL2
|
1318 | |
if (sslCipherPointer->sslMethod == SSLv2_client_method())
|
1319 | |
{
|
1320 | |
printf("%sSSLv2%s ", COL_RED, RESET);
|
1321 | |
}
|
1322 | |
else
|
|
1347 |
if (strcmp(cleanSslMethod, "SSLv2") == 0)
|
|
1348 |
{
|
|
1349 |
printf("%sSSLv2%s ", COL_RED, RESET);
|
|
1350 |
}
|
|
1351 |
else
|
1323 | 1352 |
#endif
|
1324 | 1353 |
#ifndef OPENSSL_NO_SSL3
|
1325 | |
if (sslCipherPointer->sslMethod == SSLv3_client_method())
|
|
1354 |
if (strcmp(cleanSslMethod, "SSLv3") == 0)
|
1326 | 1355 |
{
|
1327 | 1356 |
printf("%sSSLv3%s ", COL_RED, RESET);
|
1328 | 1357 |
}
|
1329 | 1358 |
else
|
1330 | 1359 |
#endif
|
1331 | |
if (sslCipherPointer->sslMethod == TLSv1_client_method())
|
1332 | |
{
|
1333 | |
printf("TLSv1.0 ");
|
1334 | |
}
|
|
1360 |
if (strcmp(cleanSslMethod, "TLSv1.0") == 0)
|
|
1361 |
{
|
|
1362 |
printf("%sTLSv1.0%s ", COL_YELLOW, RESET);
|
|
1363 |
}
|
1335 | 1364 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
1336 | |
else if (sslCipherPointer->sslMethod == TLSv1_1_client_method())
|
1337 | |
{
|
1338 | |
printf("TLSv1.1 ");
|
1339 | |
}
|
1340 | |
else if (sslCipherPointer->sslMethod == TLSv1_2_client_method())
|
1341 | |
{
|
1342 | |
printf("TLSv1.2 ");
|
1343 | |
}
|
1344 | |
#endif
|
1345 | |
if (sslCipherPointer->bits < 10)
|
1346 | |
tempInt = 2;
|
1347 | |
else if (sslCipherPointer->bits < 100)
|
1348 | |
tempInt = 1;
|
1349 | |
else
|
1350 | |
tempInt = 0;
|
1351 | |
if (sslCipherPointer->bits == 0)
|
1352 | |
{
|
1353 | |
printf("%s%d%s bits ", COL_RED_BG, sslCipherPointer->bits, RESET);
|
1354 | |
}
|
1355 | |
else if (sslCipherPointer->bits > 56)
|
1356 | |
{
|
1357 | |
printf("%s%d%s bits ", COL_GREEN, sslCipherPointer->bits, RESET);
|
1358 | |
}
|
1359 | |
else if (sslCipherPointer->bits > 40)
|
1360 | |
{
|
1361 | |
printf("%s%d%s bits ", COL_YELLOW, sslCipherPointer->bits, RESET);
|
1362 | |
}
|
1363 | |
else
|
1364 | |
{
|
1365 | |
printf("%s%d%s bits ", COL_RED, sslCipherPointer->bits, RESET);
|
1366 | |
}
|
1367 | |
while (tempInt != 0)
|
1368 | |
{
|
1369 | |
tempInt--;
|
1370 | |
printf(" ");
|
1371 | |
}
|
1372 | |
printf_xml(" bits=\"%d\" cipher=\"%s\"", sslCipherPointer->bits, sslCipherPointer->name);
|
1373 | |
if (strstr(sslCipherPointer->name, "NULL"))
|
1374 | |
{
|
1375 | |
printf("%s%-29s%s", COL_RED_BG, sslCipherPointer->name, RESET);
|
1376 | |
}
|
1377 | |
else if (strstr(sslCipherPointer->name, "ADH") || strstr(sslCipherPointer->name, "AECDH"))
|
1378 | |
{
|
1379 | |
printf("%s%-29s%s", COL_PURPLE, sslCipherPointer->name, RESET);
|
1380 | |
}
|
1381 | |
else if (strstr(sslCipherPointer->name, "EXP") || (sslCipherPointer->sslMethod == SSLv3_client_method() && !strstr(sslCipherPointer->name, "RC4")))
|
1382 | |
{
|
1383 | |
printf("%s%-29s%s", COL_RED, sslCipherPointer->name, RESET);
|
1384 | |
}
|
1385 | |
else if (strstr(sslCipherPointer->name, "RC4"))
|
1386 | |
{
|
1387 | |
printf("%s%-29s%s", COL_YELLOW, sslCipherPointer->name, RESET);
|
1388 | |
}
|
1389 | |
else if (strstr(sslCipherPointer->name, "GCM"))
|
1390 | |
{
|
1391 | |
printf("%s%-29s%s", COL_GREEN, sslCipherPointer->name, RESET);
|
1392 | |
}
|
1393 | |
else
|
1394 | |
{
|
1395 | |
printf("%-29s", sslCipherPointer->name);
|
1396 | |
}
|
1397 | |
if (options->cipher_details == true)
|
1398 | |
{
|
1399 | |
ssl_print_tmp_key(options, ssl);
|
1400 | |
}
|
1401 | |
printf("\n");
|
1402 | |
printf_xml(" />\n");
|
|
1365 |
else
|
|
1366 |
{
|
|
1367 |
printf("%s ", cleanSslMethod);
|
|
1368 |
}
|
|
1369 |
#endif
|
|
1370 |
if (cipherbits < 10)
|
|
1371 |
tempInt = 2;
|
|
1372 |
else if (cipherbits < 100)
|
|
1373 |
tempInt = 1;
|
|
1374 |
else
|
|
1375 |
tempInt = 0;
|
|
1376 |
if (cipherbits == 0)
|
|
1377 |
{
|
|
1378 |
printf("%s%d%s bits ", COL_RED_BG, cipherbits, RESET);
|
1403 | 1379 |
}
|
1404 | |
|
|
1380 |
else if (cipherbits >= 112)
|
|
1381 |
{
|
|
1382 |
printf("%s%d%s bits ", COL_GREEN, cipherbits, RESET);
|
|
1383 |
}
|
|
1384 |
else if (cipherbits > 56)
|
|
1385 |
{
|
|
1386 |
printf("%s%d%s bits ", COL_YELLOW, cipherbits, RESET);
|
|
1387 |
}
|
|
1388 |
else
|
|
1389 |
{
|
|
1390 |
printf("%s%d%s bits ", COL_RED, cipherbits, RESET);
|
|
1391 |
}
|
|
1392 |
while (tempInt != 0)
|
|
1393 |
{
|
|
1394 |
tempInt--;
|
|
1395 |
printf(" ");
|
|
1396 |
}
|
|
1397 |
|
|
1398 |
sprintf(hexCipherId, "0x%X", cipherid);
|
|
1399 |
|
|
1400 |
if (options->showCipherIds == true)
|
|
1401 |
{
|
|
1402 |
printf("%8s ", hexCipherId);
|
|
1403 |
}
|
|
1404 |
|
|
1405 |
printf_xml(" bits=\"%d\" cipher=\"%s\" id=\"%s\"", cipherbits, sslCipherPointer->name, hexCipherId);
|
|
1406 |
if (strstr(sslCipherPointer->name, "NULL"))
|
|
1407 |
{
|
|
1408 |
printf("%s%-29s%s", COL_RED_BG, sslCipherPointer->name, RESET);
