11#! /bin/bash
22
3+ NIST_SP_800_52=" config/nist-sp-800-52.json"
4+ JSON_REPORT=" data/tls_conn_report.json"
5+
36chk_cmd ()
47{
58 if ! command -v $1 & > /dev/null; then
@@ -50,6 +53,72 @@ parse_cmdargs()
5053 [[ -f $summcsv ]] && rm -f $summcsv
5154}
5255
56+ tls_json_report_beginner ()
57+ {
58+ echo -en " [\n" > $JSON_REPORT
59+ }
60+
61+ tls_conn_beginner ()
62+ {
63+ echo -en " \t{\n" >> $JSON_REPORT
64+ cat << EOF >> $JSON_REPORT
65+ "Name": "$TLS_Name ",
66+ "Address": "$TLS_Address ",
67+ "Status": "$TLS_Status ",
68+ "Max_Protocol_Version": "$TLS_Max_Protocol_Version ",
69+ "Total_Supported_Cipher_Suites": "$TLS_Conn_Success_Count ",
70+ "Ciphersuites": [
71+ EOF
72+ }
73+
74+ TLS_CONN_REPORT=" "
75+ TLS_Conn_Success_Count=0
76+ TLS_Max_Protocol_Version=" "
77+
78+ tls_conn_status_append ()
79+ {
80+ TLS_CONN_REPORT=$TLS_CONN_REPORT " $1 "
81+ }
82+
83+ tls_conn_status ()
84+ {
85+ if [ $TLS_Conn_Status == " Succeeded" ]; then
86+ TLS_Conn_Success_Count=$(( TLS_Conn_Success_Count+ 1 ))
87+ [[ $TLS_Max_Protocol_Version == " " ]] && TLS_Max_Protocol_Version=$TLS_Protocol_version
88+ fi
89+ if [ $1 -ne 1 ]; then
90+ tls_conn_status_append " ,\n"
91+ fi
92+ tls_conn_status_append " \t\t\t{\n"
93+ tls_conn_status_append " \t\t\t\t\" Ciphersuite\" : \" $TLS_Ciphersuite \" ,\n"
94+ tls_conn_status_append " \t\t\t\t\" Version\" : \" $TLS_Protocol_version \" ,\n"
95+ tls_conn_status_append " \t\t\t\t\" ConnectionStatus\" : \" $TLS_Conn_Status \" \n"
96+ tls_conn_status_append " \t\t\t}" >> $JSON_REPORT
97+ }
98+
99+ tls_conn_status_write_to_file ()
100+ {
101+ if [ $TLS_Conn_Success_Count -gt 0 ]; then
102+ TLS_Status=" TLS"
103+ fi
104+ tls_conn_beginner
105+ echo -en $TLS_CONN_REPORT >> $JSON_REPORT
106+ TLS_Max_Protocol_Version=" "
107+ TLS_CONN_REPORT=" "
108+ TLS_Conn_Success_Count=0
109+ }
110+
111+ tls_conn_trailer ()
112+ {
113+ echo -en " \n\t\t]\n" >> $JSON_REPORT
114+ echo -en " \t}\n" >> $JSON_REPORT
115+ }
116+
117+ tls_json_report_trailer ()
118+ {
119+ echo " ]" >> $JSON_REPORT
120+ }
121+
53122jsonreport ()
54123{
55124 [[ " $jsonout " == " " ]] && return
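Review bot: `Max_Protocol_Version` does not hold the maximum negotiated version — `tls_conn_status` only assigns `TLS_Max_Protocol_Version` on the first successful handshake (`[[ $TLS_Max_Protocol_Version == "" ]] && ...`), so the field reports whichever version happens to come first in the config's iteration order, and a TLSv1.3-capable host listed with a TLSv1.2 suite first is reported as TLSv1.2. Rank the versions and keep the highest seen, as sketched below. Two smaller things in the same hunk: the `>> $JSON_REPORT` on the last `tls_conn_status_append` call is a no-op because that helper only appends to a variable, and `echo -en $TLS_CONN_REPORT` in `tls_conn_status_write_to_file` is unquoted, so the accumulated report is word-split and glob-expanded before it is written — `printf '%b' "$TLS_CONN_REPORT" >> "$JSON_REPORT"` is the safe form. None of the interpolated values (`TLS_Name`, `TLS_Address`, suite and version strings, the latter two taken from `openssl` output) are JSON-escaped, which is worth a comment at minimum since a `"` or `\` in any of them produces an unparsable report.
```shell
# Rank protocol versions so the report field really is the highest one negotiated.
declare -A tls_ver_rank=( ["TLSv1.0"]=1 ["TLSv1.1"]=2 ["TLSv1.2"]=3 ["TLSv1.3"]=4 )

tls_conn_status ()
{
    if [ "$TLS_Conn_Status" == "Succeeded" ]; then
        TLS_Conn_Success_Count=$(( TLS_Conn_Success_Count + 1 ))
        if [ "$TLS_Max_Protocol_Version" == "" ] ||
           [ "${tls_ver_rank[$TLS_Protocol_version]:-0}" -gt "${tls_ver_rank[$TLS_Max_Protocol_Version]:-0}" ]; then
            TLS_Max_Protocol_Version=$TLS_Protocol_version
        fi
    fi
    # … unchanged: comma handling and per-suite JSON object …
}
```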
@@ -90,11 +159,59 @@ csvreport()
90159EOF
91160}
92161
162+ reset_tls_conn_result ()
163+ {
164+ TLS_Protocol_version=" -"
165+ TLS_Ciphersuite=" -"
166+ TLS_Hash_used=" -"
167+ TLS_Signature_type=" -"
168+ TLS_Verification=" -"
169+ TLS_Conn_Status=" -"
170+ }
171+
172+ tls_conn_failure ()
173+ {
174+ TLS_Status=" CONNFAIL"
175+ TLS_Protocol_version=$1
176+ TLS_Ciphersuite=$2
177+ }
178+
179+ declare -A ossl_tls_ver_opt=(
180+ [" TLSv1.3" ]=" -tls1_3"
181+ [" TLSv1.2" ]=" -tls1_2"
182+ [" TLSv1.1" ]=" -tls1_1"
183+ [" TLSv1.0" ]=" -tls1_0"
184+ )
185+
186+ # For TLS 1.2 and older versions, OpenSSL maintains a ciphersuite name
187+ # different from the name specified in RFC
188+ declare -A tls12_ossl_cs=(
189+ [" TLS_RSA_WITH_AES_256_CBC_SHA" ]=" AES256-SHA"
190+ [" TLS_RSA_WITH_AES_128_CBC_SHA" ]=" AES128-SHA"
191+ [" TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" ]=" ECDHE-RSA-AES256-SHA"
192+ [" TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" ]=" ECDHE-RSA-AES128-SHA"
193+ )
194+
93195opensslscan ()
94196{
95197 tmp=/tmp/tls.out
96198 rm -f $tmp 2> /dev/null
97- timeout 2s openssl s_client -CApath /etc/ssl/certs/ -connect " $TLS_Address " -brief < /dev/null 2> $tmp
199+ ver_opt=${ossl_tls_ver_opt[$1]}
200+ if [ -z $ver_opt ]; then
201+ echo " Invalid TLS version $1 "
202+ fi
203+ if [ $ver_opt == " -tls1_3" ]; then
204+ ciphersuite=$2
205+ s_client_opt=" -ciphersuites $ciphersuite $ver_opt "
206+ else
207+ ciphersuite=${tls12_ossl_cs[$2]}
208+ if [ -z $ciphersuite ]; then
209+ echo " Unknown ciphersuite $ciphersuite "
210+ fi
211+ s_client_opt=" -cipher $ciphersuite $ver_opt "
212+ fi
213+ reset_tls_conn_result
214+ timeout 2s openssl s_client -connect $TLS_Address -CApath /etc/ssl/certs/ $s_client_opt -brief < /dev/null 2> $tmp
98215# echo "ret=$ret"
99216# cat $tmp
100217 conn_estd=0
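Review bot: `["TLSv1.0"]="-tls1_0"` in `ossl_tls_ver_opt` is not an option `openssl s_client` accepts — the TLS 1.0 switch is `-tls1` (alongside `-tls1_1`, `-tls1_2`, `-tls1_3`) — so every TLSv1.0 probe dies on option parsing before a handshake is attempted and a server that still accepts TLS 1.0 is reported as not supporting it, which is exactly the finding this scanner exists to surface; change it to `["TLSv1.0"]="-tls1"`. The two lookup-failure branches only `echo` and fall through: with an empty `$ver_opt` the unquoted `[ $ver_opt == "-tls1_3" ]` test errors out, and with an empty `$ciphersuite` the command becomes `-cipher -tls1_2`, so `-cipher` swallows the version flag and the probe runs against the default cipher list, yet the result is still attributed to the requested suite by the `tls_conn_status` call further down. Those branches should record a failure and stop, e.g. `echo "Unknown ciphersuite $2" >&2; reset_tls_conn_result; TLS_Conn_Status="Failed"; tls_conn_failure "$1" "$2"; tls_conn_status "$3"; return 1` (note the current message prints the empty lookup result rather than `$2`), and since `tls12_ossl_cs` has only four entries, any other pre-1.3 suite in the config file lands there. The `opensslscan` body continues past the end of this hunk.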
@@ -105,10 +222,20 @@ opensslscan()
105222 key=${line/:*/ }
106223 val=${line/*: / }
107224 key=${key// / _}
225+ if [ " $val " == " $ciphersuite " ]; then
226+ val=$2
227+ fi
108228 printf -v " TLS_$key " ' %s' " $val "
109229 TLS_Status=" TLS"
110230 done < $tmp
111- [[ " $TLS_Verification_error " != " " ]] && TLS_Verification=" $TLS_Verification_error "
231+ if [ $conn_estd -ne 1 ]; then
232+ TLS_Conn_Status=" Failed"
233+ tls_conn_failure $1 $2
234+ else
235+ TLS_Conn_Status=" Succeeded"
236+ [[ " $TLS_Verification_error " != " " ]] && TLS_Verification=" $TLS_Verification_error "
237+ fi
238+ tls_conn_status $3
112239}
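Review bot: The new failure path records only `TLS_Conn_Status="Failed"` and discards the reason, although `$tmp` still holds `openssl`'s stderr at that point, so a rejected option, a bad cipher string, a 2 s `timeout` and a genuine server-side handshake alert are all indistinguishable in the report; capturing the first diagnostic line next to the status, `TLS_Conn_Error=$(head -n 1 "$tmp")`, and emitting it from `tls_conn_status` would let a reader tell "the server refused this suite" from "the scanner never asked". The `if [ "$val" == "$ciphersuite" ]` rewrite is applied to every `key: value` pair in the loop rather than only the `Ciphersuite` line, which is harmless today but deserves a comment saying it maps the OpenSSL name back to the RFC name from the config. The enclosing `opensslscan` function and the `while` loop this hunk sits in begin before the hunk.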
113240
114241unsetvars ()
@@ -119,28 +246,48 @@ unsetvars()
119246 unset $varlist
120247}
121248
122- scantls ()
249+ dotlsconnect ()
123250{
124251 TLS_Status=" PLAIN_TEXT"
125252 nc -w 1 -z ${TLS_Address/:/ }
126253 case " $? " in
127- 0) opensslscan ;;
254+ 0) opensslscan $1 $2 $3 ;;
128255 * ) TLS_Status=" CONNFAIL" ;;
129256 esac
130257
131258 jsonreport
132259 csvreport
133260}
134261
262+ scantls ()
263+ {
264+ cs_count=` jq ' .cipher_suites | length' $NIST_SP_800_52 `
265+ count=0
266+ tls_json_report_beginner
267+ for(( i= 0 ; i< $cs_count ; i++ )) ; do
268+ cipher_suite=` jq .cipher_suites[$i ].cipher_suite $NIST_SP_800_52 -r`
269+ supported_ver_count=` jq ' .cipher_suites[' $i ' ].versions | length' $NIST_SP_800_52 `
270+ for(( j= 0 ; j< $supported_ver_count ; j++ )) ; do
271+ tls_version=` jq .cipher_suites[$i ].versions[$j ].version $NIST_SP_800_52 -r`
272+ # echo "TLS Connect with $tls_version and $cipher_suite"
273+ count=$(( count+ 1 ))
274+ dotlsconnect $tls_version $cipher_suite $count
275+ done
276+ done
277+ tls_conn_status_write_to_file
278+ tls_conn_trailer
279+ tls_json_report_trailer
280+ }
281+
135282getsummary ()
136283{
137- status_arr=(
284+ status_arr=(
138285 " certificate has expired"
139286 " self-signed certificate"
140287 " insecure port"
141288 " connection failure"
142289 )
143- regex_arr=(
290+ regex_arr=(
144291 " certificate has expired"
145292 " self-signed certificate"
146293 " PLAIN_TEXT"