
IPv6 (testssl.sh issue, 19 comments, CLOSED)

drwetter commented on May 14, 2024

IPv6

from testssl.sh.

Comments (19)

drwetter commented on May 14, 2024

Just committed the IPv6 patch.

As the log says: IPv6 is 80% working now. You either need a recent FC/RHEL/CentOS or a manually patched openssl tree with the patch from Fedora http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.2a-ipv6-apps.patch . Also you need to set `HAS_IPv6=true`.

Example:

prompt% OPENSSL=/data/tmp/openssl-1.0.2d.v6/apps/openssl HAS_IPv6=true ./testssl.sh -p -U ipv6.google.com           22:52:39

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (feaef68 2015-09-26 22:44:33 -- 1.393)

      This program is free software. Distribution and 
             modification under GPLv2 permitted. 
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2d 9 Jul 2015" [~145 ciphers] on
XXXX:/data/tmp/openssl-1.0.2d.v6/apps/openssl
 (built: "Sep 26 00:30:42 2015", platform: "linux-x86_64")


Testing now (2015-09-26 22:52) ---> [2a00:1450:4007:80e::200e]:443 (ipv6.google.com) <---

 rDNS ([2a00:1450:4007:80e::200e]): --
 Service detected:       HTTP

--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   h2, h2-15, h2-14, spdy/3.1, spdy/3, http/1.1 (advertised)

--> Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    NOT ok: uses gzip HTTP compression (only "/" tested)
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK) (tested with 6/9 ciphers)                                                                
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. "testssl.sh -E/-e" spots candidates                                                                                                                               
 BEAST (CVE-2011-3389)                     SSL3: ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA                                                                    
                                           TLS1: ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA                                                                    
                                           -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2                                 
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 RC4-MD5                                               


Done now (2015-09-26 22:53) ---> [2a00:1450:4007:80e::200e]:443 (ipv6.google.com) <---
prompt%

The "has thing" is kind of ugly, --ip= hasn't been checked, as well as proxy support. But other than that IPv6 works!


drwetter commented on May 14, 2024

a) currently impossible: "openssl s_client -connect ipv6.google.com:https" doesn't work!!! There's a patch though: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589520

b) Also it's more or less a disaster to implement as some helper programs either don't understand IPv6 at all (some netcat flavors), some need square brackets, some not, some quotes

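The two complaints in the replies above, the helper programs that disagree about square brackets and the `--ip=` handling that had not been checked, come down to one small normalisation step. The shell functions below are an added example, not testssl.sh code: they accept a target as a bare IPv6 literal, a bracketed one, an IPv4 address or a hostname, and emit whichever form a given helper needs (`[addr]:port` for s_client-style tools, `addr port` for tools that take separate arguments). All function names are my own; the addresses used in the demo are the ones quoted in this thread.

```shell
#!/usr/bin/env bash
# Added example, not part of testssl.sh: normalise targets so that helpers
# that want "[addr]:port" and helpers that want "addr port" both get a
# consistent input, whatever the user typed after --ip= or as the hostname.

# strip_brackets ADDR: print ADDR without a surrounding [ ] pair.
strip_brackets() {
    local a="$1"
    a="${a#\[}"
    a="${a%\]}"
    printf '%s\n' "$a"
}

# is_ipv6_literal ADDR: succeed if ADDR (bracketed or not) is an IPv6 literal.
# Heuristic: an IPv6 literal always contains at least two colons; IPv4
# addresses and hostnames never do.
is_ipv6_literal() {
    case "$(strip_brackets "$1")" in
        *:*:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# addr_family ADDR: print 6 for an IPv6 literal, 4 for a dotted quad and
# "name" for anything that has to go through DNS first.
addr_family() {
    local a
    a="$(strip_brackets "$1")"
    if is_ipv6_literal "$a"; then
        echo 6
    else
        case "$a" in
            *[!0-9.]*) echo name ;;   # letters or other characters: a hostname
            *.*.*.*)   echo 4 ;;      # four dotted numeric groups
            *)         echo name ;;
        esac
    fi
}

# hostport ADDR PORT: the "[addr]:port" / "host:port" form that e.g.
# "openssl s_client -connect" expects.
hostport() {
    local a
    a="$(strip_brackets "$1")"
    if is_ipv6_literal "$a"; then
        printf '[%s]:%s\n' "$a" "$2"
    else
        printf '%s:%s\n' "$a" "$2"
    fi
}

# hostport_split ADDR PORT: the "addr port" form for helpers that take the
# address and the port as separate arguments (some netcat flavours); those
# must never see the brackets.
hostport_split() {
    printf '%s %s\n' "$(strip_brackets "$1")" "$2"
}

# ip_option_value "--ip=VALUE": extract VALUE from a --ip= option, brackets
# removed, so a bracketed and an unbracketed literal are treated alike.
# Fails for any other option.
ip_option_value() {
    case "$1" in
        --ip=*) strip_brackets "${1#--ip=}" ;;
        *)      return 1 ;;
    esac
}

# Demo with addresses that appear in this thread.
hostport 2a00:1450:4007:80e::200e 443             # [2a00:1450:4007:80e::200e]:443
hostport_split '[2a00:1450:4007:80e::200e]' 443   # 2a00:1450:4007:80e::200e 443
hostport ipv6.google.com 443                      # ipv6.google.com:443
ip_option_value '--ip=[2a01:238:4279:1200:1000:1:e571:51]'
```

Because every helper goes through `strip_brackets` first, a user may type `--ip=[addr]` or `--ip=addr` and the script still hands each downstream tool the exact shape it understands; the two-colon test is deliberately simple, since no hostname or IPv4 address can ever match it.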

drwetter commented on May 14, 2024

Only sockets do work with IPv6, so unless the whole testssl.sh is using this or openssl is supporting IPv6 there's nothing I could do.


drwetter commented on May 14, 2024

Good news:

The IPv6 patch from Fedora/RH works, and out of the box newer FC/CentOS/RHEL openssl versions seem to have it included. (@feld: any idea about the IPv6 status of FreeBSD openssl binaries?) Anyway: there need to be new binaries (see PeterMosmans/openssl#31).

As I wrote testssl.sh anticipating IPv6 (yes, I am one of the handful of IPv6 users out there), the changes to testssl.sh were minor and I could, with 20 minutes of effort, get a complete check of ipv6.google.com. The only thing I am worrying about now is how not to bother IPv4-only users with error messages.

Stay tuned!


drwetter commented on May 14, 2024

Work still to do:

  1. make the --proxy option work with IPv6 (OpenSSL is not that far yet but LibreSSL is)
  2. --ip doesn't work
  3. rDNS output looks ugly
  4. "further IP addresses" lists now all IP addresses, not only the "other" ones. This is a general issue but was introduced in the IPv6 patch feaef68
  5. The thing with the environment variable is ugly. Best would be auto detection (don't know how as a valid AAAA DNS record returned doesn't necessarily mean the client / the client's network supports IPv6). For medium terms maybe a cmd line flag suffices.


drwetter commented on May 14, 2024

  1. cannot be done automagically as clients w/o IPv6 connectivity will experience unnecessary timeouts. Also the openssl client doesn't have a flag where one reliably can tell "oh, this has IPv6 support"


drwetter commented on May 14, 2024

I added a hint in the compiling docu (https://github.com/drwetter/testssl.sh/blob/master/bin/Readme.md) to Peter's IPv6 branch and uploaded for the time being Linux binaries to
https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz / https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz.asc.

(Until further planned improvements are done I am hesitant to abuse github as a binary server)


jpluimers commented on May 14, 2024

You could put the binaries in a separate repository. I've got OpenSuSE systems connected to various ISPs; two connections (ADSL and fiber) have IPv6 in addition to IPV6 (the other fiber and cable only have IPv4). So I can help testing. Just tell me the steps (:


drwetter commented on May 14, 2024

Hi Jeroen,

thx for letting me know that there's another person in the world using IPv6. ;-)

For now the site above (https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz) is the separate repository. I plan to update the binaries on github if there are more advances in the binaries (NNTP STARTTLS patch, CCM ciphers/whatsoever).

To run the thing you just need ./testssl.sh -6 or HAS_IPv6=true testssl.sh <mycmdline>. Use ipv6.google.com or dev.testssl.sh as a test.

HTH?

Dirk


jpluimers commented on May 14, 2024

I presume I need to rebuild my Darwin binaries, right?


PeterMosmans commented on May 14, 2024

@jpluimers Yes 😄 I created a special branch, called ipv6 - see https://github.com/PeterMosmans/openssl/tree/ipv6
That's the branch with IPv6 support


drwetter commented on May 14, 2024

depends on you, @jpluimers. ;-)

I'll be happy to also update then the FreeBSD binary with IPv6 support and upload the resulting tarball under https://testssl.sh/ .


jpluimers commented on May 14, 2024

git clone https://github.com/drwetter/testssl.sh.git
cd testssl.sh/
wget https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz.asc
tar xvf openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz
sudo gem install gist
for host in {ipv6.google.com,dev.testssl.sh}; do echo $host && ./testssl.sh --color 0 -6 $host | /usr/lib64/ruby/gems/2.0.0/gems/gist-4.4.2/bin/gist -p -d "testssl ipv6 $host"; done 

(somehow gem doesn't install the gist into the path, unlike brew install gist on my Mac; not sure why, boy, how often I hate those 'helpful' installers)

Anyway, the results are:

ipv6.google.com https://gist.github.com/0f77bdc7d2fcbdb2fa40
dev.testssl.sh https://gist.github.com/22179ec12b744f42f992


drwetter commented on May 14, 2024

Cool!

See, @ all : IPv6 is sooo easy ;-)


jpluimers commented on May 14, 2024

@PeterMosmans remind me in 2 weeks. I have to prep for teaching http://www.dapug.dk/2015/08/workshop-20.html and afterwards need a few days to wind down.


sanderjo commented on May 14, 2024

$ ./testssl.sh -6 ipv6.google.com
...
 Using "OpenSSL 1.0.2-chacha (1.0.2e-dev)" [~181 ciphers] on
 haring:./bin/openssl.Linux.i686
 (built: "Oct  5 11:30:36 2015", platform: "linux-elf")

So ... testssl.sh automagically uses the openssl unpacked in the testssl.sh/bin subdirectory? Impressive!

Sidenote: why is the "-6" needed? Can't testssl.sh self-detect that?


drwetter commented on May 14, 2024

  1. for now you need to override this by using ENV ($OPENSSL) or by the option on the command line `--openssl=` and use this: https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz. Pls read above! It's not updated at github yet as other updates in the binary are pending and I don't want folks to pull gigabytes from this repo -- github is not good at serving frequently changing binaries.

  2. As far as -6 is concerned: I do not see platform compatible means checking for a local IPv6 address and for connectivity.

Cheers, Dirk

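Item 5 of the work-to-do list above and the later replies about `-6` (a returned AAAA record says nothing about the client, and there is no portable way to tell whether the client has IPv6 connectivity) describe exactly the gap this added example targets. It is my own code, not testssl.sh's: a shell function that scans an `ip -6 addr` or BSD `ifconfig` style listing for a global-unicast IPv6 address (2000::/3), the cheap first check an automatic `-6` could make before risking the timeouts mentioned above. The sample listings are constructed, the function names are assumptions, and the one global address used is the dev.testssl.sh address quoted later in this thread.

```shell
#!/usr/bin/env bash
# Added example, not part of testssl.sh: a first-stage heuristic for
# "should -6 be automatic?". It looks for a global-unicast IPv6 address
# (2000::/3) in an interface listing. Link-local (fe80::/10) and
# unique-local (fc00::/7) addresses do not count: neither reaches the
# Internet, even though "ip" labels ULA addresses "scope global".
# Having such an address is only a candidate; real connectivity is only
# proven by an actual connection attempt with a short timeout.

# has_global_ipv6_addr: read "ip -6 addr" or BSD "ifconfig" style output on
# stdin; succeed if any "inet6 ADDR" entry is a global-unicast address.
# (Assumes the address directly follows the word "inet6", which holds for
# iproute2 and BSD ifconfig; the old Linux "inet6 addr:" form is not handled.)
has_global_ipv6_addr() {
    local found=1 line addr
    while IFS= read -r line; do
        case "$line" in
            *"inet6 "*) ;;            # an address line
            *) continue ;;
        esac
        addr="${line#*"inet6 "}"      # everything after the first "inet6 "
        addr="${addr%% *}"            # the address is the first word
        addr="${addr%%/*}"            # drop a prefix length  (2a01::1/64)
        addr="${addr%%\%*}"           # drop a zone id        (fe80::1%eth0)
        case "$addr" in
            [23]*) found=0 ;;         # first hex digit 2 or 3: inside 2000::/3
        esac
    done
    return "$found"
}

# ipv6_candidate TEXT: wrapper around has_global_ipv6_addr for a listing held
# in a variable. Prints "yes" or "no" and returns 0 or 1 accordingly.
ipv6_candidate() {
    if printf '%s\n' "$1" | has_global_ipv6_addr; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Constructed sample listings (not captured from a real host).
SAMPLE_LINK_LOCAL_ONLY='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

SAMPLE_ULA_ONLY='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fd12:3456:789a::1/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link'

SAMPLE_GLOBAL='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2a01:238:4279:1200:1000:1:e571:51/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link'

SAMPLE_BSD='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
	inet6 2001:db8:1::10 prefixlen 64'

# Demo: expected answers are no, no, yes, yes.
for sample in "$SAMPLE_LINK_LOCAL_ONLY" "$SAMPLE_ULA_ONLY" "$SAMPLE_GLOBAL" "$SAMPLE_BSD"; do
    ipv6_candidate "$sample" || :
done
```

The nibble test is what makes the ULA case come out right: `ip` prints `scope global` for fd00::/8 addresses too, so a script that trusts the scope label would enable `-6` on a host that only has a private IPv6 network. Even with a 2000::/3 address present, the host may lack a default route or sit behind a broken tunnel, which is why the second stage of any auto-detection still has to be a real connection with a short timeout (this example deliberately stops before that step).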

drwetter commented on May 14, 2024

Forgot to say: --ip=<ipv6address> works, it has always been working, see ./testssl.sh -6 --openssl=<opensslbinarywithipv6support> --ip=2a01:238:4279:1200:1000:1:e571:51 dev.testssl.sh.

What's open is IPv6 proxy support. The Fedora patch I gave Peter and he rebased doesn't contain that, and I couldn't get that to fly within 15 minutes either.

I know LibreSSL has that but haven't looked into the code yet. Is there a patch somewhere?


drwetter commented on May 14, 2024

Remaining issue of IPv6 proxy support will be tracked in #1105