|
|
1409 |
}
|
|
1410 |
else if (strstr(sslCipherPointer->name, "ADH") || strstr(sslCipherPointer->name, "AECDH"))
|
|
1411 |
{
|
|
1412 |
printf("%s%-29s%s", COL_PURPLE, sslCipherPointer->name, RESET);
|
|
1413 |
}
|
|
1414 |
else if (strstr(sslCipherPointer->name, "EXP")
|
|
1415 |
#ifndef OPENSSL_NO_SSL3
|
|
1416 |
|| (strcmp(cleanSslMethod, "SSLv3") == 0 && !strstr(sslCipherPointer->name, "RC4"))
|
|
1417 |
#endif
|
|
1418 |
)
|
|
1419 |
{
|
|
1420 |
printf("%s%-29s%s", COL_RED, sslCipherPointer->name, RESET);
|
|
1421 |
}
|
|
1422 |
else if (strstr(sslCipherPointer->name, "RC4"))
|
|
1423 |
{
|
|
1424 |
printf("%s%-29s%s", COL_YELLOW, sslCipherPointer->name, RESET);
|
|
1425 |
}
|
|
1426 |
else if (strstr(sslCipherPointer->name, "GCM"))
|
|
1427 |
{
|
|
1428 |
printf("%s%-29s%s", COL_GREEN, sslCipherPointer->name, RESET);
|
|
1429 |
}
|
|
1430 |
else
|
|
1431 |
{
|
|
1432 |
printf("%-29s", sslCipherPointer->name);
|
|
1433 |
}
|
|
1434 |
|
|
1435 |
if (options->cipher_details == true)
|
|
1436 |
{
|
|
1437 |
ssl_print_tmp_key(options, ssl);
|
|
1438 |
}
|
|
1439 |
// Timing
|
|
1440 |
if (options->showTimes)
|
|
1441 |
{
|
|
1442 |
int msec;
|
|
1443 |
gettimeofday(&tval_end, NULL);
|
|
1444 |
timersub(&tval_end, &tval_start, &tval_elapsed);
|
|
1445 |
msec = tval_elapsed.tv_sec * 1000 + (int)tval_elapsed.tv_usec/1000;
|
|
1446 |
printf("%s %dms%s", COL_GREY, msec, RESET);
|
|
1447 |
printf_xml(" time=\"%d\"", msec);
|
|
1448 |
}
|
|
1449 |
|
|
1450 |
printf("\n");
|
|
1451 |
printf_xml(" />\n");
|
|
1452 |
|
1405 | 1453 |
// Disconnect SSL over socket
|
1406 | 1454 |
if (cipherStatus == 1)
|
|
1455 |
{
|
|
1456 |
strncat(options->cipherstring, ":!", 2);
|
|
1457 |
strncat(options->cipherstring, SSL_get_cipher_name(ssl), strlen(SSL_get_cipher_name(ssl)));
|
1407 | 1458 |
SSL_shutdown(ssl);
|
|
1459 |
}
|
1408 | 1460 |
|
1409 | 1461 |
// Free SSL object
|
1410 | 1462 |
SSL_free(ssl);
|
|
1418 | 1470 |
else
|
1419 | 1471 |
{
|
1420 | 1472 |
status = false;
|
1421 | |
printf("%s ERROR: Could set cipher %s.%s\n", COL_RED, sslCipherPointer->name, RESET);
|
1422 | 1473 |
}
|
1423 | 1474 |
|
1424 | 1475 |
// Disconnect from host
|
|
1429 | 1480 |
else
|
1430 | 1481 |
status = false;
|
1431 | 1482 |
|
|
1483 |
|
1432 | 1484 |
return status;
|
1433 | 1485 |
}
|
1434 | 1486 |
|
1435 | |
|
1436 | |
// Test for preferred ciphers
|
1437 | |
int defaultCipher(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
|
|
1487 |
int checkCertificateProtocol(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
|
1438 | 1488 |
{
|
1439 | |
// Variables...
|
1440 | |
int cipherStatus;
|
1441 | 1489 |
int status = true;
|
1442 | |
int socketDescriptor = 0;
|
1443 | |
SSL *ssl = NULL;
|
1444 | |
BIO *cipherConnectionBio;
|
1445 | |
int tempInt;
|
1446 | |
int tempInt2;
|
1447 | |
|
1448 | |
// Connect to host
|
1449 | |
socketDescriptor = tcpConnect(options);
|
1450 | |
if (socketDescriptor != 0)
|
1451 | |
{
|
1452 | |
// Setup Context Object...
|
1453 | |
options->ctx = SSL_CTX_new(sslMethod);
|
1454 | |
if (options->ctx != NULL)
|
1455 | |
{
|
1456 | |
if (SSL_CTX_set_cipher_list(options->ctx, "ALL:COMPLEMENTOFALL") != 0)
|
1457 | |
{
|
1458 | |
|
1459 | |
// Load Certs if required...
|
1460 | |
if ((options->clientCertsFile != 0) || (options->privateKeyFile != 0))
|
1461 | |
status = loadCerts(options);
|
1462 | |
|
1463 | |
if (status == true)
|
1464 | |
{
|
1465 | |
// Create SSL object...
|
1466 | |
ssl = SSL_new(options->ctx);
|
1467 | |
if (ssl != NULL)
|
1468 | |
{
|
1469 | |
// Connect socket and BIO
|
1470 | |
cipherConnectionBio = BIO_new_socket(socketDescriptor, BIO_NOCLOSE);
|
1471 | |
|
1472 | |
// Connect SSL and BIO
|
1473 | |
SSL_set_bio(ssl, cipherConnectionBio, cipherConnectionBio);
|
1474 | |
|
1475 | |
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
|
1476 | |
// TLS SNI
|
1477 | |
SSL_set_tlsext_host_name (ssl, options->host);
|
1478 | |
#endif
|
1479 | |
|
1480 | |
// Connect SSL over socket
|
1481 | |
cipherStatus = SSL_connect(ssl);
|
1482 | |
if (cipherStatus == 1)
|
1483 | |
{
|
1484 | |
#ifndef OPENSSL_NO_SSL2
|
1485 | |
if (sslMethod == SSLv2_client_method())
|
1486 | |
{
|
1487 | |
printf_xml(" <defaultcipher sslversion=\"SSLv2\" bits=\"");
|
1488 | |
printf("%sSSLv2%s ", COL_RED, RESET);
|
1489 | |
}
|
1490 | |
else
|
1491 | |
#endif
|
1492 | |
if (sslMethod == SSLv3_client_method())
|
1493 | |
{
|
1494 | |
printf_xml(" <defaultcipher sslversion=\"SSLv3\" bits=\"");
|
1495 | |
printf("%sSSLv3%s ", COL_RED, RESET);
|
1496 | |
}
|
1497 | |
else if (sslMethod == TLSv1_client_method())
|
1498 | |
{
|
1499 | |
printf_xml(" <defaultcipher sslversion=\"TLSv1.0\" bits=\"");
|
1500 | |
