authorRemy <relst@relst.nl>2016-04-13 06:24:42 +0200
committerRemy <relst@relst.nl>2016-04-13 06:24:42 +0200
commit151e36ec4c1de29788cb67e751c1f225170c335b (patch)
tree87227a04b40b70358c800fabcaa642e2a1e92af5
parentad47580237957bc1a32f2859028aa0b58d0117cb (diff)
fixes for OpenSSL 1.1.0, dockerfile
-rw-r--r--CHANGELOG.md11
-rw-r--r--docker/Dockerfile33
-rw-r--r--docker/README.md9
-rw-r--r--docker/run.sh14
-rw-r--r--functions/connection.php54
-rw-r--r--functions/ocsp.php20
-rw-r--r--functions/tls_fallback_scsv.php18
-rw-r--r--functions/variables.php4
-rw-r--r--functions/verify_certifitcate.php2
9 files changed, 127 insertions, 38 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8092855..42893f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,16 @@
# Changelog
+## 3.2
+
+- Add support for PHP 7.
+- Add support for OpenSSL 1.1.0
+- OpenSSL 1.1 has full IPv6 support in the CLI tools. Therefore the following checks work and the warnings are removed:
+ - OCSP stapling check
+ - TLS_FALLBACK_SCSV
+ - SSL Compression
+- Add Dockerfile to set up a dev environment or self hosted instance very fast, since OpenSSL 1.1.0 is now a requirement and not every server will have that right now.
+
+
## 3.1
- Fix HTTP header resolution in some cloudflare cases (HSTS/HPKP)
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..8f6682c
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,33 @@
+FROM php:7.0-apache
+RUN apt-get update && apt-get install -y \
+ libfreetype6-dev \
+ libjpeg62-turbo-dev \
+ libmcrypt-dev \
+ libpng12-dev \
+ zlib1g-dev \
+ libicu-dev \
+ g++ \
+ python2.7 \
+ python-all-dev \
+ python-netaddr \
+ perl \
+ dnsutils \
+ wget \
+ && curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin \
+ && docker-php-ext-configure intl \
+ && docker-php-ext-install -j$(nproc) iconv \
+ && docker-php-ext-install -j$(nproc) mcrypt \
+ && docker-php-ext-install -j$(nproc) mbstring \
+ && docker-php-ext-install -j$(nproc) bcmath \
+ && docker-php-ext-install -j$(nproc) intl \
+ && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
+ && docker-php-ext-install -j$(nproc) gd \
+ && mkdir -p /usr/local/src \
+ && cd /usr/local/src \
+ && wget https://openssl.org/source/openssl-1.1.0-pre4.tar.gz \
+ && tar -xf openssl-1.1.0-pre4.tar.gz \
+ && cd openssl-1.1.0-pre4 \
+ && ./config --prefix=/usr/local no-afalgeng \
+ && make \
+ && make install
+
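Review bot: The image build fetches two pieces of code and runs them without any integrity check: the Composer installer is piped from `curl` straight into `php`, and the OpenSSL tarball from `wget` is unpacked and compiled as downloaded. Pin both to a known digest and verify before use, for example `&& echo "<expected-sha256>  openssl-1.1.0-pre4.tar.gz" | sha256sum -c - \` between the `wget` and `tar` lines, and download the Composer installer to a file and check it against its published checksum before running it. The tarball is also a pre-release (`1.1.0-pre4`), so a comment saying it is meant to be replaced by the final 1.1.0 release would help anyone who self-hosts from this image.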
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 0000000..e82a54f
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,9 @@
+# Docker container for the SSL Decoder
+
+Make sure [Docker](https://docs.docker.com/) is installed. [Digital Ocean](https://www.digitalocean.com/?refcode=7435ae6b8212) has a nice Docker image to get started right away (affiliate link).
+
+`cd` into the `docker` folder after cloning the repository and run the provided script:
+
+ bash run.sh
+
+It will compile and assemble the docker container with Ubuntu 14.04, PHP 7.0, Apache 2.4 and OpenSSL 1.1.0. Run the script again to start the container again. \ No newline at end of file
diff --git a/docker/run.sh b/docker/run.sh
new file mode 100644
index 0000000..86d23c2
--- /dev/null
+++ b/docker/run.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+APPNAME="ssl-decoder"
+IMGNAME="php-7.0-apache-2.4-openssl-1.1.0"
+FOLDERHERE="/home/remy/repo/ssl-decoder/"
+FOLDERTHERE="/var/www/html"
+
+DOCKER_ID="$(docker ps -a 2>&1 | grep "${APPNAME}" | awk '{print $1}')"
+if [[ ! -z ${DOCKER_ID} ]]; then
+ docker stop "${DOCkER_ID}"
+ docker rm "${DOCKER_ID}"
+fi
+
+docker build -t "${IMGNAME}" .
+docker run --name "${APPNAME}" -v ${FOLDERHERE}:${FOLDERTHERE} ${IMGNAME}
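Review bot: The `docker stop` line expands `${DOCkER_ID}` (lower-case `k`), which is never set, so `stop` receives an empty argument and the following `docker rm` then fails on a container that is still running; it should read `docker stop "${DOCKER_ID}"`. `FOLDERHERE` is hard-coded to the author's home directory, so the bind mount only works on that machine; deriving it from the script location, e.g. `FOLDERHERE="$(cd "$(dirname "$0")/.." && pwd)"`, would make the script portable. The `-v ${FOLDERHERE}:${FOLDERTHERE} ${IMGNAME}` arguments should also be quoted like the others.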
diff --git a/functions/connection.php b/functions/connection.php
index a5075cc..a834223 100644
--- a/functions/connection.php
+++ b/functions/connection.php
@@ -208,13 +208,18 @@ function test_sslv2($ip, $port) {
function conn_compression($host, $ip, $port) {
global $timeout;
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ //if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
// ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- return true;
- }
+ // return true;
+ //}
$exitstatus = 0;
$output = 0;
- exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"', $output, $exitstatus);
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . $ip . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"', $output, $exitstatus);
+ } else {
+ exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"', $output, $exitstatus);
+ }
if ($exitstatus == 0) {
$result = false;
} else {
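Review bot: In the new IPv6 branch of `conn_compression()` the raw `$ip` is concatenated into the `exec()` command line inside double quotes, while the `filter_var` check runs on a copy that `preg_replace` has already stripped, so the value that was validated is not the value the shell receives. Build the argument as one escaped string in both branches instead, e.g. `' -connect ' . escapeshellarg($ip . ':' . $port) . ' -status -tlsextdebug 2>&1 | ...'`, which should leave the brackets of an IPv6 literal intact and removes the need for the branch. The same unescaped `$ip` appears in the IPv6 branches added to `ocsp_stapling()` in functions/ocsp.php and `tls_fallback_scsv()` in functions/tls_fallback_scsv.php. Whether `$ip` can carry caller-supplied text depends on code outside this hunk, and the function body continues past it.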
@@ -851,10 +856,10 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
$context = stream_context_get_params($read_stream);
$context_meta = stream_context_get_options($read_stream)['ssl']['session_meta'];
$cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"])[0];
-
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 )) {
- $result["warning"][] = "You are testing an IPv6 host. Due to <a href=\"https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest\">bugs</a> in OpenSSL's command line tools the results will be inaccurate. Known incorrect are OCSP Stapling, TLS_FALLBACK_SCSV and SSL Compression results, others may also be incorrect.";
- }
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 )) {
+ // $result["warning"][] = "You are testing an IPv6 host. Due to <a href=\"https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest\">bugs</a> in OpenSSL's command line tools the results will be inaccurate. Known incorrect are OCSP Stapling, TLS_FALLBACK_SCSV and SSL Compression results, others may also be incorrect.";
+ // }
$result["checked_hostname"] = $host;
//chain
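Review bot: The IPv6 warning block here is commented out rather than deleted, and the same pattern repeats in the compression, TLS_FALLBACK_SCSV and OCSP stapling hunks of `ssl_conn_metadata_json()` below. Version control already keeps the old code, and leaving it in place puts the stale line `// ipv6 openssl tools are broken.` directly under the new `// OpenSSL 1.1.0 has ipv6 support` comment, which reads as a contradiction. Delete the dead blocks and keep a single comment such as `// IPv6 results rely on the OpenSSL >= 1.1.0 CLI; older versions report these checks incorrectly.` The function starts and ends outside this hunk.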
@@ -978,13 +983,14 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
if ($compression == false) {
$result["compression"] = false;
} else {
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- $result["warning"][] = 'SSL compression not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
- } else {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ // $result["warning"][] = 'SSL compression not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ // } else {
$result["compression"] = true;
$result["warning"][] = 'SSL compression enabled. Please disable to prevent attacks like CRIME.';
- }
+ // }
}
@@ -1140,13 +1146,14 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
if ($fallback['tls_fallback_scsv_support'] == 1) {
$result["tls_fallback_scsv"] = "supported";
} else {
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- $result["warning"][] = 'TLS_FALLBACK_SCSV not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
- } else {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ //if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ //$result["warning"][] = 'TLS_FALLBACK_SCSV not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ //} else {
$result["tls_fallback_scsv"] = "unsupported";
$result["warning"][] = "TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection.";
- }
+ //}
}
}
//hsts
@@ -1183,13 +1190,14 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
if($stapling["working"] == 1) {
$result["ocsp_stapling"] = $stapling;
} else {
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- $result["warning"][] = 'OCSP Stapling not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
- } else {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ // $result["warning"][] = 'OCSP Stapling not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ // } else {
$result["ocsp_stapling"] = "not set";
$result["warning"][] = "OCSP Stapling not enabled.";
- }
+ // }
}
$result["heartbeat"] = heartbeat_test($host, $port);
diff --git a/functions/ocsp.php b/functions/ocsp.php
index b9cefcb..a855bf3 100644
--- a/functions/ocsp.php
+++ b/functions/ocsp.php
@@ -17,12 +17,20 @@
function ocsp_stapling($host, $ip, $port) {
//used openssl cli to check if host has enabled oscp stapling.
global $timeout;
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ // return false;
+ // }
+ $result = "";
+ // escapeshellcmd adds \[\] to ipv6 address.
+ // todo: look into escapeshellarg vs. escapeshellcmd
if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- return false;
+ $output = shell_exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect \'' . $ip . ':' . escapeshellcmd($port) . '\' -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
+ } else {
+ $output = shell_exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
}
- $result = "";
- $output = shell_exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
+
if (strpos($output, "no response sent") !== false) {
$result = array("working" => 0,
"cert_status" => "No response sent");
@@ -67,9 +75,9 @@ function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) {
// Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
$ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);
- $output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
+ $output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -resp_text -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST='. escapeshellcmd($ocsp_host) . '" 2>&1');
- $filter_output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"');
+ $filter_output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -resp_text -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST='. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem" | grep -e "Cert Status:" -e "Revocation Time:" -e "Revocation Reason:" -e "This Update:" -e "Next Update:" -e "OCSP Response Status:"');
$output = preg_replace("/[[:blank:]]+/"," ", $output);
$ocsp_status_lines = explode("\n", $output);
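Review bot: Both rewritten commands still begin with `'timeout ' . $timeout . ' | openssl ocsp ...'`, which pipes `timeout` into openssl instead of wrapping it, so the OCSP request is not bounded by the timeout at all; the prefix should read `'timeout ' . $timeout . ' openssl ocsp -resp_text ...'`. The responder URL and host come from `$ocsp_uri` and are passed through `escapeshellcmd()` inside double quotes; `escapeshellarg($ocsp_uri)` and `escapeshellarg('HOST=' . $ocsp_host)` without the surrounding quotes would be the safer form for values that presumably originate from the certificate being inspected. The function body starts and ends outside the hunk.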
diff --git a/functions/tls_fallback_scsv.php b/functions/tls_fallback_scsv.php
index bd65c42..0892923 100644
--- a/functions/tls_fallback_scsv.php
+++ b/functions/tls_fallback_scsv.php
@@ -16,16 +16,22 @@
function tls_fallback_scsv($host, $ip, $port) {
global $timeout;
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- return false;
- }
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ // return false;
+ // }
$result = [];
$protocols = ssl_conn_protocols($host, $ip, $port);
if (count(array_filter($protocols)) > 1) {
$result['protocol_count'] = count(array_filter($protocols));
- $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect " . escapeshellcmd($ip) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null");
- if ( stripos($fallback_test, "alert inappropriate fallback") !== false ) {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect '" . $ip . ":" . escapeshellcmd($port) . "' -fallback_scsv -no_tls1_2 2>&1 >/dev/null");
+ } else {
+ $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect " . escapeshellcmd($ip) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null");
+ }
+ if ( stripos($fallback_test, "SSL alert number 86") !== false ) {
$result['tls_fallback_scsv_support'] = 1;
}
} else {
diff --git a/functions/variables.php b/functions/variables.php
index eca3087..d036ca8 100644
--- a/functions/variables.php
+++ b/functions/variables.php
@@ -15,7 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
# timeout in seconds, used globally (curl, shell commands, etc)
-$timeout = 2;
+$timeout = 120;
# max chain length (big chain slows down checks)
$max_chain_length = 10;
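Review bot: Raising `$timeout` from 2 to 120 changes every consumer the comment lists (curl, shell commands) and, in the next hunk's context, `default_socket_timeout`, so one scan of an unresponsive host can now hold a web worker for minutes across the several `openssl s_client` calls. On a publicly reachable instance that makes it much cheaper to exhaust the worker pool. If the larger value is only needed for a slow step, consider a separate setting for it and keep the global default short, and document the trade-off in the comment, e.g. `# timeout in seconds, used globally; keep this low on public instances, each check can block for this long`.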
@@ -23,7 +23,7 @@ $max_chain_length = 10;
# Don't change stuff down here.
date_default_timezone_set('UTC');
-$version = 3.1;
+$version = 3.2;
ini_set('default_socket_timeout', $timeout);
diff --git a/functions/verify_certifitcate.php b/functions/verify_certifitcate.php
index 4e23fc0..025c504 100644
--- a/functions/verify_certifitcate.php
+++ b/functions/verify_certifitcate.php
@@ -94,7 +94,7 @@ function spki_hash($raw_cert_data) {
$tmp_dir = '/tmp/';
//below command returns the SPKI hash of a public key.
openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem');
- $output = shell_exec('timeout ' . $timeout . 'openssl x509 -noout -in '.$tmp_dir.$random_blurp.'.cert_client.pem -pubkey | openssl asn1parse -noout -inform pem -out '.$tmp_dir.$random_blurp.'.public.key; openssl dgst -sha256 -binary '. $tmp_dir . $random_blurp . '.public.key | openssl enc -base64 2>&1');
+ $output = shell_exec('timeout ' . $timeout . ' openssl x509 -noout -in '.$tmp_dir.$random_blurp.'.cert_client.pem -pubkey | openssl asn1parse -noout -inform pem -out '.$tmp_dir.$random_blurp.'.public.key; openssl dgst -sha256 -binary '. $tmp_dir . $random_blurp . '.public.key | openssl enc -base64 2>&1');
//remove those files again.
unlink($tmp_dir.$random_blurp.'.cert_client.pem');
unlink($tmp_dir.$random_blurp.'.public.key');