author | Remy <relst@relst.nl> | 2015-06-03 20:33:22 +0200 |
---|---|---|
committer | Remy <relst@relst.nl> | 2015-06-03 20:33:22 +0200 |
commit | 456eca5418301adde7b970873bd25882ebc92ad2 (patch) | |
tree | 1623a8a397cad266f3212529108c59273be18622 | |
parent | 08fd83615c592dde84d89de5ed32b24590f5e32f (diff) | |
Don't return false information for IPv6-only hosts: run the OpenSSL-based checks only over IPv4, and emit a "not tested" warning otherwise.
-rw-r--r-- | functions/connection.php | 32 | ||||
-rw-r--r-- | functions/ocsp.php | 4 | ||||
-rw-r--r-- | functions/tls_fallback_scsv.php | 4 |
3 files changed, 34 insertions, 6 deletions
diff --git a/functions/connection.php b/functions/connection.php
index a6049cd..46ba3f9 100644
--- a/functions/connection.php
+++ b/functions/connection.php
@@ -150,6 +150,10 @@ function test_sslv2($ip, $port) {
 function conn_compression($host, $ip, $port) {
 global $timeout;
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ return true;
+ }
 $exitstatus = 0;
 $output = 0;
 //pre_dump('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"');
@@ -616,8 +620,14 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
 if ($compression == false) {
 $result["compression"] = false;
 } else {
- $result["compression"] = true;
- $result["warning"][] = 'SSL compression enabled. Please disable to prevent attacks like CRIME.';
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ $result["warning"][] = 'SSL compression not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ } else {
+ $result["compression"] = true;
+ $result["warning"][] = 'SSL compression enabled. Please disable to prevent attacks like CRIME.';
+ }
+ }
 // protocols
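Review bot: The IPv6 guard added at the top of conn_compression returns `true`, which is the very value the caller in the second hunk treats as "compression is enabled" (`if ($compression == false) ... else ...`), so "not tested" and "vulnerable" are indistinguishable by return value and the caller has to repeat the IPv6 detection to tell them apart. A distinct sentinel keeps the result honest: `return null; // not tested: s_client cannot connect to IPv6 literals with this OpenSSL`, with callers comparing `=== null`. The comment `// ipv6 openssl tools are broken.` should also say which invocation fails (presumably s_client's `-connect host:port` parsing of IPv6 literals — confirm against the linked ticket) and that the guard is meant to go away once a fixed OpenSSL is installed; as written, IPv6 hosts stay untested indefinitely. conn_compression's body continues past the hunk.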
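Review bot: In the new IPv6 branch of the compression block `$result["compression"]` is never assigned, while both other branches set it to `false` or `true`; a consumer of the JSON that reads the key as a boolean, or tests it with `isset`/`empty`, will see an IPv6 host as "compression off", so an untested check silently reads as a pass. Record the skip explicitly next to the warning, `$result["compression"] = null; // not tested over IPv6`, so downstream code and the rendered report can separate "untested" from "secure". The `filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)` expression is now repeated verbatim in every hunk of this commit (six copies across three files); a one-line `is_ipv6($ip)` helper in connection.php would shrink each call site and give the ticket link a single home. ssl_conn_metadata_json starts and ends outside this hunk.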
@@ -777,8 +787,13 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
 if ($fallback['tls_fallback_scsv_support'] == 1) {
 $result["tls_fallback_scsv"] = "supported";
 } else {
- $result["tls_fallback_scsv"] = "unsupported";
- $result["warning"][] = "TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection.";
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ $result["warning"][] = 'TLS_FALLBACK_SCSV not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ } else {
+ $result["tls_fallback_scsv"] = "unsupported";
+ $result["warning"][] = "TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection.";
+ }
 }
 }
 //hsts
@@ -815,8 +830,13 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
 if($stapling["working"] == 1) {
 $result["ocsp_stapling"] = $stapling;
 } else {
- $result["ocsp_stapling"] = "not set";
- $result["warning"][] = "OCSP Stapling not enabled.";
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ $result["warning"][] = 'OCSP Stapling not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ } else {
+ $result["ocsp_stapling"] = "not set";
+ $result["warning"][] = "OCSP Stapling not enabled.";
+ }
 }
 $result["openssl_version"] = shell_exec("openssl version");
diff --git a/functions/ocsp.php b/functions/ocsp.php
index 99b5f2d..12397f9 100644
--- a/functions/ocsp.php
+++ b/functions/ocsp.php
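Review bot: Now that tls_fallback_scsv returns `false` for IPv6 hosts (tls_fallback_scsv.php hunk), the unchanged condition `$fallback['tls_fallback_scsv_support'] == 1` at the top of this hunk indexes a boolean; PHP yields `null` for that (and raises a notice on 7.4+), so execution only reaches the new IPv6 branch by accident rather than by design. Check the sentinel before indexing, `if (is_array($fallback) && $fallback['tls_fallback_scsv_support'] == 1) {`, and inside the IPv6 branch add `$result["tls_fallback_scsv"] = "not tested";` so the key is present for every outcome, as it was before this change ("supported"/"unsupported"). The same bool-offset access happens with `$stapling["working"]` in the next hunk. The enclosing function runs past both ends of this hunk.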
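Review bot: The IPv6 branch for OCSP stapling omits the `$result["ocsp_stapling"]` assignment that both other paths make (the `$stapling` array or the string `"not set"`), so for IPv6 hosts the field vanishes from the output and only a free-text warning records that nothing was checked. The field is already stringly typed by the existing `"not set"` value, so writing `$result["ocsp_stapling"] = "not tested";` beside the warning costs nothing and lets a report, or a caller comparing against `"not set"`, distinguish "skipped" from "stapling absent" without parsing the warnings array. A short comment on the skip would also help a future maintainer, e.g. `// skipped, not a finding: s_client cannot reach IPv6 literals with this OpenSSL (see ticket)`. ssl_conn_metadata_json continues outside the hunk.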
@@ -16,6 +16,10 @@ function ocsp_stapling($host, $ip, $port) {
 global $timeout;
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ return false;
+ }
 $result = "";
 $output = shell_exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
 if (strpos($output, "no response sent") !== false) {
diff --git a/functions/tls_fallback_scsv.php b/functions/tls_fallback_scsv.php
index dc58f11..bd65c42 100644
--- a/functions/tls_fallback_scsv.php
+++ b/functions/tls_fallback_scsv.php
@@ -16,6 +16,10 @@ function tls_fallback_scsv($host, $ip, $port) {
 global $timeout;
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ return false;
+ }
 $result = [];
 $protocols = ssl_conn_protocols($host, $ip, $port);
 if (count(array_filter($protocols)) > 1) { |
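Review bot: The new guard in ocsp_stapling validates a character-stripped copy of `$ip` and then throws it away; the `shell_exec` line just below still interpolates the raw `$ip` through `escapeshellcmd` inside double quotes, and only the IPv6 case is ever validated. escapeshellcmd leaves paired quotes and whitespace untouched, so if `$ip` can originate from the request (not visible in this hunk — confirm at the call site) a value containing a matched pair of double quotes and a space splits into additional s_client arguments. Since a sanitized copy now exists, either reuse it for the command or quote the argument as a unit: `-connect ' . escapeshellarg($ip . ':' . $port) . ' -tlsextdebug -status`, and likewise `-servername ' . escapeshellarg($host)`. ocsp_stapling's body continues past the hunk.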
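Review bot: The early `return false` in tls_fallback_scsv changes the function's result type for one class of input: the normal path builds `$result = []` and the caller in connection.php indexes `$fallback['tls_fallback_scsv_support']`, so callers expect an array and now receive a bool. Returning the same shape keeps the contract intact and makes the skip self-describing: `return ['tls_fallback_scsv_support' => null]; // not tested: IPv6 literal unsupported by this OpenSSL s_client`, with the caller treating `null` as "skipped" rather than "unsupported". It is also worth noting in the comment that `ssl_conn_protocols($host, $ip, $port)` is deliberately not called for IPv6 either, so readers do not assume the protocol scan still ran. The rest of the function, including what it finally returns, lies outside the hunk.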