WarpEngineer · May 1, 2021 00:48 · Nov 30, 2017 · Apr 7, 2017 · Mar 29, 2017 · Mar 1, 2016
diff --git a/ssl_test.sh b/ssl_test.sh
@@ -59,7 +59,7 @@ echo "$SCLIENT_DUMP" | openssl x509 -noout -text
 echo ""
 echo "Protocol Support"
 echo "--------------------"
-SUPPORTED_PROTOCOLS=$(openssl s_client - 2>&1 | grep -P ' - just use (?!DTLS)' | sort | sed 's/ *- just use /|/g')
+SUPPORTED_PROTOCOLS=$(openssl s_client --help 2>&1 | grep -P ' -? [jJ]ust use (?!DTLS)' | sort -di -b -k1,1 | sed 's/ *-\? [jJ]ust use */|/g')
 for PROTOCOL in ${SUPPORTED_PROTOCOLS}; do
   SCLIENT_ARG=$(echo "$PROTOCOL" | cut -d "|" -f 1)
   PROT_DESC=$(echo "$PROTOCOL" | cut -d "|" -f 2)

diff --git a/ssl_test.sh b/ssl_test.sh
@@ -90,7 +90,7 @@ if [[ "$?" == 0 ]] ; then echo "NO"; else echo "YES"; fi
 #if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
 echo -n "TLS_FALLBACK_SCV (anti-POODLE):		"
 echo "" | openssl s_client -connect $SERVER -fallback_scsv -no_tls1_2 > /dev/null 2>&1
-if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
+if [[ "$?" != 0 ]] ; then echo "YES"; else echo "NO"; fi
 
 echo ""
 echo "Cipher Support"

diff --git a/ssl_test.sh b/ssl_test.sh
@@ -46,8 +46,17 @@ CIPHERS=$(echo "$CIPHERS" | sed -r 's/[\t ]+/|/g')
 
 echo "Testing $SERVER_HOST on port $SERVER_PORT with a delay of ${DELAY_MS}ms"
 echo "Using $(openssl version)"
+
+# Store the output to reuse for some other testing
+SCLIENT_DUMP=$(echo "" | openssl s_client -connect $SERVER 2>&1)
+
 echo ""
+echo "Certificate Information"
+echo "--------------------"
+echo "$SCLIENT_DUMP" | openssl x509 -noout -text
+
 
+echo ""
 echo "Protocol Support"
 echo "--------------------"
 SUPPORTED_PROTOCOLS=$(openssl s_client - 2>&1 | grep -P ' - just use (?!DTLS)' | sort | sed 's/ *- just use /|/g')
@@ -60,6 +69,29 @@ for PROTOCOL in ${SUPPORTED_PROTOCOLS}; do
   sleep $DELAY_S
 done
 
+echo ""
+echo "General Support"
+echo "--------------------"
+echo -n "Secure Renegotiation:			"
+echo "$SCLIENT_DUMP" | grep "Secure Renegotiation IS supported" > /dev/null 2>&1
+if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
+echo -n "Client-Initiated Renegotiation:		"
+echo "HEAD / HTTP/1.1
+R" | openssl s_client -crlf -connect $SERVER > /dev/null 2>&1
+if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
+echo -n "TLS Compression (CRIME attack vuln):	"
+echo "$SCLIENT_DUMP" | grep "Compression: NONE" > /dev/null 2>&1
+if [[ "$?" == 0 ]] ; then echo "NO"; else echo "YES"; fi
+#echo -n "HTTP Compression (BREACH attack vuln):	"
+#echo "GET / HTTP/1.1
+#Host: $SERVER_HOST
+#Accept-Encoding: gzip,deflate,compress,br,bzip2,lzma,sdch,xpress,xz
+#" | openssl s_client -ign_eof -crlf -connect $SERVER 2>&1 | grep -Pi "^Content-Encoding:[^\r\n]*(gzip|deflate|compress|br|bzip2|lzma|sdch|xpress|xz)" > /dev/null 2>&1
+#if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
+echo -n "TLS_FALLBACK_SCV (anti-POODLE):		"
+echo "" | openssl s_client -connect $SERVER -fallback_scsv -no_tls1_2 > /dev/null 2>&1
+if [[ "$?" == 0 ]] ; then echo "YES"; else echo "NO"; fi
+
 echo ""
 echo "Cipher Support"
 CIPHER_COUNT=$(echo "${CIPHERS}" | wc -l 2>/dev/null)

