Codebase list sslscan / 3d1c644
Imported Debian patch 1.11.5-rbsec-1 Marvin Stark authored 8 years ago Sophie Brun committed 8 years ago
16 changed file(s) with 751 addition(s) and 658 deletion(s). Raw diff Collapse all Expand all
+17
-0
.gitignore less more
0 # object files
1 *.o
2 *.obj
3
4 # compiled binary
5 sslscan
6 sslscan.exe
7
8 # debian build of openssl
9 openssl-*/
10 openssl_*
11 libcrypto*
12 libssl*
13
14 # custom openssl build
15 openssl/
16 .openssl.is.fresh
+19
-0
.travis.yml less more
0 language: c
1
2 compiler:
3 - clang
4 - gcc
5
6 env:
7 - TARGET=sslscan
8 - TARGET=static
9
10 script:
11 - make $TARGET CC=$CC
12
13 matrix:
14 exclude:
15 # OpenSSL can't be compiled out-of-the box with clang, see
16 # http://wiki.openssl.org/index.php/Compilation_and_Installation#Modifying_Build_Settings
17 - compiler: clang
18 env: TARGET=static
+60
-0
Changelog less more
00 Changelog
11 =========
2
3 Version: 1.11.5
4 Date : 24/03/2016
5 Author : rbsec <[email protected]>
6 Changes: The following are a list of changes
7 > Fix bug in heartbleed check (credit nuxi)
8 > Makefile improvements and fixes for OSX and FreeBSD
9 > Optimize OpenSSL clone
10 > Implement --show-times to display handshake times in milliseconds
11
12 Version: 1.11.4
13 Date : 06/03/2016
14 Author : rbsec <[email protected]>
15 Changes: The following are a list of changes
16 > Fix compression detection (credit nuxi)
17 > Added support for PostgreSQL (credit nuxi)
18
19 Version: 1.11.3
20 Date : 03/03/2016
21 Author : rbsec <[email protected]>
22 Changes: The following are a list of changes
23 > Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL
24
25 Version: 1.11.2
26 Date : 02/03/2016
27 Author : rbsec <[email protected]>
28 Changes: The following are a list of changes
29 > Makefile improvements
30 > Update OpenSSL from Git when statically building
31 > Use enable-ssl2 and enable-weak-ciphers when building statically
32
33 Version: 1.11.1
34 Date : 11/12/2015
35 Author : rbsec <[email protected]>
36 Changes: The following are a list of changes
37 > Show cipher IDs with --show-cipher-ids (credit maurice2k)
38 > Warn when building agsinst system OpenSSL rather than statically
39 > Allow building statically on OSX (experimental)
40
41 Version: 1.11.0
42 Date : 24/09/2015
43 Author : rbsec <[email protected]>
44 Changes: The following are a list of changes
45 > Rewrote ciphersuite scanning engine to be much faster
46 > Ciphers are now output in order of server preference
47 > Most secure protocols are scanned first (TLSv1.2 -> SSLv2)
48 > All protocols are tried when trying to obtain the certificate
49 > Obselete --failed and --no-preferred-ciphers options removed
50 > Flag TLSv1.0 ciphers in output
51 > Flag 56 bit ciphers as red, not yellow
52 > Fix building on OpenBSD (credit Stuart Henderson)
53 > Fix incorrect output when server prefers NULL ciphers
54
55 Version: 1.10.6
56 Date : 06/08/2015
57 Author : rbsec <[email protected]>
58 Changes: The following are a list of changes
59 > Fix --sleep only working for whole seconds (credit dmke)
60 > Fix compiling against OpenSSL 0.9.8 (credit aclemons)
61 > Flag expired certificates (credit jacktrice)
262
363 Version: 1.10.5
464 Date : 07/07/2015
+60
-15
Makefile less more
99 GIT_VERSION = $(shell grep -E -o -m 1 "[0-9]+\.[0-9]+\.[0-9]+" Changelog)
1010 endif
1111
12 # Detect OS
13 OS := $(shell uname)
14
1215 SRCS = sslscan.c
13 BINPATH = $(DESTDIR)/usr/bin/
14 MANPATH = $(DESTDIR)/usr/share/man/
16 PREFIX = /usr
17 BINDIR = $(PREFIX)/bin
18 MANDIR = $(PREFIX)/share/man
19 MAN1DIR = $(MANDIR)/man1
1520
1621 WARNINGS = -Wall -Wformat=2
1722 DEFINES = -DVERSION=\"$(GIT_VERSION)\"
1823
1924 # for dynamic linking
2025 LIBS = -lssl -lcrypto
26 ifneq ($(OS), FreeBSD)
27 LIBS += -ldl
28 endif
2129
2230 # for static linking
2331 ifeq ($(STATIC_BUILD), TRUE)
2432 PWD = $(shell pwd)/openssl
2533 LDFLAGS += -L${PWD}/
2634 CFLAGS += -I${PWD}/include/ -I${PWD}/
27 LIBS = -lssl -lcrypto -ldl
35 LIBS = -lssl -lcrypto -lz
36 ifneq ($(OS), FreeBSD)
37 LIBS += -ldl
38 endif
2839 GIT_VERSION := $(GIT_VERSION)-static
2940 else
3041 # for dynamic linking
31 LDFLAGS += -L/usr/local/ssl/lib/ -L/usr/local/opt/openssl/lib
32 CFLAGS += -I/usr/local/ssl/include/ -I/usr/local/ssl/include/openssl/ -I/usr/local/opt/openssl/include
42 LDFLAGS += -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/opt/openssl/lib -L/opt/local/lib
43 CFLAGS += -I/usr/local/include -I/usr/local/ssl/include -I/usr/local/ssl/include/openssl -I/usr/local/opt/openssl/include -I/opt/local/include -I/opt/local/include/openssl
3344 endif
3445
35 .PHONY: sslscan clean
46 .PHONY: all sslscan clean install uninstall static opensslpull
3647
3748 all: sslscan
49 @echo
50 @echo "==========="
51 @echo "| WARNING |"
52 @echo "==========="
53 @echo
54 @echo "Building against system OpenSSL. Legacy protocol checks may not be possible."
55 @echo "It is recommended that you statically build sslscan with \`make static\`."
56 @echo
3857
3958 sslscan: $(SRCS)
4059 $(CC) -o $@ ${WARNINGS} ${LDFLAGS} ${CFLAGS} ${CPPFLAGS} ${DEFINES} ${SRCS} ${LIBS}
4160
4261 install:
43 mkdir -p $(BINPATH)
44 mkdir -p $(MANPATH)man1/
45 cp sslscan $(BINPATH)
46 cp sslscan.1 $(MANPATH)man1/
62 @if [ ! -f sslscan ] ; then \
63 echo "\n=========\n| ERROR |\n========="; \
64 echo "Before installing you need to build sslscan with either \`make\` or \`make static\`\n"; \
65 exit 1; \
66 fi
67 ifeq ($(OS), Darwin)
68 install sslscan $(DESTDIR)$(BINDIR)/sslscan;
69 install sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1;
70 else
71 install -D sslscan $(DESTDIR)$(BINDIR)/sslscan;
72 install -D sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1;
73 endif
4774
4875 uninstall:
49 rm -f $(BINPATH)sslscan
50 rm -f $(MANPATH)man1/sslscan.1
76 rm -f $(DESTDIR)$(BINDIR)/sslscan
77 rm -f $(DESTDIR)$(MAN1DIR)/sslscan.1
5178
52 openssl/Makefile:
53 [ -d openssl -a -d openssl/.git ] && true || git clone https://github.com/openssl/openssl ./openssl && cd ./openssl && git checkout OpenSSL_1_0_2-stable
79 .openssl.is.fresh: opensslpull
80 true
81 opensslpull:
82 if [ -d openssl -a -d openssl/.git ]; then \
83 cd ./openssl && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
84 else \
85 git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
86 fi
87 sed -i.bak 's/# if 0/# if 1/g' openssl/ssl/s2_lib.c
88 rm openssl/ssl/s2_lib.c.bak
89
90 # Need to build OpenSSL differently on OSX
91 ifeq ($(OS), Darwin)
92 openssl/Makefile: .openssl.is.fresh
93 cd ./openssl; ./Configure enable-ssl2 enable-weak-ssl-ciphers zlib darwin64-x86_64-cc
94 # Any other *NIX platform
95 else
96 openssl/Makefile: .openssl.is.fresh
97 cd ./openssl; ./config no-shares enable-weak-ssl-ciphers enable-ssl2 zlib
98 endif
5499
55100 openssl/libcrypto.a: openssl/Makefile
56 cd ./openssl; ./config no-shares
57101 $(MAKE) -C openssl depend
58102 $(MAKE) -C openssl all
59103 $(MAKE) -C openssl test
64108 clean:
65109 if [ -d openssl -a -d openssl/.git ]; then ( cd ./openssl; git clean -fx ); fi;
66110 rm -f sslscan
111 rm -f .openssl.is.fresh
+20
-2
README.md less more
3131 * Experimental Windows support (credit jtesta).
3232 * Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 (--no-cipher-details)
3333 * Flag weak DHE keys with OpenSSL >= 1.0.2 (--cipher-details)
34 * Flag expired certificates
35 * Flag TLSv1.0 ciphers in output as weak.
36 * Experimental OSX support (static building only)
37 * Support for scanning PostgreSQL servers (credit nuxi)
3438
3539 ### Building on Windows
3640 Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can
4145 tested on Windows. As such, the Windows version should be considered experimental.
4246
4347 Pre-build cross-compiled Windows binaries are available on the [GitHub Releases Page](https://github.com/rbsec/sslscan/releases).
48
49
50 ### Building on OS X
51 There is experimental support for statically building on OS X, however this
52 should be considered unsupported. You may need to install any dependencies
53 required to compile OpenSSL from source on OS X. Once you have, just run:
54
55 make static
4456
4557 ### OpenSSL issues
4658
5668 To compile your own OpenSSL version, you'll probably need to install the
5769 OpenSSL build dependencies:
5870
59 apt-get install build-essential git
71 apt-get install build-essential git zlib1g-dev
6072 apt-get build-dep openssl
6173
6274 then run
88100
89101 The package can be found in the [Kali Git Repository](http://git.kali.org/gitweb/?p=packages/sslscan.git;a=summary).
90102
91 If for whatever reason you can't install this package, follow the instructions below for building on Debian.
103 If for whatever reason you can't install this package, follow the instructions
104 above for statically building against OpenSSL.
92105
93106 #### Building on Debian
107 It is recommended that you statically build sslscan using the instructions listed
108 above. If this is not an option and you want to compile your system OpenSSL
109 with support for legacy protocols such as SSLv2 and SSLv3 then follow the
110 instructions below.
111
94112 Note that many modern distros (including Debian) ship with a version of OpenSSL
95113 that disables support for SSLv2 ciphers. If `sslscan` is compiled on one of
96114 these distros, it will not be able to detect SSLv2.
