drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

Cannot run on OSX #284

Closed jrobertsz66 closed 8 years ago

jrobertsz66 commented 8 years ago

Hi,

When I run the latest script (downloaded today) on OSX Mavericks, it just hangs. If I run the same script on Ubuntu server 14, it runs fine. Here is the output, and then it just hangs after that.

No mapping file found

testssl.sh       2.6 from https://testssl.sh/
(1.379B 2015/09/25 12:35:41)

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

Using "OpenSSL 1.0.2f 28 Jan 2016" [~138 ciphers] on C02ML9L4FXYZ:/usr/local/opt/openssl/bin/openssl (built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")

Testing now (2016-02-04 18:14) ---> 192.168.1.95:8181 (192.168.1.95) <---

rDNS (192.168.1.95): C02ML9L4FXYZ.

bknowles commented 8 years ago

I'm running on Mavericks and 2.7dev works fine for me. Can you give a specific example of something that fails that we can test against?

jrobertsz66 commented 8 years ago

it just hangs forever at the last line

rDNS (192.168.1.95): C02ML9L4FXYZ

I actually have to kill the program / script because it will stay there forever (no errors).

jrobertsz66 commented 8 years ago

This is how I run it: ./testssl.sh 192.168.1.95:8181

jrobertsz66 commented 8 years ago

If I run it the same way from an Ubuntu VM using the same IP and port, it works. Just on Mac it hangs. Here is my OS info:

ProductName: Mac OS X
ProductVersion: 10.10.4
BuildVersion: 14E46

jrobertsz66 commented 8 years ago

BTW - I run with the command --debug=2 and it produced a directory with some debug files:

~/dev$ cat /tmp/ssltester.ZNlOEY/errorfile.txt
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = localhost
verify return:1
read:errno=0

~/dev$ cat /tmp/ssltester.ZNlOEY/environment.txt

CVS_REL: 1.379B 2015/09/25 12:35:41
GIT_REL:

PID: 89278
bash version: 3.2.57
status: release
machine: x86_64-apple-darwin14
operating system: Darwin
shellopts: braceexpand:hashall:interactive-comments

/usr/local/opt/openssl/bin/openssl version -a:
OpenSSL 1.0.2f 28 Jan 2016
built on: reproducible build, date unspecified
platform: darwin64-x86_64-cc
options: bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: clang -I. -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/etc/openssl"
OSSL_VER_MAJOR: 1
OSSL_VER_MINOR: 0.2
OSSL_VER_APPENDIX: f
OSSL_BUILD_DATE: "reproducible build, date unspecified"
OSSL_VER_PLATFORM: "darwin64-x86_64-cc"

OPENSSL_CONF: /tmp/ssltester.ZNlOEY/gost.conf

PATH: /usr/local/opt/openssl:/usr/local/Library/ENV/4.3:/usr/local/opt/openssl/bin:/usr/bin:/bin:/usr/sbin:/sbin
PROG_NAME: testssl.sh
INSTALL_DIR:
RUN_DIR: /usr/local/Cellar/testssl/2.6/libexec/bin
MAPPING_FILE_RFC:

CAPATH: /etc/ssl/certs/
ECHO:
COLOR: 2
TERM_DWITH: 90
HAS_GNUDATE: false
HAS_SED_E: true

SHOW_EACH_C: 0
SSL_NATIVE: false
ASSUMING_HTTP false
SNEAKY: false

DEBUG: 2

HSTS_MIN: 179
HPKP_MIN: 30
CLIENT_MIN_PFS: 5
DAYS2WARN1: 60
DAYS2WARN2: 30

HEADER_MAXSLEEP: 5
MAX_WAITSOCK: 10
HEARTBLEED_MAX_WAITSOCK: 8
CCS_MAX_WAITSOCK: 5
USLEEP_SND 0.1
USLEEP_REC 0.2

LANG="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_ALL=

jrobertsz66 commented 8 years ago

BTW - here is the command and it now shows one additional line before it hangs when I use debug=2:

~/dev$ testssl.sh --debug=2 192.168.1.95:8181

No mapping file found

###########################################################
    testssl.sh       2.6 from https://testssl.sh/
    (1.379B 2015/09/25 12:35:41)

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2f 28 Jan 2016" [~138 ciphers] on C02ML9L4FD57:/usr/local/opt/openssl/bin/openssl (built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")

192.168.1.95:8181 / Testing now (2016-02-05 01:05) ---> 192.168.1.95:8181 (192.168.1.95) <---

rDNS (192.168.1.95): C02ML9L4FD57. OPTIMAL_PROTO:

bknowles commented 8 years ago

If I run that exact same command, it executes fine:

$ testssl.sh --debug=2 192.168.1.95:8181

No mapping file found

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (1.458 2016/02/01 21:05:44)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2f-dev)" [~183 ciphers]
 on frobgaiju:/usr/local/ssl/bin/openssl
 (built: "reproducible build, date unspecified", platform: "darwin-i386-cc")

192.168.1.95:8181
/
/Users/brad/bin/testssl.sh: connect: Network is unreachable
/Users/brad/bin/testssl.sh: line 3659: /dev/tcp/192.168.1.95/8181: Network is unreachable

Unable to open a socket to 192.168.1.95:8181. Fatal error: Can't connect to "192.168.1.95:8181"
Make sure a firewall is not between you and your scanning target!

DEBUG (level 2): see files in /tmp/ssltester.H5JVLu

Of course, I don't have anything sitting on that IP address.

bknowles commented 8 years ago

Trying that exact same command on an IP:port that I do have something listening on, I get way too much detail to show here. So, I will instead provide the output of the normal command without the "--debug=2" option:

$ testssl.sh 172.16.1.27:5001

No mapping file found

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (1.458 2016/02/01 21:05:44)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2f-dev)" [~183 ciphers]
 on frobgaiju:/usr/local/ssl/bin/openssl
 (built: "reproducible build, date unspecified", platform: "darwin-i386-cc")

 Start 2016-02-05 00:26:14    -->> 172.16.1.27:5001 (172.16.1.27) <<--

 rDNS (172.16.1.27):      --
 Service detected:       HTTP

 Testing protocols (via sockets except TLS 1.2 and SPDY/HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   spdy/3, spdy/2, http/1.1, x-mod-spdy/0.9.4.2-3a57358 (advertised)
 HTTP2/ALPN not offered

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered (NOT ok)
 High grade encryption        offered (OK)

 Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here 

 PFS is offered (OK)  ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA 

 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
 Cipher order
     TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     spdy/3:    ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     spdy/2:    ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     http/1.1:  ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     x-mod-spdy/0.9.4.2-3a57358: ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 

 Testing server defaults (Server Hello) 

 TLS server extensions (std)  "renegotiation info" "EC point formats" "session ticket" "heartbeat" "next protocol"
 Session Tickets RFC 5077     300 seconds (PFS requires session ticket keys to be rotated <= daily)
 SSL Session ID support       yes
 TLS clock skew               random values, no fingerprinting possible 
 Server key size              1024 bit
 Signature Algorithm          SHA256 with RSA
 Fingerprint / Serial         SHA1 54B8FB155255B2330C0184D205D3C87DA84FE418 / 1398543699A331
                              SHA256 C6E65F28D24A870246B2B461F22AD1030CDB469EEA99C0AAE1738DEB57E95554
 Common Name (CN)             "synology.com" (CN in response to request w/o SNI: "synology.com")
 subjectAltName (SAN)         -- 
 Issuer                       "Synology Inc. CA" ("Synology Inc." from "TW")
 EV cert (experimental)       no 
 Certificate Expiration       7198 >= 60 days (2016-02-03 09:11 --> 2035-10-21 10:11 -0500)
 # of certificates provided   1
 Chain of trust (experim.)    "/etc/*.pem" cannot be found / not readable
 Certificate Revocation List  --
 OCSP URI                     --
 OCSP stapling                not offered

 Testing HTTP header response @ "/" 

 HTTP Status Code             301 Moved Permanently, redirecting to "https://172.16.1.27/webman/index.cgi"
 HTTP clock skew              +28 sec from localtime
 IPv4 address in header       Location: https://172.16.1.27/webman/index.cgi
                              (check if it's your IP address or e.g. a cluster IP)
 Strict Transport Security    --
 Public Key Pinning           --
 Server banner                Apache
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             X-Frame-Options: SAMEORIGIN
 Reverse Proxy banner         --

 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
 BEAST (CVE-2011-3389)                     TLS1: DES-CBC3-SHA AES128-SHA
                                                 DHE-RSA-AES128-SHA AES256-SHA DHE-RSA-AES256-SHA
                                                 CAMELLIA128-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA256-SHA
                                                 DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Testing all 183 locally available ciphers against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
-------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256          
 xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256          
 xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256          
 x9f     DHE-RSA-AES256-GCM-SHA384      DH 1024    AESGCM     256          
 x6b     DHE-RSA-AES256-SHA256          DH 1024    AES        256          
 x39     DHE-RSA-AES256-SHA             DH 1024    AES        256          
 x88     DHE-RSA-CAMELLIA256-SHA        DH 1024    Camellia   256          
 x9d     AES256-GCM-SHA384              RSA        AESGCM     256          
 x3d     AES256-SHA256                  RSA        AES        256          
 x35     AES256-SHA                     RSA        AES        256          
 x84     CAMELLIA256-SHA                RSA        Camellia   256          
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128          
 xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128          
 xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128          
 x9e     DHE-RSA-AES128-GCM-SHA256      DH 1024    AESGCM     128          
 x67     DHE-RSA-AES128-SHA256          DH 1024    AES        128          
 x33     DHE-RSA-AES128-SHA             DH 1024    AES        128          
 x45     DHE-RSA-CAMELLIA128-SHA        DH 1024    Camellia   128          
 x9c     AES128-GCM-SHA256              RSA        AESGCM     128          
 x3c     AES128-SHA256                  RSA        AES        128          
 x2f     AES128-SHA                     RSA        AES        128          
 x41     CAMELLIA128-SHA                RSA        Camellia   128          
 xc012   ECDHE-RSA-DES-CBC3-SHA         ECDH 256   3DES       168          
 x0a     DES-CBC3-SHA                   RSA        3DES       168          

 Running browser simulations (experimental) 

 Android 2.3.7                 TLSv1 DHE-RSA-AES128-SHA
 Android 4.0.4                 TLSv1 ECDHE-RSA-AES128-SHA
 Android 4.1.1                 TLSv1 ECDHE-RSA-AES128-SHA
 Android 4.2.2                 TLSv1 ECDHE-RSA-AES128-SHA
 Android 4.3                   TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.4.2                 TLSv1.1 ECDHE-RSA-AES128-SHA
 Android 5.0.0                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Baidu Jan 2015                TLSv1 ECDHE-RSA-AES128-SHA
 BingPreview Jan 2015          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Chrome 47 / OSX               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 42 / OSX              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 GoogleBot Feb 2015            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 IE6 / XP                      No connection
 IE7 / Vista                   TLSv1.0 ECDHE-RSA-AES128-SHA
 IE8 / XP                      TLSv1.0 DES-CBC3-SHA
 IE8-10 / Win7                 TLSv1.0 ECDHE-RSA-AES128-SHA
 IE11 / Win7                   TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE11 / Win8.1                 TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE10 / Win Phone 8.0          TLSv1.0 ECDHE-RSA-AES128-SHA
 IE11 / Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
 IE11 / Win Phone 8.1 Update   TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE11 / Win10                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 13 / Win10               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 12 / Win Phone 10        TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Java 6u45                     TLSv1 DHE-RSA-AES128-SHA
 Java 7u25                     TLSv1 ECDHE-RSA-AES128-SHA
 Java 8u31                     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 0.9.8y                TLSv1 DHE-RSA-AES128-SHA
 OpenSSL 1.0.1l                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 1.0.2                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 5.1.9/ OSX 10.6.8      TLSv1 ECDHE-RSA-AES128-SHA
 Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 6.0.4/ OS X 10.8.4     TLSv1 ECDHE-RSA-AES128-SHA
 Safari 7 / iOS 7.1            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 7 / OS X 10.9          TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 / iOS 8.4            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 / OS X 10.10         TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 9 / iOS 9              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 9 / OS X 10.11         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256

 Done 2016-02-05 00:26:53    -->> 172.16.1.27:5001 (172.16.1.27) <<--

bknowles commented 8 years ago

So, it seems to me that your problem is likely to be the somewhat older version of testssl.sh that you have running, or something specific to your particular machine.

jrobertsz66 commented 8 years ago

hmmm...ok...is there a way to see what the script is doing at the time it hangs, besides what we have already done? How do I get the same version of the script that you have? BTW, the script I am using runs fine on Ubuntu.

jrobertsz66 commented 8 years ago

Running this command:

sudo testssl.sh --debug=6 --ip 192.168.1.95 192.168.1.95:8181

I get a few more lines at the end; it looks like it is hung after connecting:

192.168.1.95:8181 / Testing now (2016-02-05 09:02) ---> 192.168.1.95:8181 (192.168.1.95) <---

rDNS (192.168.1.95): C02ML9L4FD57. OPTIMAL_PROTO:
  PID TT   STAT      TIME COMMAND
96372 s002 R+     0:00.00 /usr/local/opt/openssl/bin/openssl s_client -quiet -connect 192.168.1.95

bknowles commented 8 years ago

You could edit the first line of the testssl.sh script, where it currently says:

 #!/usr/bin/env bash

And change that to be something more like:

 #!/usr/bin/env bash -vx

You get the latest development version of the testssl.sh script directly from this repo. See also the last paragraph of the section entitled "Longer read" at https://testssl.sh/

bknowles commented 8 years ago

Note that the last line of your output above shows the following:

/usr/local/opt/openssl/bin/openssl s_client -quiet -connect 192.168.1.95

So, that's most likely where the script is getting hung -- it is using openssl s_client to connect to that IP address, and it's waiting for a response. It shouldn't wait more than a couple of minutes before that connection attempt times out, and the script then continues with whatever the next line of code is.

jrobertsz66 commented 8 years ago

OK - replacing the first line in the script with this: #!/usr/bin/env bash -vx

yielded this:

362> debugme(): [[ 6 -ge 2 ]]
362> debugme(): echo 'OPTIMAL_PROTO: '
OPTIMAL_PROTO:
4274> determine_optimal_proto(): [[ 1 -eq 0 ]]
4297> determine_service(): false
4299> determine_service(): ua='Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0'
4300> determine_service(): GET_REQ11='GET / HTTP/1.1\r\nHost: 192.168.1.95\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nConnection: Close\r\nAccept: text/*\r\n\r\n'
4301> determine_service(): HEAD_REQ11='HEAD / HTTP/1.1\r\nHost: 192.168.1.95\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nAccept: text/*\r\n\r\n'
4302> determine_service(): GET_REQ10='GET / HTTP/1.0\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nConnection: Close\r\nAccept: text/*\r\n\r\n'
4303> determine_service(): HEAD_REQ10='HEAD / HTTP/1.0\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nAccept: text/*\r\n\r\n'
4304> determine_service(): runs_HTTP
460> runs_HTTP(): wait_kill 9477 5
435> wait_kill(): local pid=9477
459> runs_HTTP(): printf 'GET / HTTP/1.1\r\nHost: 192.168.1.95\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nConnection: Close\r\nAccept: text/*\r\n\r\n'
436> wait_kill(): local maxsleep=5
438> wait_kill(): true
439> wait_kill(): [[ 6 -ge 6 ]]
439> wait_kill(): ps 9477
459> runs_HTTP(): /usr/bin/openssl s_client -quiet -connect 192.168.1.95:8181
  PID TT   STAT      TIME COMMAND
 9477 s002 R+     0:00.00 /usr/bin/openssl s_client -quiet -connect 192.168.1.95
440> wait_kill(): ps 9477
443> wait_kill(): sleep 1
444> wait_kill(): maxsleep=4
445> wait_kill(): test 4 -le 0
438> wait_kill(): true
439> wait_kill(): [[ 6 -ge 6 ]]
439> wait_kill(): ps 9477

jrobertsz66 commented 8 years ago

It hangs for over 10 minutes; still hung.

jrobertsz66 commented 8 years ago

After about 30 minutes or so, I get this - I run the command as sudo:

439> wait_kill(): ps 10433

Failure calling sysctl: Operation not permitted 440> wait_kill(): ps 10433

drwetter commented 8 years ago

a) thx for everybody helping here
b) latest in the 2.6 branch is 1.379c from September 29, 2015
c) It seems hard to guess what's happening here as it's not an external IP
d) I am wondering whether it's worth spending too much time on this (2.6 branch) as 2.7dev works.

drwetter commented 8 years ago

PS: If I use Linux and use an IP which is in use but a port which is not, it works ok (there seems to be an error for the banner as it says 2.7dev):

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (4183d8e 2015-09-30 23:36:09 -- 1.396)

      This program is free software. Distribution and 
             modification under GPLv2 permitted. 
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
 HOST:$PWD/bin/openssl.Linux.x86_64
 (built: "Jul  6 18:05:33 2015", platform: "linux-x86_64")

./testssl.sh: connect: No route to host
./testssl.sh: line 2406: /dev/tcp/192.168.211.147/8181: No route to host

Unable to open a socket to 192.168.211.147:8181. Fatal error: Can't connect to "192.168.211.147:8181"
Make sure a firewall is not between you and your scanning target!

Same for FreeBSD 9.3

drwetter commented 8 years ago

I am closing it as we would need an external IP to reproduce it.

jrobertsz66 commented 8 years ago

I think the problem was misunderstood. I cannot connect to my local glassfish web server and run the script from my Mac, but I can connect to the same glassfish server from a Linux VM running on my Mac. Therefore you really shouldn't need my glassfish server. The issue does not seem related to the server. It seems related to the script not running on my Mac.


jrobertsz66 commented 8 years ago

If you need anything else from my Mac environment, I'll be glad to provide it. Btw, I also tried to connect to another server on my network from my Mac and had the same problem on my Mac but not from my Linux VM.


drwetter commented 8 years ago

I don't own a Mac and there are unfortunately no VMs, so for that part I need a hand.

And this bug report is not complete yet. What I am missing from you is more input:

a) confirmation of the bug with the master from 2.7
b) using Mac OS X on the client side
c) a glassfish server to test against

Any special implementation of glassfish, what does the server banner say?

drwetter commented 8 years ago

I think the problem was misunderstood. I cannot connect to my local glassfish web server and run the script from my Mac

Let me come back to the question from @bknowles : what does /usr/bin/openssl s_client -quiet -connect 192.168.1.95:8181 do?

My humble guess is that your firewall is blocking it.

drwetter commented 8 years ago

@jrobertsz66: could you please run /usr/bin/openssl s_client -quiet -connect 192.168.1.95:8181 and check whether it hangs?

jrobertsz66 commented 8 years ago

It works:

~$ /usr/bin/openssl s_client -quiet -connect 192.168.1.95:8181
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = localhost
verify return:1

jrobertsz66 commented 8 years ago

Well, please tell me if that is the correct output. It seems to work.

After 10 secs or so I get this additional line:

read:errno=0

The program then exits.

jrobertsz66 commented 8 years ago

Also answers to previous questions:

a) I am running this version:

testssl.sh 2.7dev from https://testssl.sh/dev/ (1.464 2016/02/07 18:13:58)

b) Yes, using MAC OSX on the client side and the server side it hangs. If I run the same testssl.sh script from Linux pointing to the same GF on the MAC, it runs without hanging.

c) It is not any special implementation of GF and I don't think it is related to GF and here is why: I was able to reproduce the error talking to PHP server (NOT GF) from my MAC using your script. If I run the script again from Linux pointing to that PHP server, it works again from Linux.

Also, if I just take your script and run it from my MAC using www.google.com, it hangs again, but not when I run it from Linux.

jrobertsz66 commented 8 years ago

Here is the output when it hangs when I use the Google URL:

~/dev$ ./security/scripts/testssl.sh www.google.com

No mapping file found

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (1.464 2016/02/07 18:13:58)

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2d 9 Jul 2015" [~138 ciphers] on C02ML9L4FD57:/usr/bin/openssl (built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")

Testing all IPv4 addresses (port 443): 74.125.22.106 74.125.22.104 74.125.22.103 74.125.22.99 74.125.22.147 74.125.22.105

Start 2016-02-29 12:42:57 -->> 74.125.22.106:443 (www.google.com) <<--

jrobertsz66 commented 8 years ago

Could it be the OpenSSL version?

drwetter commented 8 years ago

@jrobertsz66: can't believe this. Try to execute with bash -vx testssl.sh www.google.com and let me know where it hangs.

@ all: somebody with a Mac: can you pls try to verify/falsify this?

logopk commented 8 years ago

Tested on Yosemite with the 2.6 version and the Master with google.com and openssl 1.0.2h from macports.

No hang, 2.7 seemingly much slower than 2.6.

But: there seems to be a date format problem:

Certificate Expiration       >= 60 daysFailed conversion of ``May 18 10:59:02 2016 GMT'' using format ``%b %d %T %Y %Z''
date: illegal time format
usage: date [-jnu] [-d dst] [-r seconds] [-t west] [-v[+|-]val[ymwdHMS]] ... [-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]] [+format]
(--> 2016-08-10 12:46 +0200)

drwetter commented 8 years ago

@logopk : Thx for reporting.

2.6 is old, I am not going to fix that anymore (unless someone creates a PR). The illegal time format message: Was that 2.6? If I try this on 2.7dev on FreeBSD 9 it works perfectly but also v2.6. (1.379c 2015/09/29) works.

For the upcoming release a final polish for Darwin will be requested.

logopk commented 8 years ago

Dirk, the dateformat issue happened on 2.6 and 2.7dev on a German MacOS X Yosemite AND the 2.7dev docker-image of jumanjiman.

drwetter commented 8 years ago

@logopk : could you please do me the favor and open a new issue. If possible add the output of /tmp/ssltester.*/environment.txt .

drwetter commented 8 years ago

@jrobertsz66:

1) Could you please run again bash -vx testssl.sh <target> until it hangs. No need to use sudo. The one @ https://github.com/drwetter/testssl.sh/issues/284#issuecomment-180469276 wasn't done.

2) Also please provide the output from wget -S -q --no-check-certificate -O /dev/null <URL>.

Please try to give an exact and careful description, as otherwise we won't be able to help you. One carefully crafted reply suffices in most cases.

It looks like the openssl command doesn't hang but getting the HTTP header does. But I do not understand why that is not being killed.
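The wait_kill() loop in the bash -vx trace above (probe the child PID once a second, give up after maxsleep seconds) and the question here of why the HTTP header read is not being killed concern the same timeout guard. Below is a stand-alone version of that pattern, written as an added example and not code from testssl.sh; it assumes kill -0 instead of ps as the liveness probe (so the check does not depend on ps working, compare the "Failure calling sysctl" message under sudo) and reports a killed child with exit status 124 as timeout(1) does.

```shell
#!/usr/bin/env bash
# Added example, not testssl.sh's own code: a child-process timeout guard in
# the style of the wait_kill() loop seen in the bash -vx trace, which polls
# the PID once per second and gives up after maxsleep seconds.
# Assumptions (not taken from the script): the child is probed with kill -0
# rather than ps, and a child that had to be killed is reported as status 124.

# wait_kill PID MAXSLEEP
#   Wait up to MAXSLEEP seconds for PID to exit on its own.
#   Returns the child's own exit status, or 124 if it had to be killed.
wait_kill() {
    wk_pid="$1"
    wk_maxsleep="$2"
    while kill -0 "$wk_pid" 2>/dev/null; do
        if [ "$wk_maxsleep" -le 0 ]; then
            # deadline reached: ask politely, then force-kill if TERM is ignored
            kill "$wk_pid" 2>/dev/null
            sleep 1
            kill -0 "$wk_pid" 2>/dev/null && kill -9 "$wk_pid" 2>/dev/null
            wait "$wk_pid" 2>/dev/null
            return 124
        fi
        sleep 1
        wk_maxsleep=$((wk_maxsleep - 1))
    done
    # the child went away by itself: collect and pass on its exit status
    wait "$wk_pid" 2>/dev/null
    return $?
}

# run_with_timeout MAXSLEEP CMD [ARGS...]
#   Start CMD in the background and guard it with wait_kill.
run_with_timeout() {
    rwt_maxsleep="$1"
    shift
    "$@" &
    wait_kill "$!" "$rwt_maxsleep"
}

# Demonstration when invoked as "demo": a fast child is left alone, while a
# child that never returns (stand-in for a stuck s_client or header read)
# is terminated once the deadline passes.
if [ "${1:-}" = "demo" ]; then
    run_with_timeout 5 true && echo "fast child: exited on its own"
    run_with_timeout 2 sleep 60
    [ $? -eq 124 ] && echo "stuck child: killed after 2 s (status 124)"
fi
```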

logopk commented 8 years ago

@drwetter: now if I check, the date format problem on the Mac happens only in 2.6 and it seems to be related to the missing LC_ALL=C. Fair enough if you don't change this anymore. I will file an issue for the docker version of 2.7dev.