author | Remy <relst@relst.nl> | 2016-04-13 06:24:42 +0200 |
---|---|---|
committer | Remy <relst@relst.nl> | 2016-04-13 06:24:42 +0200 |
commit | 151e36ec4c1de29788cb67e751c1f225170c335b (patch) | |
tree | 87227a04b40b70358c800fabcaa642e2a1e92af5 /functions | |
parent | ad47580237957bc1a32f2859028aa0b58d0117cb (diff) | |
fixes for OpenSSL 1.1.0, dockerfile
Diffstat (limited to 'functions')
-rw-r--r-- | functions/connection.php | 54 | ||||
-rw-r--r-- | functions/ocsp.php | 20 | ||||
-rw-r--r-- | functions/tls_fallback_scsv.php | 18 | ||||
-rw-r--r-- | functions/variables.php | 4 | ||||
-rw-r--r-- | functions/verify_certifitcate.php | 2 |
5 files changed, 60 insertions, 38 deletions
diff --git a/functions/connection.php b/functions/connection.php
index a5075cc..a834223 100644
--- a/functions/connection.php
+++ b/functions/connection.php
@@ -208,13 +208,18 @@ function test_sslv2($ip, $port) {
 function conn_compression($host, $ip, $port) {
 global $timeout;
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ //if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
 // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- return true;
- }
+ // return true;
+ //}
 $exitstatus = 0;
 $output = 0;
- exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"', $output, $exitstatus);
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . $ip . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"', $output, $exitstatus);
+ } else {
+ exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"', $output, $exitstatus);
+ }
 if ($exitstatus == 0) {
 $result = false;
 } else {
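Review bot: The IPv6 branch of the new `exec()` call interpolates `$ip` into the shell command with no escaping at all, while the guard above it validates only the `preg_replace`-stripped copy, so the string that reaches the shell is not the string that was validated. `escapeshellcmd` was dropped here because it backslash-escapes the brackets of an IPv6 address, but `escapeshellarg` quotes the whole argument and leaves the brackets intact, so both branches can collapse into one call: `$connect = escapeshellarg($ip . ':' . $port);` followed by `exec('echo | timeout ' . $timeout . ' openssl s_client -servername ' . escapeshellarg($host) . ' -connect ' . $connect . ' -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"', $output, $exitstatus);` with the hand-written double quotes around the values removed. The same unescaped `$ip` appears in the IPv6 branches added to ocsp_stapling in functions/ocsp.php and tls_fallback_scsv in functions/tls_fallback_scsv.php. conn_compression's body continues past the end of the hunk.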
@@ -851,10 +856,10 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
 $context = stream_context_get_params($read_stream);
 $context_meta = stream_context_get_options($read_stream)['ssl']['session_meta'];
 $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"])[0];
-
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 )) {
- $result["warning"][] = "You are testing an IPv6 host. Due to <a href=\"https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest\">bugs</a> in OpenSSL's command line tools the results will be inaccurate. Known incorrect are OCSP Stapling, TLS_FALLBACK_SCSV and SSL Compression results, others may also be incorrect.";
- }
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 )) {
+ // $result["warning"][] = "You are testing an IPv6 host. Due to <a href=\"https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest\">bugs</a> in OpenSSL's command line tools the results will be inaccurate. Known incorrect are OCSP Stapling, TLS_FALLBACK_SCSV and SSL Compression results, others may also be incorrect.";
+ // }
 $result["checked_hostname"] = $host;
 //chain
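Review bot: The IPv6 accuracy warning is removed unconditionally, but nothing in this hunk (nor in the sibling hunks that disable the compression, TLS_FALLBACK_SCSV and OCSP stapling warnings further down) checks which OpenSSL the host actually runs, so on a system still on 1.0.x the IPv6 results for those checks become silently wrong instead of being flagged. A cheap guard is to keep the warning behind a one-time version probe, e.g. `if ($is_ipv6 && version_compare($openssl_cli_version, '1.1.0', '<')) { $result["warning"][] = "..."; }` where `$openssl_cli_version` is parsed once from the output of `openssl version` (placeholder names). The disabled blocks are also left in as commented-out code in all four places; git history already holds them, so deleting them would read cleaner than four parallel `// if (...)` stubs. ssl_conn_metadata_json starts and ends outside this hunk.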
@@ -978,13 +983,14 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
 if ($compression == false) {
 $result["compression"] = false;
 } else {
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- $result["warning"][] = 'SSL compression not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
- } else {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ // $result["warning"][] = 'SSL compression not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ // } else {
 $result["compression"] = true;
 $result["warning"][] = 'SSL compression enabled. Please disable to prevent attacks like CRIME.';
- }
+ // }
 }
@@ -1140,13 +1146,14 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
 if ($fallback['tls_fallback_scsv_support'] == 1) {
 $result["tls_fallback_scsv"] = "supported";
 } else {
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- $result["warning"][] = 'TLS_FALLBACK_SCSV not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
- } else {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ //if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ //$result["warning"][] = 'TLS_FALLBACK_SCSV not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ //} else {
 $result["tls_fallback_scsv"] = "unsupported";
 $result["warning"][] = "TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection.";
- }
+ //}
 }
 }
 //hsts
@@ -1183,13 +1190,14 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
 if($stapling["working"] == 1) {
 $result["ocsp_stapling"] = $stapling;
 } else {
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- $result["warning"][] = 'OCSP Stapling not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
- } else {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ // $result["warning"][] = 'OCSP Stapling not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ // } else {
 $result["ocsp_stapling"] = "not set";
 $result["warning"][] = "OCSP Stapling not enabled.";
- }
+ // }
 }
 $result["heartbeat"] = heartbeat_test($host, $port);
diff --git a/functions/ocsp.php b/functions/ocsp.php
index b9cefcb..a855bf3 100644
--- a/functions/ocsp.php
+++ b/functions/ocsp.php
@@ -17,12 +17,20 @@ function ocsp_stapling($host, $ip, $port) {
 //used openssl cli to check if host has enabled oscp stapling.
 global $timeout;
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ // return false;
+ // }
+ $result = "";
+ // escapeshellcmd adds \[\] to ipv6 address.
+ // todo: look into escapeshellarg vs. escapeshellcmd
 if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- return false;
+ $output = shell_exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect \'' . $ip . ':' . escapeshellcmd($port) . '\' -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
+ } else {
+ $output = shell_exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
 }
- $result = "";
- $output = shell_exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
+
 if (strpos($output, "no response sent") !== false) {
 $result = array("working" => 0, "cert_status" => "No response sent");
@@ -67,9 +75,9 @@ function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) {
 // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
 $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);
- $output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
+ $output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -resp_text -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST='. escapeshellcmd($ocsp_host) . '" 2>&1');
- $filter_output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"');
+ $filter_output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -resp_text -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST='. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem" | grep -e "Cert Status:" -e "Revocation Time:" -e "Revocation Reason:" -e "This Update:" -e "Next Update:" -e "OCSP Response Status:"');
 $output = preg_replace("/[[:blank:]]+/"," ", $output);
 $ocsp_status_lines = explode("\n", $output);
diff --git a/functions/tls_fallback_scsv.php b/functions/tls_fallback_scsv.php
index bd65c42..0892923 100644
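Review bot: `'timeout ' . $timeout . ' | openssl ocsp ...'` pipes the output of a bare `timeout 120` (which only prints its own usage error) into openssl, so the OCSP request itself runs with no time limit at all; in both new lines the command should read `timeout ' . $timeout . ' openssl ocsp ...` with the `|` removed. The `-url` and `-header` values are presumably taken from the peer certificate's AIA extension rather than from this server, and `escapeshellcmd()` leaves paired quote characters and spaces alone, so the hand-written `"` around them is not a reliable argument boundary; `-url ' . escapeshellarg($ocsp_uri) . ' -header ' . escapeshellarg('HOST=' . $ocsp_host)` is the safer form. The same responder is also queried twice to fill `$output` and `$filter_output`; deriving the second from the first in PHP would halve the outbound requests per check. ocsp_verify_json begins before the hunk and `$root_ca`, `$isser_loc`, `$tmp_dir` and `$random_blurp` are set outside it.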
--- a/functions/tls_fallback_scsv.php
+++ b/functions/tls_fallback_scsv.php
@@ -16,16 +16,22 @@ function tls_fallback_scsv($host, $ip, $port) {
 global $timeout;
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- return false;
- }
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ // if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ // return false;
+ // }
 $result = [];
 $protocols = ssl_conn_protocols($host, $ip, $port);
 if (count(array_filter($protocols)) > 1) {
 $result['protocol_count'] = count(array_filter($protocols));
- $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect " . escapeshellcmd($ip) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null");
- if ( stripos($fallback_test, "alert inappropriate fallback") !== false ) {
+ // OpenSSL 1.1.0 has ipv6 support: https://rt.openssl.org/Ticket/Display.html?id=1832
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect '" . $ip . ":" . escapeshellcmd($port) . "' -fallback_scsv -no_tls1_2 2>&1 >/dev/null");
+ } else {
+ $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect " . escapeshellcmd($ip) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null");
+ }
+ if ( stripos($fallback_test, "SSL alert number 86") !== false ) {
 $result['tls_fallback_scsv_support'] = 1;
 }
 } else {
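Review bot: The success test now matches only `"SSL alert number 86"`, the wording the new code expects from OpenSSL 1.1.0, while the removed line matched the older `"alert inappropriate fallback"`; on a host still running 1.0.x the probe will miss the alert, leave `tls_fallback_scsv_support` unset, and the caller in functions/connection.php then emits a spurious "TLS_FALLBACK_SCSV unsupported" warning. Accepting either form keeps the check version-independent: `if (stripos($fallback_test, "SSL alert number 86") !== false || stripos($fallback_test, "inappropriate fallback") !== false) {`. `shell_exec()` returns null when the command cannot be started, and `stripos(null, ...)` then reads as "no match", so a missing or broken openssl binary is indistinguishable from a server that lacks the extension; checking `$fallback_test === null` first would separate the two. The unescaped `$ip` in the IPv6 branch is the same issue raised on conn_compression in functions/connection.php.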
diff --git a/functions/variables.php b/functions/variables.php
index eca3087..d036ca8 100644
--- a/functions/variables.php
+++ b/functions/variables.php
@@ -15,7 +15,7 @@
 // along with this program. If not, see <http://www.gnu.org/licenses/>.
 # timeout in seconds, used globally (curl, shell commands, etc)
-$timeout = 2;
+$timeout = 120;
 # max chain length (big chain slows down checks)
 $max_chain_length = 10;
@@ -23,7 +23,7 @@ $max_chain_length = 10;
 # Don't change stuff down here.
 date_default_timezone_set('UTC');
-$version = 3.1;
+$version = 3.2;
 ini_set('default_socket_timeout', $timeout);
diff --git a/functions/verify_certifitcate.php b/functions/verify_certifitcate.php
index 4e23fc0..025c504 100644
--- a/functions/verify_certifitcate.php
+++ b/functions/verify_certifitcate.php
@@ -94,7 +94,7 @@ function spki_hash($raw_cert_data) {
 $tmp_dir = '/tmp/';
 //below command returns the SPKI hash of a public key.
 openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem');
- $output = shell_exec('timeout ' . $timeout . 'openssl x509 -noout -in '.$tmp_dir.$random_blurp.'.cert_client.pem -pubkey | openssl asn1parse -noout -inform pem -out '.$tmp_dir.$random_blurp.'.public.key; openssl dgst -sha256 -binary '. $tmp_dir . $random_blurp . '.public.key | openssl enc -base64 2>&1');
+ $output = shell_exec('timeout ' . $timeout . ' openssl x509 -noout -in '.$tmp_dir.$random_blurp.'.cert_client.pem -pubkey | openssl asn1parse -noout -inform pem -out '.$tmp_dir.$random_blurp.'.public.key; openssl dgst -sha256 -binary '. $tmp_dir . $random_blurp . '.public.key | openssl enc -base64 2>&1');
 //remove those files again.
 unlink($tmp_dir.$random_blurp.'.cert_client.pem');
 unlink($tmp_dir.$random_blurp.'.public.key'); |
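Review bot: Raising `$timeout` from 2 to 120 seconds applies to every per-request subprocess and, through `ini_set('default_socket_timeout', $timeout)` a few lines further down, to every PHP socket as well, so one scan of an unresponsive host can now hold a worker for up to two minutes per probe and many minutes per page. If the longer value is needed for slow OCSP responders, a separate, smaller limit for the `s_client` probes (`$probe_timeout = 10;` as a constructed example) would bound the worst case; at minimum the comment on the line above should say why 120 was chosen. The tool looks to be driven from a web page, so this value is effectively a resource-exhaustion knob for whoever submits hosts to it.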