diff --git a/ssl_test.sh b/ssl_test.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Author: Jay Dansand for Lawrence University Technology Services
+# Author: Jay Dansand, Technology Services, Lawrence University
 # Date: 10/17/2014
 
 # OpenSSL requires a port specification; default to 443.
@@ -65,7 +65,6 @@ echo "Cipher Support"
 CIPHER_COUNT=$(echo "${CIPHERS}" | wc -l 2>/dev/null)
 echo "Testing ${CIPHER_COUNT} OpenSSL cipher suites matching \"$CIPHER_SUITES\""
 echo "  (execute \"openssl ciphers '$CIPHER_SUITES'\" to see the list.)"
-# echo $CIPHERS
 echo "--------------------"
 HEADER="Cipher Tag|Cipher Prot.|Key Ex.|Auth.|Encryption|MAC
 $CIPHERS"

diff --git a/ssl_test.sh b/ssl_test.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Author: Jay Dansand, Technology Services, Lawrence University
+# Author: Jay Dansand for Lawrence University Technology Services
 # Date: 10/17/2014
 
 # OpenSSL requires a port specification; default to 443.
@@ -65,6 +65,7 @@ echo "Cipher Support"
 CIPHER_COUNT=$(echo "${CIPHERS}" | wc -l 2>/dev/null)
 echo "Testing ${CIPHER_COUNT} OpenSSL cipher suites matching \"$CIPHER_SUITES\""
 echo "  (execute \"openssl ciphers '$CIPHER_SUITES'\" to see the list.)"
+# echo $CIPHERS
 echo "--------------------"
 HEADER="Cipher Tag|Cipher Prot.|Key Ex.|Auth.|Encryption|MAC
 $CIPHERS"
@@ -73,7 +74,7 @@ IFS=$'\n'
 for CIPHER_DETAILS in ${CIPHERS[@]}; do
   CIPHER=$(echo "$CIPHER_DETAILS" | cut -d "|" -f 1)
   RESULT=$(echo -n | openssl s_client -cipher "$CIPHER" -connect $SERVER 2>&1)
-  if [[ "$RESULT" =~ "Cipher is ${CIPHER}" || "$RESULT" =~ "Cipher    :" ]] ; then
+  if [[ "$RESULT" =~ "Cipher is ${CIPHER}" || ("$RESULT" =~ "Cipher    :" && ! ("$RESULT" =~ "Cipher    : 0000")) ]] ; then
     PROT_DESC=$(echo "$RESULT" | grep -oP '(?<=Protocol  : )[^\b]+')
     echo "$HEADER
 $CIPHER_DETAILS" | column -t -s "|" | tail -1