+1
-1
TODO less more
1111 Add HTML report generation
1212 Add diff between reported and actually supported ciphers
1313 Make a Debian package
14 We should explictly check for things that may be NULL; the original author was not very careful.
14 We should explicitly check for things that may be NULL; the original author was not very careful.
1515 Perhaps write a GUI for people who are console adverse?
1616 Compare with http://www.thesprawl.org/memdump/?entry=7
1717 Finally, we should send a diff from 1.8.2 to the upstream developer
+14
-0
debian/changelog less more
0 sslscan (1.11.5-rbsec-1) unstable; urgency=medium
1
2 * New Upstream release (Closes: #804616)
3 * debian/control
4 - Updated Standard-Version to 3.9.7.0
5 * Updated debian/watch
6 * Updated debian/rules to 3.0 (quilt) format
7 * Updated debian/copyright
8 * Upload to unstable
9 * Removed useless patches
10 * Removed git from Build-Depends
11
12 -- Marvin Stark <[email protected]> Fri, 01 Apr 2016 10:04:10 +0200
13
014 sslscan (1.10.5~git2365584ac4-1) experimental; urgency=medium
115
216 * New upstream release (Closes: #765692)
+2
-2
debian/control less more
22 Priority: extra
33 Maintainer: Marvin Stark <[email protected]>
44 Homepage: https://github.com/rbsec/sslscan
5 Build-Depends: debhelper (>= 9), libssl-dev, git
6 Standards-Version: 3.9.6
5 Build-Depends: debhelper (>= 9), libssl-dev
6 Standards-Version: 3.9.7.0
77
88 Package: sslscan
99 Architecture: any
+1
-0
debian/copyright less more
44 Files: *
55 Copyright: Copyright (C) 2007-2008 by Ian Ventura-Whiting
66 Copyright (C) 2010 by Michael Boman ([email protected])
7 Copyright (c) 2007-2010, The Tor Project, Inc.
78 Copyleft 2010 by Jacob Appelbaum <[email protected]>
89 Copyleft 2013 by rbsec <[email protected]>
910 Copyleft 2014 by Julian Kornberger <[email protected]>
+0
-11
debian/patches/001-makefile less more
0 --- a/Makefile
1 +++ b/Makefile
2 @@ -29,7 +29,7 @@
3 GIT_VERSION := $(GIT_VERSION)-static
4 else
5 # for dynamic linking
6 -LDFLAGS += -L/usr/local/ssl/lib/ -L/usr/local/opt/openssl/lib
7 +LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
8 CFLAGS += -I/usr/local/ssl/include/ -I/usr/local/ssl/include/openssl/ -I/usr/local/opt/openssl/include
9 endif
10
+0
-1
debian/patches/series less more
0 001-makefile
+8
-58
debian/rules less more
22 # Uncomment this to turn on verbose mode.
33 #export DH_VERBOSE=1
44
5 LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
5 # Build stuff
6 DPKG_EXPORT_BUILDFLAGS = 1
7 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
8 include /usr/share/dpkg/default.mk
69
7 configure: configure-stamp
8 configure-stamp:
9 dh_testdir
10 touch configure-stamp
10 %:
11 dh $@ --parallel
1112
12 build: build-stamp
13 build-arch: build
14 build-indep: build
15
16 build-stamp: configure-stamp
17 dh_testdir
18
19 # Compile sslscan
20 $(MAKE) all
21
22 touch $@
23
24 clean:
25 dh_testdir
26 dh_testroot
27 rm -f build-stamp configure-stamp
28
29 # clean up
30 $(MAKE) clean
31
32 dh_clean
33
34 install: build
35 dh_testdir
36 dh_testroot
37 dh_prep
38 dh_installdirs
39
40 # install sslscan
13 override_dh_auto_install:
4114 install -d $(CURDIR)/debian/sslscan/usr/bin/
4215 install -d $(CURDIR)/debian/sslscan/usr/share/man/man1/
43 $(MAKE) BINPATH="$(CURDIR)/debian/sslscan/usr/bin/" MANPATH="$(CURDIR)/debian/sslscan/usr/share/man/" install
44
45 # Build architecture-independent files here.
46 binary-indep: build install
47
48 # Build architecture-dependent files here.
49 binary-arch: build install
50 dh_testdir
51 dh_testroot
52 dh_installchangelogs Changelog
53 dh_installdocs
54 # dh_installman
55 dh_link
56 dh_strip
57 dh_compress
58 dh_fixperms
59 dh_installdeb
60 dh_shlibdeps
61 dh_gencontrol
62 dh_md5sums
63 dh_builddeb
64
65 binary: binary-indep binary-arch
66 .PHONY: build clean binary-indep binary-arch binary install configure
16 dh_auto_install -- BINPATH="$(CURDIR)/debian/sslscan/usr/bin/" MANPATH="$(CURDIR)/debian/sslscan/usr/share/man/"
+3
-3
debian/watch less more
0 # Compulsory line, this is a version 3 file
1 version=3
2 http://sf.net/sslscan/sslscan-([\d\.]*)\.tgz debian uupdate
0 version=4
1 opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/<project>-$1\.tar\.gz/ \
2 https://github.com/rbsec/sslscan/tags .*/v?(\d\S*)\.tar\.gz
+18
-11
sslscan.1 less more
5656 .B \-\-show\-client\-cas
5757 Show a list of CAs that the server allows for client authentication. Will be blank for IIS/Schannel servers.
5858 .TP
59 .B \-\-failed
60 Show rejected ciphers
61 (default is to listing only accepted ciphers)
59 .B \-\-show\-ciphers
60 Show a complete list of ciphers supported by sslscan
61 .TP
62 .B \-\-show\-cipher-ids
63 Print the hexadecimal cipher IDs
64 .TP
65 .B \-\-show\-times
66 Show the time taken for each handshake in milliseconds. Note that only a single request is made with each cipher, and that the size of the ClientHello is not constant, so this should not be used for proper benchmarking or performance testing.
67
68 You might want to also use \-\-no\-cipher\-details to make the output a bit clearer.
6269 .TP
6370 .B \-\-ssl2
6471 .br
6572 Only check SSLv2 ciphers
6673 .br
67 Note that this option may not be availalbe if system OpenSSL does not support SSLv2. Either build OpenSSL statically or rebuild your system OpenSSL with SSLv2 support. See the readme for further details.
74 Note that this option may not be available if system OpenSSL does not support SSLv2. Either build OpenSSL statically or rebuild your system OpenSSL with SSLv2 support. See the readme for further details.
6875 .TP
6976 .B \-\-ssl3
7077 .br
7178 Only check SSLv3 ciphers
7279 .br
73 Note that this option may not be availalbe if system OpenSSL does not support SSLv3. Either build OpenSSL statically or rebuild your system OpenSSL with SSLv3 support. See the readme for further details.
80 Note that this option may not be available if system OpenSSL does not support SSLv3. Either build OpenSSL statically or rebuild your system OpenSSL with SSLv3 support. See the readme for further details.
7481 .TP
7582 .B \-\-tls10
7683 .br
105112 A file containing PEM/ASN1 formatted client certificates
106113 .TP
107114 .B \-\-no\-ciphersuites
108 Only check for supported SSL/TLS versions, not ciphersuites
115 Do not scan for supported ciphersuites.
109116 .TP
110117 .B \-\-no\-renegotiation
111118 Do not check for secure TLS renegotiation
116123 .B \-\-no\-heartbleed
117124 Do not check for OpenSSL Heartbleed (CVE-2014-0160)
118125 .TP
119 .B \-\-no\-preferred
120 Do not check for preferred ciphersuites
121 .TP
122126 .B \-\-starttls\-ftp
123127 STARTTLS setup for FTP
124128 .TP
136140 .br
137141 Note that some servers hang when we try to use SSLv3 ciphers over STARTTLS. If you scan hangs, try using the --tlsall option.
138142 .TP
143 .B \-\-starttls\-psql
144 STARTTLS setup for PostgreSQL
145 .TP
139146 .B \-\-starttls\-xmpp
140147 STARTTLS setup for XMPP
141148 .TP
153160 .TP
154161 .B \-\-no\-cipher\-details
155162 .br
156 Hide NIST EC curve name and EDH key length. Requires OpenSSL >= 1.0.2 (so if you distro doesn't ship this, you'll need to statically build sslscan).
163 Hide NIST EC curve name and EDH/RSA key length. Requires OpenSSL >= 1.0.2 (so if you distro doesn't ship this, you'll need to statically build sslscan).
157164 .TP
158165 .B \-\-bugs
159166 .br
165172 .TP
166173 .B \-\-sleep=<msec>
167174 .br
168 Pause between connections. Useful on STARTTLS SMTP services, or anything else that's performing rate limiting. Defaultis disalbed.
175 Pause between connections. Useful on STARTTLS SMTP services, or anything else that's performing rate limiting. Default is disabled.
169176 .TP
170177 .B \-\-xml=<file>
171178 .br
+518
-548
sslscan.c less more
7575 #include <openssl/x509.h>
7676 #include <openssl/x509v3.h>
7777 #include <openssl/ocsp.h>
78 #ifndef OPENSSL_NO_COMP
79 #include <openssl/comp.h>
80 #endif
7881
7982 // If we're not compiling with Visual Studio, include unistd.h. VS
8083 // doesn't have this header.
8285 #include <unistd.h>
8386 #endif
8487
85 #ifdef __FreeBSD__
88 #if defined(__FreeBSD__) || defined(__OpenBSD__)
8689 #include <netinet/in.h>
8790 #endif
8891
108111 // STACK_OF is a sign that you should be using C++ :)
109112 STACK_OF(SSL_CIPHER) *cipherList;
110113 SSL *ssl = NULL;
111
112114 options->ctx = SSL_CTX_new(sslMethod);
113115 if (options->ctx == NULL) {
114116 printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
115117 return false;
116118 }
117
118119 SSL_CTX_set_cipher_list(options->ctx, "ALL:COMPLEMENTOFALL");
119
120120 ssl = SSL_new(options->ctx);
121121 if (ssl == NULL) {
122122 printf_error("%sERROR: Could not create SSL object.%s\n", COL_RED, RESET);
123123 SSL_CTX_free(options->ctx);
124124 return false;
125125 }
126
127126 cipherList = SSL_get_ciphers(ssl);
128
129127 // Create Cipher Struct Entries...
130128 for (loop = 0; loop < sk_SSL_CIPHER_num(cipherList); loop++)
131129 {
142140 sslCipherPointer->next = malloc(sizeof(struct sslCipher));
143141 sslCipherPointer = sslCipherPointer->next;
144142 }
145
146143 // Init
147144 memset(sslCipherPointer, 0, sizeof(struct sslCipher));
148
149145 // Add cipher information...
