
Commit 43b05b0

committed
Added fileout, raw good/bad/info checks
1 parent b7cd397 commit 43b05b0


1 file changed

+41
-23
lines changed


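--- a/testssl.sh
+++ b/testssl.sh
@@ -7354,12 +7354,15 @@ tls_time() {
 return 0
 }
 
-# rfc8461
+# rfc8461, rfc8460
 sub_mta_sts() {
 local mta_sts_record=""
 local policy=""
 local smtp_tls_record=""
 local spaces="$1"
+# we might reconsider this as booleans arent very flexible:
+local mta_sts_record_ok=false policy_ok=false smtp_tls_record_ok=false
+local jsonID="smtp_mtasts"
 local useragent="$UA_STD"
 $SNEAKY && useragent="$UA_SNEAKY"
 
@@ -7377,23 +7380,19 @@ sub_mta_sts() {
 pr_bold " MTA-STS Policy "
 
 mta_sts_record="$(get_txt_record _mta-sts.$NODE)"
-# look for exact match for 'v=STSv1'
-# look for exact match for 'id='
-
+# look for exact match for 'v=STSv1' and 'id='
+if [[ "$mta_sts_record" =~ v=STSv1 ]] && [[ "$mta_sts_record" =~ id= ]] && [[ "$mta_sts_record" =~ \; ]]; then
+# id check needs to improved , see sts-id in https://tools.ietf.org/html/rfc8461#section-3.1
+mta_sts_record_ok=true
+fi
 # echo "$mta_sts_record"; echo
 
 policy="$(safe_echo "GET /.well-known/mta-sts.txt HTTP/1.1\r\nHost: mta-sts.$NODE\r\nUser-Agent: $useragent\r\nAccept-Encoding: identity\r\nAccept: text/*\r\nConnection: Close\r\n\r\n" | $OPENSSL s_client $(s_client_options "-quiet -ign_eof -connect $NODEIP:443 $PROXY $SNI") 2>$ERRFILE)"
 # here also the openssl return val needs to be checked
 
-#tmp="$(printf "$policy" | awk '/^$/ { p=1;next } { if(!p) { print } }')"
-# policy="$(awk '/^$/ { p=1;next } { if(!p) { print } }' <<< "$policy")"
 policy="$(print_after_blankline "$policy")"
-#echo "POLICY2: $tmp "
 # echo "$policy"; echo
 
-# header needs to be stripped. Either the lower bytes which come after Content-Length in the header.
-# or starting from version or starting after blank line
-
 # check policy:
 # - grep -Ew 'version|mode|mx|max_age'
 # - version.*STSv1$
@@ -7402,28 +7401,54 @@ sub_mta_sts() {
 # - max_age should be sufficient otherwise caching it is ~useless, see HSTS
 # - whether mx record matches
 
+# for the time being:
+[[ -n "$policy" ]] && policy_ok=true
+
 if [[ $DEBUG -ge 1 ]]; then
 echo "$mta_sts_record" >$TMPFILE/_mta-sts.$NODE.txt
 echo "$policy" >$TMPFILE/$NODE.mta-sts.well-known_mta-sts.txt
 echo "$smtp_tls_record" > $TMPFILE/_smtp._tls.$NODE
 fi
 
 smtp_tls_record="$(get_txt_record _smtp._tls.$NODE)"
+# for the time being:
+[[ -n "$smtp_tls_record" ]] && smtp_tls_record_ok=true
 
-outln "valid _mta-sts TXT record \"$mta_sts_record\""
+if "$mta_sts_record_ok"; then
+pr_svrty_good "valid"
+fileout "${jsonID}_txtrecord" "OK" "valid _mta-sts TXT record \"$mta_sts_record\""
+else
+pr_svrty_low "invalid"
+fileout "${jsonID}_txtrecord" "OK" "valid _mta-sts TXT record \"$mta_sts_record\""
+fi
+outln " _mta-sts TXT record \"$mta_sts_record\""
 out "$spaces"
-outln "valid enforced policy \"https://mta-sts.$NODE/.well-known/mta-sts.txt\""
+
+if "$policy_ok"; then
+pr_svrty_good "valid and enforced"
+fileout "${jsonID}_policy" "OK" "valid and enforced policy file \"https://mta-sts.$NODE/.well-known/mta-sts.txt\""
+else
+# missing: too short, not enforced, etc..
+pr_svrty_low "invalid"
+fileout "${jsonID}_policy" "LOW" "invalid policy file \"https://mta-sts.$NODE/.well-known/mta-sts.txt\""
+fi
+outln " policy file \"https://mta-sts.$NODE/.well-known/mta-sts.txt\""
 out "$spaces"
-outln "optional _smtp._tls TXT record \"$smtp_tls_record\""
+
+if "$smtp_tls_record_ok"; then
+outln "optional _smtp._tls TXT record \"$smtp_tls_record\""
+fileout "${jsonID}_tlsrpt" "INFO" "optional _smtp._tls TXT record \"$smtp_tls_record\""
+else
+outln "No TLS RPT record"
+fileout "${jsonID}_tlsrpt" "INFO" "no or invalid optional _smtp._tls TXT record \"$smtp_tls_record\""
+fi
 
 return 0
 }
 
-# e.g. for removing the HTTP header
+# e.g. for removing the HTTP header. To be moved to the top
 #
 print_after_blankline() {
-# doesn't work (oneliner with $1 instead of multiline):
-#awk '/^$/ { p=1;next } { if(p) { print } }' <<< $1
 local first=true
 local line=""
 
@@ -7438,15 +7463,8 @@ print_after_blankline() {
 fi
 fi
 done <<< $1
-set +x
 }
 
-# e.g. for removing the body
-#
-print_before_blankline() {
-# doesn't work (oneliner with $1 instead of multiline):
-awk '/^$/ { p=1;next } { if(!p) { print } }' <<< $1
-}
 
 
 # RFC 6394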
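Review bot: The else branch of the new `_mta-sts` TXT record check in the third hunk emits the same JSON result as the success branch: after `pr_svrty_low "invalid"` it still calls `fileout "${jsonID}_txtrecord" "OK" "valid _mta-sts TXT record \"$mta_sts_record\""`, so a record that failed the `v=STSv1`/`id=` test is recorded as OK in the machine-readable output while the terminal reports it as invalid. It should mirror the policy branch below it: `fileout "${jsonID}_txtrecord" "LOW" "invalid _mta-sts TXT record \"$mta_sts_record\""`. In the same hunk, the `$DEBUG` block writes `$smtp_tls_record` to `$TMPFILE` before the `get_txt_record _smtp._tls.$NODE` assignment on the following line, so that debug file appears to always be written empty; moving the assignment above the block would fix it. The new `policy_ok` test only checks that `$policy` is non-empty, so any non-empty HTTP body currently yields `pr_svrty_good "valid and enforced"` and an "OK" fileout; the "for the time being" comments mark this as provisional, but a note that the rating is not yet backed by a mode/version check would help readers of the JSON output.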
