Comments (19)
Just committed the IPv6 patch.
As the log says: IPv6 is 80% working now. You either need a recent FC/RHEL/CentOS or a manually patched openssl tree with the patch from Fedora http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.2a-ipv6-apps.patch . Also you need to set `HAS_IPv6=true`.
Example:
prompt% OPENSSL=/data/tmp/openssl-1.0.2d.v6/apps/openssl HAS_IPv6=true ./testssl.sh -p -U ipv6.google.com 22:52:39
###########################################################
testssl.sh 2.7dev from https://testssl.sh/dev/
(feaef68 2015-09-26 22:44:33 -- 1.393)
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2d 9 Jul 2015" [~145 ciphers] on
XXXX:/data/tmp/openssl-1.0.2d.v6/apps/openssl
(built: "Sep 26 00:30:42 2015", platform: "linux-x86_64")
Testing now (2015-09-26 22:52) ---> [2a00:1450:4007:80e::200e]:443 (ipv6.google.com) <---
rDNS ([2a00:1450:4007:80e::200e]): --
Service detected: HTTP
--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
SSLv2 not offered (OK)
SSLv3 offered (NOT ok)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN h2, h2-15, h2-14, spdy/3.1, spdy/3, http/1.1 (advertised)
--> Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK)
CCS (CVE-2014-0224) not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) NOT ok: uses gzip HTTP compression (only "/" tested)
POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
TLS_FALLBACK_SCSV (RFC 7507), experim. Downgrade attack prevention supported (OK)
FREAK (CVE-2015-0204) not vulnerable (OK) (tested with 6/9 ciphers)
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK), common primes not checked. "testssl.sh -E/-e" spots candidates
BEAST (CVE-2011-3389) SSL3: ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA
TLS1: ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA
-- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 RC4-MD5
Done now (2015-09-26 22:53) ---> [2a00:1450:4007:80e::200e]:443 (ipv6.google.com) <---
prompt%
The "has thing" is kind of ugly, --ip= hasn't been checked, nor has proxy support. But other than that IPv6 works!
from testssl.sh.
a) currently impossible: "openssl s_client -connect ipv6.google.com:https" doesn't work!!! There's a patch though: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589520
b) Also it's more or less a disaster to implement as some helper programs either don't understand IPv6 at all (some netcat flavors), some need square brackets, some not, some quotes
Only sockets do work with IPv6, so unless the whole testssl.sh is using this or openssl is supporting IPv6 there's nothing I could do.
Good news:
The IPv6 patch from Fedora/RH works and out of the box newer FC/CentOS/RHEL openssl versions seem to have that included. (@feld: Any idea about the IPv6 status of FreeBSD openssl binaries?). Anyway: There need to be new binaries (see PeterMosmans/openssl#31).
As I wrote testssl.sh in anticipation of IPv6 (yes, I am one of the handful of IPv6 users out there) the changes to testssl.sh were minor and I could, with 20 minutes' effort, get a complete check of ipv6.google.com.
The only thing I am worrying about now is how not to bother IPv4-only users with error messages.
Stay tuned!
Work still to do:
- make the --proxy option work with IPv6 (OpenSSL is not that far yet but LibreSSL is)
- --ip doesn't work
- rDNS output looks ugly
- "further IP addresses" lists now all IP addresses, not only the "other" ones. This is a general issue but was introduced in the IPv6 patch feaef68
- The thing with the environment variable is ugly. Best would be auto detection (don't know how, as a valid AAAA DNS record returned doesn't necessarily mean the client / the client's network supports IPv6). For the medium term maybe a cmd line flag suffices.
- cannot be done automagically as clients w/o IPv6 connectivity will experience unnecessary timeouts. Also the openssl client doesn't have a flag where one reliably can tell "oh, this has IPv6 support"
I added a hint in the compiling docu (https://github.com/drwetter/testssl.sh/blob/master/bin/Readme.md) to Peter's IPv6 branch and uploaded for the time being Linux binaries to
https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz / https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz.asc.
(Until further planned improvements are done I am hesitant to abuse github as a binary server)
You could put the binaries in a separate repository. I've got OpenSuSE systems connected to various ISPs; two connections (ADSL and fiber) have IPv6 in addition to IPv4 (the others, fiber and cable, only have IPv4). So I can help testing. Just tell me the steps (:
Hi Jeroen,
thx for letting me know that there's another person in the world using IPv6. ;-)
For now the site above (https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz) is the separate repository. I plan to update the binaries on github if there are more advances in the binaries (NNTP STARTTLS patch, CCM ciphers/whatsoever).
To run the thing you just need ./testssl.sh -6 or HAS_IPv6=true testssl.sh <mycmdline>. Use ipv6.google.com or dev.testssl.sh as a test.
HTH?
Dirk
I presume I need to rebuild my Darwin binaries, right?
@jpluimers Yes
That's the branch with IPv6 support
depends on you, @jpluimers. ;-)
I'll be happy to also update then the FreeBSD binary with IPv6 support and upload the resulting tarball under https://testssl.sh/ .
git clone https://github.com/drwetter/testssl.sh.git
cd testssl.sh/
wget https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz.asc
tar xvf openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz
sudo gem install gist
for host in {ipv6.google.com,dev.testssl.sh}; do echo "$host" && ./testssl.sh --color 0 -6 "$host" | /usr/lib64/ruby/gems/2.0.0/gems/gist-4.4.2/bin/gist -p -d "testssl ipv6 $host"; done
(somehow gem doesn't install the gist into the path, unlike brew install gist on my Mac; not sure why, boy, often I hate those 'helpful' installers)
Anyway, the results are:
ipv6.google.com https://gist.github.com/0f77bdc7d2fcbdb2fa40
dev.testssl.sh https://gist.github.com/22179ec12b744f42f992
Cool!
See, @ all : IPv6 is sooo easy ;-)
@PeterMosmans remind me in 2 weeks. I have to prep for teaching http://www.dapug.dk/2015/08/workshop-20.html and afterwards need a few days to wind down.
$ ./testssl.sh -6 ipv6.google.com
...
Using "OpenSSL 1.0.2-chacha (1.0.2e-dev)" [~181 ciphers] on
haring:./bin/openssl.Linux.i686
(built: "Oct 5 11:30:36 2015", platform: "linux-elf")
So ... testssl.sh automagically uses the openssl unpacked in the testssl.sh/bin subdirectory? Impressive!
Sidenote: why is the "-6" needed? Can't testssl.sh self-detect that?
- for now you need to override this by using ENV ($OPENSSL) or by the option on the command line `--openssl=` and use this: https://testssl.sh/openssl-1.0.2e-chacha.pm.ipv6.Linux.tar.gz. Pls read above! It's not updated at github yet as other updates in the binary are pending and I don't want folks to pull gigabytes from this repo -- github is not good at serving frequently changing binaries.
- As far as -6 is concerned: I do not see platform compatible means of checking for a local IPv6 address and for connectivity.
Cheers, Dirk
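Two of the problems discussed in this thread (helpers that disagree on whether an IPv6 literal needs square brackets, and the wish to detect IPv6 connectivity without stalling IPv4-only clients) can be handled with a few shell functions. The following is an added example, not code from testssl.sh or its authors. The string helpers are plain POSIX sh; the connectivity probe assumes bash (for /dev/tcp), GNU coreutils `timeout`, glibc `getent` and Linux iproute2 `ip`, so it is Linux-specific rather than the platform-independent check the thread asks for. Addresses in the 2001:db8::/32 and 192.0.2.0/24 documentation ranges are constructed samples; 2a00:1450:4007:80e::200e is the address shown in the scan output above.

```shell
#!/usr/bin/env bash
# Added example (not part of testssl.sh): normalise targets for IPv6-aware
# and IPv6-unaware helpers, and probe IPv6 reachability with a bounded wait.

# Return 0 if $1 is a bare IPv6 literal (hex groups separated by colons, an
# optional "%zone" suffix, optionally a dotted IPv4 tail), 1 otherwise.
is_ipv6_literal() {
    case "$1" in
        *:*:*) ;;            # at least two colons: cannot be a plain host:port
        *) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f:.]+(%[A-Za-z0-9._-]+)?$'
}

# Print "host:port" for tools that take a single connect string such as
# "openssl s_client -connect": IPv6 literals get square brackets so the
# trailing ":port" is unambiguous; hostnames and IPv4 literals do not.
connect_target() {
    _port=${2:-443}
    if is_ipv6_literal "$1"; then
        printf '[%s]:%s\n' "$1" "$_port"
    else
        printf '%s:%s\n' "$1" "$_port"
    fi
}

# Print the address without brackets for tools that take host and port as
# separate arguments (several netcat flavours); non-bracketed input is unchanged.
bare_host() {
    printf '%s\n' "$1" | sed 's/^\[\(.*\)\]$/\1/'
}

# Probe IPv6 reachability of $1 (name or literal) on port $2 within $3 seconds.
# Fails fast on hosts without a global IPv6 address and bounds the real connect
# so a black-holed IPv6 path cannot hang the scan. Linux/glibc/bash specific.
has_ipv6_connectivity() {
    _host=$(bare_host "$1"); _port=${2:-443}; _tmo=${3:-3}
    # 1) a global-scope IPv6 address must be configured locally
    ip -6 addr show scope global 2>/dev/null | grep -q inet6 || return 1
    # 2) resolve to a real AAAA answer; "getent ahostsv6" also returns
    #    v4-mapped "::ffff:a.b.c.d" entries for IPv4-only names, so skip those
    _addr=$(getent ahostsv6 "$_host" 2>/dev/null | awk '$1 !~ /^::ffff:/ {print $1; exit}')
    [ -n "$_addr" ] || return 1
    # 3) bounded TCP connect via bash's /dev/tcp (no data is sent)
    timeout "$_tmo" bash -c "exec 3<>/dev/tcp/$_addr/$_port" 2>/dev/null
}

# Demonstration on constructed targets: the same input rendered for a
# host:port tool and for a host-then-port tool.
for target in 2a00:1450:4007:80e::200e ipv6.google.com 192.0.2.10 '[2001:db8::1]'; do
    printf 'openssl s_client -connect %s   |   nc -6 %s 443\n' \
        "$(connect_target "$(bare_host "$target")" 443)" "$(bare_host "$target")"
done
```

Usage: `has_ipv6_connectivity dev.testssl.sh 443 3 && echo "IPv6 reachable"` runs the probe with a 3-second bound; an IPv4-only client fails at step 1 or 2 without ever waiting on the network.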
Forgot to say: --ip=<ipv6address> works, it has always been working, see ./testssl.sh -6 --openssl=<opensslbinarywithipv6support> --ip=2a01:238:4279:1200:1000:1:e571:51 dev.testssl.sh .
What's open is IPv6 proxy support. The Fedora patch I gave Peter and he rebased doesn't contain that, and I couldn't get that to fly within 15 minutes either.
I know LibreSSL has that but haven't looked into the code yet. Is there a patch somewhere?
Remaining issue of IPv6 proxy support will be tracked in #1105