150146 sslCipherPointer->sslMethod = sslMethod;
151147 sslCipherPointer->name = SSL_CIPHER_get_name(sk_SSL_CIPHER_value(cipherList, loop));
152148 sslCipherPointer->version = SSL_CIPHER_get_version(sk_SSL_CIPHER_value(cipherList, loop));
153149 SSL_CIPHER_description(sk_SSL_CIPHER_value(cipherList, loop), sslCipherPointer->description, sizeof(sslCipherPointer->description) - 1);
154150 sslCipherPointer->bits = SSL_CIPHER_get_bits(sk_SSL_CIPHER_value(cipherList, loop), &tempInt);
155
156
157 }
158
151 }
159152 SSL_free(ssl);
160153 SSL_CTX_free(options->ctx);
161
162154 return returnCode;
163155 }
164156
434426 return 0;
435427
436428 if (strstr(buffer, " 670 ") || strstr(buffer, ":STARTTLS successful")) {
437 printf_verbose("STARTLS IRC sertup complete.\nServer reported %s\n", buffer);
429 printf_verbose("STARTLS IRC setup complete.\nServer reported %s\n", buffer);
438430 } else {
439431 printf_verbose("STARTLS IRC setup not complete.\nServer reported %s\n", buffer);
440432 }
462454 printf_verbose("Server reported: %s\n", buffer);
463455 }
464456
457 if (options->starttls_psql == true && tlsStarted == false)
458 {
459 unsigned char buffer;
460
461 tlsStarted = 1;
462
463 // Send SSLRequest packet
464 send(socketDescriptor, "\x00\x00\x00\x08\x04\xd2\x16\x2f", 8, 0);
465
466 // Read reply byte
467 if (1 != recv(socketDescriptor, &buffer, 1, 0)) {
468 printf_error("%s ERROR: unexpected EOF reading from %s:%d%s\n", COL_RED, options->host, options->port, RESET);
469 return 0;
470 }
471
472 if (buffer != 'S') {
473 printf_error("%s ERROR: server at %s:%d%s rejected TLS startup\n", COL_RED, options->host, options->port, RESET);
474 return 0;
475 }
476 }
477
465478 // Setup an RDP socket with preamble
466479 // Borrowed from https://labs.portcullis.co.uk/tools/ssl-cipher-suite-enum/
467480 if (options->rdp == true && tlsStarted == false)
494507 return 0;
495508 }
496509 }
510
497511 // Return
498512 return socketDescriptor;
499513 }
526540 SSL_CTX_set_default_passwd_cb(options->ctx, password_callback);
527541 }
528542
529 // Seperate Certs and PKey Files...
543 // Separate Certs and PKey Files...
530544 if ((options->clientCertsFile != 0) && (options->privateKeyFile != 0))
531545 {
532546 // Load Cert...
612626 {
613627 if (!SSL_CTX_check_private_key(options->ctx))
614628 {
615 printf("%s Prvate key does not match certificate.%s\n", COL_RED, RESET);
629 printf("%s Private key does not match certificate.%s\n", COL_RED, RESET);
616630 return false;
617631 }
618632 else
664678
665679 long version = SSLeay();
666680 if (version >= 0x009080c0L && version < 0x009080d0L) {
667 printf_verbose("OpenSSL %s looks like version 0.9.8l; I will try SSL3_FLAGS to enable renegotation.\n",
681 printf_verbose("OpenSSL %s looks like version 0.9.8l; I will try SSL3_FLAGS to enable renegotiation.\n",
668682 SSLeay_version(SSLEAY_VERSION));
669683 use_unsafe_renegotiation_flag = 1;
670684 use_unsafe_renegotiation_op = 1;
703717 BIO *cipherConnectionBio;
704718 SSL_SESSION session;
705719
706 tls_reneg_init(options);
707
708720 // Connect to host
709721 socketDescriptor = tcpConnect(options);
710722 if (socketDescriptor != 0)
711723 {
712724 // Setup Context Object...
713725 options->ctx = SSL_CTX_new(sslMethod);
726 tls_reneg_init(options);
714727 if (options->ctx != NULL)
715728 {
716729 if (SSL_CTX_set_cipher_list(options->ctx, "ALL:COMPLEMENTOFALL") != 0)
731744 SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
732745 #endif
733746
747 #ifdef SSL_OP_NO_COMPRESSION
748 // Make sure to clear the no compression flag
749 SSL_clear_options(ssl, SSL_OP_NO_COMPRESSION);
750 #endif
751
734752 if (ssl != NULL)
735753 {
736754 // Connect socket and BIO
749767
750768 session = *SSL_get_session(ssl);
751769
752 printf_xml(" <compression supported=\"%d\" />\n",
753 session.compress_meth);
754
755 if (session.compress_meth == 0)
770 #ifndef OPENSSL_NO_COMP
771 // Make sure zlib is actually present
772 if (COMP_zlib()->type != NID_undef)
756773 {
757 printf("Compression %sdisabled%s\n\n", COL_GREEN, RESET);
774 printf_xml(" <compression supported=\"%d\" />\n",
775 session.compress_meth);
776
777 if (session.compress_meth == 0)
778 {
779 printf("Compression %sdisabled%s\n\n", COL_GREEN, RESET);
780 }
781 else
782 {
783 printf("Compression %senabled%s (CRIME)\n\n", COL_RED, RESET);
784 }
758785 }
759786 else
787 #endif
760788 {
761 printf("Compression %senabled%s (CRIME)\n\n", COL_RED, RESET);
789 printf("%sOpenSSL version does not support compression%s\n", COL_RED, RESET);
790 printf("%sRebuild with zlib1g-dev package for zlib support%s\n\n", COL_RED, RESET);
762791 }
763792
764793 // Disconnect SSL over socket
816845 BIO *cipherConnectionBio;
817846 struct renegotiationOutput *renOut = newRenegotiationOutput();
818847
819 tls_reneg_init(options);
820
821848 // Connect to host
822849 socketDescriptor = tcpConnect(options);
823850 if (socketDescriptor != 0)
825852
826853 // Setup Context Object...
827854 options->ctx = SSL_CTX_new(sslMethod);
855 tls_reneg_init(options);
828856 if (options->ctx != NULL)
829857 {
830858 if (SSL_CTX_set_cipher_list(options->ctx, "ALL:COMPLEMENTOFALL") != 0)
895923 if( renOut->secure )
896924 {
897925 // If it supports secure renegotiations,
898 // it should have renegotioation support in general
926 // it should have renegotiation support in general
899927 renOut->supported = true;
900928 status = true;
901929 }
903931 {
904932 #endif
905933 // We can't assume that just because the secure renegotiation
906 // support failed the server doesn't support insecure renegotiations·
934 // support failed the server doesn't support insecure renegotiations·
907935
908936 // assume ssl is connected and error free up to here
909 //setBlocking(ssl); // this is unnecessary if it is already blocking·
937 //setBlocking(ssl); // this is unnecessary if it is already blocking·
910938 printf_verbose("Attempting SSL_renegotiate(ssl)\n");
911939 SSL_renegotiate(ssl); // Ask to renegotiate the connection
912940 // This hangs when an 'encrypted alert' is sent by the server
10241052 {
10251053
10261054 // Credit to Jared Stafford ([email protected])
1027 char hello[] = {0x16,0x03,0x00,0x00,0xdc,0x01,0x00,0x00,0xd8,0x03,0x02,0x53,0x43,0x5b,0x90,0x9d,0x9b,0x72,0x0b,0xbc,0x0c,0xbc,0x2b,0x92,0xa8,0x48,0x97,0xcf,0xbd,0x39,0x04,0xcc,0x16,0x0a,0x85,0x03,0x90,0x9f,0x77,0x04,0x33,0xd4,0xde,0x00,0x00,0x66,0xc0,0x14,0xc0,0x0a,0xc0,0x22,0xc0,0x21,0x00,0x39,0x00,0x38,0x00,0x88,0x00,0x87,0xc0,0x0f,0xc0,0x05,0x00,0x35,0x00,0x84,0xc0,0x12,0xc0,0x08,0xc0,0x1c,0xc0,0x1b,0x00,0x16,0x00,0x13,0xc0,0x0d,0xc0,0x03,0x00,0x0a,0xc0,0x13,0xc0,0x09,0xc0,0x1f,0xc0,0x1e,0x00,0x33,0x00,0x32,0x00,0x9a,0x00,0x99,0x00,0x45,0x00,0x44,0xc0,0x0e,0xc0,0x04,0x00,0x2f,0x00,0x96,0x00,0x41,0xc0,0x11,0xc0,0x07,0xc0,0x0c,0xc0,0x02,0x00,0x05,0x00,0x04,0x00,0x15,0x00,0x12,0x00,0x09,0x00,0x14,0x00,0x11,0x00,0x08,0x00,0x06,0x00,0x03,0x00,0xff,0x01,0x00,0x00,0x49,0x00,0x0b,0x00,0x04,0x03,0x00,0x01,0x02,0x00,0x0a,0x00,0x34,0x00,0x32,0x00,0x0e,0x00,0x0d,0x00,0x19,0x00,0x0b,0x00,0x0c,0x00,0x18,0x00,0x09,0x00,0x0a,0x00,0x16,0x00,0x17,0x00,0x08,0x00,0x06,0x00,0x07,0x00,0x14,0x00,0x15,0x00,0x04,0x00,0x05,0x00,0x12,0x00,0x13,0x00,0x01,0x00,0x02,0x00,0x03,0x00,0x0f,0x00,0x10,0x00,0x11,0x00,0x23,0x00,0x00,0x00,0x0f,0x00,0x01,0x01};
1055 char hello[] = {0x16,0x03,0x01,0x00,0xdc,0x01,0x00,0x00,0xd8,0x03,0x00,0x53,0x43,0x5b,0x90,0x9d,0x9b,0x72,0x0b,0xbc,0x0c,0xbc,0x2b,0x92,0xa8,0x48,0x97,0xcf,0xbd,0x39,0x04,0xcc,0x16,0x0a,0x85,0x03,0x90,0x9f,0x77,0x04,0x33,0xd4,0xde,0x00,0x00,0x66,0xc0,0x14,0xc0,0x0a,0xc0,0x22,0xc0,0x21,0x00,0x39,0x00,0x38,0x00,0x88,0x00,0x87,0xc0,0x0f,0xc0,0x05,0x00,0x35,0x00,0x84,0xc0,0x12,0xc0,0x08,0xc0,0x1c,0xc0,0x1b,0x00,0x16,0x00,0x13,0xc0,0x0d,0xc0,0x03,0x00,0x0a,0xc0,0x13,0xc0,0x09,0xc0,0x1f,0xc0,0x1e,0x00,0x33,0x00,0x32,0x00,0x9a,0x00,0x99,0x00,0x45,0x00,0x44,0xc0,0x0e,0xc0,0x04,0x00,0x2f,0x00,0x96,0x00,0x41,0xc0,0x11,0xc0,0x07,0xc0,0x0c,0xc0,0x02,0x00,0x05,0x00,0x04,0x00,0x15,0x00,0x12,0x00,0x09,0x00,0x14,0x00,0x11,0x00,0x08,0x00,0x06,0x00,0x03,0x00,0xff,0x01,0x00,0x00,0x49,0x00,0x0b,0x00,0x04,0x03,0x00,0x01,0x02,0x00,0x0a,0x00,0x34,0x00,0x32,0x00,0x0e,0x00,0x0d,0x00,0x19,0x00,0x0b,0x00,0x0c,0x00,0x18,0x00,0x09,0x00,0x0a,0x00,0x16,0x00,0x17,0x00,0x08,0x00,0x06,0x00,0x07,0x00,0x14,0x00,0x15,0x00,0x04,0x00,0x05,0x00,0x12,0x00,0x13,0x00,0x01,0x00,0x02,0x00,0x03,0x00,0x0f,0x00,0x10,0x00,0x11,0x00,0x23,0x00,0x00,0x00,0x0f,0x00,0x01,0x01};
10281056
10291057 if (sslMethod == TLSv1_client_method())
10301058 {
1031 hello[2] = 0x01;
1059 hello[10] = 0x01;
10321060 }
10331061 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
10341062 else if (sslMethod == TLSv1_1_client_method())
10351063 {
1036 hello[2] = 0x02;
1064 hello[10] = 0x02;
10371065 }
10381066 else if (sslMethod == TLSv1_2_client_method())
10391067 {
1040 hello[2] = 0x03;
1068 hello[10] = 0x03;
10411069 }
10421070 #endif
10431071 if (send(socketDescriptor, hello, sizeof(hello), 0) <= 0) {
11031131 {
11041132 break;
11051133 }
1106 // Sucessful response
1134 // Successful response
11071135 else if (typ == 24 && ln > 3)
11081136 {
11091137 printf("%svulnerable%s to heartbleed\n", COL_RED, RESET);
11331161
11341162 int ssl_print_tmp_key(struct sslCheckOptions *options, SSL *s)
11351163 {
1136 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
1164 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
11371165 EVP_PKEY *key;
11381166 if (!SSL_get_server_tmp_key(s, &key))
11391167 return 1;
11921220
11931221
11941222 // Test a cipher...