printf("TLSv1.0 ");
|
1501 | |
}
|
1502 | |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
1503 | |
else if (sslMethod == TLSv1_1_client_method())
|
1504 | |
{
|
1505 | |
printf_xml(" <defaultcipher sslversion=\"TLSv1.1\" bits=\"");
|
1506 | |
printf("TLSv1.1 ");
|
1507 | |
}
|
1508 | |
else if (sslMethod == TLSv1_2_client_method())
|
1509 | |
{
|
1510 | |
printf_xml(" <defaultcipher sslversion=\"TLSv1.2\" bits=\"");
|
1511 | |
printf("TLSv1.2 ");
|
1512 | |
}
|
1513 | |
#endif
|
1514 | |
if (SSL_get_cipher_bits(ssl, &tempInt2) < 10)
|
1515 | |
tempInt = 2;
|
1516 | |
else if (SSL_get_cipher_bits(ssl, &tempInt2) < 100)
|
1517 | |
tempInt = 1;
|
1518 | |
else
|
1519 | |
tempInt = 0;
|
1520 | |
//Bit ugly
|
1521 | |
int tempbits = SSL_get_cipher_bits(ssl, &tempInt2);
|
1522 | |
if (tempbits > 56)
|
1523 | |
{
|
1524 | |
printf("%s%d%s bits ", COL_GREEN, tempbits, RESET);
|
1525 | |
}
|
1526 | |
else if (tempbits > 40)
|
1527 | |
{
|
1528 | |
printf("%s%d%s bits ", COL_YELLOW, tempbits, RESET);
|
1529 | |
}
|
1530 | |
else
|
1531 | |
{
|
1532 | |
printf("%s%d%s bits ", COL_RED, tempbits, RESET);
|
1533 | |
}
|
1534 | |
|
1535 | |
while (tempInt != 0)
|
1536 | |
{
|
1537 | |
tempInt--;
|
1538 | |
printf(" ");
|
1539 | |
}
|
1540 | |
printf_xml("%d\" cipher=\"%s\"", SSL_get_cipher_bits(ssl, &tempInt2), SSL_get_cipher_name(ssl));
|
1541 | |
if (strstr(SSL_get_cipher_name(ssl), "EXP") || (sslMethod == SSLv3_client_method() && strstr(SSL_get_cipher_name(ssl), "CBC")))
|
1542 | |
{
|
1543 | |
printf("%s%-29s%s", COL_RED, SSL_get_cipher_name(ssl), RESET);
|
1544 | |
}
|
1545 | |
else if (strstr(SSL_get_cipher_name(ssl), "RC4"))
|
1546 | |
{
|
1547 | |
printf("%s%-29s%s", COL_YELLOW, SSL_get_cipher_name(ssl), RESET);
|
1548 | |
}
|
1549 | |
else if (strstr(SSL_get_cipher_name(ssl), "GCM"))
|
1550 | |
{
|
1551 | |
printf("%s%-29s%s", COL_GREEN, SSL_get_cipher_name(ssl), RESET);
|
1552 | |
}
|
1553 | |
else
|
1554 | |
{
|
1555 | |
printf("%-29s", SSL_get_cipher_name(ssl));
|
1556 | |
}
|
1557 | |
if (options->cipher_details == true)
|
1558 | |
{
|
1559 | |
ssl_print_tmp_key(options, ssl);
|
1560 | |
}
|
1561 | |
printf("\n");
|
1562 | |
printf_xml(" />\n");
|
1563 | |
|
1564 | |
// Disconnect SSL over socket
|
1565 | |
SSL_shutdown(ssl);
|
1566 | |
}
|
1567 | |
|
1568 | |
// Free SSL object
|
1569 | |
SSL_free(ssl);
|
1570 | |
}
|
1571 | |
else
|
1572 | |
{
|
1573 | |
status = false;
|
1574 | |
printf("%s ERROR: Could create SSL object.%s\n", COL_RED, RESET);
|
1575 | |
}
|
1576 | |
}
|
1577 | |
}
|
1578 | |
else
|
1579 | |
{
|
1580 | |
status = false;
|
1581 | |
printf("%s ERROR: Could set cipher.%s\n", COL_RED, RESET);
|
1582 | |
}
|
1583 | |
|
1584 | |
// Free CTX Object
|
1585 | |
SSL_CTX_free(options->ctx);
|
1586 | |
}
|
1587 | |
|
1588 | |
// Error Creating Context Object
|
|
1490 |
// Setup Context Object...
|
|
1491 |
options->ctx = SSL_CTX_new(sslMethod);
|
|
1492 |
if (options->ctx != NULL)
|
|
1493 |
{
|
|
1494 |
// SSL implementation bugs/workaround
|
|
1495 |
if (options->sslbugs)
|
|
1496 |
SSL_CTX_set_options(options->ctx, SSL_OP_ALL | 0);
|
1589 | 1497 |
else
|
1590 | |
{
|
1591 | |
status = false;
|
1592 | |
printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
|
1593 | |
}
|
1594 | |
|
1595 | |
// Disconnect from host
|
1596 | |
close(socketDescriptor);
|
1597 | |
}
|
1598 | |
|
1599 | |
// Could not connect
|
|
1498 |
SSL_CTX_set_options(options->ctx, 0);
|
|
1499 |
|
|
1500 |
// Load Certs if required...
|
|
1501 |
if ((options->clientCertsFile != 0) || (options->privateKeyFile != 0))
|
|
1502 |
status = loadCerts(options);
|
|
1503 |
|
|
1504 |
// Check the certificate
|
|
1505 |
status = checkCertificate(options, sslMethod);
|
|
1506 |
}
|
|
1507 |
|
|
1508 |
// Error Creating Context Object
|
1600 | 1509 |
else
|
|
1510 |
{
|
|
1511 |
printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
|
1601 | 1512 |
status = false;
|
1602 | |
|
|
1513 |
}
|
1603 | 1514 |
return status;
|
1604 | 1515 |
}
|
1605 | 1516 |
|
1606 | 1517 |
// Report certificate weaknesses (key length and signing algorithm)
|
1607 | |
int checkCertificate(struct sslCheckOptions *options)
|
|
1518 |
int checkCertificate(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
|
1608 | 1519 |
{
|
1609 | 1520 |
int cipherStatus = 0;
|
1610 | 1521 |
int status = true;
|
|
1616 | 1527 |
BIO *fileBIO = NULL;
|
1617 | 1528 |
X509 *x509Cert = NULL;
|
1618 | 1529 |
EVP_PKEY *publicKey = NULL;
|
1619 | |
const SSL_METHOD *sslMethod = NULL;
|
1620 | 1530 |
char certAlgorithm[80];
|
1621 | 1531 |
X509_EXTENSION *extension = NULL;
|
1622 | 1532 |
|
|
1625 | 1535 |
if (socketDescriptor != 0)
|
1626 | 1536 |
{
|
1627 | 1537 |
// Setup Context Object...