diff --git a/ssl_test.sh b/ssl_test.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+# Author: Jay Dansand, Technology Services, Lawrence University
+# Date: 10/17/2014
+
+# OpenSSL requires a port specification; default to 443.
+SERVER="$1:443"
+SERVER_HOST=$(echo "$SERVER" | cut -d ":" -f 1)
+SERVER_PORT=$(echo "$SERVER" | cut -d ":" -f 2)
+if [[ -z "$SERVER_HOST" || -z "$SERVER_PORT" ]]; then
+  echo "Usage: $0 host[:port] [ciphers [delay in ms]]"
+  echo ""
+  echo "  port - Remote host port"
+  echo "    Default: 443"
+  echo "  ciphers - Expression suitable for the command \"openssl ciphers [ciphers]\""
+  echo "    Default: ALL:eNULL:aNULL"
+  echo "  delay - Time between probe requests in ms"
+  echo "    Default: 125"
+  echo ""
+  echo "  Example: $0 localhost:8443"
+  echo "    Test localhost on port 8443 with all ciphers and default delay (125ms)"
+  echo ""
+  echo "  Example: $0 example.com \"ALL:!aNULL\" 1000"
+  echo "    Test example.com on default port (443) with all ciphers except aNULL and delay of 1000ms"
+  exit
+fi
+SERVER="$SERVER_HOST:$SERVER_PORT"
+
+DELAY_MS="$3"
+echo "$DELAY_MS"
+if [[ "$DELAY_MS" -le 0 ]]; then
+  DELAY_MS=125
+fi
+DELAY_S=$(printf $(expr "$DELAY_MS" / 1000).%03d $(expr "$DELAY_MS" % 1000) )
+
+CIPHER_SUITES="$2"
+if [[ -z "$CIPHER_SUITES" ]]; then
+  CIPHER_SUITES='ALL:eNULL:aNULL'
+fi
+CIPHERS=$(openssl ciphers -v "${CIPHER_SUITES}" 2>&1)
+if [[ "$?" -ne 0 ]]; then
+  ERROR=$(echo -n "$CIPHERS" | cut -s -d':' -f6)
+  echo "ERROR in cipher list: \"$ERROR\""
+  exit
+fi
+CIPHERS=$(echo "$CIPHERS" | sed -r 's/[\t ]+/|/g')
+
+echo "Testing $SERVER_HOST on port $SERVER_PORT with a delay of ${DELAY_MS}ms"
+echo "Using $(openssl version)"
+echo ""
+
+echo "Protocol Support"
+echo "--------------------"
+SUPPORTED_PROTOCOLS=$(openssl s_client - 2>&1 | grep -P ' - just use (?!DTLS)' | sort | sed 's/ *- just use /|/g')
+for PROTOCOL in ${SUPPORTED_PROTOCOLS}; do
+  SCLIENT_ARG=$(echo "$PROTOCOL" | cut -d "|" -f 1)
+  PROT_DESC=$(echo "$PROTOCOL" | cut -d "|" -f 2)
+  echo -n "$PROT_DESC	: "
+  echo -n | openssl s_client "$SCLIENT_ARG" -connect $SERVER > /dev/null 2>&1
+  if [[ $? == 0 ]] ; then echo "YES"; else echo "NO"; fi
+  sleep $DELAY_S
+done
+
+echo ""
+echo "Cipher Support"
+CIPHER_COUNT=$(echo "${CIPHERS}" | wc -l 2>/dev/null)
+echo "Testing ${CIPHER_COUNT} OpenSSL cipher suites matching \"$CIPHER_SUITES\""
+echo "  (execute \"openssl ciphers '$CIPHER_SUITES'\" to see the list.)"
+echo "--------------------"
+HEADER="Cipher Tag|Cipher Prot.|Key Ex.|Auth.|Encryption|MAC
+$CIPHERS"
+echo "$HEADER" | column -t -s "|" | head -1
+IFS=$'\n'
+for CIPHER_DETAILS in ${CIPHERS[@]}; do
+  CIPHER=$(echo "$CIPHER_DETAILS" | cut -d "|" -f 1)
+  RESULT=$(echo -n | openssl s_client -cipher "$CIPHER" -connect $SERVER 2>&1)
+  if [[ "$RESULT" =~ "Cipher is ${CIPHER}" || "$RESULT" =~ "Cipher    :" ]] ; then
+    PROT_DESC=$(echo "$RESULT" | grep -oP '(?<=Protocol  : )[^\b]+')
+    echo "$HEADER
+$CIPHER_DETAILS" | column -t -s "|" | tail -1
+  fi
+  sleep $DELAY_S
+done