1195 int testCipher(struct sslCheckOptions *options, struct sslCipher *sslCipherPointer)
1223 int testCipher(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
11961224 {
11971225 // Variables...
11981226 int cipherStatus;
12041232 int tempInt;
12051233 char requestBuffer[200];
12061234 char buffer[50];
1235 char hexCipherId[10];
12071236 int resultSize = 0;
1208 const char *sslMethod = printableSslMethod(sslCipherPointer->sslMethod);
1237 int cipherbits;
1238 uint32_t cipherid;
1239 const SSL_CIPHER *sslCipherPointer;
1240 const char *cleanSslMethod = printableSslMethod(sslMethod);
1241 struct timeval tval_start, tval_end, tval_elapsed;
1242 if (options->showTimes)
1243 {
1244 gettimeofday(&tval_start, NULL);
1245 }
1246
1247
12091248
12101249 // Create request buffer...
12111250 memset(requestBuffer, 0, 200);
12151254 socketDescriptor = tcpConnect(options);
12161255 if (socketDescriptor != 0)
12171256 {
1218 if (SSL_CTX_set_cipher_list(options->ctx, sslCipherPointer->name) != 0)
1257 if (SSL_CTX_set_cipher_list(options->ctx, options->cipherstring) != 0)
12191258 {
12201259
12211260 // Create SSL object...
12381277 // Connect SSL over socket
12391278 cipherStatus = SSL_connect(ssl);
12401279
1280 sslCipherPointer = SSL_get_current_cipher(ssl);
1281 cipherbits = SSL_CIPHER_get_bits(sslCipherPointer, NULL);
1282
1283 if (cipherStatus == 0)
1284 {
1285 return false;
1286 }
1287 else if (cipherStatus != 1)
1288 {
1289 printf_verbose("SSL_get_error(ssl, cipherStatus) said: %d\n", SSL_get_error(ssl, cipherStatus));
1290 return false;
1291 }
1292
1293 cipherid = SSL_CIPHER_get_id(sslCipherPointer);
1294 cipherid = cipherid & 0x00ffffff; // remove first byte which is the version (0x03 for TLSv1/SSLv3)
1295
12411296 // Show Cipher Status
1242 if (!((options->noFailed == true) && (cipherStatus != 1)))
1297 printf_xml(" <cipher status=\"");
1298 if (cipherStatus == 1)
12431299 {
1244 printf_xml(" <cipher status=\"");
1245 if (cipherStatus == 1)
1300 if (strcmp(options->cipherstring, "ALL:eNULL"))
12461301 {
12471302 printf_xml("accepted\"");
1248 if (options->noFailed == false)
1303 printf("Accepted ");
1304 }
1305 else
1306 {
1307 printf_xml("preferred\"");
1308 printf("%sPreferred%s ", COL_GREEN, RESET);
1309 }
1310 if (options->http == true)
1311 {
1312
1313 // Stdout BIO...
1314 stdoutBIO = BIO_new(BIO_s_file());
1315 BIO_set_fp(stdoutBIO, stdout, BIO_NOCLOSE);
1316
1317 // HTTP Get...
1318 SSL_write(ssl, requestBuffer, sizeof(requestBuffer));
1319 memset(buffer ,0 , 50);
1320 resultSize = SSL_read(ssl, buffer, 49);
1321 if (resultSize > 9)
12491322 {
1250 printf("%sAccepted%s ", COL_GREEN, RESET);
1323 int loop = 0;
1324 for (loop = 9; (loop < 49) && (buffer[loop] != 0) && (buffer[loop] != '\r') && (buffer[loop] != '\n'); loop++)
1325 { }
1326 buffer[loop] = 0;
1327
1328 // Output HTTP code...
1329 printf("%s", buffer + 9);
1330 loop = strlen(buffer + 9);
1331 while (loop < 17)
1332 {
1333 loop++;
1334 printf(" ");
1335 }
1336 printf_xml(" http=\"%s\"", buffer + 9);
12511337 }
12521338 else
12531339 {
1254 printf("Accepted ");
1255 }
1256 if (options->http == true)
1257 {
1258
1259 // Stdout BIO...
1260 stdoutBIO = BIO_new(BIO_s_file());
1261 BIO_set_fp(stdoutBIO, stdout, BIO_NOCLOSE);
1262
1263 // HTTP Get...
1264 SSL_write(ssl, requestBuffer, sizeof(requestBuffer));
1265 memset(buffer ,0 , 50);
1266 resultSize = SSL_read(ssl, buffer, 49);
1267 if (resultSize > 9)
1268 {
1269 int loop = 0;
1270 for (loop = 9; (loop < 49) && (buffer[loop] != 0) && (buffer[loop] != '\r') && (buffer[loop] != '\n'); loop++)
1271 { }
1272 buffer[loop] = 0;
1273
1274 // Output HTTP code...
1275 printf("%s", buffer + 9);
1276 loop = strlen(buffer + 9);
1277 while (loop < 17)
1278 {
1279 loop++;
1280 printf(" ");
1281 }
1282 printf_xml(" http=\"%s\"", buffer + 9);
1283 }
1284 else
1285 {
1286 // Output HTTP code...
1287 printf(" ");
1288 }
1340 // Output HTTP code...
1341 printf(" ");
12891342 }
12901343 }
1291 else if (cipherStatus == 0)
1292 {
1293 printf_xml("rejected\"");
1294 if (options->http == true)
1295 {
1296 printf("Rejected N/A ");
1297 }
1298 else
1299 {
1300 printf("Rejected ");
1301 }
1302 }
1303 else
1304 {
1305 printf_verbose("SSL_get_error(ssl, cipherStatus) said: %d\n", SSL_get_error(ssl, cipherStatus));
1306 printf_xml("failed\"");
1307 if (options->http == true)
1308 {
1309 printf("Failed N/A ");
1310 }
1311 else
1312 {
1313 printf("Failed ");
1314 }
1315 }
1316 printf_xml(" sslversion=\"%s\"", sslMethod);
1344 }
1345 printf_xml(" sslversion=\"%s\"", cleanSslMethod);
13171346 #ifndef OPENSSL_NO_SSL2
1318 if (sslCipherPointer->sslMethod == SSLv2_client_method())
1319 {
1320 printf("%sSSLv2%s ", COL_RED, RESET);
1321 }
1322 else
1347 if (strcmp(cleanSslMethod, "SSLv2") == 0)
1348 {
1349 printf("%sSSLv2%s ", COL_RED, RESET);
1350 }
1351 else
13231352 #endif
13241353 #ifndef OPENSSL_NO_SSL3
1325 if (sslCipherPointer->sslMethod == SSLv3_client_method())
1354 if (strcmp(cleanSslMethod, "SSLv3") == 0)
13261355 {
13271356 printf("%sSSLv3%s ", COL_RED, RESET);
13281357 }
13291358 else
13301359 #endif
1331 if (sslCipherPointer->sslMethod == TLSv1_client_method())
1332 {
1333 printf("TLSv1.0 ");
1334 }
1360 if (strcmp(cleanSslMethod, "TLSv1.0") == 0)
1361 {
1362 printf("%sTLSv1.0%s ", COL_YELLOW, RESET);
1363 }
13351364 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
1336 else if (sslCipherPointer->sslMethod == TLSv1_1_client_method())
1337 {
1338 printf("TLSv1.1 ");
1339 }
1340 else if (sslCipherPointer->sslMethod == TLSv1_2_client_method())
1341 {
1342 printf("TLSv1.2 ");
1343 }
1344 #endif
1345 if (sslCipherPointer->bits < 10)
1346 tempInt = 2;
1347 else if (sslCipherPointer->bits < 100)
1348 tempInt = 1;
1349 else
1350 tempInt = 0;
1351 if (sslCipherPointer->bits == 0)
1352 {
1353 printf("%s%d%s bits ", COL_RED_BG, sslCipherPointer->bits, RESET);
1354 }
1355 else if (sslCipherPointer->bits > 56)
1356 {
1357 printf("%s%d%s bits ", COL_GREEN, sslCipherPointer->bits, RESET);
1358 }
1359 else if (sslCipherPointer->bits > 40)
1360 {
1361 printf("%s%d%s bits ", COL_YELLOW, sslCipherPointer->bits, RESET);
1362 }
1363 else
1364 {
1365 printf("%s%d%s bits ", COL_RED, sslCipherPointer->bits, RESET);
1366 }
1367 while (tempInt != 0)
1368 {
1369 tempInt--;
1370 printf(" ");
1371 }
1372 printf_xml(" bits=\"%d\" cipher=\"%s\"", sslCipherPointer->bits, sslCipherPointer->name);
1373 if (strstr(sslCipherPointer->name, "NULL"))
1374 {
1375 printf("%s%-29s%s", COL_RED_BG, sslCipherPointer->name, RESET);
1376 }
1377 else if (strstr(sslCipherPointer->name, "ADH") || strstr(sslCipherPointer->name, "AECDH"))
1378 {
1379 printf("%s%-29s%s", COL_PURPLE, sslCipherPointer->name, RESET);
1380 }
1381 else if (strstr(sslCipherPointer->name, "EXP") || (sslCipherPointer->sslMethod == SSLv3_client_method() && !strstr(sslCipherPointer->name, "RC4")))
1382 {
1383 printf("%s%-29s%s", COL_RED, sslCipherPointer->name, RESET);
1384 }
1385 else if (strstr(sslCipherPointer->name, "RC4"))
1386 {
1387 printf("%s%-29s%s", COL_YELLOW, sslCipherPointer->name, RESET);
1388 }
1389 else if (strstr(sslCipherPointer->name, "GCM"))
1390 {
1391 printf("%s%-29s%s", COL_GREEN, sslCipherPointer->name, RESET);
1392 }
1393 else
1394 {
1395 printf("%-29s", sslCipherPointer->name);
1396 }
1397 if (options->cipher_details == true)
1398 {
1399 ssl_print_tmp_key(options, ssl);
1400 }
1401 printf("\n");
1402 printf_xml(" />\n");
1365 else
1366 {
1367 printf("%s ", cleanSslMethod);
1368 }
1369 #endif
1370 if (cipherbits < 10)
1371 tempInt = 2;
1372 else if (cipherbits < 100)
1373 tempInt = 1;