|
1628 | |
if( options->sslVersion == ssl_v2 || options->sslVersion == ssl_v3) {
|
1629 | |
printf_verbose("sslMethod = SSLv23_method()");
|
1630 | |
sslMethod = SSLv23_method();
|
1631 | |
}
|
1632 | |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
1633 | |
else if( options->sslVersion == tls_v11) {
|
1634 | |
printf_verbose("sslMethod = TLSv1_1_method()");
|
1635 | |
sslMethod = TLSv1_1_method();
|
1636 | |
}
|
1637 | |
else if( options->sslVersion == tls_v12) {
|
1638 | |
printf_verbose("sslMethod = TLSv1_2_method()");
|
1639 | |
sslMethod = TLSv1_2_method();
|
1640 | |
}
|
1641 | |
#endif
|
1642 | |
else {
|
1643 | |
printf_verbose("sslMethod = TLSv1_method()\n");
|
1644 | |
printf_verbose("If server doesn't support TLSv1.0, manually specificy TLS version\n");
|
1645 | |
sslMethod = TLSv1_method();
|
1646 | |
}
|
1647 | 1538 |
options->ctx = SSL_CTX_new(sslMethod);
|
1648 | 1539 |
if (options->ctx != NULL)
|
1649 | 1540 |
{
|
|
1913 | 1804 |
}
|
1914 | 1805 |
}
|
1915 | 1806 |
}
|
|
1807 |
|
|
1808 |
// Check for certificate expiration
|
|
1809 |
time_t *ptime;
|
|
1810 |
int timediff;
|
|
1811 |
ptime = NULL;
|
|
1812 |
|
|
1813 |
printf("\nNot valid before: ");
|
|
1814 |
timediff = X509_cmp_time(X509_get_notBefore(x509Cert), ptime);
|
|
1815 |
// Certificate isn't valid yet
|
|
1816 |
if (timediff > 0)
|
|
1817 |
{
|
|
1818 |
printf("%s", COL_RED);
|
|
1819 |
}
|
|
1820 |
else
|
|
1821 |
{
|
|
1822 |
printf("%s", COL_GREEN);
|
|
1823 |
}
|
|
1824 |
ASN1_TIME_print(stdoutBIO, X509_get_notBefore(x509Cert));
|
|
1825 |
printf("%s", RESET);
|
|
1826 |
|
|
1827 |
if (options->xmlOutput) {
|
|
1828 |
printf_xml(" <not-valid-before>");
|
|
1829 |
ASN1_TIME_print(fileBIO, X509_get_notBefore(x509Cert));
|
|
1830 |
printf_xml("</not-valid-before>\n");
|
|
1831 |
}
|
|
1832 |
|
|
1833 |
printf("\nNot valid after: ");
|
|
1834 |
timediff = X509_cmp_time(X509_get_notAfter(x509Cert), ptime);
|
|
1835 |
// Certificate has expired
|
|
1836 |
if (timediff < 0)
|
|
1837 |
{
|
|
1838 |
printf("%s", COL_RED);
|
|
1839 |
}
|
|
1840 |
else
|
|
1841 |
{
|
|
1842 |
printf("%s", COL_GREEN);
|
|
1843 |
}
|
|
1844 |
ASN1_TIME_print(stdoutBIO, X509_get_notAfter(x509Cert));
|
|
1845 |
printf("%s", RESET);
|
|
1846 |
if (options->xmlOutput) {
|
|
1847 |
printf_xml(" <not-valid-after>");
|
|
1848 |
ASN1_TIME_print(fileBIO, X509_get_notAfter(x509Cert));
|
|
1849 |
printf_xml("</not-valid-after>\n");
|
|
1850 |
if (timediff < 0)
|
|
1851 |
{
|
|
1852 |
printf_xml(" <expired>true</expired>\n");
|
|
1853 |
}
|
|
1854 |
else
|
|
1855 |
{
|
|
1856 |
printf_xml(" <expired>false</expired>\n");
|
|
1857 |
}
|
|
1858 |
}
|
|
1859 |
printf("\n");
|
|
1860 |
|
1916 | 1861 |
// Free X509 Certificate...
|
1917 | 1862 |
X509_free(x509Cert);
|
|
1863 |
// This is abusing status a bit, but means that we'll only get the cert once
|
|
1864 |
status = false;
|
1918 | 1865 |
}
|
1919 | 1866 |
|
1920 | 1867 |
else {
|
|
1930 | 1877 |
|
1931 | 1878 |
// Disconnect SSL over socket
|
1932 | 1879 |
SSL_shutdown(ssl);
|
1933 | |
}
|
1934 | |
else
|
1935 | |
{
|
1936 | |
printf("\n%sFailed to connect to get certificate.%s\n", COL_RED, RESET);
|
1937 | |
printf("Most likley cause is server not supporting %s, try manually specifying version\n", printableSslMethod(sslMethod));
|
1938 | 1880 |
}
|
1939 | 1881 |
// Free SSL object
|
1940 | 1882 |
SSL_free(ssl);
|
|
2006 | 1948 |
#endif
|
2007 | 1949 |
else {
|
2008 | 1950 |
printf_verbose("sslMethod = TLSv1_method()\n");
|
2009 | |
printf_verbose("If server doesn't support TLSv1.0, manually specificy TLS version\n");
|
|
1951 |
printf_verbose("If server doesn't support TLSv1.0, manually specify TLS version\n");
|
2010 | 1952 |
sslMethod = TLSv1_method();
|
2011 | 1953 |
}
|
2012 | 1954 |
options->ctx = SSL_CTX_new(sslMethod);
|
|
2072 | 2014 |
else
|
2073 | 2015 |
{
|
2074 | 2016 |
printf("\n%sFailed to connect to get OCSP status.%s\n", COL_RED, RESET);
|
2075 | |
printf("Most likley cause is server not supporting %s, try manually specifying version\n", printableSslMethod(sslMethod));
|
|
2017 |
printf("Most likely cause is server not supporting %s, try manually specifying version\n", printableSslMethod(sslMethod));
|
2076 | 2018 |
}
|
2077 | 2019 |
// Free SSL object
|
2078 | 2020 |
SSL_free(ssl);
|
|
2893 | 2835 |
}
|
2894 | 2836 |
}
|
2895 | 2837 |
|
|
2838 |
int testProtocolCiphers(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
|
|
2839 |
{
|
|
2840 |
int status;
|
|
2841 |
status = true;
|
|
2842 |
strncpy(options->cipherstring, "ALL:eNULL", 10);
|
|
2843 |
|
|
2844 |
// Loop until the server won't accept any more ciphers
|
|
2845 |
while (status == true)
|
|
2846 |
{
|
|
2847 |
// Setup Context Object...
|
|
2848 |
options->ctx = SSL_CTX_new(sslMethod);
|
|
2849 |
if (options->ctx != NULL)
|
|
2850 |
{
|
|
2851 |
|
|
2852 |
// SSL implementation bugs/workaround
|
|
2853 |
if (options->sslbugs)
|
|
2854 |
SSL_CTX_set_options(options->ctx, SSL_OP_ALL | 0);
|
|
2855 |
else
|
|
2856 |
SSL_CTX_set_options(options->ctx, 0);
|
|
2857 |
|
|
2858 |
// Load Certs if required...
|
|
2859 |
if ((options->clientCertsFile != 0) || (options->privateKeyFile != 0))
|
|
2860 |
status = loadCerts(options);
|
|
2861 |
|
|
2862 |
// Test the cipher
|
|
2863 |
if (status == true)
|
|
2864 |
status = testCipher(options, sslMethod);
|
|
2865 |
|
|
2866 |
// Free CTX Object
|
|
2867 |
SSL_CTX_free(options->ctx);
|
|
2868 |
}
|
|
2869 |
|
|
2870 |
// Error Creating Context Object
|
|
2871 |
else
|
|
2872 |
{
|
|
2873 |
printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
|
|
2874 |
return false;
|
|
2875 |
}
|
|
2876 |
}
|
|
2877 |
return true;
|
|
2878 |
}
|
|
2879 |
|
2896 | 2880 |
// Test a single host and port for ciphers...
|
2897 | 2881 |
int testHost(struct sslCheckOptions *options)
|
2898 | 2882 |
{
|
|
2912 | 2896 |
// Test renegotiation
|
2913 | 2897 |
printf("Testing SSL server %s%s%s on port %s%d%s\n\n", COL_GREEN, options->host, RESET, COL_GREEN, options->port, RESET);
|
2914 | 2898 |
|
2915 | |
sslCipherPointer = options->ciphers;
|
2916 | |
|
2917 | 2899 |
if (options->showClientCiphers == true)
|
2918 | 2900 |
{
|
|
2901 |
// Build a list of ciphers...
