jaydansand · December 14, 2021 13:36 · sverrehu · Feb 2, 2021
diff --git a/ssl_test.sh b/ssl_test.sh
 #!/bin/bash
 # Author: Jay Dansand, Technology Services, Lawrence University
 # Date: 10/17/2014

 # OpenSSL requires a port specification; default to 443.
 SERVER="$1:443"
 SERVER_HOST=$(echo "$SERVER" | cut -d ":" -f 1)
 SERVER_PORT=$(echo "$SERVER" | cut -d ":" -f 2)
 if [[ -z "$SERVER_HOST" || -z "$SERVER_PORT" ]]; then
  echo "Usage: $0 host[:port] [ciphers [delay in ms]]"
  echo ""
  echo "  port - Remote host port"
  echo "    Default: 443"
  echo "  ciphers - Expression suitable for the command \"openssl ciphers [ciphers]\""
  echo "    Default: ALL:eNULL:aNULL"
  echo "  delay - Time between probe requests in ms"
  echo "    Default: 125"
  echo ""
  echo "  Example: $0 localhost:8443"
  echo "    Test localhost on port 8443 with all ciphers and default delay (125ms)"
  echo ""
  echo "  Example: $0 example.com \"ALL:!aNULL\" 1000"
  echo "    Test example.com on default port (443) with all ciphers except aNULL and delay of 1000ms"
  exit
 fi
 SERVER="$SERVER_HOST:$SERVER_PORT"

 DELAY_MS="$3"
 echo "$DELAY_MS"
 if [[ "$DELAY_MS" -le 0 ]]; then
  DELAY_MS=125
 fi
 DELAY_S=$(printf $(expr "$DELAY_MS" / 1000).%03d $(expr "$DELAY_MS" % 1000) )

 CIPHER_SUITES="$2"
 if [[ -z "$CIPHER_SUITES" ]]; then
  CIPHER_SUITES='ALL:eNULL:aNULL'
 fi
 CIPHERS=$(openssl ciphers -v "${CIPHER_SUITES}" 2>&1)
 if [[ "$?" -ne 0 ]]; then
  ERROR=$(echo -n "$CIPHERS" | cut -s -d':' -f6)
  echo "ERROR in cipher list: \"$ERROR\""
  exit
 fi
 CIPHERS=$(echo "$CIPHERS" | sed -r 's/[\t ]+/|/g')

 echo "Testing $SERVER_HOST on port $SERVER_PORT with a delay of ${DELAY_MS}ms"
 echo "Using $(openssl version)"

 # Store the output to reuse for some other testing
 SCLIENT_DUMP=$(echo "" | openssl s_client -connect $SERVER 2>&1)

 echo ""
 echo "Certificate Information"
 echo "--------------------"
 echo "$SCLIENT_DUMP" | openssl x509 -noout -text


 echo ""
 echo "Protocol Support"
 echo "--------------------"
 SUPPORTED_PROTOCOLS=$(openssl s_client --help 2>&1 | grep -P ' -? [jJ]ust use (?!DTLS)' | sort -di -b -k1,1 | sed 's/ *-\? [jJ]ust use */|/g')
 for PROTOCOL in ${SUPPORTED_PROTOCOLS}; do
  SCLIENT_ARG=$(echo "$PROTOCOL" | cut -d "|" -f 1)
  PROT_DESC=$(echo "$PROTOCOL" | cut -d "|" -f 2)
  echo -n "$PROT_DESC	: "
  echo -n | openssl s_client "$SCLIENT_ARG" -connect $SERVER > /dev/null 2>&1
  if [[ $? == 0 ]] ; then echo "YES"; else echo "NO"; fi
  sleep $DELAY_S
 done