1374 else
1375 tempInt = 0;
1376 if (cipherbits == 0)
1377 {
1378 printf("%s%d%s bits ", COL_RED_BG, cipherbits, RESET);
14031379 }
1404
1380 else if (cipherbits >= 112)
1381 {
1382 printf("%s%d%s bits ", COL_GREEN, cipherbits, RESET);
1383 }
1384 else if (cipherbits > 56)
1385 {
1386 printf("%s%d%s bits ", COL_YELLOW, cipherbits, RESET);
1387 }
1388 else
1389 {
1390 printf("%s%d%s bits ", COL_RED, cipherbits, RESET);
1391 }
1392 while (tempInt != 0)
1393 {
1394 tempInt--;
1395 printf(" ");
1396 }
1397
1398 sprintf(hexCipherId, "0x%X", cipherid);
1399
1400 if (options->showCipherIds == true)
1401 {
1402 printf("%8s ", hexCipherId);
1403 }
1404
1405 printf_xml(" bits=\"%d\" cipher=\"%s\" id=\"%s\"", cipherbits, sslCipherPointer->name, hexCipherId);
1406 if (strstr(sslCipherPointer->name, "NULL"))
1407 {
1408 printf("%s%-29s%s", COL_RED_BG, sslCipherPointer->name, RESET);
1409 }
1410 else if (strstr(sslCipherPointer->name, "ADH") || strstr(sslCipherPointer->name, "AECDH"))
1411 {
1412 printf("%s%-29s%s", COL_PURPLE, sslCipherPointer->name, RESET);
1413 }
1414 else if (strstr(sslCipherPointer->name, "EXP")
1415 #ifndef OPENSSL_NO_SSL3
1416 || (strcmp(cleanSslMethod, "SSLv3") == 0 && !strstr(sslCipherPointer->name, "RC4"))
1417 #endif
1418 )
1419 {
1420 printf("%s%-29s%s", COL_RED, sslCipherPointer->name, RESET);
1421 }
1422 else if (strstr(sslCipherPointer->name, "RC4"))
1423 {
1424 printf("%s%-29s%s", COL_YELLOW, sslCipherPointer->name, RESET);
1425 }
1426 else if (strstr(sslCipherPointer->name, "GCM"))
1427 {
1428 printf("%s%-29s%s", COL_GREEN, sslCipherPointer->name, RESET);
1429 }
1430 else
1431 {
1432 printf("%-29s", sslCipherPointer->name);
1433 }
1434
1435 if (options->cipher_details == true)
1436 {
1437 ssl_print_tmp_key(options, ssl);
1438 }
1439 // Timing
1440 if (options->showTimes)
1441 {
1442 int msec;
1443 gettimeofday(&tval_end, NULL);
1444 timersub(&tval_end, &tval_start, &tval_elapsed);
1445 msec = tval_elapsed.tv_sec * 1000 + (int)tval_elapsed.tv_usec/1000;
1446 printf("%s %dms%s", COL_GREY, msec, RESET);
1447 printf_xml(" time=\"%d\"", msec);
1448 }
1449
1450 printf("\n");
1451 printf_xml(" />\n");
1452
14051453 // Disconnect SSL over socket
14061454 if (cipherStatus == 1)
1455 {
1456 strncat(options->cipherstring, ":!", 2);
1457 strncat(options->cipherstring, SSL_get_cipher_name(ssl), strlen(SSL_get_cipher_name(ssl)));
14071458 SSL_shutdown(ssl);
1459 }
14081460
14091461 // Free SSL object
14101462 SSL_free(ssl);
14181470 else
14191471 {
14201472 status = false;
1421 printf("%s ERROR: Could set cipher %s.%s\n", COL_RED, sslCipherPointer->name, RESET);
14221473 }
14231474
14241475 // Disconnect from host
14291480 else
14301481 status = false;
14311482
1483
14321484 return status;
14331485 }
14341486
1435
1436 // Test for preferred ciphers
1437 int defaultCipher(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
1487 int checkCertificateProtocol(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
14381488 {
1439 // Variables...
1440 int cipherStatus;
14411489 int status = true;
1442 int socketDescriptor = 0;
1443 SSL *ssl = NULL;
1444 BIO *cipherConnectionBio;
1445 int tempInt;
1446 int tempInt2;
1447
1448 // Connect to host
1449 socketDescriptor = tcpConnect(options);
1450 if (socketDescriptor != 0)
1451 {
1452 // Setup Context Object...
1453 options->ctx = SSL_CTX_new(sslMethod);
1454 if (options->ctx != NULL)
1455 {
1456 if (SSL_CTX_set_cipher_list(options->ctx, "ALL:COMPLEMENTOFALL") != 0)
1457 {
1458
1459 // Load Certs if required...
1460 if ((options->clientCertsFile != 0) || (options->privateKeyFile != 0))
1461 status = loadCerts(options);
1462
1463 if (status == true)
1464 {
1465 // Create SSL object...
1466 ssl = SSL_new(options->ctx);
1467 if (ssl != NULL)
1468 {
1469 // Connect socket and BIO
1470 cipherConnectionBio = BIO_new_socket(socketDescriptor, BIO_NOCLOSE);
1471
1472 // Connect SSL and BIO
1473 SSL_set_bio(ssl, cipherConnectionBio, cipherConnectionBio);
1474
1475 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
1476 // TLS SNI
1477 SSL_set_tlsext_host_name (ssl, options->host);
1478 #endif
1479
1480 // Connect SSL over socket
1481 cipherStatus = SSL_connect(ssl);
1482 if (cipherStatus == 1)
1483 {
1484 #ifndef OPENSSL_NO_SSL2
1485 if (sslMethod == SSLv2_client_method())
1486 {
1487 printf_xml(" <defaultcipher sslversion=\"SSLv2\" bits=\"");
1488 printf("%sSSLv2%s ", COL_RED, RESET);
1489 }
1490 else
1491 #endif
1492 if (sslMethod == SSLv3_client_method())
1493 {
1494 printf_xml(" <defaultcipher sslversion=\"SSLv3\" bits=\"");
1495 printf("%sSSLv3%s ", COL_RED, RESET);
1496 }
1497 else if (sslMethod == TLSv1_client_method())
1498 {
1499 printf_xml(" <defaultcipher sslversion=\"TLSv1.0\" bits=\"");
1500 printf("TLSv1.0 ");
1501 }
1502 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
1503 else if (sslMethod == TLSv1_1_client_method())
1504 {
1505 printf_xml(" <defaultcipher sslversion=\"TLSv1.1\" bits=\"");
1506 printf("TLSv1.1 ");
1507 }
1508 else if (sslMethod == TLSv1_2_client_method())
1509 {
1510 printf_xml(" <defaultcipher sslversion=\"TLSv1.2\" bits=\"");
1511 printf("TLSv1.2 ");
1512 }
1513 #endif
1514 if (SSL_get_cipher_bits(ssl, &tempInt2) < 10)
1515 tempInt = 2;
1516 else if (SSL_get_cipher_bits(ssl, &tempInt2) < 100)
1517 tempInt = 1;
1518 else
1519 tempInt = 0;
1520 //Bit ugly
1521 int tempbits = SSL_get_cipher_bits(ssl, &tempInt2);
1522 if (tempbits > 56)
1523 {
1524 printf("%s%d%s bits ", COL_GREEN, tempbits, RESET);
1525 }
1526 else if (tempbits > 40)
1527 {
1528 printf("%s%d%s bits ", COL_YELLOW, tempbits, RESET);
1529 }
1530 else
1531 {
1532 printf("%s%d%s bits ", COL_RED, tempbits, RESET);
1533 }
1534
1535 while (tempInt != 0)
1536 {
1537 tempInt--;
1538 printf(" ");
1539 }
1540 printf_xml("%d\" cipher=\"%s\"", SSL_get_cipher_bits(ssl, &tempInt2), SSL_get_cipher_name(ssl));
1541 if (strstr(SSL_get_cipher_name(ssl), "EXP") || (sslMethod == SSLv3_client_method() && strstr(SSL_get_cipher_name(ssl), "CBC")))
1542 {
1543 printf("%s%-29s%s", COL_RED, SSL_get_cipher_name(ssl), RESET);
1544 }
1545 else if (strstr(SSL_get_cipher_name(ssl), "RC4"))
1546 {
1547 printf("%s%-29s%s", COL_YELLOW, SSL_get_cipher_name(ssl), RESET);
1548 }
1549 else if (strstr(SSL_get_cipher_name(ssl), "GCM"))
1550 {
1551 printf("%s%-29s%s", COL_GREEN, SSL_get_cipher_name(ssl), RESET);
1552 }
1553 else
1554 {
1555 printf("%-29s", SSL_get_cipher_name(ssl));
1556 }
1557 if (options->cipher_details == true)
1558 {
1559 ssl_print_tmp_key(options, ssl);
1560 }
1561 printf("\n");
1562 printf_xml(" />\n");
1563
1564 // Disconnect SSL over socket
1565 SSL_shutdown(ssl);
1566 }
1567
1568 // Free SSL object
1569 SSL_free(ssl);
1570 }
1571 else
1572 {
1573 status = false;
1574 printf("%s ERROR: Could create SSL object.%s\n", COL_RED, RESET);
1575 }
1576 }
1577 }
1578 else
1579 {
1580 status = false;
1581 printf("%s ERROR: Could set cipher.%s\n", COL_RED, RESET);
1582 }
1583
1584 // Free CTX Object
1585 SSL_CTX_free(options->ctx);
1586 }
1587
1588 // Error Creating Context Object
1490 // Setup Context Object...
1491 options->ctx = SSL_CTX_new(sslMethod);
1492 if (options->ctx != NULL)
1493 {
1494 // SSL implementation bugs/workaround
1495 if (options->sslbugs)
1496 SSL_CTX_set_options(options->ctx, SSL_OP_ALL | 0);
15891497 else
1590 {
1591 status = false;
1592 printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
1593 }
1594
1595 // Disconnect from host
1596 close(socketDescriptor);
1597 }
1598
1599 // Could not connect
1498 SSL_CTX_set_options(options->ctx, 0);
1499
1500 // Load Certs if required...