|
|
2902 |
switch (options->sslVersion)
|
|
2903 |
{
|
|
2904 |
case ssl_all:
|
|
2905 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
|
2906 |
populateCipherList(options, TLSv1_2_client_method());
|
|
2907 |
populateCipherList(options, TLSv1_1_client_method());
|
|
2908 |
#endif
|
|
2909 |
populateCipherList(options, TLSv1_client_method());
|
|
2910 |
#ifndef OPENSSL_NO_SSL3
|
|
2911 |
populateCipherList(options, SSLv3_client_method());
|
|
2912 |
#endif
|
|
2913 |
#ifndef OPENSSL_NO_SSL2
|
|
2914 |
populateCipherList(options, SSLv2_client_method());
|
|
2915 |
#endif
|
|
2916 |
break;
|
|
2917 |
case tls_all:
|
|
2918 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
|
2919 |
populateCipherList(options, TLSv1_2_client_method());
|
|
2920 |
populateCipherList(options, TLSv1_1_client_method());
|
|
2921 |
#endif
|
|
2922 |
populateCipherList(options, TLSv1_client_method());
|
|
2923 |
break;
|
|
2924 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
|
2925 |
case tls_v12:
|
|
2926 |
populateCipherList(options, TLSv1_2_client_method());
|
|
2927 |
break;
|
|
2928 |
case tls_v11:
|
|
2929 |
populateCipherList(options, TLSv1_1_client_method());
|
|
2930 |
break;
|
|
2931 |
#endif
|
|
2932 |
case tls_v10:
|
|
2933 |
populateCipherList(options, TLSv1_client_method());
|
|
2934 |
break;
|
|
2935 |
#ifndef OPENSSL_NO_SSL3
|
|
2936 |
case ssl_v3:
|
|
2937 |
populateCipherList(options, SSLv3_client_method());
|
|
2938 |
break;
|
|
2939 |
#endif
|
|
2940 |
#ifndef OPENSSL_NO_SSL2
|
|
2941 |
case ssl_v2:
|
|
2942 |
populateCipherList(options, SSLv2_client_method());
|
|
2943 |
break;
|
|
2944 |
#endif
|
|
2945 |
}
|
2919 | 2946 |
printf("\n %sSupported Client Cipher(s):%s\n", COL_BLUE, RESET);
|
|
2947 |
sslCipherPointer = options->ciphers;
|
2920 | 2948 |
while ((sslCipherPointer != 0) && (status == true))
|
2921 | 2949 |
{
|
2922 | 2950 |
printf(" %s\n",sslCipherPointer->name);
|
2923 | |
printf_xml(" <client-cipher cipher=\"%s\">\n", sslCipherPointer->name);
|
|
2951 |
printf_xml(" <client-cipher cipher=\"%s\" />\n", sslCipherPointer->name);
|
2924 | 2952 |
|
2925 | 2953 |
sslCipherPointer = sslCipherPointer->next;
|
2926 | 2954 |
}
|
|
2955 |
printf("\n");
|
2927 | 2956 |
}
|
2928 | 2957 |
|
2929 | 2958 |
if (status == true && options->reneg )
|
|
2941 | 2970 |
if (status == true && options->heartbleed )
|
2942 | 2971 |
{
|
2943 | 2972 |
printf(" %sHeartbleed:%s\n", COL_BLUE, RESET);
|
|
2973 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
|
2974 |
if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v12)
|
|
2975 |
{
|
|
2976 |
printf("TLS 1.2 ");
|
|
2977 |
status = testHeartbleed(options, TLSv1_2_client_method());
|
|
2978 |
}
|
|
2979 |
if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v11)
|
|
2980 |
{
|
|
2981 |
printf("TLS 1.1 ");
|
|
2982 |
status = testHeartbleed(options, TLSv1_1_client_method());
|
|
2983 |
}
|
|
2984 |
#endif
|
2944 | 2985 |
if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v10)
|
2945 | 2986 |
{
|
2946 | 2987 |
printf("TLS 1.0 ");
|
2947 | 2988 |
status = testHeartbleed(options, TLSv1_client_method());
|
2948 | 2989 |
}
|
2949 | |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
2950 | |
if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v11)
|
2951 | |
{
|
2952 | |
printf("TLS 1.1 ");
|
2953 | |
status = testHeartbleed(options, TLSv1_1_client_method());
|
2954 | |
}
|
2955 | |
if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v12)
|
2956 | |
{
|
2957 | |
printf("TLS 1.2 ");
|
2958 | |
status = testHeartbleed(options, TLSv1_2_client_method());
|
2959 | |
}
|
2960 | |
#endif
|
2961 | 2990 |
if( options->sslVersion == ssl_v2 || options->sslVersion == ssl_v3)
|
2962 | 2991 |
{
|
2963 | 2992 |
printf("%sAll TLS protocols disabled, cannot check for heartbleed.\n%s", COL_RED, RESET);
|
|
2979 | 3008 |
{
|
2980 | 3009 |
// Test supported ciphers...
|
2981 | 3010 |
printf(" %sSupported Server Cipher(s):%s\n", COL_BLUE, RESET);
|
2982 | |
sslCipherPointer = options->ciphers;
|
2983 | |
while ((sslCipherPointer != 0) && (status == true))
|
2984 | |
{
|
2985 | |
|
2986 | |
// Setup Context Object...
|
2987 | |
options->ctx = SSL_CTX_new(sslCipherPointer->sslMethod);
|
2988 | |
if (options->ctx != NULL)
|
2989 | |
{
|
2990 | |
|
2991 | |
// SSL implementation bugs/workaround
|
2992 | |
if (options->sslbugs)
|
2993 | |
SSL_CTX_set_options(options->ctx, SSL_OP_ALL | 0);
|
2994 | |
else
|
2995 | |
SSL_CTX_set_options(options->ctx, 0);
|
2996 | |
|
2997 | |
// Load Certs if required...
|
2998 | |
if ((options->clientCertsFile != 0) || (options->privateKeyFile != 0))
|
2999 | |
status = loadCerts(options);
|
3000 | |
|
3001 | |
|
3002 | |
// Test
|
3003 | |
if (status == true)
|
3004 | |
status = testCipher(options, sslCipherPointer);
|
3005 | |
|
3006 | |
// Free CTX Object
|
3007 | |
SSL_CTX_free(options->ctx);
|
3008 | |
}
|
3009 | |
|
3010 | |
// Error Creating Context Object
|
3011 | |
else
|
3012 | |
{
|
3013 | |
status = false;
|
3014 | |
printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
|
3015 | |
}
|
3016 | |
|
3017 | |
sslCipherPointer = sslCipherPointer->next;
|
3018 | |
|
3019 | |
}
|
3020 | |
printf("\n");
|
3021 | |
}
|
3022 | |
if (status == true && options->getPreferredCiphers == true)
|
3023 | |
{
|
3024 | |
// Test preferred ciphers...
