James E. King, III | 0619087 | 2017-02-20 08:52:11 -0500 | [diff] [blame^] | 1 | #!/bin/bash |
| 2 | |
| 3 | # |
| 4 | # Checks to make sure TLSv1.0 or later is allowed by a server. |
| 5 | # |
| 6 | |
| 7 | THRIFTHOST=localhost |
| 8 | THRIFTPORT=9090 |
| 9 | |
| 10 | while [[ $# -ge 1 ]]; do |
| 11 | arg="$1" |
| 12 | argIN=(${arg//=/ }) |
| 13 | |
| 14 | case ${argIN[0]} in |
| 15 | -h|--host) |
| 16 | THRIFTHOST=${argIN[1]} |
| 17 | shift # past argument |
| 18 | ;; |
| 19 | -p|--port) |
| 20 | THRIFTPORT=${argIN[1]} |
| 21 | shift # past argument |
| 22 | ;; |
| 23 | *) |
| 24 | # unknown option ignored |
| 25 | ;; |
| 26 | esac |
| 27 | |
| 28 | shift # past argument or value |
| 29 | done |
| 30 | |
| 31 | declare -A EXPECT_NEGOTIATE |
| 32 | EXPECT_NEGOTIATE[tls1]=1 |
| 33 | EXPECT_NEGOTIATE[tls1_1]=1 |
| 34 | EXPECT_NEGOTIATE[tls1_2]=1 |
| 35 | |
| 36 | failures=0 |
| 37 | |
| 38 | function tls |
| 39 | { |
| 40 | for PROTO in "${!EXPECT_NEGOTIATE[@]}"; do |
| 41 | |
| 42 | local nego |
| 43 | local negodenied |
| 44 | local res |
| 45 | |
| 46 | echo "openssl s_client -connect $THRIFTHOST:$THRIFTPORT -CAfile ../keys/CA.pem -$PROTO 2>&1 < /dev/null" |
| 47 | nego=$(openssl s_client -connect $THRIFTHOST:$THRIFTPORT -CAfile ../keys/CA.pem -$PROTO 2>&1 < /dev/null) |
| 48 | negodenied=$? |
| 49 | echo "result of command: $negodenied" |
| 50 | |
| 51 | res="enabled"; if [[ ${EXPECT_NEGOTIATE[$PROTO]} -eq 0 ]]; then res="disabled"; fi |
| 52 | |
| 53 | if [[ $negodenied -ne ${EXPECT_NEGOTIATE[$PROTO]} ]]; then |
| 54 | echo "$PROTO negotiation allowed" |
| 55 | else |
| 56 | echo "[warn] $PROTO negotiation did not work" |
| 57 | echo $nego |
| 58 | ((failures++)) |
| 59 | fi |
| 60 | done |
| 61 | } |
| 62 | |
| 63 | tls |
| 64 | |
| 65 | if [[ $failures -eq 3 ]]; then |
| 66 | echo "[fail] At least one of TLSv1.0, TLSv1.1, or TLSv1.2 needs to work, but does not" |
| 67 | exit $failures |
| 68 | fi |
| 69 | |
| 70 | echo "[pass] At least one of TLSv1.0, TLSv1.1, or TLSv1.2 worked" |
| 71 | exit 0 |