1501 if ((options->clientCertsFile != 0) || (options->privateKeyFile != 0))
1502 status = loadCerts(options);
1503
1504 // Check the certificate
1505 status = checkCertificate(options, sslMethod);
1506 }
1507
1508 // Error Creating Context Object
16001509 else
1510 {
1511 printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
16011512 status = false;
1602
1513 }
16031514 return status;
16041515 }
16051516
16061517 // Report certificate weaknesses (key length and signing algorithm)
1607 int checkCertificate(struct sslCheckOptions *options)
1518 int checkCertificate(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
16081519 {
16091520 int cipherStatus = 0;
16101521 int status = true;
16161527 BIO *fileBIO = NULL;
16171528 X509 *x509Cert = NULL;
16181529 EVP_PKEY *publicKey = NULL;
1619 const SSL_METHOD *sslMethod = NULL;
16201530 char certAlgorithm[80];
16211531 X509_EXTENSION *extension = NULL;
16221532
16251535 if (socketDescriptor != 0)
16261536 {
16271537 // Setup Context Object...
1628 if( options->sslVersion == ssl_v2 || options->sslVersion == ssl_v3) {
1629 printf_verbose("sslMethod = SSLv23_method()");
1630 sslMethod = SSLv23_method();
1631 }
1632 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
1633 else if( options->sslVersion == tls_v11) {
1634 printf_verbose("sslMethod = TLSv1_1_method()");
1635 sslMethod = TLSv1_1_method();
1636 }
1637 else if( options->sslVersion == tls_v12) {
1638 printf_verbose("sslMethod = TLSv1_2_method()");
1639 sslMethod = TLSv1_2_method();
1640 }
1641 #endif
1642 else {
1643 printf_verbose("sslMethod = TLSv1_method()\n");
1644 printf_verbose("If server doesn't support TLSv1.0, manually specificy TLS version\n");
1645 sslMethod = TLSv1_method();
1646 }
16471538 options->ctx = SSL_CTX_new(sslMethod);
16481539 if (options->ctx != NULL)
16491540 {
19131804 }
19141805 }
19151806 }
1807
1808 // Check for certificate expiration
1809 time_t *ptime;
1810 int timediff;
1811 ptime = NULL;
1812
1813 printf("\nNot valid before: ");
1814 timediff = X509_cmp_time(X509_get_notBefore(x509Cert), ptime);
1815 // Certificate isn't valid yet
1816 if (timediff > 0)
1817 {
1818 printf("%s", COL_RED);
1819 }
1820 else
1821 {
1822 printf("%s", COL_GREEN);
1823 }
1824 ASN1_TIME_print(stdoutBIO, X509_get_notBefore(x509Cert));
1825 printf("%s", RESET);
1826
1827 if (options->xmlOutput) {
1828 printf_xml(" <not-valid-before>");
1829 ASN1_TIME_print(fileBIO, X509_get_notBefore(x509Cert));
1830 printf_xml("</not-valid-before>\n");
1831 }
1832
1833 printf("\nNot valid after: ");
1834 timediff = X509_cmp_time(X509_get_notAfter(x509Cert), ptime);
1835 // Certificate has expired
1836 if (timediff < 0)
1837 {
1838 printf("%s", COL_RED);
1839 }
1840 else
1841 {
1842 printf("%s", COL_GREEN);
1843 }
1844 ASN1_TIME_print(stdoutBIO, X509_get_notAfter(x509Cert));
1845 printf("%s", RESET);
1846 if (options->xmlOutput) {
1847 printf_xml(" <not-valid-after>");
1848 ASN1_TIME_print(fileBIO, X509_get_notAfter(x509Cert));
1849 printf_xml("</not-valid-after>\n");
1850 if (timediff < 0)
1851 {
1852 printf_xml(" <expired>true</expired>\n");
1853 }
1854 else
1855 {
1856 printf_xml(" <expired>false</expired>\n");
1857 }
1858 }
1859 printf("\n");
1860
19161861 // Free X509 Certificate...
19171862 X509_free(x509Cert);
1863 // This is abusing status a bit, but means that we'll only get the cert once
1864 status = false;
19181865 }
19191866
19201867 else {
19301877
19311878 // Disconnect SSL over socket
19321879 SSL_shutdown(ssl);
1933 }
1934 else
1935 {
1936 printf("\n%sFailed to connect to get certificate.%s\n", COL_RED, RESET);
1937 printf("Most likley cause is server not supporting %s, try manually specifying version\n", printableSslMethod(sslMethod));
19381880 }
19391881 // Free SSL object
19401882 SSL_free(ssl);
20061948 #endif
20071949 else {
20081950 printf_verbose("sslMethod = TLSv1_method()\n");
2009 printf_verbose("If server doesn't support TLSv1.0, manually specificy TLS version\n");
1951 printf_verbose("If server doesn't support TLSv1.0, manually specify TLS version\n");
20101952 sslMethod = TLSv1_method();
20111953 }
20121954 options->ctx = SSL_CTX_new(sslMethod);
20722014 else
20732015 {
20742016 printf("\n%sFailed to connect to get OCSP status.%s\n", COL_RED, RESET);
2075 printf("Most likley cause is server not supporting %s, try manually specifying version\n", printableSslMethod(sslMethod));
2017 printf("Most likely cause is server not supporting %s, try manually specifying version\n", printableSslMethod(sslMethod));
20762018 }
20772019 // Free SSL object
20782020 SSL_free(ssl);
28932835 }
28942836 }
28952837
2838 int testProtocolCiphers(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
2839 {
2840 int status;
2841 status = true;
2842 strncpy(options->cipherstring, "ALL:eNULL", 10);
2843
2844 // Loop until the server won't accept any more ciphers
2845 while (status == true)
2846 {
2847 // Setup Context Object...
2848 options->ctx = SSL_CTX_new(sslMethod);
2849 if (options->ctx != NULL)
2850 {
2851
2852 // SSL implementation bugs/workaround
2853 if (options->sslbugs)
2854 SSL_CTX_set_options(options->ctx, SSL_OP_ALL | 0);
2855 else
2856 SSL_CTX_set_options(options->ctx, 0);
2857
2858 // Load Certs if required...
2859 if ((options->clientCertsFile != 0) || (options->privateKeyFile != 0))
2860 status = loadCerts(options);
2861
2862 // Test the cipher
2863 if (status == true)
2864 status = testCipher(options, sslMethod);
2865
2866 // Free CTX Object
2867 SSL_CTX_free(options->ctx);
2868 }
2869
2870 // Error Creating Context Object
2871 else
2872 {
2873 printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
2874 return false;
2875 }
2876 }
2877 return true;
2878 }
2879
28962880 // Test a single host and port for ciphers...
28972881 int testHost(struct sslCheckOptions *options)
28982882 {
29122896 // Test renegotiation
29132897 printf("Testing SSL server %s%s%s on port %s%d%s\n\n", COL_GREEN, options->host, RESET, COL_GREEN, options->port, RESET);
29142898
2915 sslCipherPointer = options->ciphers;
2916
29172899 if (options->showClientCiphers == true)
29182900 {
2901 // Build a list of ciphers...
2902 switch (options->sslVersion)
2903 {
2904 case ssl_all:
2905 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
2906 populateCipherList(options, TLSv1_2_client_method());
2907 populateCipherList(options, TLSv1_1_client_method());
2908 #endif
2909 populateCipherList(options, TLSv1_client_method());
2910 #ifndef OPENSSL_NO_SSL3
2911 populateCipherList(options, SSLv3_client_method());
2912 #endif
2913 #ifndef OPENSSL_NO_SSL2
2914 populateCipherList(options, SSLv2_client_method());
2915 #endif
2916 break;
2917 case tls_all:
2918 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
2919 populateCipherList(options, TLSv1_2_client_method());
2920 populateCipherList(options, TLSv1_1_client_method());
2921 #endif
2922 populateCipherList(options, TLSv1_client_method());
2923 break;
2924 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
2925 case tls_v12:
2926 populateCipherList(options, TLSv1_2_client_method());
2927 break;
2928 case tls_v11:
2929 populateCipherList(options, TLSv1_1_client_method());
2930 break;
2931 #endif
2932 case tls_v10:
2933 populateCipherList(options, TLSv1_client_method());
2934 break;
2935 #ifndef OPENSSL_NO_SSL3
2936 case ssl_v3:
2937 populateCipherList(options, SSLv3_client_method());
2938 break;
2939 #endif
2940 #ifndef OPENSSL_NO_SSL2
2941 case ssl_v2:
2942 populateCipherList(options, SSLv2_client_method());
2943 break;
2944 #endif
2945 }
29192946 printf("\n %sSupported Client Cipher(s):%s\n", COL_BLUE, RESET);
2947 sslCipherPointer = options->ciphers;
29202948 while ((sslCipherPointer != 0) && (status == true))
29212949 {
29222950 printf(" %s\n",sslCipherPointer->name);
2923 printf_xml(" <client-cipher cipher=\"%s\">\n", sslCipherPointer->name);
2951 printf_xml(" <client-cipher cipher=\"%s\" />\n", sslCipherPointer->name);
29242952
29252953 sslCipherPointer = sslCipherPointer->next;
29262954 }
2955 printf("\n");
29272956 }
29282957
29292958 if (status == true && options->reneg )
29412970 if (status == true && options->heartbleed )
29422971 {
29432972 printf(" %sHeartbleed:%s\n", COL_BLUE, RESET);
2973 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
2974 if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v12)
2975 {
2976 printf("TLS 1.2 ");
2977 status = testHeartbleed(options, TLSv1_2_client_method());
2978 }
2979 if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v11)
2980 {
2981 printf("TLS 1.1 ");
2982 status = testHeartbleed(options, TLSv1_1_client_method());
2983 }
2984 #endif
29442985 if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v10)
29452986 {
29462987 printf("TLS 1.0 ");
29472988 status = testHeartbleed(options, TLSv1_client_method());
29482989 }
2949 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
2950 if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v11)
2951 {
2952 printf("TLS 1.1 ");
2953 status = testHeartbleed(options, TLSv1_1_client_method());
2954 }
2955 if( options->sslVersion == ssl_all || options->sslVersion == tls_all || options->sslVersion == tls_v12)
2956 {
2957 printf("TLS 1.2 ");
2958 status = testHeartbleed(options, TLSv1_2_client_method());
2959 }
2960 #endif
29612990 if( options->sslVersion == ssl_v2 || options->sslVersion == ssl_v3)
29622991 {
29632992 printf("%sAll TLS protocols disabled, cannot check for heartbleed.\n%s", COL_RED, RESET);
29793008 {
29803009 // Test supported ciphers...