|
3025 | |
printf(" %sPreferred Server Cipher(s):%s\n", COL_BLUE, RESET);
|
3026 | 3011 |
switch (options->sslVersion)
|
3027 | 3012 |
{
|
3028 | 3013 |
case ssl_all:
|
3029 | |
#ifndef OPENSSL_NO_SSL2
|
3030 | |
status = defaultCipher(options, SSLv2_client_method());
|
3031 | |
#endif
|
|
3014 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
|
3015 |
if (status != false)
|
|
3016 |
status = testProtocolCiphers(options, TLSv1_2_client_method());
|
|
3017 |
if (status != false)
|
|
3018 |
status = testProtocolCiphers(options, TLSv1_1_client_method());
|
|
3019 |
#endif
|
|
3020 |
if (status != false)
|
|
3021 |
status = testProtocolCiphers(options, TLSv1_client_method());
|
3032 | 3022 |
#ifndef OPENSSL_NO_SSL3
|
3033 | 3023 |
if (status != false)
|
3034 | |
status = defaultCipher(options, SSLv3_client_method());
|
3035 | |
#endif
|
|
3024 |
status = testProtocolCiphers(options, SSLv3_client_method());
|
|
3025 |
#endif
|
|
3026 |
#ifndef OPENSSL_NO_SSL2
|
3036 | 3027 |
if (status != false)
|
3037 | |
status = defaultCipher(options, TLSv1_client_method());
|
3038 | |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
3039 | |
if (status != false)
|
3040 | |
status = defaultCipher(options, TLSv1_1_client_method());
|
3041 | |
if (status != false)
|
3042 | |
status = defaultCipher(options, TLSv1_2_client_method());
|
|
3028 |
status = testProtocolCiphers(options, SSLv2_client_method());
|
3043 | 3029 |
#endif
|
3044 | 3030 |
break;
|
3045 | 3031 |
#ifndef OPENSSL_NO_SSL2
|
3046 | 3032 |
case ssl_v2:
|
3047 | |
status = defaultCipher(options, SSLv2_client_method());
|
|
3033 |
status = testProtocolCiphers(options, SSLv2_client_method());
|
3048 | 3034 |
break;
|
3049 | 3035 |
#endif
|
3050 | 3036 |
#ifndef OPENSSL_NO_SSL3
|
3051 | 3037 |
case ssl_v3:
|
3052 | |
status = defaultCipher(options, SSLv3_client_method());
|
|
3038 |
status = testProtocolCiphers(options, SSLv3_client_method());
|
3053 | 3039 |
break;
|
3054 | 3040 |
#endif
|
3055 | 3041 |
case tls_all:
|
3056 | |
if (status != false)
|
3057 | |
status = defaultCipher(options, TLSv1_client_method());
|
3058 | 3042 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
3059 | 3043 |
if (status != false)
|
3060 | |
status = defaultCipher(options, TLSv1_1_client_method());
|
|
3044 |
status = testProtocolCiphers(options, TLSv1_2_client_method());
|
3061 | 3045 |
if (status != false)
|
3062 | |
status = defaultCipher(options, TLSv1_2_client_method());
|
3063 | |
#endif
|
|
3046 |
status = testProtocolCiphers(options, TLSv1_1_client_method());
|
|
3047 |
#endif
|
|
3048 |
if (status != false)
|
|
3049 |
status = testProtocolCiphers(options, TLSv1_client_method());
|
3064 | 3050 |
break;
|
3065 | 3051 |
case tls_v10:
|
3066 | |
status = defaultCipher(options, TLSv1_client_method());
|
|
3052 |
status = testProtocolCiphers(options, TLSv1_client_method());
|
3067 | 3053 |
break;
|
3068 | 3054 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
3069 | 3055 |
case tls_v11:
|
3070 | |
status = defaultCipher(options, TLSv1_1_client_method());
|
|
3056 |
status = testProtocolCiphers(options, TLSv1_1_client_method());
|
3071 | 3057 |
break;
|
3072 | 3058 |
case tls_v12:
|
3073 | |
status = defaultCipher(options, TLSv1_2_client_method());
|
|
3059 |
status = testProtocolCiphers(options, TLSv1_2_client_method());
|
3074 | 3060 |
break;
|
3075 | 3061 |
#endif
|
3076 | 3062 |
}
|
|
3085 | 3071 |
// Show weak certificate signing algorithm or key strength
|
3086 | 3072 |
if (status == true && options->checkCertificate == true)
|
3087 | 3073 |
{
|
3088 | |
status = checkCertificate(options);
|
|
3074 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
|
3075 |
if (status != false)
|
|
3076 |
{
|
|
3077 |
status = checkCertificateProtocol(options, TLSv1_2_client_method());
|
|
3078 |
}
|
|
3079 |
if (status != false)
|
|
3080 |
status = checkCertificateProtocol(options, TLSv1_1_client_method());
|
|
3081 |
#endif
|
|
3082 |
if (status != false)
|
|
3083 |
status = checkCertificateProtocol(options, TLSv1_client_method());
|
|
3084 |
#ifndef OPENSSL_NO_SSL3
|
|
3085 |
if (status != false)
|
|
3086 |
status = checkCertificateProtocol(options, SSLv3_client_method());
|
|
3087 |
#endif
|
|
3088 |
#ifndef OPENSSL_NO_SSL2
|
|
3089 |
if (status != false)
|
|
3090 |
status = checkCertificateProtocol(options, SSLv2_client_method());
|
|
3091 |
#endif
|
3089 | 3092 |
}
|
3090 | 3093 |
|
3091 | 3094 |
// Print client auth trusted CAs
|
|
3125 | 3128 |
memset(&options, 0, sizeof(struct sslCheckOptions));
|
3126 | 3129 |
options.port = 0;
|
3127 | 3130 |
xmlArg = 0;
|
3128 | |
strcpy(options.host, "127.0.0.1");
|
3129 | |
options.noFailed = true;
|
|
3131 |
strncpy(options.host, "127.0.0.1", 10);
|
3130 | 3132 |
options.showCertificate = false;
|
3131 | 3133 |
options.showTrustedCAs = false;
|
3132 | 3134 |
options.checkCertificate = true;
|
3133 | 3135 |
options.showClientCiphers = false;
|
|
3136 |
options.showCipherIds = false;
|
|
3137 |
options.showTimes = false;
|
3134 | 3138 |
options.ciphersuites = true;
|
3135 | 3139 |
options.reneg = true;
|
3136 | 3140 |
options.compression = true;
|
|
3141 | 3145 |
options.starttls_pop3 = false;
|
3142 | 3146 |
options.starttls_smtp = false;
|
3143 | 3147 |
options.starttls_xmpp = false;
|
|
3148 |
options.starttls_psql = false;
|
3144 | 3149 |
options.xmpp_server = false;
|
3145 | 3150 |
options.verbose = false;
|
3146 | 3151 |
options.cipher_details = true;
|
3147 | 3152 |
options.ipv4 = true;
|
3148 | 3153 |
options.ipv6 = true;
|
3149 | |
options.getPreferredCiphers = true;
|
3150 | 3154 |
options.ocspStatus = false;
|
3151 | 3155 |
|
3152 | 3156 |
// Default socket timeout 3s
|
|
3182 | 3186 |
options.targets = argLoop;
|
3183 | 3187 |
}
|
3184 | 3188 |
|
3185 | |
// Show unsupported ciphers
|
3186 | |
else if (strcmp("--failed", argv[argLoop]) == 0)
|
3187 | |
options.noFailed = false;
|
3188 | |
|
3189 | 3189 |
// Show certificate
|
3190 | 3190 |
else if (strcmp("--show-certificate", argv[argLoop]) == 0)
|
3191 | 3191 |
options.showCertificate = true;
|
|
3197 | 3197 |
// Show supported client ciphers
|
3198 | 3198 |
else if (strcmp("--show-ciphers", argv[argLoop]) == 0)
|
3199 | 3199 |
options.showClientCiphers = true;
|
|
3200 |
|
|
3201 |
// Show ciphers ids
|
|
3202 |
else if (strcmp("--show-cipher-ids", argv[argLoop]) == 0)
|
|
3203 |
{
|
|
3204 |
options.showCipherIds = true;
|
|
3205 |
}
|
|
3206 |
|
|
3207 |
// Show handshake times
|
|
3208 |
else if (strcmp("--show-times", argv[argLoop]) == 0)
|
|
3209 |
{
|
|
3210 |
options.showTimes = true;
|
|
3211 |
}
|
3200 | 3212 |
|
3201 | 3213 |
// Show client auth trusted CAs
|
3202 | 3214 |
else if (strcmp("--show-client-cas", argv[argLoop]) == 0)
|
|
3229 | 3241 |
COL_BLUE = "";
|
3230 | 3242 |
COL_GREEN = "";
|
3231 | 3243 |
COL_PURPLE = "";
|
3232 | |
COL_RED_BG = "";
|
|
3244 |
COL_RED_BG = "";
|
3233 | 3245 |
}
|
3234 | 3246 |
|
3235 | 3247 |
// Client Certificates
|
|
3260 | 3272 |
else if (strcmp("--no-heartbleed", argv[argLoop]) == 0)
|
3261 | 3273 |
options.heartbleed = false;
|
3262 | 3274 |
|
3263 | |
// Don't determine preferred ciphers
|
3264 | |
else if (strcmp("--no-preferred", argv[argLoop]) == 0)
|
3265 | |
options.getPreferredCiphers = false;
|
3266 | |
|
3267 | 3275 |
// StartTLS... FTP
|
3268 | 3276 |
else if (strcmp("--starttls-ftp", argv[argLoop]) == 0)
|
3269 | 3277 |
options.starttls_ftp = true;
|
|
3286 | 3294 |
// StartTLS... XMPP
|
3287 | 3295 |
else if (strcmp("--starttls-xmpp", argv[argLoop]) == 0)
|
3288 | 3296 |
options.starttls_xmpp = true;
|
|
3297 |
|
|
3298 |
// StartTLS... PostgreSQL
|
|
3299 |
else if (strcmp("--starttls-psql", argv[argLoop]) == 0)
|
|
3300 |
options.starttls_psql = true;
|
|
3301 |
|
3289 | 3302 |
#ifndef OPENSSL_NO_SSL2
|
3290 | 3303 |
// SSL v2 only...
