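#!/bin/bash

#
# Checks to make sure SSLv3 is not allowed by a server.
#
# Usage: nosslv3.sh [-h|--host HOST] [-p|--port PORT]
#   Options may be given as "--host HOST" or "--host=HOST".
#   Unknown options are ignored.
#

THRIFTHOST=localhost
THRIFTPORT=9090

#######################################
# Parses the command line into THRIFTHOST / THRIFTPORT.
# Globals:   THRIFTHOST, THRIFTPORT (written)
# Arguments: the script's positional parameters
# Returns:   0
#######################################
parse_args() {
  local arg name value
  while [[ $# -ge 1 ]]; do
    arg="$1"
    shift # past option (or option=value)

    # Split "--opt=value" with parameter expansion rather than an unquoted
    # array assignment, so values containing spaces or glob characters
    # survive intact.
    name="${arg%%=*}"
    value=""
    if [[ "$arg" == *=* ]]; then
      value="${arg#*=}"
    elif [[ $# -ge 1 ]]; then
      # "--opt value" form: the value is the next argument, consumed here so
      # it is not re-parsed as an option.
      case "$name" in
        -h|--host|-p|--port)
          value="$1"
          shift # past value
          ;;
      esac
    fi

    case "$name" in
      -h|--host)
        THRIFTHOST="$value"
        ;;
      -p|--port)
        THRIFTPORT="$value"
        ;;
      *)
        # unknown option ignored
        ;;
    esac
  done
  return 0
}

parse_args "$@"
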
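#######################################
# Verifies that the server at THRIFTHOST:THRIFTPORT refuses an SSLv3 handshake.
# Globals:   THRIFTHOST, THRIFTPORT (read)
# Outputs:   a "[pass] ..." or "[fail] ..." line, followed by the openssl
#            output, on stdout
# Returns:   0 when SSLv3 is refused (or the check is skipped for OpenSSL 1.1
#            or later), 1 when the server accepted SSLv3 or openssl is missing
#######################################
function nosslv3
{
  local nego
  local negodenied
  local opensslv
  local major
  local minor

  # Without openssl the probe below fails for the wrong reason and would be
  # reported as a pass; make the missing tool an explicit failure instead.
  if ! command -v openssl >/dev/null 2>&1; then
    echo "[fail] openssl not found - cannot check ssl3"
    return 1
  fi

  # "OpenSSL 1.0.2k  26 Jan 2017" -> "1.0.2k"; split into major/minor and keep
  # only the leading digits so letter suffixes do not break the arithmetic.
  opensslv=$(openssl version | cut -d' ' -f2)
  IFS=. read -r major minor _ <<<"$opensslv"
  major="${major%%[^0-9]*}"
  minor="${minor%%[^0-9]*}"

  # The previous check was a string comparison ($opensslv > "1.0"), which is
  # true for every 1.0.x release and so skipped the probe on exactly the
  # versions the script is meant to test. Compare numerically instead.
  if [[ -n "$major" && -n "$minor" ]] &&
     (( 10#$major > 1 || (10#$major == 1 && 10#$minor >= 1) )); then
    echo "[pass] OpenSSL 1.1 or later - no need to check ssl3"
    return 0
  fi

  # Force an SSLv3-only handshake; a non-zero exit means the server refused
  # it, which is the desired outcome. Output is captured for the report.
  # echo "openssl s_client -connect $THRIFTHOST:$THRIFTPORT -CAfile ../keys/CA.pem -ssl3 2>&1 < /dev/null"
  nego=$(openssl s_client -connect "$THRIFTHOST:$THRIFTPORT" -CAfile ../keys/CA.pem -ssl3 2>&1 < /dev/null)
  negodenied=$?

  if [[ $negodenied -ne 0 ]]; then
    echo "[pass] SSLv3 negotiation disabled"
    # printf keeps the captured output's line structure; unquoted echo would
    # collapse it onto one line.
    printf '%s\n' "$nego"
    return 0
  fi

  echo "[fail] SSLv3 negotiation enabled! stdout:"
  printf '%s\n' "$nego"
  return 1
}
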
# Run the check and make its status the script's exit code.
nosslv3
rc=$?
exit "$rc"