29813010 printf(" %sSupported Server Cipher(s):%s\n", COL_BLUE, RESET);
2982 sslCipherPointer = options->ciphers;
2983 while ((sslCipherPointer != 0) && (status == true))
2984 {
2985
2986 // Setup Context Object...
2987 options->ctx = SSL_CTX_new(sslCipherPointer->sslMethod);
2988 if (options->ctx != NULL)
2989 {
2990
2991 // SSL implementation bugs/workaround
2992 if (options->sslbugs)
2993 SSL_CTX_set_options(options->ctx, SSL_OP_ALL | 0);
2994 else
2995 SSL_CTX_set_options(options->ctx, 0);
2996
2997 // Load Certs if required...
2998 if ((options->clientCertsFile != 0) || (options->privateKeyFile != 0))
2999 status = loadCerts(options);
3000
3001
3002 // Test
3003 if (status == true)
3004 status = testCipher(options, sslCipherPointer);
3005
3006 // Free CTX Object
3007 SSL_CTX_free(options->ctx);
3008 }
3009
3010 // Error Creating Context Object
3011 else
3012 {
3013 status = false;
3014 printf_error("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
3015 }
3016
3017 sslCipherPointer = sslCipherPointer->next;
3018
3019 }
3020 printf("\n");
3021 }
3022 if (status == true && options->getPreferredCiphers == true)
3023 {
3024 // Test preferred ciphers...
3025 printf(" %sPreferred Server Cipher(s):%s\n", COL_BLUE, RESET);
30263011 switch (options->sslVersion)
30273012 {
30283013 case ssl_all:
3029 #ifndef OPENSSL_NO_SSL2
3030 status = defaultCipher(options, SSLv2_client_method());
3031 #endif
3014 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
3015 if (status != false)
3016 status = testProtocolCiphers(options, TLSv1_2_client_method());
3017 if (status != false)
3018 status = testProtocolCiphers(options, TLSv1_1_client_method());
3019 #endif
3020 if (status != false)
3021 status = testProtocolCiphers(options, TLSv1_client_method());
30323022 #ifndef OPENSSL_NO_SSL3
30333023 if (status != false)
3034 status = defaultCipher(options, SSLv3_client_method());
3035 #endif
3024 status = testProtocolCiphers(options, SSLv3_client_method());
3025 #endif
3026 #ifndef OPENSSL_NO_SSL2
30363027 if (status != false)
3037 status = defaultCipher(options, TLSv1_client_method());
3038 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
3039 if (status != false)
3040 status = defaultCipher(options, TLSv1_1_client_method());
3041 if (status != false)
3042 status = defaultCipher(options, TLSv1_2_client_method());
3028 status = testProtocolCiphers(options, SSLv2_client_method());
30433029 #endif
30443030 break;
30453031 #ifndef OPENSSL_NO_SSL2
30463032 case ssl_v2:
3047 status = defaultCipher(options, SSLv2_client_method());
3033 status = testProtocolCiphers(options, SSLv2_client_method());
30483034 break;
30493035 #endif
30503036 #ifndef OPENSSL_NO_SSL3
30513037 case ssl_v3:
3052 status = defaultCipher(options, SSLv3_client_method());
3038 status = testProtocolCiphers(options, SSLv3_client_method());
30533039 break;
30543040 #endif
30553041 case tls_all:
3056 if (status != false)
3057 status = defaultCipher(options, TLSv1_client_method());
30583042 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
30593043 if (status != false)
3060 status = defaultCipher(options, TLSv1_1_client_method());
3044 status = testProtocolCiphers(options, TLSv1_2_client_method());
30613045 if (status != false)
3062 status = defaultCipher(options, TLSv1_2_client_method());
3063 #endif
3046 status = testProtocolCiphers(options, TLSv1_1_client_method());
3047 #endif
3048 if (status != false)
3049 status = testProtocolCiphers(options, TLSv1_client_method());
30643050 break;
30653051 case tls_v10:
3066 status = defaultCipher(options, TLSv1_client_method());
3052 status = testProtocolCiphers(options, TLSv1_client_method());
30673053 break;
30683054 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
30693055 case tls_v11:
3070 status = defaultCipher(options, TLSv1_1_client_method());
3056 status = testProtocolCiphers(options, TLSv1_1_client_method());
30713057 break;
30723058 case tls_v12:
3073 status = defaultCipher(options, TLSv1_2_client_method());
3059 status = testProtocolCiphers(options, TLSv1_2_client_method());
30743060 break;
30753061 #endif
30763062 }
30853071 // Show weak certificate signing algorithm or key strength
30863072 if (status == true && options->checkCertificate == true)
30873073 {
3088 status = checkCertificate(options);
3074 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
3075 if (status != false)
3076 {
3077 status = checkCertificateProtocol(options, TLSv1_2_client_method());
3078 }
3079 if (status != false)
3080 status = checkCertificateProtocol(options, TLSv1_1_client_method());
3081 #endif
3082 if (status != false)
3083 status = checkCertificateProtocol(options, TLSv1_client_method());
3084 #ifndef OPENSSL_NO_SSL3
3085 if (status != false)
3086 status = checkCertificateProtocol(options, SSLv3_client_method());
3087 #endif
3088 #ifndef OPENSSL_NO_SSL2
3089 if (status != false)
3090 status = checkCertificateProtocol(options, SSLv2_client_method());
3091 #endif
30893092 }
30903093
30913094 // Print client auth trusted CAs
31253128 memset(&options, 0, sizeof(struct sslCheckOptions));
31263129 options.port = 0;
31273130 xmlArg = 0;
3128 strcpy(options.host, "127.0.0.1");
3129 options.noFailed = true;
3131 strncpy(options.host, "127.0.0.1", 10);
31303132 options.showCertificate = false;
31313133 options.showTrustedCAs = false;
31323134 options.checkCertificate = true;
31333135 options.showClientCiphers = false;
3136 options.showCipherIds = false;
3137 options.showTimes = false;
31343138 options.ciphersuites = true;
31353139 options.reneg = true;
31363140 options.compression = true;
31413145 options.starttls_pop3 = false;
31423146 options.starttls_smtp = false;
31433147 options.starttls_xmpp = false;
3148 options.starttls_psql = false;
31443149 options.xmpp_server = false;
31453150 options.verbose = false;
31463151 options.cipher_details = true;
31473152 options.ipv4 = true;
31483153 options.ipv6 = true;
3149 options.getPreferredCiphers = true;
31503154 options.ocspStatus = false;
31513155
31523156 // Default socket timeout 3s
31823186 options.targets = argLoop;
31833187 }
31843188
3185 // Show unsupported ciphers
3186 else if (strcmp("--failed", argv[argLoop]) == 0)
3187 options.noFailed = false;
3188
31893189 // Show certificate
31903190 else if (strcmp("--show-certificate", argv[argLoop]) == 0)
31913191 options.showCertificate = true;
31973197 // Show supported client ciphers
31983198 else if (strcmp("--show-ciphers", argv[argLoop]) == 0)
31993199 options.showClientCiphers = true;
3200
3201 // Show ciphers ids
3202 else if (strcmp("--show-cipher-ids", argv[argLoop]) == 0)
3203 {
3204 options.showCipherIds = true;
3205 }
3206
3207 // Show handshake times
3208 else if (strcmp("--show-times", argv[argLoop]) == 0)
3209 {
3210 options.showTimes = true;
3211 }
32003212
32013213 // Show client auth trusted CAs
32023214 else if (strcmp("--show-client-cas", argv[argLoop]) == 0)
32293241 COL_BLUE = "";
32303242 COL_GREEN = "";
32313243 COL_PURPLE = "";
3232 COL_RED_BG = "";
3244 COL_RED_BG = "";
32333245 }
32343246
32353247 // Client Certificates
32603272 else if (strcmp("--no-heartbleed", argv[argLoop]) == 0)
32613273 options.heartbleed = false;
32623274
3263 // Don't determine preferred ciphers
3264 else if (strcmp("--no-preferred", argv[argLoop]) == 0)
3265 options.getPreferredCiphers = false;
3266
32673275 // StartTLS... FTP
32683276 else if (strcmp("--starttls-ftp", argv[argLoop]) == 0)
32693277 options.starttls_ftp = true;
32863294 // StartTLS... XMPP
32873295 else if (strcmp("--starttls-xmpp", argv[argLoop]) == 0)
32883296 options.starttls_xmpp = true;
3297
3298 // StartTLS... PostgreSQL
3299 else if (strcmp("--starttls-psql", argv[argLoop]) == 0)
3300 options.starttls_psql = true;
3301
32893302 #ifndef OPENSSL_NO_SSL2
32903303 // SSL v2 only...