 echo ""
 echo "General Support"
 echo "--------------------"
 echo -n "Secure Renegotiation:			"
 echo "$SCLIENT_DUMP" | grep "Secure Renegotiation IS supported" > /dev/null 2>&1
 if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
 echo -n "Client-Initiated Renegotiation:		"
 echo "HEAD / HTTP/1.1
 R" | openssl s_client -crlf -connect $SERVER > /dev/null 2>&1
 if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
 echo -n "TLS Compression (CRIME attack vuln):	"
 echo "$SCLIENT_DUMP" | grep "Compression: NONE" > /dev/null 2>&1
 if [[ "$?" == 0 ]] ; then echo "NO"; else echo "YES"; fi
 #echo -n "HTTP Compression (BREACH attack vuln):	"
 #echo "GET / HTTP/1.1
 #Host: $SERVER_HOST
 #Accept-Encoding: gzip,deflate,compress,br,bzip2,lzma,sdch,xpress,xz
 #" | openssl s_client -ign_eof -crlf -connect $SERVER 2>&1 | grep -Pi "^Content-Encoding:[^\r\n]*(gzip|deflate|compress|br|bzip2|lzma|sdch|xpress|xz)" > /dev/null 2>&1
 #if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
 echo -n "TLS_FALLBACK_SCV (anti-POODLE):		"
 echo "" | openssl s_client -connect $SERVER -fallback_scsv -no_tls1_2 > /dev/null 2>&1
 if [[ "$?" != 0 ]] ; then echo "YES"; else echo "NO"; fi

 echo ""
 echo "Cipher Support"
 CIPHER_COUNT=$(echo "${CIPHERS}" | wc -l 2>/dev/null)
 echo "Testing ${CIPHER_COUNT} OpenSSL cipher suites matching \"$CIPHER_SUITES\""
 echo "  (execute \"openssl ciphers '$CIPHER_SUITES'\" to see the list.)"
 echo "--------------------"
 HEADER="Cipher Tag|Cipher Prot.|Key Ex.|Auth.|Encryption|MAC
 $CIPHERS"
 echo "$HEADER" | column -t -s "|" | head -1
 IFS=$'\n'
 for CIPHER_DETAILS in ${CIPHERS[@]}; do
  CIPHER=$(echo "$CIPHER_DETAILS" | cut -d "|" -f 1)
  RESULT=$(echo -n | openssl s_client -cipher "$CIPHER" -connect $SERVER 2>&1)
  if [[ "$RESULT" =~ "Cipher is ${CIPHER}" || ("$RESULT" =~ "Cipher    :" && ! ("$RESULT" =~ "Cipher    : 0000")) ]] ; then
    PROT_DESC=$(echo "$RESULT" | grep -oP '(?<=Protocol  : )[^\b]+')
    echo "$HEADER
 $CIPHER_DETAILS" | column -t -s "|" | tail -1
  fi
  sleep $DELAY_S
 done
	#!/bin/bash
	# Author: Jay Dansand, Technology Services, Lawrence University
	# Date: 10/17/2014

	# OpenSSL requires a port specification; default to 443.
	SERVER="$1:443"
	SERVER_HOST=$(echo "$SERVER" \| cut -d ":" -f 1)
	SERVER_PORT=$(echo "$SERVER" \| cut -d ":" -f 2)
	if [[ -z "$SERVER_HOST" \|\| -z "$SERVER_PORT" ]]; then
	echo "Usage: $0 host[:port] [ciphers [delay in ms]]"
	echo ""
	echo " port - Remote host port"
	echo " Default: 443"
	echo " ciphers - Expression suitable for the command \"openssl ciphers [ciphers]\""
	echo " Default: ALL:eNULL:aNULL"
	echo " delay - Time between probe requests in ms"
	echo " Default: 125"
	echo ""
	echo " Example: $0 localhost:8443"
	echo " Test localhost on port 8443 with all ciphers and default delay (125ms)"
	echo ""
	echo " Example: $0 example.com \"ALL:!aNULL\" 1000"
	echo " Test example.com on default port (443) with all ciphers except aNULL and delay of 1000ms"
	exit
	fi
	SERVER="$SERVER_HOST:$SERVER_PORT"

	DELAY_MS="$3"
	echo "$DELAY_MS"
	if [[ "$DELAY_MS" -le 0 ]]; then
	DELAY_MS=125
	fi
	DELAY_S=$(printf $(expr "$DELAY_MS" / 1000).%03d $(expr "$DELAY_MS" % 1000) )

	CIPHER_SUITES="$2"
	if [[ -z "$CIPHER_SUITES" ]]; then
	CIPHER_SUITES='ALL:eNULL:aNULL'
	fi
	CIPHERS=$(openssl ciphers -v "${CIPHER_SUITES}" 2>&1)
	if [[ "$?" -ne 0 ]]; then
	ERROR=$(echo -n "$CIPHERS" \| cut -s -d':' -f6)
	echo "ERROR in cipher list: \"$ERROR\""
	exit
	fi
	CIPHERS=$(echo "$CIPHERS" \| sed -r 's/[\t ]+/\|/g')

	echo "Testing $SERVER_HOST on port $SERVER_PORT with a delay of ${DELAY_MS}ms"
	echo "Using $(openssl version)"