|
3291 | 3304 |
else if (strcmp("--ssl2", argv[argLoop]) == 0)
|
|
3405 | 3418 |
else if (options.port == 0) {
|
3406 | 3419 |
if (options.starttls_ftp)
|
3407 | 3420 |
options.port = 21;
|
3408 | |
if (options.starttls_imap)
|
|
3421 |
else if (options.starttls_imap)
|
3409 | 3422 |
options.port = 143;
|
3410 | |
if (options.starttls_irc)
|
|
3423 |
else if (options.starttls_irc)
|
3411 | 3424 |
options.port = 6667;
|
3412 | |
if (options.starttls_pop3)
|
|
3425 |
else if (options.starttls_pop3)
|
3413 | 3426 |
options.port = 110;
|
3414 | |
if (options.starttls_smtp)
|
|
3427 |
else if (options.starttls_smtp)
|
3415 | 3428 |
options.port = 25;
|
3416 | |
if (options.starttls_xmpp)
|
|
3429 |
else if (options.starttls_xmpp)
|
3417 | 3430 |
options.port = 5222;
|
3418 | |
if (options.rdp)
|
|
3431 |
else if (options.starttls_psql)
|
|
3432 |
options.port = 5432;
|
|
3433 |
else if (options.rdp)
|
3419 | 3434 |
options.port = 3389;
|
3420 | |
if (options.port == 0)
|
|
3435 |
else
|
3421 | 3436 |
options.port = 443;
|
3422 | 3437 |
}
|
3423 | 3438 |
}
|
|
3482 | 3497 |
printf(" Hosts can be supplied with ports (host:port)\n");
|
3483 | 3498 |
printf(" %s--ipv4%s Only use IPv4\n", COL_GREEN, RESET);
|
3484 | 3499 |
printf(" %s--ipv6%s Only use IPv6\n", COL_GREEN, RESET);
|
3485 | |
printf(" %s--failed%s Show unsupported ciphers.\n", COL_GREEN, RESET);
|
3486 | |
printf(" %s--show-certificate%s Show full certificate information.\n", COL_GREEN, RESET);
|
3487 | |
printf(" %s--no-check-certificate%s Don't warn about weak certificate algorithm or keys.\n", COL_GREEN, RESET);
|
3488 | |
printf(" %s--show-client-cas%s Show trusted CAs for TLS client auth.\n", COL_GREEN, RESET);
|
3489 | |
printf(" %s--show-ciphers%s Show supported client ciphers.\n", COL_GREEN, RESET);
|
|
3500 |
printf(" %s--show-certificate%s Show full certificate information\n", COL_GREEN, RESET);
|
|
3501 |
printf(" %s--no-check-certificate%s Don't warn about weak certificate algorithm or keys\n", COL_GREEN, RESET);
|
|
3502 |
printf(" %s--show-client-cas%s Show trusted CAs for TLS client auth\n", COL_GREEN, RESET);
|
|
3503 |
printf(" %s--show-ciphers%s Show supported client ciphers\n", COL_GREEN, RESET);
|
|
3504 |
printf(" %s--show-cipher-ids%s Show cipher ids\n", COL_GREEN, RESET);
|
|
3505 |
printf(" %s--show-times%s Show handhake times in milliseconds\n", COL_GREEN, RESET);
|
3490 | 3506 |
#ifndef OPENSSL_NO_SSL2
|
3491 | |
printf(" %s--ssl2%s Only check SSLv2 ciphers.\n", COL_GREEN, RESET);
|
|
3507 |
printf(" %s--ssl2%s Only check SSLv2 ciphers\n", COL_GREEN, RESET);
|
3492 | 3508 |
#endif
|
3493 | 3509 |
#ifndef OPENSSL_NO_SSL3
|
3494 | |
printf(" %s--ssl3%s Only check SSLv3 ciphers.\n", COL_GREEN, RESET);
|
3495 | |
#endif
|
3496 | |
printf(" %s--tls10%s Only check TLSv1.0 ciphers.\n", COL_GREEN, RESET);
|
|
3510 |
printf(" %s--ssl3%s Only check SSLv3 ciphers\n", COL_GREEN, RESET);
|
|
3511 |
#endif
|
|
3512 |
printf(" %s--tls10%s Only check TLSv1.0 ciphers\n", COL_GREEN, RESET);
|
3497 | 3513 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
3498 | |
printf(" %s--tls11%s Only check TLSv1.1 ciphers.\n", COL_GREEN, RESET);
|
3499 | |
printf(" %s--tls12%s Only check TLSv1.2 ciphers.\n", COL_GREEN, RESET);
|
3500 | |
#endif
|
3501 | |
printf(" %s--tlsall%s Only check TLS ciphers (all versions).\n", COL_GREEN, RESET);
|
3502 | |
printf(" %s--ocsp%s Request OCSP response from server.\n", COL_GREEN, RESET);
|
|
3514 |
printf(" %s--tls11%s Only check TLSv1.1 ciphers\n", COL_GREEN, RESET);
|
|
3515 |
printf(" %s--tls12%s Only check TLSv1.2 ciphers\n", COL_GREEN, RESET);
|
|
3516 |
#endif
|
|
3517 |
printf(" %s--tlsall%s Only check TLS ciphers (all versions)\n", COL_GREEN, RESET);
|
|
3518 |
printf(" %s--ocsp%s Request OCSP response from server\n", COL_GREEN, RESET);
|
3503 | 3519 |
printf(" %s--pk=<file>%s A file containing the private key or a PKCS#12 file\n", COL_GREEN, RESET);
|
3504 | 3520 |
printf(" containing a private key/certificate pair\n");
|
3505 | 3521 |
printf(" %s--pkpass=<password>%s The password for the private key or PKCS#12 file\n", COL_GREEN, RESET);
|
3506 | 3522 |
printf(" %s--certs=<file>%s A file containing PEM/ASN1 formatted client certificates\n", COL_GREEN, RESET);
|
3507 | |
printf(" %s--no-ciphersuites%s Only check for supported SSL/TLS versions, not ciphers\n", COL_GREEN, RESET);
|
|
3523 |
printf(" %s--no-ciphersuites%s Do not check for supported ciphersuites\n", COL_GREEN, RESET);
|
3508 | 3524 |
printf(" %s--no-renegotiation%s Do not check for TLS renegotiation\n", COL_GREEN, RESET);
|
3509 | 3525 |
printf(" %s--no-compression%s Do not check for TLS compression (CRIME)\n", COL_GREEN, RESET);
|
3510 | 3526 |
printf(" %s--no-heartbleed%s Do not check for OpenSSL Heartbleed (CVE-2014-0160)\n", COL_GREEN, RESET);
|
3511 | |
printf(" %s--no-preferred%s Do not determine preferred ciphers\n", COL_GREEN, RESET);