32913304 else if (strcmp("--ssl2", argv[argLoop]) == 0)
34053418 else if (options.port == 0) {
34063419 if (options.starttls_ftp)
34073420 options.port = 21;
3408 if (options.starttls_imap)
3421 else if (options.starttls_imap)
34093422 options.port = 143;
3410 if (options.starttls_irc)
3423 else if (options.starttls_irc)
34113424 options.port = 6667;
3412 if (options.starttls_pop3)
3425 else if (options.starttls_pop3)
34133426 options.port = 110;
3414 if (options.starttls_smtp)
3427 else if (options.starttls_smtp)
34153428 options.port = 25;
3416 if (options.starttls_xmpp)
3429 else if (options.starttls_xmpp)
34173430 options.port = 5222;
3418 if (options.rdp)
3431 else if (options.starttls_psql)
3432 options.port = 5432;
3433 else if (options.rdp)
34193434 options.port = 3389;
3420 if (options.port == 0)
3435 else
34213436 options.port = 443;
34223437 }
34233438 }
34823497 printf(" Hosts can be supplied with ports (host:port)\n");
34833498 printf(" %s--ipv4%s Only use IPv4\n", COL_GREEN, RESET);
34843499 printf(" %s--ipv6%s Only use IPv6\n", COL_GREEN, RESET);
3485 printf(" %s--failed%s Show unsupported ciphers.\n", COL_GREEN, RESET);
3486 printf(" %s--show-certificate%s Show full certificate information.\n", COL_GREEN, RESET);
3487 printf(" %s--no-check-certificate%s Don't warn about weak certificate algorithm or keys.\n", COL_GREEN, RESET);
3488 printf(" %s--show-client-cas%s Show trusted CAs for TLS client auth.\n", COL_GREEN, RESET);
3489 printf(" %s--show-ciphers%s Show supported client ciphers.\n", COL_GREEN, RESET);
3500 printf(" %s--show-certificate%s Show full certificate information\n", COL_GREEN, RESET);
3501 printf(" %s--no-check-certificate%s Don't warn about weak certificate algorithm or keys\n", COL_GREEN, RESET);
3502 printf(" %s--show-client-cas%s Show trusted CAs for TLS client auth\n", COL_GREEN, RESET);
3503 printf(" %s--show-ciphers%s Show supported client ciphers\n", COL_GREEN, RESET);
3504 printf(" %s--show-cipher-ids%s Show cipher ids\n", COL_GREEN, RESET);
3505 printf(" %s--show-times%s Show handhake times in milliseconds\n", COL_GREEN, RESET);
34903506 #ifndef OPENSSL_NO_SSL2
3491 printf(" %s--ssl2%s Only check SSLv2 ciphers.\n", COL_GREEN, RESET);
3507 printf(" %s--ssl2%s Only check SSLv2 ciphers\n", COL_GREEN, RESET);
34923508 #endif
34933509 #ifndef OPENSSL_NO_SSL3
3494 printf(" %s--ssl3%s Only check SSLv3 ciphers.\n", COL_GREEN, RESET);
3495 #endif
3496 printf(" %s--tls10%s Only check TLSv1.0 ciphers.\n", COL_GREEN, RESET);
3510 printf(" %s--ssl3%s Only check SSLv3 ciphers\n", COL_GREEN, RESET);
3511 #endif
3512 printf(" %s--tls10%s Only check TLSv1.0 ciphers\n", COL_GREEN, RESET);
34973513 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
3498 printf(" %s--tls11%s Only check TLSv1.1 ciphers.\n", COL_GREEN, RESET);
3499 printf(" %s--tls12%s Only check TLSv1.2 ciphers.\n", COL_GREEN, RESET);
3500 #endif
3501 printf(" %s--tlsall%s Only check TLS ciphers (all versions).\n", COL_GREEN, RESET);
3502 printf(" %s--ocsp%s Request OCSP response from server.\n", COL_GREEN, RESET);
3514 printf(" %s--tls11%s Only check TLSv1.1 ciphers\n", COL_GREEN, RESET);
3515 printf(" %s--tls12%s Only check TLSv1.2 ciphers\n", COL_GREEN, RESET);
3516 #endif
3517 printf(" %s--tlsall%s Only check TLS ciphers (all versions)\n", COL_GREEN, RESET);
3518 printf(" %s--ocsp%s Request OCSP response from server\n", COL_GREEN, RESET);
35033519 printf(" %s--pk=<file>%s A file containing the private key or a PKCS#12 file\n", COL_GREEN, RESET);
35043520 printf(" containing a private key/certificate pair\n");
35053521 printf(" %s--pkpass=<password>%s The password for the private key or PKCS#12 file\n", COL_GREEN, RESET);
35063522 printf(" %s--certs=<file>%s A file containing PEM/ASN1 formatted client certificates\n", COL_GREEN, RESET);
3507 printf(" %s--no-ciphersuites%s Only check for supported SSL/TLS versions, not ciphers\n", COL_GREEN, RESET);
3523 printf(" %s--no-ciphersuites%s Do not check for supported ciphersuites\n", COL_GREEN, RESET);
35083524 printf(" %s--no-renegotiation%s Do not check for TLS renegotiation\n", COL_GREEN, RESET);
35093525 printf(" %s--no-compression%s Do not check for TLS compression (CRIME)\n", COL_GREEN, RESET);
35103526 printf(" %s--no-heartbleed%s Do not check for OpenSSL Heartbleed (CVE-2014-0160)\n", COL_GREEN, RESET);
3511 printf(" %s--no-preferred%s Do not determine preferred ciphers\n", COL_GREEN, RESET);
35123527 printf(" %s--starttls-ftp%s STARTTLS setup for FTP\n", COL_GREEN, RESET);
35133528 printf(" %s--starttls-imap%s STARTTLS setup for IMAP\n", COL_GREEN, RESET);
35143529 printf(" %s--starttls-irc%s STARTTLS setup for IRC\n", COL_GREEN, RESET);
35153530 printf(" %s--starttls-pop3%s STARTTLS setup for POP3\n", COL_GREEN, RESET);
35163531 printf(" %s--starttls-smtp%s STARTTLS setup for SMTP\n", COL_GREEN, RESET);
35173532 printf(" %s--starttls-xmpp%s STARTTLS setup for XMPP\n", COL_GREEN, RESET);
3518 printf(" %s--xmpp-server%s Use a server-to-server XMPP handshake.\n", COL_GREEN, RESET);
3519 printf(" %s--http%s Test a HTTP connection.\n", COL_GREEN, RESET);
3520 printf(" %s--rdp%s Send RDP preamble before starting scan.\n", COL_GREEN, RESET);
3533 printf(" %s--starttls-psql%s STARTTLS setup for PostgreSQL\n", COL_GREEN, RESET);
3534 printf(" %s--xmpp-server%s Use a server-to-server XMPP handshake\n", COL_GREEN, RESET);
3535 printf(" %s--http%s Test a HTTP connection\n", COL_GREEN, RESET);
3536 printf(" %s--rdp%s Send RDP preamble before starting scan\n", COL_GREEN, RESET);
35213537 printf(" %s--bugs%s Enable SSL implementation bug work-arounds\n", COL_GREEN, RESET);
3522 printf(" %s--timeout=<sec>%s Set socket timeout. Default is 3s.\n", COL_GREEN, RESET);
3523 printf(" %s--sleep=<msec>%s Pause between connection request. Default is disabled.\n", COL_GREEN, RESET);
3524 printf(" %s--xml=<file>%s Output results to an XML file.\n", COL_GREEN, RESET);
3525 printf(" %s--version%s Display the program version.\n", COL_GREEN, RESET);
3526 printf(" %s--verbose%s Display verbose output.\n", COL_GREEN, RESET);
3538 printf(" %s--timeout=<sec>%s Set socket timeout. Default is 3s\n", COL_GREEN, RESET);
3539 printf(" %s--sleep=<msec>%s Pause between connection request. Default is disabled\n", COL_GREEN, RESET);
3540 printf(" %s--xml=<file>%s Output results to an XML file\n", COL_GREEN, RESET);
3541 printf(" %s--version%s Display the program version\n", COL_GREEN, RESET);
3542 printf(" %s--verbose%s Display verbose output\n", COL_GREEN, RESET);
35273543 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
3528 printf(" %s--no-cipher-details%s Display EC curve names and EDH key lengths.\n", COL_GREEN, RESET);
3529 #endif
3530 printf(" %s--no-colour%s Disable coloured output.\n", COL_GREEN, RESET);
3544 printf(" %s--no-cipher-details%s Disable EC curve names and EDH/RSA key lengths output\n", COL_GREEN, RESET);
3545 #endif
3546 printf(" %s--no-colour%s Disable coloured output\n", COL_GREEN, RESET);
35313547 printf(" %s--help%s Display the help text you are now reading\n\n", COL_GREEN, RESET);
35323548 printf("%sExample:%s\n", COL_BLUE, RESET);
35333549 printf(" %s%s 127.0.0.1%s\n", COL_GREEN, argv[0], RESET);
35563572
35573573 SSLeay_add_all_algorithms();
35583574 ERR_load_crypto_strings();
3559
3560 // Build a list of ciphers...
3561 switch (options.sslVersion)
3562 {
3563 case ssl_all:
3564 #ifndef OPENSSL_NO_SSL2
3565 populateCipherList(&options, SSLv2_client_method());
3566 #endif
3567 #ifndef OPENSSL_NO_SSL3
3568 populateCipherList(&options, SSLv3_client_method());
3569 #endif
3570 populateCipherList(&options, TLSv1_client_method());
3571 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
3572 populateCipherList(&options, TLSv1_1_client_method());
3573 populateCipherList(&options, TLSv1_2_client_method());
3574 #endif
3575 break;
3576 #ifndef OPENSSL_NO_SSL2
3577 case ssl_v2:
3578 populateCipherList(&options, SSLv2_client_method());
3579 break;
3580 #endif
3581 #ifndef OPENSSL_NO_SSL3
3582 case ssl_v3:
3583 populateCipherList(&options, SSLv3_client_method());
3584 break;
3585 #endif
3586 case tls_all:
3587 populateCipherList(&options, TLSv1_client_method());
3588 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
3589 populateCipherList(&options, TLSv1_1_client_method());
3590 populateCipherList(&options, TLSv1_2_client_method());
3591 #endif
3592 break;
3593 case tls_v10:
3594 populateCipherList(&options, TLSv1_client_method());
3595 break;
3596 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
3597 case tls_v11:
3598 populateCipherList(&options, TLSv1_1_client_method());
3599 break;
3600 case tls_v12:
3601 populateCipherList(&options, TLSv1_2_client_method());
3602 break;
3603 #endif
3604 }
36053575
36063576 // Do the testing...
36073577 if (mode == mode_single)
+10
-6
sslscan.h less more
6969 const char *COL_BLUE = "";
7070 const char *COL_GREEN = "";
7171 const char *COL_PURPLE = "";
72 const char *COL_GREY = "";
7273 const char *COL_RED_BG = "";
7374 #else
7475 const char *RESET = "";
7778 const char *COL_BLUE = "";
7879 const char *COL_GREEN = "";
7980 const char *COL_PURPLE = "";
81 const char *COL_GREY = "";
8082 const char *COL_RED_BG = "";
8183 #endif
8284
111113 // Program Options...
112114 char host[512];
113115 int port;
114 int noFailed;
115116 int showCertificate;
116117 int checkCertificate;
117118 int showTrustedCAs;
118119 int showClientCiphers;
120 int showCipherIds;
121 int showTimes;
119122 int ciphersuites;
120123 int reneg;
121124 int compression;
126129 int starttls_pop3;
127130 int starttls_smtp;
128131 int starttls_xmpp;
132 int starttls_psql;
129133 int xmpp_server;
130134 int sslVersion;
131135 int targets;
136140 int cipher_details;
137141 int ipv4;
138142 int ipv6;
139 int getPreferredCiphers;
140143 int ocspStatus;
144 char cipherstring[65536];
141145
142146 // File Handles...
143147 FILE *xmlOutput;
187191 int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent);
188192
189193 int tcpConnect(struct sslCheckOptions *);
190 int populateCipherList(struct sslCheckOptions *, const SSL_METHOD *);
191194
192195 // Tests
193196 void tls_reneg_init(struct sslCheckOptions *);
198201 int testCompression(struct sslCheckOptions *, const SSL_METHOD *);
199202 int testRenegotiation(struct sslCheckOptions *, const SSL_METHOD *);
200203 int testHeartbleed(struct sslCheckOptions *, const SSL_METHOD *);
201 int testCipher(struct sslCheckOptions *, struct sslCipher *);
204 int testCipher(struct sslCheckOptions *, const SSL_METHOD *);
205 int testProtocolCiphers(struct sslCheckOptions *, const SSL_METHOD *);
202206 int testConnection(struct sslCheckOptions *);
203207 int testHost(struct sslCheckOptions *);
204208
205209 int loadCerts(struct sslCheckOptions *);
206 int defaultCipher(struct sslCheckOptions *, const SSL_METHOD *);
207 int checkCertificate(struct sslCheckOptions *);
210 int checkCertificateProtocols(struct sslCheckOptions *, const SSL_METHOD *);
211 int checkCertificate(struct sslCheckOptions *, const SSL_METHOD *);
208212 int showCertificate(struct sslCheckOptions *);
209213
210214 #endif