	# Store the output to reuse for some other testing
	SCLIENT_DUMP=$(echo "" \| openssl s_client -connect $SERVER 2>&1)

	echo ""
	echo "Certificate Information"
	echo "--------------------"
	echo "$SCLIENT_DUMP" \| openssl x509 -noout -text


	echo ""
	echo "Protocol Support"
	echo "--------------------"
	SUPPORTED_PROTOCOLS=$(openssl s_client --help 2>&1 \| grep -P ' -? [jJ]ust use (?!DTLS)' \| sort -di -b -k1,1 \| sed 's/ -\? [jJ]ust use /\|/g')
	for PROTOCOL in ${SUPPORTED_PROTOCOLS}; do
	SCLIENT_ARG=$(echo "$PROTOCOL" \| cut -d "\|" -f 1)
	PROT_DESC=$(echo "$PROTOCOL" \| cut -d "\|" -f 2)
	echo -n "$PROT_DESC : "
	echo -n \| openssl s_client "$SCLIENT_ARG" -connect $SERVER > /dev/null 2>&1
	if [[ $? == 0 ]] ; then echo "YES"; else echo "NO"; fi
	sleep $DELAY_S
	done

	echo ""
	echo "General Support"
	echo "--------------------"
	echo -n "Secure Renegotiation: "
	echo "$SCLIENT_DUMP" \| grep "Secure Renegotiation IS supported" > /dev/null 2>&1
	if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
	echo -n "Client-Initiated Renegotiation: "
	echo "HEAD / HTTP/1.1
	R" \| openssl s_client -crlf -connect $SERVER > /dev/null 2>&1
	if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
	echo -n "TLS Compression (CRIME attack vuln): "
	echo "$SCLIENT_DUMP" \| grep "Compression: NONE" > /dev/null 2>&1
	if [[ "$?" == 0 ]] ; then echo "NO"; else echo "YES"; fi
	#echo -n "HTTP Compression (BREACH attack vuln): "
	#echo "GET / HTTP/1.1
	#Host: $SERVER_HOST
	#Accept-Encoding: gzip,deflate,compress,br,bzip2,lzma,sdch,xpress,xz
	#" \| openssl s_client -ign_eof -crlf -connect $SERVER 2>&1 \| grep -Pi "^Content-Encoding:[^\r\n]*(gzip\|deflate\|compress\|br\|bzip2\|lzma\|sdch\|xpress\|xz)" > /dev/null 2>&1
	#if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
	echo -n "TLS_FALLBACK_SCV (anti-POODLE): "
	echo "" \| openssl s_client -connect $SERVER -fallback_scsv -no_tls1_2 > /dev/null 2>&1
	if [[ "$?" != 0 ]] ; then echo "YES"; else echo "NO"; fi

	echo ""
	echo "Cipher Support"
	CIPHER_COUNT=$(echo "${CIPHERS}" \| wc -l 2>/dev/null)
	echo "Testing ${CIPHER_COUNT} OpenSSL cipher suites matching \"$CIPHER_SUITES\""
	echo " (execute \"openssl ciphers '$CIPHER_SUITES'\" to see the list.)"
	echo "--------------------"
	HEADER="Cipher Tag\|Cipher Prot.\|Key Ex.\|Auth.\|Encryption\|MAC
	$CIPHERS"
	echo "$HEADER" \| column -t -s "\|" \| head -1
	IFS=$'\n'
	for CIPHER_DETAILS in ${CIPHERS[@]}; do
	CIPHER=$(echo "$CIPHER_DETAILS" \| cut -d "\|" -f 1)
	RESULT=$(echo -n \| openssl s_client -cipher "$CIPHER" -connect $SERVER 2>&1)
	if [[ "$RESULT" =~ "Cipher is ${CIPHER}" \|\| ("$RESULT" =~ "Cipher :" && ! ("$RESULT" =~ "Cipher : 0000")) ]] ; then
	PROT_DESC=$(echo "$RESULT" \| grep -oP '(?<=Protocol : )[^\b]+')
	echo "$HEADER
	$CIPHER_DETAILS" \| column -t -s "\|" \| tail -1
	fi
	sleep $DELAY_S
	done