|
3512 | 3527 |
printf(" %s--starttls-ftp%s STARTTLS setup for FTP\n", COL_GREEN, RESET);
|
3513 | 3528 |
printf(" %s--starttls-imap%s STARTTLS setup for IMAP\n", COL_GREEN, RESET);
|
3514 | 3529 |
printf(" %s--starttls-irc%s STARTTLS setup for IRC\n", COL_GREEN, RESET);
|
3515 | 3530 |
printf(" %s--starttls-pop3%s STARTTLS setup for POP3\n", COL_GREEN, RESET);
|
3516 | 3531 |
printf(" %s--starttls-smtp%s STARTTLS setup for SMTP\n", COL_GREEN, RESET);
|
3517 | 3532 |
printf(" %s--starttls-xmpp%s STARTTLS setup for XMPP\n", COL_GREEN, RESET);
|
3518 | |
printf(" %s--xmpp-server%s Use a server-to-server XMPP handshake.\n", COL_GREEN, RESET);
|
3519 | |
printf(" %s--http%s Test a HTTP connection.\n", COL_GREEN, RESET);
|
3520 | |
printf(" %s--rdp%s Send RDP preamble before starting scan.\n", COL_GREEN, RESET);
|
|
3533 |
printf(" %s--starttls-psql%s STARTTLS setup for PostgreSQL\n", COL_GREEN, RESET);
|
|
3534 |
printf(" %s--xmpp-server%s Use a server-to-server XMPP handshake\n", COL_GREEN, RESET);
|
|
3535 |
printf(" %s--http%s Test a HTTP connection\n", COL_GREEN, RESET);
|
|
3536 |
printf(" %s--rdp%s Send RDP preamble before starting scan\n", COL_GREEN, RESET);
|
3521 | 3537 |
printf(" %s--bugs%s Enable SSL implementation bug work-arounds\n", COL_GREEN, RESET);
|
3522 | |
printf(" %s--timeout=<sec>%s Set socket timeout. Default is 3s.\n", COL_GREEN, RESET);
|
3523 | |
printf(" %s--sleep=<msec>%s Pause between connection request. Default is disabled.\n", COL_GREEN, RESET);
|
3524 | |
printf(" %s--xml=<file>%s Output results to an XML file.\n", COL_GREEN, RESET);
|
3525 | |
printf(" %s--version%s Display the program version.\n", COL_GREEN, RESET);
|
3526 | |
printf(" %s--verbose%s Display verbose output.\n", COL_GREEN, RESET);
|
|
3538 |
printf(" %s--timeout=<sec>%s Set socket timeout. Default is 3s\n", COL_GREEN, RESET);
|
|
3539 |
printf(" %s--sleep=<msec>%s Pause between connection request. Default is disabled\n", COL_GREEN, RESET);
|
|
3540 |
printf(" %s--xml=<file>%s Output results to an XML file\n", COL_GREEN, RESET);
|
|
3541 |
printf(" %s--version%s Display the program version\n", COL_GREEN, RESET);
|
|
3542 |
printf(" %s--verbose%s Display verbose output\n", COL_GREEN, RESET);
|
3527 | 3543 |
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
3528 | |
printf(" %s--no-cipher-details%s Display EC curve names and EDH key lengths.\n", COL_GREEN, RESET);
|
3529 | |
#endif
|
3530 | |
printf(" %s--no-colour%s Disable coloured output.\n", COL_GREEN, RESET);
|
|
3544 |
printf(" %s--no-cipher-details%s Disable EC curve names and EDH/RSA key lengths output\n", COL_GREEN, RESET);
|
|
3545 |
#endif
|
|
3546 |
printf(" %s--no-colour%s Disable coloured output\n", COL_GREEN, RESET);
|
3531 | 3547 |
printf(" %s--help%s Display the help text you are now reading\n\n", COL_GREEN, RESET);
|
3532 | 3548 |
printf("%sExample:%s\n", COL_BLUE, RESET);
|
3533 | 3549 |
printf(" %s%s 127.0.0.1%s\n", COL_GREEN, argv[0], RESET);
|
|
3556 | 3572 |
|
3557 | 3573 |
SSLeay_add_all_algorithms();
|
3558 | 3574 |
ERR_load_crypto_strings();
|
3559 | |
|
3560 | |
// Build a list of ciphers...
|
3561 | |
switch (options.sslVersion)
|
3562 | |
{
|
3563 | |
case ssl_all:
|
3564 | |
#ifndef OPENSSL_NO_SSL2
|
3565 | |
populateCipherList(&options, SSLv2_client_method());
|
3566 | |
#endif
|
3567 | |
#ifndef OPENSSL_NO_SSL3
|
3568 | |
populateCipherList(&options, SSLv3_client_method());
|
3569 | |
#endif
|
3570 | |
populateCipherList(&options, TLSv1_client_method());
|
3571 | |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
3572 | |
populateCipherList(&options, TLSv1_1_client_method());
|
3573 | |
populateCipherList(&options, TLSv1_2_client_method());
|
3574 | |
#endif
|
3575 | |
break;
|
3576 | |
#ifndef OPENSSL_NO_SSL2
|
3577 | |
case ssl_v2:
|
3578 | |
populateCipherList(&options, SSLv2_client_method());
|
3579 | |
break;
|
3580 | |
#endif
|
3581 | |
#ifndef OPENSSL_NO_SSL3
|
3582 | |
case ssl_v3:
|
3583 | |
populateCipherList(&options, SSLv3_client_method());
|
3584 | |
break;
|
3585 | |
#endif
|
3586 | |
case tls_all:
|
3587 | |
populateCipherList(&options, TLSv1_client_method());
|
3588 | |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
3589 | |
populateCipherList(&options, TLSv1_1_client_method());
|
3590 | |
populateCipherList(&options, TLSv1_2_client_method());
|
3591 | |
#endif
|
3592 | |
break;
|
3593 | |
case tls_v10:
|
3594 | |
populateCipherList(&options, TLSv1_client_method());
|
3595 | |
break;
|
3596 | |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
3597 | |
case tls_v11:
|
3598 | |
populateCipherList(&options, TLSv1_1_client_method());
|
3599 | |
break;
|
3600 | |
case tls_v12:
|
3601 | |
populateCipherList(&options, TLSv1_2_client_method());
|
3602 | |
break;
|
3603 | |
#endif
|
3604 | |
}
|
3605 | 3575 |
|
3606 | 3576 |
// Do the testing...
|
3607 | 3577 |
if (mode == mode_single)
|