#!/bin/bash
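setUp() {
  # shunit2 runs setUp before every test* function in the same shell, so a
  # value assigned here survives into later tests. tearDown only empties the
  # arrays, so the derived scalars are reset first: an assertion must reflect
  # this run's parse, not a token found by an earlier one.
  opt_tls1='' opt_tls11='' opt_tls12=''
  opt_ciphers_high='' opt_ciphers_not_anull='' opt_ciphers_not_md5=''
  audit_weak_ssl_early_data=''
  audit_insecure_tls1='' audit_insecure_tls11=''
  audit_insecure_SSLv2='' audit_insecure_SSLv3=''
  audit_insecure_SECP192R1='' audit_insecure_SECP224R1=''
  audit_insecure_SECP160R1='' audit_insecure_SECP160K1=''

  # Load the TLSAudit library. The paths are relative to the working
  # directory, so the suite has to be started from the directory that holds
  # lib/ and test/.
  source ./lib/parser.sh
  source ./lib/checker.sh
  source ./lib/reporter.sh

  # Parse the fixture; the loops below expect the parser to leave
  # "directive:value" tokens in the global tls_options array.
  parseNginxConfig ./test/nginx_example1.conf

  # Pick out the parsed tokens the testParser* functions assert on.
  local token
  for token in "${tls_options[@]}"; do
    case "$token" in
      'ssl_protocols:TLSv1')   opt_tls1="$token" ;;
      'ssl_protocols:TLSv1.1') opt_tls11="$token" ;;
      'ssl_protocols:TLSv1.2') opt_tls12="$token" ;;
      'ssl_ciphers:HIGH')      opt_ciphers_high="$token" ;;
      'ssl_ciphers:!aNULL')    opt_ciphers_not_anull="$token" ;;
      'ssl_ciphers:!MD5')      opt_ciphers_not_md5="$token" ;;
    esac
  done

  # Run the checker over the parsed options.
  # NOTE(review): "$tls_options" expands to element 0 of the array only. If
  # checkNginxTLSOptions reads its argument instead of the global array, the
  # rest of the configuration never reaches it -- confirm against
  # lib/checker.sh. The testChecker* functions pass it the same way, so the
  # call is kept as-is here.
  checkNginxTLSOptions "$tls_options"

  # "Weak" findings: TLS 1.3 0-RTT early data can be replayed by an attacker,
  # which is a risk for non-idempotent requests but not a protocol break.
  for token in "${tls_audit_weak[@]}"; do
    case "$token" in
      'ssl_early_data:on') audit_weak_ssl_early_data="$token" ;;
    esac
  done

  # "Insecure" findings: SSLv2/SSLv3 and TLS 1.0/1.1 (deprecated by RFC 8996)
  # plus ECDH curves below the 128-bit security level.
  for token in "${tls_audit_insecure[@]}"; do
    case "$token" in
      'ssl_protocols:TLSv1')      audit_insecure_tls1="$token" ;;
      'ssl_protocols:TLSv1.1')    audit_insecure_tls11="$token" ;;
      'ssl_protocols:SSLv2')      audit_insecure_SSLv2="$token" ;;
      'ssl_protocols:SSLv3')      audit_insecure_SSLv3="$token" ;;
      'ssl_ecdh_curve:secp192r1') audit_insecure_SECP192R1="$token" ;;
      'ssl_ecdh_curve:secp224r1') audit_insecure_SECP224R1="$token" ;;
      'ssl_ecdh_curve:secp160r1') audit_insecure_SECP160R1="$token" ;;
      'ssl_ecdh_curve:secp160k1') audit_insecure_SECP160K1="$token" ;;
    esac
  done
}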
tearDown() {
  # Runs after each test*: empty the parser/checker output arrays so a later
  # test cannot pass on findings produced by an earlier run. The opt_*/audit_*
  # scalars that setUp derives from these arrays are left to setUp.
  tls_options=() tls_audit_weak=() tls_audit_insecure=()
  element=''
}
testParserProtocolTLSv1() {
  # The parser must surface the TLSv1 token from the fixture; the checker
  # test for TLS 1.0 depends on this token being extracted.
  local want='ssl_protocols:TLSv1'
  assertEquals "Nginx configuration contains ${want}" "$want" "$opt_tls1"
}
testParserProtocolTLSv11() {
  # The parser must surface the TLSv1.1 token from the fixture.
  local want='ssl_protocols:TLSv1.1'
  assertEquals "Nginx configuration contains ${want}" "$want" "$opt_tls11"
}
testParserProtocolTLSv12() {
  # The parser must surface the TLSv1.2 token from the fixture.
  # NOTE(review): TLSv1.2 is only covered at the parser level; no test asserts
  # that the checker leaves it out of tls_audit_insecure, so a checker that
  # over-reports would go unnoticed.
  local want='ssl_protocols:TLSv1.2'
  assertEquals "Nginx configuration contains ${want}" "$want" "$opt_tls12"
}
testParserCipherHIGH() {
  # The parser must split the ssl_ciphers list and surface the HIGH keyword.
  local want='ssl_ciphers:HIGH'
  assertEquals "Nginx configuration contains ${want}" "$want" "$opt_ciphers_high"
}
testParserCipheraNull() {
  # The parser must keep the leading '!' on exclusion entries; "!aNULL"
  # (no unauthenticated key exchange) is a different statement from "aNULL".
  local want='ssl_ciphers:!aNULL'
  assertEquals "Nginx configuration contains ${want}" "$want" "$opt_ciphers_not_anull"
}
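testParserCipherMD5() {
  # The parser must keep the leading '!' on the MD5 exclusion entry.
  # The actual value is quoted (it was not before): an empty variable would
  # otherwise vanish from the argument list and assertEquals would be called
  # with two arguments instead of failing on an empty actual value.
  local want='ssl_ciphers:!MD5'
  assertEquals "Nginx configuration contains ${want}" "$want" "$opt_ciphers_not_md5"
}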
testCheckerProtocolSSLv2() {
  # SSLv2 must be reported as insecure. The assertion reads
  # audit_insecure_SSLv2, which setUp fills from tls_audit_insecure; the
  # checker re-run below does not feed the assertion. No parser test checks
  # that the fixture actually contains an SSLv2 token.
  checkNginxTLSOptions "$tls_options"
  local finding='ssl_protocols:SSLv2'
  assertEquals "SSLv2 option is insecure." "$finding" "$audit_insecure_SSLv2"
}
testCheckerProtocolSSLv3() {
  # SSLv3 must be reported as insecure. The value under test was captured by
  # setUp from tls_audit_insecure; the checker is re-run here but its fresh
  # output is not re-scanned by this function.
  checkNginxTLSOptions "$tls_options"
  local finding='ssl_protocols:SSLv3'
  assertEquals "SSLv3 option is insecure." "$finding" "$audit_insecure_SSLv3"
}
testCheckerProtocolTLSv1() {
  # TLS 1.0 (deprecated by RFC 8996) must be reported as insecure, not merely
  # weak. audit_insecure_tls1 is populated by setUp from tls_audit_insecure.
  checkNginxTLSOptions "$tls_options"
  local finding='ssl_protocols:TLSv1'
  assertEquals "TLSv1 option is insecure." "$finding" "$audit_insecure_tls1"
}
testCheckerProtocolTLSv11() {
  # TLS 1.1 (deprecated by RFC 8996) must be reported as insecure.
  # audit_insecure_tls11 is populated by setUp from tls_audit_insecure.
  checkNginxTLSOptions "$tls_options"
  local finding='ssl_protocols:TLSv1.1'
  assertEquals "TLSv1.1 option is insecure." "$finding" "$audit_insecure_tls11"
}
testCheckerSSLEarlyData() {
  # ssl_early_data on must land in the "weak" bucket rather than "insecure":
  # TLS 1.3 0-RTT data is replayable, so it is a risk for non-idempotent
  # requests but not a protocol break. setUp fills audit_weak_ssl_early_data
  # from tls_audit_weak.
  checkNginxTLSOptions "$tls_options"
  local finding='ssl_early_data:on'
  assertEquals "SSL Early Data option is weak." "$finding" "$audit_weak_ssl_early_data"
}
testCheckerSECP192R1() {
  # secp192r1 (~96-bit security) must be reported as insecure.
  # audit_insecure_SECP192R1 is populated by setUp from tls_audit_insecure.
  checkNginxTLSOptions "$tls_options"
  local finding='ssl_ecdh_curve:secp192r1'
  assertEquals "secp192r1 option is insecure." "$finding" "$audit_insecure_SECP192R1"
}
testCheckerSECP224R1() {
  # secp224r1 (~112-bit security, below the 128-bit floor expected today)
  # must be reported as insecure. Value captured by setUp.
  checkNginxTLSOptions "$tls_options"
  local finding='ssl_ecdh_curve:secp224r1'
  assertEquals "secp224r1 option is insecure." "$finding" "$audit_insecure_SECP224R1"
}
testCheckerSECP160R1() {
  # secp160r1 (~80-bit security) must be reported as insecure.
  # Value captured by setUp from tls_audit_insecure.
  checkNginxTLSOptions "$tls_options"
  local finding='ssl_ecdh_curve:secp160r1'
  assertEquals "secp160r1 option is insecure." "$finding" "$audit_insecure_SECP160R1"
}
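testCheckerSECP160K1() {
  # secp160k1 (~80-bit security) must be reported as insecure.
  # Value captured by setUp from tls_audit_insecure. The failure message now
  # spells the curve name the way the token and the sibling tests do
  # (lowercase "secp160k1", not "secp160K1").
  checkNginxTLSOptions "$tls_options"
  local finding='ssl_ecdh_curve:secp160k1'
  assertEquals "secp160k1 option is insecure." "$finding" "$audit_insecure_SECP160K1"
}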
. shunit2